Unable to install SSL cert on Ubuntu ADS Controller

OS Name/Version: Ubuntu

Product Name/Version: 2.4.7 - 20240109.1

Problem Description: converted Cert to PFX format and uploaded to /home/amp/.ampdata/certs and set the password in the config file but amp is still loading as HTTP and not HTTPS

this shows up in the console when i restart amp

Unable to load certificate from file, using HTTP instead.
CryptographicException
[0] (CryptographicException) : Unable to decode certificate.
at Framework.Btls.X509CertificateImplBtls..ctor (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) at Framework.Btls.FrameworkBtlsProvider.GetNativeCertificate (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags flags) at Framework.Btls.X509PalImplBtls.Import (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) at Framework.SystemCertificateProvider.Import (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Framework.CertificateImportFlags importFlags) at Framework.SystemCertificateProvider.Framework.ISystemCertificateProvider.Import (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Framework.CertificateImportFlags importFlags) at Security.Cryptography.X509Certificates.X509Helper.Import (Byte[] rawData, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) at Security.Cryptography.X509Certificates.X509Certificate..ctor (String fileName, String password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) at Security.Cryptography.X509Certificates.X509Certificate..ctor (String fileName, String password) at Security.Cryptography.X509Certificates.X509Certificate2..ctor (String fileName, String password) at GSMyAdmin.WebServer.LocalWebServer.GetCertificate ()
CryptographicException
[1] (CryptographicException) : `MonoBtlsPkcs12.Import` failed.
at Framework.Btls.FrameworkBtlsObject.CheckError (Boolean ok, String callerName) at Framework.Btls.FrameworkBtlsObject.CheckError (Int32 ret, String callerName) at Framework.Btls.FrameworkBtlsPkcs12.Import (Byte[] buffer, Microsoft.Platform.SafeHandles.SafePasswordHandle password) at Framework.Btls.X509CertificateImplBtls.ImportPkcs12 (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password) at Framework.Btls.X509CertificateImplBtls..ctor (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags)
Webserver started on http://0.0.0.0:8081

Config settings

# Webserver.IPBinding - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. I>
Webserver.IPBinding=0.0.0.0
Webserver.SessionTimeout=5
Webserver.NoUI=False
Webserver.FilterEndpoints=False
Webserver.AllowedEndpointIPs=["127.0.0.1"]
Webserver.CertificatePath=/home/amp/.ampdata/certs/certificate.pfx
Webserver.CertificateSerial=
Webserver.CertificateDomain=
Webserver.CertificatePassword=mypasswordhere
Webserver.EnableWebSockets=True
Webserver.EnablePluginWSStreams=False
Webserver.EnableFetchPostEndpoints=True
Webserver.APIRateLimit=1000
Webserver.AllowGETForAPIEndpoints=False
Webserver.UsingReverseProxy=False
Webserver.ReverseProxyHost=127.0.0.1
Webserver.ReverseProxyHosts=["127.0.0.1"]
Webserver.CORSOrigin=
Webserver.DisableCompression=False

Steps to reproduce:

• Converted cert using ampinstmgr
• move cert to folder above
• updated ADS01 AMPConfig.conf with path and password
• restart amp and getting the above console output

Actions taken to resolve so far:
try to convert cert again and created a new PFX cert and password but still not reading the cert

For HTTPS on Linux the supported method is using a reverse proxy via nginx. The certificate is generated automatically, no need to supply your own.

Run getamp postSetupHTTPS as root.

port 80 is already in use on my server so certbot is not working as it wants to use port 80, unless i can change it to use port 8080 somehow? and the cert has already been generated as my last amp server was on windows but it crashed. and i have a feeling as its still valid for another 8 months its not gonna let me generate a new one for the same domain.

If you’re using Apache on the system then this isn’t a supported configuration. Technically apache can be a reverse proxy for AMP but it’s websockets support isn’t so great. What you could do is use a separate system or a different IP address if you have multiple network interfaces.

Edit: of course you could just move whatever is on port 80 to another port and have nginx proxy that too. That’d be the tidy way of handling it.

ok thanks, so theres no way to use the PFX cert in AMP on linux?

No, that’s just used for Windows systems.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.