Manage Instances via SSL not working

  • Last Post 31 May 2021
Rac00n posted this 25 May 2021

Good morning,

OS Name/Version: Debian GNU/Linux 10 (buster)

Product Name/Version: AMP Release "Ganymede" v2.1.1.4, built 07/05/2021 19:00

Problem Description: Whenever I try to manage an instance created via the web panel of ADS, I get the following error: Login server unreachable. Verify that the auth server URL in this instances config file is valid. This is the 'Login.AuthServerURL' line in AMPConfig.conf for this instance.

Actions taken to resolve so far: Within the log file of the instance I'd like to start I see the following errors:

[09:30:59] [Core Info]            : Checking for AMP updates...
[09:31:00] [Core Info]            : AMP is up-to-date.
[09:32:29] [RemoteAMPAuth:Anonymous Activity] : Authentication attempt for user Admin from
[09:32:29] [Core:Anonymous Error] : HttpRequestException
[09:32:29] [Core:Anonymous Error] : [0] (HttpRequestException) : The SSL connection could not be established, see inner exception.
[09:32:29] [Core:Anonymous Error] :   at AMPAPI.RemoteInstance.GetResponseDynamic (String Module, String Method, Object Parameters)
  at AMPAPI.RemoteInstance+API_Core.Login (String username, String password, String token, Boolean rememberMe)
  at GSMyAdmin.Authentication.RemoteAMPAuth.Authenticate (m.Http.IHttpRequest Request, String Username, String Password, String Token, Boolean TokenRequested, Collections.Generic.List`1[String]& Permissions, String& NewToken, GSMyAdmin.Authentication.UserInfoSummary& UserInfo, String& Reason)
[09:32:29] [Core:Anonymous Error] : AuthenticationException
[09:32:29] [Core:Anonymous Error] : [1] (AuthenticationException) : Authentication failed, see inner exception.
[09:32:29] [Core:Anonymous Error] : MonoBtlsException
[09:32:29] [Core:Anonymous Error] : [2] (MonoBtlsException) : Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /usr/src/mono/external/boringssl/ssl/handshake_client.c:1132
[09:32:29] [Core:Anonymous Error] :   at Framework.Btls.FrameworkBtlsContext.ProcessHandshake ()
  at Framework.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Framework.Net.Security.AsyncOperationStatus status, Boolean renegotiate)
  at (wrapper remoting-invoke-with-check) Framework.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Framework.Net.Security.AsyncOperationStatus,bool)
  at Framework.Net.Security.AsyncHandshakeRequest.Run (Framework.Net.Security.AsyncOperationStatus status)
[09:37:22] [Core Notice]          : AMP shutdown requested.
[09:37:22] [Core Notice]          : Stopping Application...
[09:37:22] [Core Notice]          : Stopping Web Server...
[09:37:22] [WebServer Info]       : Web server shutdown.
[09:37:22] [Core Notice]          : Goodbye!

The ADS01 instance is set to SSL and running fine. For the instance I'd like to start, the Login.AuthServerURL is set to https and the corresponding port.

I also tried (unsuccessfully) the several solutions provided in this forum as for example:

ampinstmgr stopall
ampinstmgr --sync-certs
ampinstmgr startall

Any help would be appreciated :)

P.S. I started out with one of the first versions of AMP, which did not have the Debian repository, so it's still installed manually and also updated manually.

Mike posted this 25 May 2021

Who is the certificate authority?

Also, ideally you should migrate to the current way of doing things. It's fairly easy to do: you simply back up the entire ~/.ampdata directory and move it after running GetAMP. Lots of features require this to work properly.

Rac00n posted this 25 May 2021

Hi Mike - the certificate was created by letsencrypt.

Thanks for the information. I'll go for it and give this solution a try - also in terms of the SSL problem, or do you think there might be something wrong on another end?

Mike posted this 25 May 2021

What it's saying is that it doesn't trust the certificate. It's hard to say why exactly. Is that instance running inside docker?

Rac00n posted this 25 May 2021

Yeah I was searching the net myself before posting for a possible solution, but all it came up with was the "cert-sync" command.

Nope - no docker.

Mike posted this 25 May 2021

I think you're just running into issues with AMP not knowing where things are because it's expecting the modern install method.

Rac00n posted this 25 May 2021

Many thanks - tomorrow I'll make a move as you instructed above. Afterwards I'll check the SSL issue again and see what happens :)

Rac00n posted this 31 May 2021

Hi Mike - just for your information, I found the solution to the problem.

Since you are creating a pfx from the .pem files of letsencrypt, you need to add the chain.pem with cert-sync. For example:

cert-sync /etc/letsencrypt/archive/<your domain>/chain<xy>.pem
cert-sync --user /etc/letsencrypt/archive/<your domain>/chain<xy>.pem

This way the certificates will be added to mono.
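
An added illustration of the fix in the last post (not code from the thread or from AMP): it assumes the CERTIFICATE_VERIFY_FAILED error came from a trust store that lacked the intermediate which issued the leaf certificate. The script builds a constructed root, intermediate and leaf with openssl and shows verification failing until the intermediate is in the store; `make_chain`, `leaf_trusted`, `demo` and the demo-* subjects are names made up for this example.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf). Nothing here touches the real
# Let's Encrypt files or the Mono store; file names only mirror cert.pem / chain.pem.

make_chain() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    # Root: self-signed, stands in for a CA the client already trusts
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem 2>/dev/null || exit 1
    # Intermediate: plays the role of chain.pem
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out chain.pem 2>/dev/null || exit 1
    # Leaf: plays the role of cert.pem, issued by the intermediate
    openssl x509 -req -in leaf.csr -CA chain.pem -CAkey int.key -CAcreateserial \
      -days 2 -out cert.pem 2>/dev/null || exit 1
  )
}

leaf_trusted() {  # $1 = trust store (PEM bundle), $2 = leaf certificate
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  d=$(mktemp -d) || return 1
  make_chain "$d" || return 1
  if leaf_trusted "$d/root.pem" "$d/cert.pem"; then
    echo "root only: leaf verifies"
  else
    echo "root only: verification fails (issuer of the leaf is unknown)"
  fi
  # Models importing chain.pem into the trust store
  cat "$d/root.pem" "$d/chain.pem" > "$d/store.pem"
  if leaf_trusted "$d/store.pem" "$d/cert.pem"; then
    echo "root + chain.pem: leaf verifies"
  fi
  rm -rf "$d"
}
demo
```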