How to configure ProTop to communicate over SSL.
Requirements:- Hashed certificate file from the server you want to communicate with via SSL in $PROTOP/certs - delivered with ProTop
- $PROTOP/bin/localenv[.bat] containing the line: export PORTALPORT=443
- $PROTOP/bin/localenv[.bat] containing the line: export PORTALOPTIONS='-ssl -nohostverify'
- $PROTOP/etc/[custid].pf containing the line: -certstorepath [PROTOPDIR]/certs
All OSes
1. Add to [PROTOPDIR]/bin/localenv (copy bin/localenv[bat].x to bin/localenv[.bat] if not present):
export PORTALPORT=443export PORTALOPTIONS='-ssl -nohostverify'
Ex:
2. Add to [PROTOPDIR/etc/[custId].pf:
-certstorepath [PROTOPDIR]/certs
Ex:
3. Restart ProTop
Troubleshooting
Set ProTop debug level to 5 using pt3agent.[resrc].dbg in Protop’s tmp directory and restart Protop
cd [PROTOPDIR]/tmp
echo 5 > pt3agent.proddb.dbg
Check in ProTop’s log directory for pt3agent.[resrc].log file for error messages.
Common problem:
Can’t find issuer certificate:
2020/08/06 22:50:28.790-04:00 0 Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for xxxxxxxx.0 in <path>/certs (9318)
2020/08/06 22:50:28.791-04:00 9407 Connection failure for host <dashboard> port 443 transport TCP. (9407)
2020/08/06 22:50:28.791-04:00 newSocket: Connection to HTTP server: <dashboard> port 443 is unavailable.
Solution:
- Ensure the certificate file exists in [path]/certs and has the required permissions
- Make sure -certstorepath [path to certificate] is valid in [PROTOPDIR]/etc/[custid].pf or [etc]/friendlyName.pf]
- If the portal uses more than one certificate, you may need to place all of the portal’s certificates individually in ProTop’s certs directory. Save each BEGIN...END in the bundle.crt above into its own file, hash and save each to your certs directory
- Potential workaround: Place copies of the portal certificates in your $DLC/certs directory