Author Bruce

Add a valid SSL to r1soft server web interface


When you set up r1soft for backups, it will generate its own self-signed SSL for the browser UI. Although it worked fine, the SSL warnings annoyed me and at $work we have a multi-year wildcard for the domain the backup servers sit on, so I decided to sort out a valid SSL for the service.

Unfortunately the r1soft wiki is not great for this as it can be a bit unclear, and the link to the key tool they tell you you need is dead, so it took a little bit of fiddling and wrangling with java (one of my favourite things). And why not do their wiki maintainer's job for them?

Requirements

First you'll need the ImportKey tool to generate the keystore file. The link on the r1soft wiki is dead, but you can get the java file from this git repository. Put the ImportKey.java file in /usr/sbin/r1soft/jre/bin

Although r1soft bundles its own version of java, it doesn't include javac, which is required to build the ImportKey tool. You should be able to get this from your repos by installing openjdk. The java bundled with r1soft is openjdk 1.7.0, so I downloaded the matching version (package name java-1.7.0-openjdk-devel in CentOS 7). In theory openjdk 1.8.0 should also be fine if you don't have repos for 1.7.0, but I haven't tested with this.

Process

First things first, you'll want to ensure you have your SSL certificate in DER format with the cabundle added to the certificate. If you want/need to generate your own from PEM, you should create two files: example.crt and example.key where the example.crt contains your Certificate followed by your CABundle one after the other, and the example.key should contain your Private Key.

Once you have these files, you can run the following openssl commands to convert them to DER files (I do this in /root, but it's up to you where, you'll just need to adjust the upcoming ImportKey commands accordingly):

openssl pkcs8 -topk8 -nocrypt -in example.key -inform PEM -out examplekey.der -outform DER

openssl x509 -in example.crt -inform PEM -out examplecert.der -outform DER

Now you have the necessary certificates, cd to /usr/sbin/r1soft/jre/bin and chmod the java and keytool files to 755 to make them executable. But before we can use the ImportKey file, we need to build it, which you can do by running:

javac ImportKey.java

With that done, we can use the included java with r1soft to generate the keystore file, as follows:

./java ImportKey /root/examplekey.der /root/examplecert.der cdp

n.b. Despite the file being ImportKey.java, you need to run the command on just ImportKey, otherwise java will complain about not being able to load the class

This will have created a file in /root called keystore.ImportKey and we now need to change the passwords on the keystore since this is hardcoded to just password in r1soft (Yay, security!).

First run:

./keytool -storepasswd -keystore /root/keystore.ImportKey

When prompted for the keystore password, just put in importkey and when prompted for the new keystore password, set it to password. Then we need to change the key password too, which we do with:

./keytool -keypasswd -alias cdp -keystore /root/keystore.ImportKey 

On the first password prompt ('Enter keystore password:') enter the new keystore password, which should be password and on the second prompt ('Enter key password for <cdp>') put in importkey and then on the final prompt ('New key password for <cdp>:') enter password.

And with that you're basically done, you just need to replace the existing keystore with:

cp /root/keystore.ImportKey /usr/sbin/r1soft/conf/keystore

Then just restart the r1soft service (called cdp-server) and you'll be done.
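A pre-flight check for the PEM to DER conversion step earlier in the process, as an added example (not from the original post or from r1soft): it confirms the private key actually belongs to the certificate before writing the DER files that ImportKey consumes. The function names are hypothetical; the file names follow the article.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check and PEM -> DER conversion for the ImportKey step.
# File names follow the article; the function names are hypothetical.

# Succeeds only if the private key belongs to the first certificate in the file.
key_matches_cert() {
    local crt=$1 key=$2 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$crt" -inform PEM -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -inform PEM -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Writes examplekey.der and examplecert.der into outdir, or fails before writing.
prepare_der() {
    local crt=$1 key=$2 outdir=$3
    key_matches_cert "$crt" "$key" || {
        echo "key/cert mismatch or unreadable input" >&2
        return 1
    }
    (
        umask 077   # -nocrypt writes the private key unencrypted, so keep it owner-only
        openssl pkcs8 -topk8 -nocrypt -in "$key" -inform PEM \
            -out "$outdir/examplekey.der" -outform DER &&
        # openssl x509 reads only the first certificate in the file (the leaf)
        openssl x509 -in "$crt" -inform PEM \
            -out "$outdir/examplecert.der" -outform DER
    ) || return 1
    # Confirm both outputs parse as DER before handing them to ImportKey
    openssl pkcs8 -nocrypt -in "$outdir/examplekey.der" -inform DER >/dev/null &&
    openssl x509 -in "$outdir/examplecert.der" -inform DER -noout
}

# Usage: ./prepare_der.sh example.crt example.key /root
if [ "$#" -eq 3 ]; then prepare_der "$@"; fi
```

Because the keystore password is fixed, file permissions are the only protection for the key material, so remove the intermediate DER files from /root once the keystore is in place.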

Author: Bruce - Type: Fixes - Date: 24th Nov, 2017

