ConfigServer Community Forum

Just installed the latest csf on my Debian 10 setup and it works fine, the Web-UI is however showing a connection refused error. Checking the lf logs shows this error:
Searching on internet it seems the certificate format is not something compatible on my linux installation. lfd and csf bot starts and run fine.

droid1 wrote: ↑15 Dec 2019, 12:26 Just installed the latest csf on my Debian 10 setup and it works fine, the Web-UI is however showing a connection refused error. Checking the lf logs shows this error:

Code: Select all

Dec 15 12:15:04 xxxx lfd[6078]: UI: *Error* cannot open server on port 1026: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8859 

Searching on internet it seems the certificate format is not something compatible on my linux installation. lfd and csf bot starts and run fine.

SAME THING TO ME
Thanks
Liteblue

I am running into the exact same issue, new install, CSF/LFD are running and working fine but I get a certificate error. Is this a known issue or are we missing something? The UI directory has a key/crt but the error is asking for a PEM, DR or PKCS512. Converting the CRT to PEM doesn't work either.

I have the same issue on fresh installed centos 8 please help me

Same issue here - fresh install of CentOS 8 in a local environment (no domain), tried multiple ports, tried creating new certs, but no luck: I found this error message in file SSL.pm on many sites showing the source for SSL.pm:

On my server I fixed this by deleting the existing certificate and key an generating a new self signed certificate and key

I switched from APF to CSF many years ago. This year my admin tasks started to scale in a way that made me need to automate more. Ansible. And... CSF cluster. Part of learning how to cluster CSF made me curious about the UI. And my master node is CentOS 8 so I had the same error as OP and Google brought me here.

alex_john_m's solution works perfectly. If you prefer a Letsencrypt certificate for CSF UI, I can add the following to this thread:

TL;DR;
1) Install acme.sh
2) Issue a cert - I use DNS verification method so that I don't need to open any ports for the issue / renewal.
3) Tell acme.sh to deploy the key and fullchain cert to the CSF ui.

acme.sh will automatically install a renewal cron job. This cron job should renew the cert when needed, deploy the fresh certs to CSF and reload LFD.
Note that I implemented this today so I have not yet seem a successful renewal but based on my experience with acme.sh I am confident it will work 2 months down the track.


Details:

I use cloudflare as my DNS provider. If yours is different it may still be possible to tailor this to your provider if they have a DNS API.

Many are supported.

1) Generate Cloudflare API Token. Do not use your global API key. That was a thing years ago. Nowadays you can create more granular tokens with limited powers. The token currently needs access read access to Zone.Zone, and write access to Zone.DNS, across all Zones. There is work being done to do away with "all zones" access so that you can have a token that can only access the one zone in question but that is not ready yet. that is not ready yet.

2) Install curl, git and socat

3) Install acme.sh. Quick and dirty is but I recommend the slower approach so you can inspect the script first rather than blindly execute a script off the internet.

Recommended:
Now inspect it. If satisfied, run it
4) Logout and back in because it will have added a path to your .bashrc. Alternatively source your ~/.bashrc

5) In your bash shell export variables 6) Assuming your fqdn for this install is csf.domain.tld, let's issue a cert:
If you are old school and have issues with elliptic curve cryptography leave out the --keylength ec-384 to request an RSA cert instead. I won't judge.

7) At this point acme.sh has your cert and created a cron job to keep renewing it. All of this without opening any ports for letsencrypt validation. But the cert isn't doing anything yet. We need the deploy action.

8) Again if you did not want elliptic curve cryptography in the previous step and have an RSA cert instead you need to modify the above by omitting the --ecc option.

This will copy the most current version of the cert chain and the matching private key to the relevant CSF UI files and restart LFD to make it take effect. It will also do it automatically any time the cert was automatically renewed!

We might be able to reload LFD rather than restart ? I have not tested yet.

This method also allows for wildcard certs to be issued but in my case there was no use for it because the CSF node running the UI will not run anything else.