Configuring https with self signed certificate

Hi,

I am using SCM Manager v2.38.1.
To have https access, I followed instructions here https://scm-manager.org/docs/2.38.x/en/administration/scm-server/

My server-config.xml file is as follows (password masked):

<?xml version="1.0" encoding="UTF-8"?>
<!--
    MIT License

    Copyright (c) 2020-present Cloudogu GmbH and Contributors

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.
-->

<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id="ScmServer" class="org.eclipse.jetty.server.Server">

  <!--
    This default configuration should match 90% of the use cases,
    if you have to change something ensure you know what you are doing.

    For further information on configuration scm-server have a look at:
    https://scm-manager.org/docs/2.38.x/en/administration/scm-server/
  -->

  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <!-- increase header size for mercurial -->
    <Set name="requestHeaderSize">16384</Set>
    <Set name="responseHeaderSize">16384</Set>

    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
    </Call>
  </New>

  <!--
  Connectors
  -->
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server">
          <Ref refid="ScmServer" />
        </Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config">
                  <Ref refid="httpConfig" />
                </Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host">
          <SystemProperty name="jetty.host" default="0.0.0.0" />
        </Set>
        <Set name="port">
          <SystemProperty name="jetty.port" default="8080" />
        </Set>
      </New>
    </Arg>
  </Call>

  <New id="scm-webapp" class="org.eclipse.jetty.webapp.WebAppContext">
    <Set name="contextPath">/scm</Set>
    <Set name="war">
      <SystemProperty name="basedir" default="."/>/var/webapp/scm-webapp.war
    </Set>
    <!-- disable directory listings -->
    <Call name="setInitParameter">
      <Arg>org.eclipse.jetty.servlet.Default.dirAllowed</Arg>
      <Arg>false</Arg>
    </Call>
    <Set name="tempDirectory">/var/cache/scm/work/webapp</Set>
  </New>

  <New id="docroot" class="org.eclipse.jetty.webapp.WebAppContext">
    <Set name="contextPath">/</Set>
    <Set name="baseResource">
      <New class="org.eclipse.jetty.util.resource.ResourceCollection">
        <Arg>
          <Array type="java.lang.String">
            <Item>
              <SystemProperty name="basedir" default="."/>/var/webapp/docroot</Item>
          </Array>
        </Arg>
      </New>
    </Set>
    <Set name="tempDirectory">/var/cache/scm/work/work/docroot</Set>
  </New>

  <Set name="handler">
    <New class="org.eclipse.jetty.server.handler.HandlerCollection">
      <Set name="handlers">
        <Array type="org.eclipse.jetty.server.Handler">
          <Item>
            <Ref id="scm-webapp" />
          </Item>
          <Item>
            <Ref id="docroot" />
          </Item>
        </Array>
      </Set>
    </New>
  </Set>

<!-- ssl configuration start -->

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <!--
    path to your keystore, it can be a java keystore or in the pkcs12 format
  -->
  <Set name="KeyStorePath">
    <SystemProperty name="basedir" default="."/>/config/keystore.pkcs12
  </Set>
  <!--
    use pkcs12 or jks for java keystore
  -->
  <Set name="KeyStoreType">PKCS12</Set>
  <!--
    the password of you keystore
  -->
  <Set name="KeyStorePassword">xxx</Set>

  <!--
    For a more up to date list of ciphers and protocols, have a look at the mozilla ssl configurator:
    https://ssl-config.mozilla.org/#server=jetty&version=9.4.28&config=intermediate&guideline=5.4
  -->

  <!-- TLS 1.3 requires Java 11 or higher -->
  <Set name="IncludeProtocols">
    <Array type="String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
    </Array>
  </Set>

  <Set name="IncludeCipherSuites">
    <Array type="String">
      <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
      <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
      <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
      <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
      <Item>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</Item>
      <Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    </Array>
  </Set>

  <Set name="useCipherSuitesOrder">
    <Property name="jetty.sslContext.useCipherSuitesOrder" default="false" />
  </Set>
</New>

<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg>
    <Ref refid="httpConfig"/>
  </Arg>
  <Call name="addCustomizer">
    <Arg>
      <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
        <Arg name="sniRequired" type="boolean"><Property name="jetty.ssl.sniRequired" default="false"/></Arg>
        <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
        <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
        <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
      </New>
    </Arg>
  </Call>
</New>

<Call name="addConnector">
  <Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server">
        <Ref refid="ScmServer" />
      </Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory">
                <Ref refid="sslContextFactory"/>
              </Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config">
                <Ref refid="sslHttpConfig" />
              </Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <!--
        Address to listen 0.0.0.0 means on every interface
      -->
      <Set name="host">
        <SystemProperty name="jetty.host" default="0.0.0.0" />
      </Set>
      <!--
        Port for the https connector
      -->
      <Set name="port">
        <Property name="jetty.ssl.port" default="8443" />
      </Set>
    </New>
  </Arg>
</Call>

<!-- ssl configuration end -->
</Configure>

I can establish a connection to http:8080 but not to https:8443

Since there is no “conf” directory, I tried KeyStorePath with both “conf/keystore.pkcs12” and “/config/keystore.pkcs12”. Neither worked for me.

I checked the log file but could not see anything related to port 8080 or 8443, or to a certificate not being activated, etc.

I am sure that my keystore.pkcs12 password is correct. I am sure that the keystore.pkcs12 file is readable by SCM Manager (owner and group of the file are set to scm). I am sure that port 8443 is not used and is available. I am using a customized directory for SCM Manager (this can be seen from the command output below).

I also increased the log detail to DEBUG. I only get the line below when I “grep” it for “http”:

root@omv:/srv/dev-disk-by-path-pci-0000-03-00.0-scsi-0-0-1-0-part1/scm/config# cat /var/log/scm/scm-manager.log |grep http
2022-08-14 16:15:23.632 [main] [          ] DEBUG sonia.scm.plugin.ExtensionBinder - create multibinder for javax.servlet.http.HttpSessionListener
root@omv:/srv/dev-disk-by-path-pci-0000-03-00.0-scsi-0-0-1-0-part1/scm/config#

I could not see any error message or bind port numbers in that detailed log file.

In short, I could not make SCM work over HTTPS.

Any help is appreciated.

Thanks & Regards,
Ertan

Hey @ertank,

A first wild guess, without trying your setup out:

Is your SCM Manager home directory on a different network drive than the server? Did you try to place the keystore file next to your server-config.xml? In my case the path is /opt/scm-server/conf/.

What kind of error did you get? Is the port not open at all?

Regards, Eduard

Hi, @eheimbuch,

SCM home directory is on another drive on the same system. It is not on a separate network.

I did not. Actually, I thought the “basedir” mentioned in the XML config meant the “home directory”. I will try that and write back here.

There is no error I could observe in the logs. It does not seem to bind to port 8443 at all. The browser side gets a timeout error.

Thanks.

This did not work for me. My system is Debian 10. I placed it in /etc/scm/conf/ and it is still the same. No error in the log files as far as I can tell. Browser timeout for port 8443. No problem accessing port 8080.

The directory content where the keystore file is located is as follows:

root@omv:/etc/scm/conf# ls -la
total 12
drwxr-xr-x 2 root scm 4096 Aug 15 10:09 .
drwxr-xr-x 3 root scm 4096 Aug 15 10:09 ..
-rw------- 1 scm  scm 2589 Aug 15 10:09 keystore.pkcs12
root@omv:/etc/scm/conf#

The relevant part of the config file points to “conf”, as can be seen below:

  <Set name="KeyStorePath">
    <SystemProperty name="basedir" default="."/>/conf/keystore.pkcs12
  </Set>

I am not sure which part of the log file to look at to understand whether SCM Manager recognizes that there is an SSL configuration and is working on it. There is a lot of log output at DEBUG level.

Thanks & Regards,
Ertan
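The thread so far mixes two separate questions: whether the keystore file actually resolves to a readable file at the path Jetty builds from basedir plus the suffix in KeyStorePath, and whether anything is listening on port 8443 at all (a browser timeout, rather than a certificate warning, points at the second). The script below is an added diagnostic, not part of this thread and not an SCM-Manager tool, that checks both sides independently. The basedir (/opt/scm-server, as mentioned above), the keystore suffix, host and port are assumptions passed in by hand; the keystore format check is a constructed first-bytes heuristic, not a parser.

```python
"""Added diagnostic for an SCM-Manager/Jetty HTTPS connector that never answers.

Two independent checks so the symptom can be narrowed down:
  1. does the keystore resolve to a readable file at the path Jetty will build
     from basedir + the suffix given in <Set name="KeyStorePath">?
  2. is anything listening on the HTTPS port, and does it complete a TLS handshake?
Assumed inputs: basedir, keystore suffix, host and port are all supplied by hand.
"""
import os
import socket
import ssl
import sys


def resolve_keystore_path(basedir: str, suffix: str) -> str:
    """Mirror the Jetty XML concatenation
    <SystemProperty name="basedir" default="."/>/conf/keystore.pkcs12
    (suffix appended verbatim, a doubled slash collapsed)."""
    return basedir.rstrip("/") + suffix


def keystore_format(head: bytes) -> str:
    """Classify a keystore by its leading bytes (heuristic, not a parser).
    PKCS#12 is a DER SEQUENCE and starts with 0x30; JKS starts with magic 0xFEEDFEED."""
    if head[:1] == b"\x30":
        return "pkcs12-or-der"
    if head[:4] == b"\xfe\xed\xfe\xed":
        return "jks"
    return "unknown-format"


def keystore_status(path: str) -> str:
    """'missing', 'unreadable', or the format guess from keystore_format()."""
    if not os.path.isfile(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"  # e.g. mode 0600 owned by a user other than the one running scm-server
    with open(path, "rb") as fh:
        return keystore_format(fh.read(4))


def probe_tls(host: str, port: int, timeout: float = 3.0) -> dict:
    """Distinguish 'nothing listening' from 'listening but not TLS' from 'TLS works'."""
    result = {"tcp": None, "tls": None, "protocol": None, "cipher": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (ConnectionRefusedError, socket.timeout):
        result["tcp"] = "closed"       # connector not bound: matches a browser timeout on 8443
        return result
    except OSError:
        result["tcp"] = "unreachable"  # no route, name resolution failure, ...
        return result
    result["tcp"] = "open"

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE    # diagnostic only: show what a self-signed server presents, do not trust it
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # handshake happens here
            result["tls"] = "ok"
            result["protocol"] = tls.version()
            result["cipher"] = tls.cipher()[0]
    except ssl.SSLError:
        result["tls"] = "handshake-failed"  # typical for a plain-HTTP port answering a ClientHello
    except OSError:
        result["tls"] = "no-answer"         # accepted the TCP connection but never sent a ServerHello
    finally:
        sock.close()
    return result


def closed_local_port() -> int:
    """Reserve and release an ephemeral port so it is known to be closed right now."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_plain_listener(timeout: float = 1.0) -> dict:
    """Run probe_tls() against a throw-away TCP listener that never speaks TLS
    (roughly what the plain-HTTP port 8080 looks like to a TLS client)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe_tls("127.0.0.1", srv.getsockname()[1], timeout)


if __name__ == "__main__":
    basedir = sys.argv[1] if len(sys.argv) > 1 else "/opt/scm-server"  # assumption: adjust to your install
    host = sys.argv[2] if len(sys.argv) > 2 else "localhost"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 8443
    path = resolve_keystore_path(basedir, "/conf/keystore.pkcs12")
    print(f"keystore {path}: {keystore_status(path)}")
    print(f"https {host}:{port}: {probe_tls(host, port)}")
```

Run it as the same user that runs scm-server so the readability check reflects the 0600 file mode shown in the listing. A result of `tcp: closed` on 8443 while 8080 reports `tcp: open, tls: handshake-failed` confirms the SSL connector was never bound, which is a server-side startup problem rather than a certificate problem.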

Hi @ertank,

Since we had a lot of tickets and conversations in the past 30 days, I would like to know if this issue is still open on your side.
On our side everything is working as expected. A deeper investigation is only available with a support agreement.
I would leave this open for another 14 days. Maybe someone from our community has an idea.

Best,
Christoph

Hello,

Thank you for the follow up.

I just gave up on trying to add HTTPS support and set up a firewall in order to allow only specific IP numbers to access SCM-Manager.

Once I have time, I will check it out again in the future.

Regards,
Ertan