Fumbling through SSL


I don't know that I've ever struggled this much to understand SSL and install it properly for a product, but there is a first time for everything. Maybe I'm overcomplicating it.
I've gone through several demos and tutorials on creating a Self-Signed SSL certificate and importing it into IIS but I can't seem to get that working properly.
From the IIS server I've used:

# Create a self-signed RSA certificate in the machine store with an exportable key
New-SelfSignedCertificate `
    -FriendlyName '<certificateName>' `
    -DnsName "<waykname>.<my>.<domain>.<name>" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(2) `
    -KeyExportPolicy 'Exportable'


When starting/restarting Wayk, this warning appears: WARNING: HTTPS is not configured for external access, peer-to-peer sessions will be disabled
Which I understand, since Get-WaykBastionConfig shows -ExternalURL and -ListenerURL without HTTPS.
Corrected(?) by doing:
Set-WaykBastionConfig -ExternalURL https://<waykname>.<my>.<domain>.<name> -ListenerURL https://localhost:4000
( -Realm is <my>.<domain>.<name> )

Restart Wayk, Restart IIS
Export the key to a file for use as PFX
Attempt to import the key

Import-WaykBastionCertificate -CertificateFile '<mypath>\<myfile>.pfx' -password <password>
ConvertFrom-RsaPrivateKey : Cannot bind argument to parameter 'Rsa' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\WaykBastion\2021.1.6\Private\CertificateHelper.ps1:149 char:62
+ ...         $PrivateKey = ConvertFrom-RsaPrivateKey -Rsa $cert.PrivateKey
+                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [ConvertFrom-RsaPrivateKey], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,ConvertFrom-RsaPrivateKey

WARNING: The certificate chain includes only one certificate (leaf certificate).
WARNING: The complete chain should also include the intermediate CA certificate.

I stumbled across this article from another help thread:
https://blog.devolutions.net/2021/03/how-to-configure-secure-ldap-ldaps-in-active-directory-with-lets-encrypt
but I'm so turned around right now it's not making any sense... I know I can skip past creating a domain etc. since I obviously have one.

Thank you

All Comments (5)


Hello,

Self-signed certificates are not supported by Wayk Bastion, you need a full chain certificate. If you want an example with Let's Encrypt, you can refer to https://docs.devolutions.net/wayk/bastion/getting-started-acme.html

Once imported, if you do not have a reverse proxy in front of your Wayk Bastion, you would need to set the ListenerURL to use port 443 and then restart Wayk Bastion.

Set-WaykBastionConfig -ExternalURL https://<waykname>.<my>.<domain>.<name> -ListenerURL https://localhost
Restart-WaykBastion


Best regards,

Richard Boisvert
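As an added example (not code from the thread or from Devolutions), here is a PowerShell check to run against the PFX before calling Import-WaykBastionCertificate. It uses Get-PfxData from the PKI module (the same module that provides New-SelfSignedCertificate) and reports the conditions the two warnings above describe, a self-signed leaf and a missing intermediate, plus whether the leaf's private key resolves through the same $cert.PrivateKey property that CertificateHelper.ps1:149 reads. The path, password and host are placeholders.

```powershell
# Added example, not code from the thread or from Devolutions: inspect a PFX before handing it
# to Import-WaykBastionCertificate. Uses Get-PfxData from the PKI module (the module that also
# provides New-SelfSignedCertificate). Path, password and host below are placeholders.
$PfxPath      = '<mypath>\<myfile>.pfx'
$ExternalHost = '<waykname>.<my>.<domain>.<name>'   # host part of -ExternalURL
$Password     = Read-Host -Prompt 'PFX password' -AsSecureString

$Pfx           = Get-PfxData -FilePath $PfxPath -Password $Password
$Leaf          = $Pfx.EndEntityCertificates[0]
$Intermediates = @($Pfx.OtherCertificates)
$Findings      = @()

# 1. Self-signed means Subject equals Issuer; the reply above says Bastion does not accept these.
if ($Leaf.Subject -eq $Leaf.Issuer) {
    $Findings += 'Leaf is self-signed (Subject equals Issuer).'
}

# 2. "The certificate chain includes only one certificate" means nothing is bundled beside the leaf.
if ($Intermediates.Count -eq 0) {
    $Findings += 'No intermediate CA certificate in the PFX; re-export with the chain included.'
} elseif (-not ($Intermediates | Where-Object { $_.Subject -eq $Leaf.Issuer })) {
    $Findings += "No bundled certificate has Subject '$($Leaf.Issuer)', the leaf's issuer."
}

# 3. CertificateHelper.ps1:149 reads $cert.PrivateKey; check that it resolves on this leaf.
if (-not $Leaf.HasPrivateKey) {
    $Findings += 'Leaf has no private key attached.'
} else {
    try {
        if ($null -eq $Leaf.PrivateKey) { $Findings += 'Leaf.PrivateKey is null (key not readable through the legacy property).' }
    } catch {
        $Findings += "Leaf.PrivateKey threw: $($_.Exception.Message)"
    }
}

# 4. The SAN must cover the ExternalURL host, or browsers will reject the external listener.
if ($Leaf.DnsNameList.Unicode -notcontains $ExternalHost) {
    $Findings += "SAN list ($($Leaf.DnsNameList.Unicode -join ', ')) does not include $ExternalHost."
}

# 5. Build the chain with the bundled intermediates as extra input (no revocation lookups).
$Chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$Chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($c in $Intermediates) { [void]$Chain.ChainPolicy.ExtraStore.Add($c) }
if (-not $Chain.Build($Leaf)) {
    $Findings += 'Chain build failed: ' + (($Chain.ChainStatus.StatusInformation | ForEach-Object { $_.Trim() }) -join '; ')
}

if ($Findings.Count -eq 0) { 'PFX looks importable: leaf plus intermediate(s), private key present, SAN matches.' }
else { $Findings | ForEach-Object { "FAIL: $_" } }
```

The chain build in step 5 also consults the local machine's trust stores, so a leaf whose root is not trusted on the IIS host is reported as a failure even when the PFX itself is complete.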


./facepalm

Well, getting closer. https:// results in a 404 with the Wayk favicon appearing; localhost:4000 resolves.


OK, certs in the right place as well as A records and server names.
Still kept ending up with a 404 going to https://<site>.<domain>.<name>

docker: Error response from daemon: failed to create endpoint den-traefik on network den-network: failed during hnsCallRawResponse: hnsCall failed in Win32: The process cannot access the file because it is being used by another process. (0x20).
Error starting den-traefik
At C:\Program Files\WindowsPowerShell\Modules\WaykBastion\2021.1.6\Public\WaykBastionService.ps1:678 char:9
+         throw "Error starting $($Service.ContainerName)"
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Error starting den-traefik:String) [], RuntimeException
    + FullyQualifiedErrorId : Error starting den-traefik


Caused by the ListenerURL being set to :443 - as soon as it was back to :4000 this ceased.

Was seeing the untrusted cert for den-traefik; resolved by performing the Import-WaykBastionCertificate command.

Restarted Wayk, restarted IIS (iisreset /restart)

https://<site>.<domain>.<name> = 404
Page source is just the 404 message
https://<site>.<domain>.<name>:4000 = redirect to https://<site>.<domain>.<name>:4000/web and presents a blank page.
Page source shows -> <wayk-root ... etc>
https://<site>.<domain>.<name>:4000/lucid gets me to the login screen; after login redirected to https://<site>.<domain>.<name>:4000/lucid/auth/signin and a 500 Error.
Deleting cache will get you back through this process until it dead ends again at 500 Error.

https://localhost:4000 authenticates and works just fine as wayk-admin

Realm: <domain>.<name>
ListenerURL: https://localhost:4000
ExternalURL: https://<site>.<domain>.<name>

Testing in FF we can get to:
https://<site>.<domain>.<name>:4000/lucid/auth/authenticate?authn_code=<random> after login with wayk-admin and a black screen with nothing in it.

At a loss here for what next. Any advice would be greatly appreciated.
Thank you,
ZM


Hello,

Sadly, it was announced yesterday that Wayk Bastion will be phased out, you can read our blog post for more information: https://blog.devolutions.net/2021/07/wayk-is-dead-long-live-wayk

We apologize for the inconvenience.

Best regards,

Richard Boisvert


That is very disappointing. It promised to be a cost effective solution vs Kaseya.