Unable to install SSL cert on Ubuntu ADS Controller

OS Name/Version: Ubuntu

Product Name/Version: 2.4.7 - 20240109.1

Problem Description: Converted the cert to PFX format, uploaded it to /home/amp/.ampdata/certs and set the password in the config file, but AMP is still loading as HTTP and not HTTPS.

This shows up in the console when I restart AMP:

Unable to load certificate from file, using HTTP instead.
CryptographicException
[0] (CryptographicException) : Unable to decode certificate.
  at Framework.Btls.X509CertificateImplBtls..ctor (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags)
  at Framework.Btls.FrameworkBtlsProvider.GetNativeCertificate (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags flags)
  at Framework.Btls.X509PalImplBtls.Import (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags)
  at Framework.SystemCertificateProvider.Import (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Framework.CertificateImportFlags importFlags)
  at Framework.SystemCertificateProvider.Framework.ISystemCertificateProvider.Import (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Framework.CertificateImportFlags importFlags)
  at Security.Cryptography.X509Certificates.X509Helper.Import (Byte[] rawData, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags)
  at Security.Cryptography.X509Certificates.X509Certificate..ctor (String fileName, String password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags)
  at Security.Cryptography.X509Certificates.X509Certificate..ctor (String fileName, String password)
  at Security.Cryptography.X509Certificates.X509Certificate2..ctor (String fileName, String password)
  at GSMyAdmin.WebServer.LocalWebServer.GetCertificate ()
CryptographicException
[1] (CryptographicException) : `MonoBtlsPkcs12.Import` failed.
  at Framework.Btls.FrameworkBtlsObject.CheckError (Boolean ok, String callerName)
  at Framework.Btls.FrameworkBtlsObject.CheckError (Int32 ret, String callerName)
  at Framework.Btls.FrameworkBtlsPkcs12.Import (Byte[] buffer, Microsoft.Platform.SafeHandles.SafePasswordHandle password)
  at Framework.Btls.X509CertificateImplBtls.ImportPkcs12 (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password)
  at Framework.Btls.X509CertificateImplBtls..ctor (Byte[] data, Microsoft.Platform.SafeHandles.SafePasswordHandle password, Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags)
Webserver started on http://0.0.0.0:8081

Config settings:

# Webserver.IPBinding - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. I>
Webserver.IPBinding=0.0.0.0
Webserver.SessionTimeout=5
Webserver.NoUI=False
Webserver.FilterEndpoints=False
Webserver.AllowedEndpointIPs=["127.0.0.1"]
Webserver.CertificatePath=/home/amp/.ampdata/certs/certificate.pfx
Webserver.CertificateSerial=
Webserver.CertificateDomain=
Webserver.CertificatePassword=mypasswordhere
Webserver.EnableWebSockets=True
Webserver.EnablePluginWSStreams=False
Webserver.EnableFetchPostEndpoints=True
Webserver.APIRateLimit=1000
Webserver.AllowGETForAPIEndpoints=False
Webserver.UsingReverseProxy=False
Webserver.ReverseProxyHost=127.0.0.1
Webserver.ReverseProxyHosts=["127.0.0.1"]
Webserver.CORSOrigin=
Webserver.DisableCompression=False

Steps to reproduce:

  • Converted cert using ampinstmgr
  • Moved cert to folder above
  • Updated ADS01 AMPConfig.conf with path and password
  • Restarted AMP and got the above console output

Actions taken to resolve so far:
Tried to convert the cert again and created a new PFX cert and password, but it is still not reading the cert.
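
Added example (not part of the original post and not AMP's own code): a small Python check over the console output and config quoted above that flags the silent fallback to plain HTTP. The function names are hypothetical, and the sample input is a trimmed copy of the post's own lines.

```python
import re

# Constructed sample input: trimmed from the console output and config in the post.
CONSOLE = """\
Unable to load certificate from file, using HTTP instead.
Webserver started on http://0.0.0.0:8081
"""
CONFIG = """\
Webserver.IPBinding=0.0.0.0
Webserver.CertificatePath=/home/amp/.ampdata/certs/certificate.pfx
Webserver.CertificatePassword=mypasswordhere
Webserver.UsingReverseProxy=False
"""

def parse_config(text):
    """Parse key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit(console, config_text):
    """Return findings about HTTP fallback and exposure, in a fixed order."""
    cfg = parse_config(config_text)
    findings = []
    started = re.search(r"Webserver started on (https?)://([^\s:]+):(\d+)", console)
    scheme, host = (started.group(1), started.group(2)) if started else (None, None)
    proxied = cfg.get("Webserver.UsingReverseProxy", "False").lower() == "true"
    # A certificate path is set, yet the listener came up without TLS.
    if cfg.get("Webserver.CertificatePath") and scheme == "http":
        findings.append("certificate configured but listener started as plain HTTP")
    # The server logged the failure and carried on instead of refusing to start.
    if "using HTTP instead" in console:
        findings.append("certificate load failed and the server fell back to HTTP")
    # Cleartext listener reachable on every interface with nothing in front of it.
    if scheme == "http" and host == "0.0.0.0" and not proxied:
        findings.append("plain HTTP bound to all interfaces with no reverse proxy")
    if cfg.get("Webserver.CertificatePassword"):
        findings.append("certificate password stored in cleartext in the config file")
    return findings

if __name__ == "__main__":
    for finding in audit(CONSOLE, CONFIG):
        print("FINDING:", finding)
```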

For HTTPS on Linux the supported method is using a reverse proxy via nginx. The certificate is generated automatically, no need to supply your own.

Run getamp postSetupHTTPS as root.

Port 80 is already in use on my server, so certbot is not working as it wants to use port 80, unless I can change it to use port 8080 somehow? And the cert has already been generated, as my last AMP server was on Windows but it crashed. And I have a feeling that, as it's still valid for another 8 months, it's not going to let me generate a new one for the same domain.

If you’re using Apache on the system then this isn’t a supported configuration. Technically Apache can be a reverse proxy for AMP but its websockets support isn’t so great. What you could do is use a separate system or a different IP address if you have multiple network interfaces.

Edit: Of course you could just move whatever is on port 80 to another port and have nginx proxy that too. That’d be the tidy way of handling it.

OK thanks, so there's no way to use the PFX cert in AMP on Linux?

No, that’s just used for Windows systems.
