SSL config with drumsergio/genieacs

I’m not understanding the documentation well, or the documentation for the docker image assumes I know more than I do.

I discovered that config.json doesn’t exist for the docker image, that it’s in the genieacs.env files.

I’m trying to enable SSL, and have set:
CWMP_SSL_CERT=/opt/genieacs/cert.crt
CWMP_SSL_KEY=/opt/genieacs/key.key

in the genieacs.env files, but SSL is not working and I see nothing in the logs to tell me why.

Can someone provide an example genieacs.env with working SSL for me to compare?

Thanks!

Hi,

All GenieACS environment variables must be prefixed with GENIEACS_ . Please try with:
GENIEACS_CWMP_SSL_CERT=/opt/genieacs/cert.crt
GENIEACS_CWMP_SSL_KEY=/opt/genieacs/key.key

I have done the installation from the source code of genieacs 1.2 with nodejs 12 and modified the genieacs.env file as above to use SSL but it doesn’t work (without SSL lines all work fine):
[ERROR] Worked died
[ERROR] uncaught exception

Could it be from the nodejs version?
Any suggestions for help?

Thank you in advance


Hi, hello, I have the same problem as you; have you solved it?
I used your configuration.
After restarting the genieacs server, /usr/bin/genieacs-cwmp is lost;
genieacs-cwmp cannot run,
because in the environment variables I only configured the SSL parameters of genieacs-cwmp:
GENIEACS_CWMP_SSL_CERT=/opt/genieacs/cert.crt
GENIEACS_CWMP_SSL_KEY=/opt/genieacs/key.key
When I remove GENIEACS_CWMP_SSL_CERT / GENIEACS_CWMP_SSL_KEY,
genieacs-cwmp can start normally.
Can anyone help me check it?
Nothing can be seen in the genieacs log; use journalctl -e to check:

thank you very much.

Hi,

Did you generate your key using a passphrase? If yes, please try to regenerate it without.


Hi, lavira,
First of all, thanks for your reply.
Secondly, I did not use openssl to generate a password, and used my own certificate and secret key.
Is there any problem?
What are the correct configuration and steps for SSL connection requests?
Are there any detailed instructions or documentation?

The error you received seems to be related to an invalid key … just to make sure your key is not encrypted, please run:
openssl rsa -in /opt/genieacs/key.key -out /opt/genieacs/unencryptedKey.key

and after that check if the certificate and key match:

openssl x509 -noout -modulus -in /opt/genieacs/cert.crt | openssl md5
openssl rsa -noout -modulus -in /opt/genieacs/unencryptedKey.key | openssl md5

The hashed values from each command should be equal … If all is ok, replace the key in the env file and restart the process and see if it works.
GENIEACS_CWMP_SSL_KEY=/opt/genieacs/unencryptedKey.key

All that is needed to enable SSL is to generate a certificate and assign these variables, CWMP_SSL_CERT and CWMP_SSL_KEY?

What about installing nginx and then adding all its configs that were mentioned in some other discussions. Is this required for genieacs 1.2?

Currently I have genieacs 1.2 installed and running using this procedure http://docs.genieacs.com/en/latest/installation-guide.html.

Would like to change the ACS URL from http://a.b.c.d:7547 to https://genieacs-1.acme.com/CPEMgt and the console from http://a.b.c.d:3000 to https://genieacs-1.acme.com. So I would need two certificates?

I never tried this, but multi domain certificates seem to be a thing!

You can get a wildcard cert, it would be good for *.acme.com

Does it really work for anyone by just adding the following lines into the “genieacs.env”?

I generated the CRT and KEY (self-certified, by openssl) and it does NOT work at all; is there anyone for whom it actually works without any issue??

It works perfectly fine without any issues. Did you restart the CWMP process? Are the _CERT and _KEY entries pointing to valid files?

Hi akcoder
Thank you for your reply.

Yes, I restarted CWMP. Do the CRT and key files necessarily have to be certified by a trusted certification authority?

Added more:
I generated the CRT and KEY again, self-certified, and I still see the error when applying “systemctl status genieacs-ui.service”, which I changed to the ACS’s UI instead of CWMP.

Here is how I generated the SSL certificate:

$ openssl genrsa -aes256 -passout pass:gsahdg -out server.pass.key 4096
$ openssl rsa -passin pass:gsahdg -in server.pass.key -out server.key
$ rm server.pass.key
$ openssl req -new -key server.key -out server.csr
(no challenge password)
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

Here is how the genieacs.env file has been set up.

Here is the result when applying the command “systemctl status genieacs-ui.service”:

Thank you.

Mason

Hi akcoder

I am sorry, my bad: the CRT and KEY files were generated by root and GenieACS was not able to access them; after changing the permissions it works.

Thank you,

Mason
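As an added example (not GenieACS's own code, nor an official validator), a small Python checker that applies the three diagnostics this thread arrived at to a genieacs.env: the GENIEACS_ prefix from the first reply, lavira's passphrase-protected key check (done here by looking for the ENCRYPTED PEM header rather than by running openssl rsa), and Mason's root-owned-file problem, evaluated from the mode bits for the uid/gid the service runs as. The fixture files, the variable pattern beyond GENIEACS_CWMP_SSL_CERT/KEY and the service uid are constructed assumptions; demo() checks the same env file once as an unrelated service uid and once as the file owner.

```python
import os
import re
import tempfile

SSL_VAR = re.compile(r"^(GENIEACS_)?[A-Z]+_SSL_(CERT|KEY)$")  # prefix optional so we can flag it

def readable_by(path, uid, gid):
    """Read permission for uid/gid, decided from owner/group/other mode bits."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & 0o400)
    if st.st_gid == gid:
        return bool(st.st_mode & 0o040)
    return bool(st.st_mode & 0o004)

def check_env(text, uid, gid):
    """Return (variable, problem) findings for genieacs.env content."""
    findings = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        m = SSL_VAR.match(name)
        if not m:
            continue
        if not m.group(1):  # CWMP_SSL_CERT without the prefix is silently ignored
            findings.append((name, "missing GENIEACS_ prefix; variable is ignored"))
        elif not os.path.isfile(value):
            findings.append((name, "file not found: " + value))
        elif not readable_by(value, uid, gid):
            findings.append((name, "not readable by uid %d" % uid))
        elif m.group(2) == "KEY":  # passphrase-protected PEM keys carry an ENCRYPTED header
            with open(value, "rb") as f:
                if b"ENCRYPTED" in f.read(4096):
                    findings.append((name, "key is passphrase-protected; strip with openssl rsa"))
    return findings

def demo():
    """Constructed fixture: world-readable cert, 0600 encrypted key owned by us, one unprefixed variable."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "cert.crt"), os.path.join(d, "key.key")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    os.chmod(cert, 0o644)
    with open(key, "w") as f:
        f.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nconstructed\n-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    env = "CWMP_SSL_CERT=%s\nGENIEACS_CWMP_SSL_CERT=%s\nGENIEACS_CWMP_SSL_KEY=%s\n" % (cert, cert, key)
    return {"as_other_user": check_env(env, os.getuid() + 1000, os.getgid() + 1000),
            "as_owner": check_env(env, os.getuid(), os.getgid())}
```

Run on a real installation with the uid/gid from `id genieacs`; the permission check only reads mode bits, so it reports what the service account would hit without switching users.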