Iβd replace apt-get with yum and give it a try.
Yes, it worked. The more interesting part is the path and the content of the flyvemdm.conf ?
Looks like this installation will never end⦠
Iβd try with following changes:
auth_opt_host server.domain.tld
auth_opt_port 3312
auth_opt_user mosquitto
auth_opt_pass PASSWORD
1 Like
OK thank you. I am busy the next two daysβ¦
1 Like
OK, next step is: TLS Listener setup
TLS provides security to the communication, through authentication of server and client, besides data encryption.
Use TLS version 1.2, lower versions are no longer considered safe.
Mosquitto does not support SSLv2 or SSLv3 (and they are no longer safe).
- Copy in /etc/mosquitto/certs your certificate, your certificate authority chain and private key.
- Secure your private key
chmod 600 /etc/mosquitto/certs/private-key.key
chown mosquitto:root /etc/mosquitto/certs/private-key.key
- Refresh hash and symlinks to your certificates
c_rehash /etc/mosquitto/certs
Use a certificate signed by a certified authority or you may have trouble with the android devices, using them with custom certification authorities might not work (not tested).
> After sending the certification request, the CA will very likely send back several files.
>
>
>
> One is the certificate, signed by the CA, and the others are intermediate certificates.
>
>
>
> In Mosquitto the certificate must be the concatenation of the certificate delivered + the intermediate certificates.
>
>
>
> The client operating system must contain more certificates to establish a trust chain to the root certificate.
Append the following to /etc/mosquitto/conf.d/flyvemdm.conf.
listener 8883 cafile /etc/mosquitto/certs/cachain.pem certfile /etc/mosquitto/certs/cachain.pem keyfile /etc/mosquitto/certs/private-key.key tls_version tlsv1.2 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
- Restart Mosquitto
- Test you can successfully connect to Mosquitto
mosquitto_sub -h host_name_of_mosquitto -t "#" -p 8883 -i test-client --cafile /tmp/mycert.pem --capath /etc/ssl/certs/
- Check the ports that Mosquitto listens. You should see only the port 8883.
netstat -taupen | grep mosquitto
You can also use OpenSSL to test the configuration
openssl s_connect -connect fqdn.of.mosquitto:8883
This will launch openssl as a client using the TLS protocol and leave the terminal in a state similar to telnet
Many debug information is displayed during TLS negociation, useful to diagnose TLS problems
2 Likes
Under /etc/pki are a lot of files:
[root@mdmsrv01 pki]# tree
.
βββ CA
β βββ certs
β βββ crl
β βββ newcerts
β βββ private
βββ ca-trust
β βββ ca-legacy.conf
β βββ extracted
β β βββ java
β β β βββ cacerts
β β β βββ README
β β βββ openssl
β β β βββ ca-bundle.trust.crt
β β β βββ README
β β βββ pem
β β β βββ email-ca-bundle.pem
β β β βββ objsign-ca-bundle.pem
β β β βββ README
β β β βββ tls-ca-bundle.pem
β β βββ README
β βββ README
β βββ source
β βββ anchors
β βββ blacklist
β βββ ca-bundle.legacy.crt -> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
β βββ README
βββ java
β βββ cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
βββ nssdb
β βββ cert8.db
β βββ cert9.db
β βββ key3.db
β βββ key4.db
β βββ pkcs11.txt
β βββ secmod.db
βββ nss-legacy
β βββ nss-rhel7.config
βββ rpm-gpg
β βββ RPM-GPG-KEY-CentOS-7
β βββ RPM-GPG-KEY-CentOS-Debug-7
β βββ RPM-GPG-KEY-CentOS-SIG-SCLo
β βββ RPM-GPG-KEY-CentOS-Testing-7
β βββ RPM-GPG-KEY-EPEL-7
β βββ RPM-GPG-KEY-NethForge-7
β βββ RPM-GPG-KEY-NethServer-7
β βββ RPM-GPG-KEY-stephdl
βββ rsyslog
βββ tls
βββ cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
βββ certs
β βββ ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
β βββ ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
β βββ httpd-admin.crt
β βββ localhost.crt
β βββ make-dummy-cert
β βββ Makefile
β βββ NSRV.crt
β βββ renew-dummy-cert
βββ misc
β βββ CA
β βββ c_hash
β βββ c_info
β βββ c_issuer
β βββ c_name
βββ openssl.cnf
βββ private
βββ httpd-admin.key
βββ localhost.key
βββ NSRV.key
Which one should I choose/copy for:
cafile /etc/mosquitto/certs/cachain.pem
certfile /etc/mosquitto/certs/cachain.pem
keyfile /etc/mosquitto/certs/private-key.key/etc/pki/tls/certs/localhost.crt. This is created by template from whatever system certificate is selected. Better yet, the result of config get pki ChainFile and config get pki CrtFile, respectively.
