I'll try to number the steps I've done so they are easier to refer to...
1. Obtained a wildcard certificate from a CA and installed into IIS7 using a CSR I generated in IIS7.
2. Used the Windows server certificate tool to export the public and private key which prompted me to generate a password for the pair.
3. Used openssl to convert the public/private key to the x509 format.
4. Used: 'keytool -keystore keystore -import -alias jetty -file my_cert.crt -trustcacerts' to import the certificate into Jetty (executed in C:\Program Files\Mingle\jre\bin).
! This also asked for a password and confirmation, so I entered the same info as step 2. This gave me a keystore file in the same folder, and gave me a message it was successfully entered into the store !
5. Added the following lines in jetty.xml:
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">443</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystore"><SystemProperty name="jetty.home" default="." />/jre/bin/keystore</Set>
      <Set name="password">mypassword</Set>
      <Set name="keyPassword">mypassword</Set>
      <Set name="truststore"><SystemProperty name="jetty.home" default="." />/jre/bin/keystore</Set>
      <Set name="trustPassword">mypassword</Set>
    </New>
  </Arg>
</Call>
There are three password fields... password, keyPassword, trustPassword, so I entered the same certificate password I used for step 2. and step 4. above in all three fields. What am I missing?
6. Since we run Mingle on a specific IP (sub-domain/port 80), separate from IIS, I also specify the specific IP in the jetty.xml file in an additional addConnector section:
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.nio.SelectChannelConnector">
      <Set name="port"><SystemProperty name="mingle.port" default="80"/></Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">1</Set>
      <Set name="Host">***.***.***.***</Set>
      <Set name="statsOn">false</Set>
      <Set name="lowResourcesConnections">1000</Set>
      <Set name="lowResourcesMaxIdleTime">500</Set>
      <Set name="headerBufferSize">16384</Set>
    </New>
  </Arg>
</Call>
When I have both these addConnector calls in the jetty.xml, I get the following in the log file:
[2009-06-09 07:15:25,399] [Thread-0] [org.mortbay.log] Started SelectChannelConnector@***.***.***.***:80
[2009-06-09 07:15:25,436] [Thread-0] [org.mortbay.log] Started SslSocketConnector@0.0.0.0:443
But... when I try either http and https with both these addConnector statements in the jetty.xml file, it just reels and reels, never connecting to Mingle. If I remove the SslSocketConnector connector, it works fine again.
Really my end goal is a single SSL connection through:
https://mingle.mydomain.com/
My questions are:
1.) Do I need both addConnector statements in jetty.xml?
2.) Do I need to specify my Mingle Host (IP) twice in the jetty.xml file (also in the SslSocketConnector section)?
3.) Do I need the confidentialPort Set in the SelectChannelConnector AddConnector section of jetty.xml? What do I set it to?
4.) Do I need to change the mingle.properties file, i.e. -Dmingle.memcachedPort or -Dmingle.memcachedHost? Currently these are '11311' and 'localhost' respectively.
Any help is appreciated!
Thanks,
Thomas
I can get Mingle to work on SSL if I generate a self-signed certificate, but I can't get it to connect when I convert and import my CA issued certificate. So, apparently I'm converting my certificate incorrectly? Or, it's not trusted?
I'm exporting the public/private key pair as PFX through certificate manager in Windows (original CSR created in IIS), then converting it to the x509 format using openssl. This seems to work fine, and it imports it into the keystore successfully.
But, when I try SSL with the real certificate, the browser just reels and reels and never responds, and there are no additional entries in the Mingle log files.
And again, if I self-sign and import a certificate... SSL works fine.
Can anyone tell me how to properly get my real certificate into the Jetty keystore? Or, find out how to get additional info on what exactly isn't working?
Been trying this all day... Do I need to install a root certificate or something? Why wouldn't it work? Can anyone at ThoughtWorks give me some troubleshooting tips?
bump...
Wow, does no one else run Mingle over SSL? Surely there must be someone with some experience that could read over my posts and give me some tips? No? A certificate provider issue? A conversion issue?
I've been trying to do this for sometime as well and am very interested in the solution. I worked with Cliff to get AD authentication working (great!), but can't use it yet because I need to have https working to be "network security compliant" at the lab I work at.
Thanks for helping to drive this to a solution.
Hi Thomas,
Can you please log a support request at:
http://studios.thoughtworks.com/mingle-agile-project-management/support-requests
We'll help you get this sorted out and then get a solution posted back for the community, thanks!
Support request logged...
Thanks,
Thomas
I just got back to this, and it all works. Thanks to a support email I got from ThoughtWorks.
If anyone else needs help configuring Mingle to run on SSL, I'm happy to help.
- Thomas
The short answer is that you can use the following command to get a PFX file directly into Jetty's keystore:
java -cp <path-to-jar>\org.mortbay.jetty.jar org.mortbay.util.PKCS12Import <pfx-filename> <jks-filename>
(https://apps.skyworthttg.com/forums/viewtopic.php?f=22&t=39)
The way I did it:
1. Copied the jar file 'org.mortbay.jetty.jar' from the attached zip to:
C:\Program Files\Mingle\jre\bin
2. Copied my exported certificate (.PFX) to the same folder.
3. Opened a CMD prompt and changed directory to:
C:\Program Files\Mingle\jre\bin
4. Issued the following command:
java -cp org.mortbay.jetty.jar org.mortbay.util.PKCS12Import my_certificate.pfx my_jetty_keystore
5. Allowed only SSL connections to Mingle by replacing all connectors in jetty.xml with:
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Host">***.***.***.***</Set>
      <Set name="Port">443</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystore"><SystemProperty name="jetty.home" default="." />/jre/bin/keystore</Set>
      <Set name="truststore"><SystemProperty name="jetty.home" default="." />/jre/bin/keystore</Set>
      <Set name="password">mysuperlongsupersecretpasswordstring</Set>
      <Set name="keyPassword">mysuperlongsupersecretpasswordstring</Set>
      <Set name="trustPassword">mysuperlongsupersecretpasswordstring</Set>
    </New>
  </Arg>
</Call>
6. Restart the Mingle Service and everything should work on https://
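A check for the keystore produced by either route (the keytool import in step 4 of the first post, or the PKCS12Import command above), as an added example that is not from the thread, from Thomas, or from ThoughtWorks: a small Java program that reports whether a JKS file holds a PrivateKeyEntry, which is what a server-side SSL connector needs. `keytool -import` can only add a certificate, never a private key, so a fresh keystore built that way holds just a trustedCertEntry and no TLS handshake can complete from it. The class name, file name and passwords are assumptions; the tool reuses the store password for the key unless a third argument is given.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added example, not from the thread: lists what Jetty's SslSocketConnector will find in a JKS file.
// "keytool -import -trustcacerts" into a fresh keystore creates only a trustedCertEntry (no private key);
// serving TLS needs a PrivateKeyEntry whose chain starts with the server certificate.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystore-file> <password> [keyPassword]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        // assumption: key password is the same as the store password unless given separately
        char[] keyPass = (args.length > 2 ? args[2] : args[1]).toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);          // a wrong store password ("password" in jetty.xml) fails here
        }
        boolean hasServerKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                ks.getKey(alias, keyPass);   // a wrong key password ("keyPassword") fails here, not at load time
                Certificate[] chain = ks.getCertificateChain(alias);
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.printf("%s: PrivateKeyEntry, chain length %d, subject %s%n",
                        alias, chain.length, leaf.getSubjectX500Principal());
                boolean selfSigned = leaf.getIssuerX500Principal().equals(leaf.getSubjectX500Principal());
                if (chain.length == 1 && !selfSigned) {
                    System.out.println("  warning: CA-issued certificate with no intermediates in the chain");
                }
                hasServerKey = true;
            } else if (ks.isCertificateEntry(alias)) {
                System.out.printf("%s: trustedCertEntry (certificate only, cannot serve TLS)%n", alias);
            }
        }
        if (!hasServerKey) {
            System.out.println("no PrivateKeyEntry found: Jetty cannot complete a TLS handshake from this keystore");
            System.exit(1);
        }
    }
}
```

Run it as `java KeystoreCheck my_jetty_keystore mypassword` from the folder holding the keystore; a non-zero exit means the file can trust peers but cannot serve https.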
Hi all:
A quick update on this configuration: in Mingle 3.3 we have added the ability to turn on the SSL listener for HTTPS access by configuring parameters in mingle.properties. If you have modified your jetty.xml in older versions of Mingle for your https access, please note that it is invalid for Mingle 3.3. Click here to see our online help documentation for how to configure https access.
Thanks,
Huimin