Having difficulty with https on ADS

duffy45 posted this 11 December 2020

I was doing testing as I wish to have both a Windows server and a Linux server for AMP, but I have run into trouble with https. I have set up a controller named amp-control and so far I've made a Linux target called amp-linux. I set up https on them by using my pfSense router as a CA and I've made crts using the pfSense CA. I added the crts to ADS using ampinstmgr convertcertificate, following this guide:

https://github.com/CubeCoders/AMP/wiki/Setting-up-secure-HTTP-with-AMP

I can access both by host name and IP address using https individually, but I can only add the target to the controller using the hostname or else it will error out with a trust issue. I have it set up on the controller to use the host name, but when I click on manage it shows this error in the console:

Failure to make API call to ADS01 (https://192.168.4.15:8080/) - retried 10 times : The SSL connection could not be established, see inner exception.
HttpRequestException
[0] (HttpRequestException) : The SSL connection could not be established, see inner exception.
at ADSModule.WebMethods.MakeInstanceRequest (m.Http.IHttpRequest request, String REQ_RAWJSON,        String requesturi) at ADSModule.WebMethods.Servers (m.Http.IHttpRequest request, String id, String REQ_RAWJSON)
AuthenticationException
[1] (AuthenticationException) : Authentication failed, see inner exception.
MonoBtlsException
[2] (MonoBtlsException) : Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /usr/src/mono/external/boringssl/ssl/handshake_client.c:1132
at Framework.Btls.FrameworkBtlsContext.ProcessHandshake () at Framework.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Framework.Net.Security.AsyncOperationStatus status, Boolean renegotiate) at (wrapper remoting-invoke-with-check) Framework.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Framework.Net.Security.AsyncOperationStatus,bool) at Framework.Net.Security.AsyncHandshakeRequest.Run (Framework.Net.Security.AsyncOperationStatus status) 

I am also able to create instances using the controller for the amp-linux target, so I'm not sure what the problem is. If anyone can give me any help I would be grateful. I have included a basic diagram of how the network is here: https://ibb.co/N2Q9T7C

Mike posted this 12 December 2020

If you issued the certificates from a local CA then AMP won't recognise them. You'd have to import the root certificate into the system certificate store and then run ampinstmgr --sync-certs to get AMP to trust them.

duffy45 posted this 12 December 2020

I didn't know about that command, but I have tried it and it still gives me that error even after both systems have been restarted. It could be because I was messing around when testing, so I'll remake the machines from scratch and try again.

*Edit, as for some reason I can't add another post to this:

I have recreated the machines and I've used ampinstmgr --sync-certs on both machines, but now I get this error and I'm not sure why it's using http instead of https this time round, as the target URL is using https. The IP change is due to recreating them, so it's not a typo, and the certs have been recreated also.

Failure to make API call to ADS01 (http://192.168.4.16:8080/) - retried 10 times : An error occurred while sending the request.
HttpRequestException
[0] (HttpRequestException) : An error occurred while sending the request.
at ADSModule.WebMethods.MakeInstanceRequest (m.Http.IHttpRequest request, String REQ_RAWJSON, String requesturi) at ADSModule.WebMethods.Servers (m.Http.IHttpRequest request, String id, String REQ_RAWJSON)
IOException
[1] (IOException) : The server returned an invalid or unrecognized response.
at Net.Http.HttpConnection.FillAsync () at Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync (Boolean foldedHeadersAllowed) 

I've also cleared cookies and data on amp-control and amp-linux and restarted both machines, just to make sure nothing was stuck and needed a restart.

Mike posted this 12 December 2020

Remove the target, then delete the target's ADSModule.kvp to re-run its setup, and re-add it to the controller.

duffy45 posted this 12 December 2020

I tried that but I'm still getting the same error as in my edit. Are there any settings in a file I could have missed, or is there a location where I could try manually changing its address to include https to see if it will work?

duffy45 posted this 15 December 2020

I was able to get amp-control to communicate with amp-linux using https by going into instances.json and turning the https option to true. It still fails and gives the same error as in the original post. To provide more information, I investigated using the following openssl command on amp-control:

openssl s_client -debug -connect amp-linux:8080

It returned

Verify return code: 0 (ok)

I then removed the CA from the machine and tried the command again, which gave:

Verify return code: 19 (self signed certificate in certificate chain)

So amp-control at the system level is recognising the local CA, but for some reason, even after issuing "ampinstmgr --sync-certs", AMP is not importing the root cert to trust it.

Mike posted this 16 December 2020

AMP won't accept self-signed certificates or self-signed chains. It must be issued by a trusted root CA (the subject cannot be equal to the issuer).

duffy45 posted this 16 December 2020

Wait, so you're saying the following statement is false and you can't import a root CA into AMP for it to trust it?

If you issued the certificates from a local CA then AMP won't recognise them. You'd have to import the root certificate into the system certificate store and then run ampinstmgr --sync-certs to get AMP to trust them.

I'm not sure if there's some confusion in the discussion, so I'll try and explain. pfSense is the CA, and the CA is called Ampca. I then created two server certificates signed by Ampca, called amp-control and amp-linux. I have added Ampca.crt to both of the systems' certificate stores so they recognise it as a valid CA, along with adding Ampca.crt to my own browser's list of trusted CAs so I don't get an error saying it's self-signed when I go and access the AMP web GUI. amp-control is using the cert amp-control and amp-linux is using the cert amp-linux. I get no errors trying to access the web GUIs, since on my end it's trusted because I've added Ampca as a trusted CA in my browser. So my next question is: is AMP not going to sync its own list of trusted CAs with the system's certificate store?

Mike posted this 18 December 2020

AMP only syncs against the primary system bundle (ca-bundle.crt or similar). So it's quite likely it might not trust a CA that isn't in the system's default store, as opposed to any other stores that you've imported into.

Supporting this setup neatly would possibly require extra work to make it nice and also need a security review.

duffy45 posted this 18 December 2020

I see. To my understanding, since the machines are Debian you just need to add your ca.crt to /usr/local/share/ca-certificates/ and run the command sudo update-ca-certificates, and this then adds the ca.crt to the system's bundled certs. So have I misunderstood adding a trusted CA to the whole Debian system?

Mike posted this 18 December 2020

I'm not entirely sure on that, I'm afraid. Basically AMP looks for the following files:

  • /etc/ssl/certs/ca-certificates.crt
  • /etc/pki/tls/certs/ca-bundle.crt
  • /var/lib/ca-certificates/ca-bundle.pem

And any of those that exist it syncs into its certificate store, adding/removing as needed. You can trigger this manually via ampinstmgr --sync-certs as the amp user.

My advice would be to try and connect using wget/curl as opposed to a browser (since they too use the main system bundle) to see what messages they give about whether or not they trust the certificate. If they do, then AMP should too.
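The two posts above (adding the CA via update-ca-certificates, and the list of bundle files AMP syncs from) both come down to one question: is the private root actually present, byte for byte, in the bundle file the application reads? The following is an added example, not part of this thread and not AMP's own code, that answers that question the way a practitioner would on the command line with `openssl x509 -fingerprint -sha256`: it splits a PEM bundle into its certificates, computes each one's SHA-256 fingerprint, and checks whether a given CA file's fingerprint appears in each of the bundle paths Mike listed. The bundle paths are taken from the thread; the sample PEM data at the bottom is constructed (PEM-framed placeholder bytes, not real X.509) so the matching logic can run offline.

```python
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional, Set

# Bundle locations named in the thread as the files AMP syncs its trust store from.
AMP_BUNDLE_CANDIDATES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/var/lib/ca-certificates/ca-bundle.pem",
]

# Matches one PEM CERTIFICATE block; the body may span many lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certs_to_der(pem_text: str) -> List[bytes]:
    """Split a PEM bundle into DER blobs, one per CERTIFICATE block."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase hex, the same form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_pem: str) -> Set[str]:
    """Fingerprints of every certificate in a bundle."""
    return {sha256_fingerprint(d) for d in pem_certs_to_der(bundle_pem)}


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True if the single CA certificate in ca_pem is present in the bundle."""
    ca_ders = pem_certs_to_der(ca_pem)
    if len(ca_ders) != 1:
        raise ValueError("expected exactly one certificate in the CA file")
    return sha256_fingerprint(ca_ders[0]) in bundle_fingerprints(bundle_pem)


def check_system_bundles(ca_path: str,
                         candidates: List[str] = AMP_BUNDLE_CANDIDATES) -> Dict[str, Optional[bool]]:
    """For each candidate bundle path: None if the file is absent, else whether the CA is in it."""
    with open(ca_path) as f:
        ca_pem = f.read()
    result: Dict[str, Optional[bool]] = {}
    for path in candidates:
        if not os.path.exists(path):
            result[path] = None
            continue
        with open(path) as f:
            result[path] = ca_in_bundle(ca_pem, f.read())
    return result


# Constructed sample data: NOT real X.509 certificates, only PEM-framed placeholder
# bytes so the fingerprint matching above can be exercised without touching the host.
def _fake_pem(payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_CA_PEM = _fake_pem(b"constructed Ampca root placeholder" * 3)
SAMPLE_BUNDLE_WITH_CA = _fake_pem(b"public root A") + SAMPLE_CA_PEM + _fake_pem(b"public root B")
SAMPLE_BUNDLE_WITHOUT_CA = _fake_pem(b"public root A") + _fake_pem(b"public root B")

if __name__ == "__main__":
    # On a real host you would call check_system_bundles("/usr/local/share/ca-certificates/Ampca.crt").
    print("CA present in bundle:", ca_in_bundle(SAMPLE_CA_PEM, SAMPLE_BUNDLE_WITH_CA))
    print("CA present in bundle:", ca_in_bundle(SAMPLE_CA_PEM, SAMPLE_BUNDLE_WITHOUT_CA))
```

A `None` for all three paths means the application has nothing to sync from on that distribution; a `False` on the path that does exist means update-ca-certificates (or its equivalent) never wrote the root into that bundle, which is the state to rule out before looking at the application's own store.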

duffy45 posted this 18 December 2020

I have confirmed that the CA has been added to the /etc/ssl/certs/ca-certificates.crt file on both machines, but I'm still getting the same error as in the original post even after issuing ampinstmgr --sync-certs, so I don't know what the issue is. curl worked fine connecting to AMP on https://amp-linux:8080.
