
SSL secure connection problem with "Shell in a box"

Post by Delgado » Sun May 02, 2021 3:33 pm

Hello all,
I have a problem and hope that someone can help me.
First of all, I use FF as a browser and have Kaspersky (KIS) installed.

I have set up an SSL connection between the PC and the Asustor using openssl generated certificates. Everything works quite well.

I only have one problem with the app "Shell in a box". It can no longer be opened in an additional FF tab. I always get the error message "Firefox cannot establish a connection to the server under nas:4200". If I log in again via an insecure connection ("http://nas:8000/portal/") and start "Shell in a box", then it works. I do not understand this. I have installed a certificate with the certificate manager in ADM and I have installed a matching certificate on the PC. I have no problems with the URL "https://nas:8001/portal/", but I do have problems with the URL "https://nas:4200/" from Shell in a box.

Do you have an idea or solution?

I am grateful for any help.
Delgado
 
Posts: 41
Joined: Tue Oct 13, 2020 10:52 pm

Re: SSL secure connection problem with "Shell in a box"

Post by father.mande » Sun May 02, 2021 4:17 pm

Hi,

As I remember (I haven't used shellinabox for a while (now I prefer the Chrome SSH app and GateOne ...))
you must change the start line and add -c or --cert=Path_to_cert_directory (so as not to use the default).
It's also possible to use the Apache web server (provided by Asustor) as a proxy, so as not to open port 4200 directly on the internet,
with a configuration like this (just an example) ... in this case force shellinabox to be used ONLY by localhost.
<Location /shell>
ProxyPass http://localhost:4200/
Order allow,deny
Allow from all
</Location>

BUT as I wrote before ... it's based on my memory ... :mrgreen:

Philippe.
AS5202T /AS5002T / AS202TE / AS1002T
My Blog specific to my APKG : https://blog.father-mande.ovh/
father.mande
 
Posts: 1161
Joined: Sat Sep 12, 2015 2:55 am

Re: SSL secure connection problem with "Shell in a box"

Post by Delgado » Sun May 02, 2021 5:27 pm

Hello Philippe,
thx for your help.

You say I need to pass the path to the certificate when starting Shell in a box.

1.) I don't know where the certificates are on the asustor, and
2.) How can I pass arguments to the app when I start it?

I also installed your gateone once :D. Unfortunately I get the same error there. Do you have any idea?
Delgado
 
Posts: 41
Joined: Tue Oct 13, 2020 10:52 pm

Re: SSL secure connection problem with "Shell in a box"

Post by father.mande » Sun May 02, 2021 8:36 pm

Hi,

For GateOne or any other tool ... it's the same, so the preferred solution for people with Apache skills ... is to use Apache as a proxy for other applications (or stunnel).

Q 1 : as far as I know ... everything is under the /volume0/usr/builtin/etc/certificate/ folder ... but have a look whether your certificate is under another folder (like let'sencrypt) or directly at this place ... if it's not working, ask Asustor support for help.
Q 2 : I presume that it's an APKG, so go to /usr/local/AppCentral/shellinabox/CONTROL (I presume for the name ... I have not installed shellinabox) and edit the start-stop.sh script.

A good, light and easier tool to manage SSL access to ANY non-SSL web server (or also email, VPN, etc.) is stunnel from the Entware APKG ( https://www.stunnel.org/docs.html ; https://www.stunnel.org/config_unix.html )

For GateOne, when I have time I will look into it ... but I presume it's also a configuration option ...

Philippe.
AS5202T /AS5002T / AS202TE / AS1002T
My Blog specific to my APKG : https://blog.father-mande.ovh/
father.mande
 
Posts: 1161
Joined: Sat Sep 12, 2015 2:55 am

Re: SSL secure connection problem with "Shell in a box"

Post by Delgado » Sun May 02, 2021 10:41 pm

Hello Philippe,
first of all thank you for your help and yes, I have found the correct certificate. The certificates are located under /usr/builtin/etc/certificate. The certificate I created with openssl is also in that directory. In the directory where "Shell in a box" installs (/volume1/.@Plugins/Appcentral/shell-in-a-box/etc) a symbolic link certificate.pem points to the directory of the Asustor support certificate. I have adjusted this now. The symbolic link now points to the correct certificate.

In the start stop script under CONTROL the argument -c is specified as etc. This is the directory that contains the symbolic link. This is correct.

If I now want to start the shellinaboxd daemon with ./start-stop.sh start, I get the error message "Failed to find any available port".

From this I would conclude that port 4200 is not accessible and this must be due to the SSL connection. How can I release the port 4200?

Or am I still making a mistake here? Do you have any other ideas for me, Philippe?
Delgado
 
Posts: 41
Joined: Tue Oct 13, 2020 10:52 pm

Re: SSL secure connection problem with "Shell in a box"

Post by father.mande » Sun May 02, 2021 11:08 pm

Hi,

As I wrote ... I don't use shellinabox anymore (and haven't for a long time), so it's difficult to debug ...
... it seems that the port is in use ... try to stop then start again ... perhaps your previous shellinabox is still running ... (verify with the ps command)
... also be sure you provide an xxxx.pem file for the certificate ...

For GateOne ... the config file is in /usr/local/AppCentral/gateone/etc/gateone/conf.d/ ... named 10server.conf
... in this file you get the information for adding your own certificate in the PEM format (concatenate format .key with .crt) or directly if the .pem format is provided.
... perhaps other options exist, please have a look at : https://liftoff.github.io/GateOne/About ... ne-options

Philippe.
AS5202T /AS5002T / AS202TE / AS1002T
My Blog specific to my APKG : https://blog.father-mande.ovh/
father.mande
 
Posts: 1161
Joined: Sat Sep 12, 2015 2:55 am
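
The two certificate checks raised in the posts above (which file a certificate.pem symlink really resolves to, and whether that PEM holds both the private key and the certificate), as an added example that is not part of the thread and not code from shellinabox or GateOne. The function names are hypothetical and only Python's standard library is used.

```python
import os
import re
import ssl

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def inspect_pem(path):
    """Report which file a (possibly symlinked) PEM path resolves to
    and which PEM blocks that file contains."""
    target = os.path.realpath(path)  # follows certificate.pem -> real file
    with open(target, "r", encoding="ascii", errors="replace") as fh:
        labels = PEM_BEGIN.findall(fh.read())
    return {
        "target": target,
        "is_symlink": os.path.islink(path),
        "labels": labels,
        # matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ...
        "has_key": any(label.endswith("PRIVATE KEY") for label in labels),
        "has_cert": "CERTIFICATE" in labels,
    }


def loads_as_server_cert(path):
    """Load the file the way a TLS server would: certificate and key
    from one PEM. Fails if either part is missing or unparsable, or
    if the private key does not belong to the certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)
    return True, ""


def check(path):
    """Combine the structural report with the real load attempt."""
    info = inspect_pem(path)
    info["loads"], info["error"] = loads_as_server_cert(info["target"])
    return info


if __name__ == "__main__":
    import sys
    for pem_path in sys.argv[1:]:
        print(check(pem_path))
```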

Re: SSL secure connection problem with "Shell in a box"

Post by Delgado » Tue May 04, 2021 1:40 am

Hi Philippe,
regarding the certificates, I have adjusted the corresponding places in the 10server.conf file at /volume1/.@plugins/AppCentral/gate1/gateone/etc/gateone/conf.d (see screenshot below).

Image

But it looks like Gateone is not using this certificate, because Kaspersky shows me the certificate as untrusted in FF (see screenshot below).

Image

But this is not the certificate I created.

Do you have any idea where Gateone gets this certificate and how I can change it?
Delgado
 
Posts: 41
Joined: Tue Oct 13, 2020 10:52 pm

Re: SSL secure connection problem with "Shell in a box"

Post by Delgado » Wed May 05, 2021 1:49 am

Now the knot has been broken. It's finally working now.

These certificates have cost me the last nerve :).
From today I use Gateone.

Thanks to Philippe
Delgado
 
Posts: 41
Joined: Tue Oct 13, 2020 10:52 pm

Re: SSL secure connection problem with "Shell in a box"

Post by Delgado » Sat May 08, 2021 7:23 pm

Hi Philippe,
I still have a question about Gateone. The settings, e.g. the font size, are always active for current session only.

When Gateone is called again, the settings are reset. How can I set my settings permanently?

The display of Midnightcommander under Gateone does not look good. The function keys in the MC are also without function.
Does anyone of you have an idea how I can change this?
Delgado
 
Posts: 41
Joined: Tue Oct 13, 2020 10:52 pm

Re: SSL secure connection problem with "Shell in a box"

Post by father.mande » Sun May 09, 2021 1:53 am

Hi,
Delgado wrote:Hi Philippe,
I still have a question about Gateone. The settings, e.g. the font size, are always active for current session only.

When Gateone is called again, the settings are reset. How can I set my settings permanently?

The display of Midnightcommander under Gateone does not look good. The function keys in the MC are also without function.
Does anyone of you have an idea how I can change this?


Hum! Can you explain and provide more information on the first point (the actions you do)? Because I have tested changing the font, and after exiting ssh and closing the web interface ... when I restart I still have the new font?

I will test with MC ... but it's possible that you have to change the xterm used ...

Philippe.
AS5202T /AS5002T / AS202TE / AS1002T
My Blog specific to my APKG : https://blog.father-mande.ovh/
father.mande
 
Posts: 1161
Joined: Sat Sep 12, 2015 2:55 am