/etc/pki/tls/private/localhost.key, or better, config get pki KeyFile.
1 Like
MySQL 5.6 or MariaDB 10.0 are minimum supported DB versions
https://glpi-install.readthedocs.io/en/latest/prerequisites.html#database
@fausp are you using MySQL for any service in your setup?
Sorry I used the wrong steps⦠It should work with this one:
wget https://github.com/glpi-project/glpi/releases/download/9.4.0/glpi-9.4.0.tgz
tar -xzf glpi-9.4.0.tgz
mv glpi /usr/share/
# Set owner to apache
chown -R apache:apache /usr/share/glpi
# Create httpd conf for glpi
cat << EOF > /etc/httpd/conf.d/glpi.conf
Alias /glpi /usr/share/glpi
<Directory /usr/share/glpi>
Require all granted
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9001"
</FilesMatch>
</Directory>
<Directory /usr/share/glpi/files>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from localhost
</Directory>
EOF
# Install Nethserver rh-php71 and extensions and mariadb 10.2 from stephdl repo
yum install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.0.7-1.ns7.sdl.noarch.rpm
yum -y install nethserver-rh-php71-php-fpm rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-gd rh-php71-php-ldap \
rh-php71-php-imap rh-php71-php-opcache rh-php71-php-xmlrpc nethserver-rh-mariadb102
# Create database and user
mysql102
create database glpi;
grant all privileges on glpi.* to glpi@mdm01.mydomain.lan identified by 'Password';
exit;
# Restart services
systemctl restart httpd
systemctl restart rh-php71-php-fpm
# Install Wizzard
Browse to https://mdm01.inet.local/glpi install.
But I got another error:
Were asked to you the database connection setup?
https://glpi-install.readthedocs.io/en/latest/install/wizard.html#database-connection
Also: mariaDB and MySQL are sharing the same port or is customized?
Is it the wrong port? Did you try 3312?
Yes, thank you. It works now with Version 9.4.3 β¦
what was wrong?
I used localhost instead of hostname.domain.ltd:3312
1 Like
Cannot configure Flyve MDM with the Wizard because there are some points missingβ¦
... Please check the general settings, the API settings and the notification settings. ...
Let me recommend you Headwind MDM - an open source Mobile Device Management system. The software is easily installed on Ubuntu Linux and Android devices. Its primary purpose is remote installation and update of mobile apps, as well as management of mobile devices.
Headwind MDM is an extensible platform which could be adapted to fit every companyβs needs.
The software is used and highly rated by the users in such industries as retail, wholesale, logistics, and more.
Let me ask to @h-mdm: is the project going to officially support CentOS?
The project is cross-platform, and we have users whoβs using the software on CentOS. As far as I know, the only thing they must do is to adjust the Tomcat directory in the installer script. So I may definitely say that Headwind MDM supports CentOS (weβll add a question and answer about CentOS soon!)
It is better to have a product which supports Android and iPhone/iPad.