Welcome to Headwind MDM Q&A, where you can ask questions and receive answers from other members of the community.

Please do not post bug reports, missing feature requests, or demo inquiries. If you have such an inquiry, submit a contact form.

0 votes
I am using the SSL certificates purchased at Comodo. My instance of Headwind MDM is on the LAN so I can't use Let's Encrypt.

My certificate has expired yesterday. I have received new certificate (the certificate itself and the CA bundle) but I do not know now to renew the certificate.
by (25.2k points)

1 Answer

0 votes

The procedure of certificate renewal is mostly similar to the setup of new certificates. The only difference is that old and new certificates should have the same private key so it remains unchanged.

Notice: it's better to create a new JKS file than to patch an existing one.

Headwind MDM (main module)

1. Make sure old and new certificates are compatible with the same private key.

openssl rsa -modulus -noout -in yourdomain.key.pem | openssl md5

(stdin)= 3304b66c905852a0e6e1bd2174db95f0

openssl x509 -modulus -noout -in yourdomain_legacy.crt | openssl md5

(stdin)= 3304b66c905852a0e6e1bd2174db95f0

openssl x509 -modulus -noout -in yourdomain.crt | openssl md5

(stdin)= 3304b66c905852a0e6e1bd2174db95f0

The resulting MD5 hash should be the same for all files

2. Create the new JKS file containing the key and the certificate chain

This procedure is same as for the new certificate creation: https://qa.h-mdm.com/1240/

openssl pkcs12 -export -out yourdomain.p12 -inkey yourdomain.key.pem -in yourdomain.crt -certfile yourdomain.ca_bundle

keytool -importkeystore -destkeystore yourdomain.jks -srckeystore yourdomain.p12 -srcstoretype PKCS12

3. Replace the certificate file and restart Tomcat

cp yourdomain.jks /var/lib/tomcat9/ssl

service tomcat9 restart

After restarting Tomcat, make sure HTTPS is running properly.

journalctl -f -u tomcat9.service

should display the following log entry

Starting ProtocolHandler ["https-openssl-nio-8443"]

Headwind Remote

If you're running Headwind Remote on the same domain, you need to update certificates for this module as well.

1. Check the certificate path in the config.yaml

custom_ssl_cert: "/opt/remote-control/ssl/yourdomain_full_chain.crt"

2. Prepare the "Full chain" file

Important: the domain certificate should go first, before higher level certificates, otherwise Headwind Remote may fail!

cat yourdomain.crt yourdomain.ca_bundle > /opt/remote-control/ssl/yourdomain_full_chain.crt

3. Restart Headwind Remote

cd /opt/remote-control

bash ./install.sh

4. In the case it doesn't work, check the nginx logs for critical errors:

cd /opt/remote-control

docker-compose logs --tail 100 nginx

by (25.2k points)
edited by