Use the following SSL tool to determine whether your server is missing any intermediate certificates:
https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
Note: The following script may be used on the Mobility front-end to generate the missing intermediate certificates in the /usr/local/nukona/nginx.crt file. It is highly recommended to back up this file before running this script, even though the script also makes a backup. This script may also be run from any CentOS/RHEL 6 server to test against any host and generate the missing intermediate certificates.
1. Transfer the attached script to the server.
2. Add execute permissions to the script:
chmod +x sslfix.sh
3. Install the required packages:
./ssltest.sh --install
4. Test against a host:
For example:
[root@multife1 ~]# ./sslfix.sh west.smmglobal.net Is this request being made on from the Mobility front-end server? [y]: Warning, this script will fix the local certificate chain the nginx.crt file may need to also be copied to the reverse proxy. Is there a reverse proxy or load balancer between devices and this front-end? [y]: What is the IP of the reverse proxy? : proxy1.smmglobal.net The certificates are the same! ~/nginx.crt has been created. If replacing on the Mobility server: replace /usr/local/nukona/certs/configurator/nginx.crt with this updated file. Then restart the mm-nginx services with a command like: service mm-nginx restart Do you want to do this now? [y]: Stopping nginx: [ OK ] Starting nginx: [ OK ] The old nginx.crt file has been backed up to /tmp/nginx.crt it may be restored with the following command: mv /tmp/nginx.crt /usr/local/nukona/certs/configurator/nginx.crt service mm-nginx restart [root@multife1 ~]#
Raw script:
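#!/usr/bin/env bash
#
# sslfix.sh - rebuild the intermediate certificate chain served by a host.
#
# Usage:
#   ./sslfix.sh --help | -h   Display usage.
#   ./sslfix.sh --install     Install the packages and the composer-based
#                             ssl-certificate-chain-resolver this script uses.
#   ./sslfix.sh FQDN          Fetch the leaf certificate FQDN serves on 443,
#                             resolve its chain and write ~/nginx.crt; on a
#                             Mobility front-end, optionally install it.
#
# Globals read:  HOME
# Exit status:   0 on success or usage; 1 when a required step fails.
#
# -u catches misspelled variable names; pipefail makes the openssl pipelines
# report a failed connection. -e is deliberately not set: several steps are
# best-effort and their status is checked explicitly where it matters.
set -u -o pipefail

# Packages installed by --install (the empty slots of the original list dropped).
declare -ra REQUIRED_RPMS=(wget perl-Git openssl php54w)
readonly RESOLVER=/root/.composer/vendor/spatie/ssl-certificate-chain-resolver/ssl-certificate-chain-resolver
readonly NGINX_CRT_REL=certs/configurator/nginx.crt
readonly WORK_DIR=$HOME

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the usage text.
# Outputs: usage on stdout
#######################################
usage() {
  echo "
Usage:
--help Displays this message
--install Installs the ssl-certificate-chain-resolver services
[FQDN] Tests target on 443 and creates an nginx.crt to load onto the server
For example: ./sslfix.sh west.smmglobal.net
"
}

#######################################
# Prompt the user and print the answer.
# Arguments: $1 - prompt text; $2 - value used when the answer is empty
# Outputs:   the answer on stdout (read -p writes the prompt to stderr, so a
#            command substitution captures only the answer)
#######################################
ask() {
  local prompt=$1 default=${2-} reply
  read -r -p "$prompt" reply
  printf '%s' "${reply:-$default}"
}

#######################################
# Print the PEM leaf certificate that a host serves on port 443.
# Arguments: $1 - host name or IP; $2 - optional file that receives openssl's
#                 connection diagnostics (default: discarded)
# Returns:   0 with the PEM on stdout; 1 when no certificate could be read
#######################################
fetch_leaf_cert() {
  local host=$1 errlog=${2:-/dev/null} pem
  # x509 keeps only the first certificate of the -showcerts output (the leaf).
  pem=$(openssl s_client -showcerts -connect "${host}:443" </dev/null 2>>"$errlog" \
    | openssl x509 -outform PEM 2>>"$errlog")
  [[ -n "$pem" ]] || return 1
  printf '%s\n' "$pem"
}

#######################################
# Download the Composer installer, verify it and install composer.phar
# to /usr/local/bin/composer.
# Returns: exits via die when the download or the checksum check fails
#######################################
install_composer() {
  local tmp expected actual
  tmp=$(mktemp -d) || die 'mktemp failed'
  curl -sS -o "$tmp/installer" https://getcomposer.org/installer \
    || die 'could not download the composer installer'
  # Check the installer against the SHA-384 the Composer project publishes
  # rather than piping an unverified download straight into php.
  expected=$(curl -sS https://composer.github.io/installer.sig) \
    || die 'could not download the composer installer signature'
  actual=$(sha384sum "$tmp/installer" | awk '{print $1}')
  [[ "$actual" == "$expected" ]] \
    || die 'composer installer checksum mismatch; refusing to run it'
  (cd "$tmp" && php installer) || die 'composer installer failed'
  mv -f -- "$tmp/composer.phar" /usr/local/bin/composer \
    || die 'could not install /usr/local/bin/composer'
  rm -rf -- "${tmp:?}"
}

#######################################
# Install the RPMs and the chain resolver this script depends on.
# Returns: status of the final composer require
#######################################
install_tools() {
  # NOTE: rpm only verifies this package's signature if the repository's GPG
  # key has already been imported; otherwise this trusts the download path.
  rpm -Uvh https://mirror.webtatic.com/yum/el6/latest.rpm
  local rpm_name
  for rpm_name in "${REQUIRED_RPMS[@]}"; do
    # `rpm -q` exits non-zero when the package is not installed.
    rpm -q "$rpm_name" >/dev/null 2>&1 || yum -y install "$rpm_name"
  done
  install_composer
  touch /root/composer.json
  # Best-effort project update, silenced as in the original script.
  php /usr/local/bin/composer --working-dir=/root/ update >/dev/null 2>&1
  # NOTE: this pulls whatever version Packagist currently serves; pin a
  # version constraint here if reproducible installs are required.
  php /usr/local/bin/composer global require spatie/ssl-certificate-chain-resolver
}

#######################################
# Replace the Mobility front-end's nginx.crt with ~/nginx.crt and restart
# mm-nginx, keeping a backup of the old file.
# Globals:   WORK_DIR, NGINX_CRT_REL
# Returns:   exits 1 when this host is not a Mobility front-end
#######################################
install_chain_locally() {
  local nuk_dir crt backup
  nuk_dir=$(rpm -q --qf "[%{PREFIXES}=%{INSTPREFIXES}\n]" appstore_cu 2>/dev/null \
    | grep '/usr/local/nukona' | awk -F'=' '{print $2}')
  if [[ "$nuk_dir" != *ukona* ]]; then
    echo "To fix this issue, this script should be ran on the Mobility front-end.
"
    exit 1
  fi
  crt=$nuk_dir/$NGINX_CRT_REL
  # Back up into a fresh mktemp file instead of the fixed /tmp/nginx.crt, so a
  # pre-existing file or symlink at a predictable path cannot be followed by a
  # root-owned cp.
  backup=$(mktemp /tmp/nginx.crt.XXXXXX) || die 'could not create backup file'
  cp -f -- "$crt" "$backup" || die "could not back up $crt"
  mv -f -- "$WORK_DIR/nginx.crt" "$crt" || die "could not install $crt"
  chown nginx:nginx "$crt"
  service mm-nginx restart
  echo "The old nginx.crt file has been backed up to $backup it may be restored with the following command:
mv $backup $crt
service mm-nginx restart"
}

#######################################
# Entry point.
# Arguments: $1 - --help | -h | --install | FQDN to test
#######################################
main() {
  local action=${1-}
  case "$action" in
    --help|-h|'')
      usage
      exit 0
      ;;
    --install)
      install_tools
      exit "$?"
      ;;
  esac

  # Stale artefacts of a previous run would otherwise be mistaken for results.
  rm -f -- "$WORK_DIR"/pub_cert* "$WORK_DIR"/rp_cert*

  local front_end proxy rp_ip='' continue_proxy='' use_proxy=false
  front_end=$(ask 'Is this request being made on from the Mobility front-end server? [y]: ' y)
  if [[ "$front_end" == *y* ]]; then
    echo "
Warning, this script will fix the local certificate chain the nginx.crt file may need to also be copied to the reverse proxy.
"
  fi

  proxy=$(ask 'Is there a reverse proxy or load balancer between devices and this front-end? [y]: ' y)
  if [[ "$proxy" == *y* ]]; then
    rp_ip=$(ask 'What is the IP of the reverse proxy?
: ')
    # Compare the leaf served by the proxy with the one served by the target;
    # a fetch that fails leaves an empty file, which simply compares unequal
    # to a real certificate.
    fetch_leaf_cert "$rp_ip" >"$WORK_DIR/rp_cert.pem" || true
    fetch_leaf_cert "$action" >"$WORK_DIR/pub_cert.pem" || true
    if cmp -s -- "$WORK_DIR/pub_cert.pem" "$WORK_DIR/rp_cert.pem"; then
      echo "
The certificates are the same!
"
    else
      continue_proxy=$(ask '
The certificates are not the same... do you wish to continue your test against the proxy instead? [y]: ' y)
    fi
    rm -f -- "$WORK_DIR"/rp_cert* "$WORK_DIR"/pub_cert*
  fi

  local target=$action
  if [[ "$continue_proxy" == y ]]; then
    target=$rp_ip
    use_proxy=true
    echo "
Testing using the RP ip of $rp_ip instead of $1!
"
  fi

  # Reachability and the leaf fetch are one step: if openssl cannot read a
  # certificate, its own diagnostics explain why.
  local errlog
  errlog=$(mktemp) || die 'mktemp failed'
  if ! fetch_leaf_cert "$target" "$errlog" >"$WORK_DIR/pub_cert.pem"; then
    echo 'There was a problem loading the site, please confirm that the server is online and that the web services are running.'
    echo "
Cause of error: $(cat "$errlog")
"
    rm -f -- "$errlog" "$WORK_DIR/pub_cert.pem"
    exit 1
  fi
  rm -f -- "$errlog"

  [[ -x "$RESOLVER" ]] || die "$RESOLVER not found; run ./sslfix.sh --install first"
  # The resolver is expected to write the leaf plus its intermediates to the
  # second path - confirm against the tool's documentation. Checking its
  # status avoids turning a failed run into an empty ~/nginx.crt.
  "$RESOLVER" resolve "$WORK_DIR/pub_cert.pem" "$WORK_DIR/pub_cert_chain.pem" >/dev/null 2>&1 \
    || die 'Resolving the certificate chain failed; ~/nginx.crt was not written'
  cp -f -- "$WORK_DIR/pub_cert_chain.pem" "$WORK_DIR/nginx.crt" \
    || die 'could not write ~/nginx.crt'

  if [[ "$use_proxy" == true ]]; then
    echo "
Include the contents of ~/pub_cert_chain.pem on the reverse proxy. This may be as simple as appending these certificates to the reverse proxy's public certificate.
"
    rm -f -- "$WORK_DIR/pub_cert.pem"
    exit 0
  fi
  rm -f -- "$WORK_DIR"/pub_*.pem

  echo "
~/nginx.crt has been created.
If replacing on the Mobility server: replace /usr/local/nukona/certs/configurator/nginx.crt with this updated file.
Then restart the mm-nginx services with a command like:
service mm-nginx restart
"
  if [[ "$front_end" == *y* ]]; then
    local fix
    fix=$(ask 'Do you want to do this now?
[y]: ' y)
    [[ "$fix" == y ]] && install_chain_locally
  fi
  exit 0
}

main "$@"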