Plugin: Jetty Web Server 2.0

[Taddeusz]

Are the instructions for enabling SSL in SageTV's Jetty posted anywhere else? Apparently assembla.com has a robots.txt file that now prevents web crawlers so the archived page is apparently no longer available.

I'm having a chain problem with my StartTLS cert that is recently preventing me from getting to my SageTV web interface from my iOS devices. Not sure what changed that brought this about but I don't remember how I did it all and need to figure out how to get the intermediate and possibly the Start CA root in there to complete the chain.

Weird part is it works fine in any other browser. However, if I check my site using this tool: https://www.sslshopper.com/ssl-checker.html it complains that it is not trusted in all web browsers and that I need to install the intermediate cert.

[KJake]

Quote:

Originally Posted by Taddeusz

Are the instructions for enabling SSL in SageTV's Jetty posted anywhere else? Apparently assembla.com has a robots.txt file that now prevents web crawlers so the archived page is apparently no longer available.

I'm having a chain problem with my StartTLS cert that is recently preventing me from getting to my SageTV web interface from my iOS devices. Not sure what changed that brought this about but I don't remember how I did it all and need to figure out how to get the intermediate and possibly the Start CA root in there to complete the chain.

Weird part is it works fine in any other browser. However, if I check my site using this tool: https://www.sslshopper.com/ssl-checker.html it complains that it is not trusted in all web browsers and that I need to install the intermediate cert.

If you combine the webserver cert and intermediary cert into one cert file and point Jetty to that, it will probably work. I've had to do this on nginx and other Jetty installs before.

[KarylFStein]

Quote:

Originally Posted by Taddeusz

Are the instructions for enabling SSL in SageTV's Jetty posted anywhere else? Apparently assembla.com has a robots.txt file that now prevents web crawlers so the archived page is apparently no longer available.

I'm having a chain problem with my StartTLS cert that is recently preventing me from getting to my SageTV web interface from my iOS devices. Not sure what changed that brought this about but I don't remember how I did it all and need to figure out how to get the intermediate and possibly the Start CA root in there to complete the chain.

Weird part is it works fine in any other browser. However, if I check my site using this tool: https://www.sslshopper.com/ssl-checker.html it complains that it is not trusted in all web browsers and that I need to install the intermediate cert.

Huh. I have a GoDaddy cert and that SSL checker site is telling me the same thing, (browsers have never complained). I grabbed the GoDaddy root and intermediate bundle, and used keytool to stick them in the keystore Jetty's using, but no luck so far. I'll play around with it tonight if no one has the answer by then. On my Ubuntu server I have this same certificate installed along with the GoDaddy certificate bundle and it checks out fine on that SSL checker site.

[Taddeusz]

Quote:

Originally Posted by KarylFStein

Huh. I have a GoDaddy cert and that SSL checker site is telling me the same thing, (browsers have never complained). I grabbed the GoDaddy root and intermediate bundle, and used keytool to stick them in the keystore Jetty's using, but no luck so far. I'll play around with it tonight if no one has the answer by then. On my Ubuntu server I have this same certificate installed along with the GoDaddy certificate bundle and it checks out fine on that SSL checker site.

Yeah, I tried that also. Not sure why that doesn't work for Jetty.

[KJake]

Oh, I forgot about keystores...and I haven't done this with Jetty, it was Tomcat - forgot. I know with Tomcat (and thus Jboss), you can point the config to a pfx/p12 file instead of dealing with keystores if you want.

[Taddeusz]

I had originally done the certificate request from my personal IIS server. I believe I have re-exported the key with the entire chain to a pfx file. It is double the size of the original pfx file. Now I think I just need the instructions on how to get this into the keystore to have it work with Jetty.

[KarylFStein]

Quote:

Originally Posted by Taddeusz

I had originally done the certificate request from my personal IIS server. I believe I have re-exported the key with the entire chain to a pfx file. It is double the size of the original pfx file. Now I think I just need the instructions on how to get this into the keystore to have it work with Jetty.

Ah, that did it. I did not export the entire chain before, (I also have this loaded on IIS then used the PFX file to create all the other certificate files). This time I exported the entire chain then created the keystore like so:

keytool.exe -importkeystore -srckeystore my_domain_com_full.pfx -srcstoretype pkcs12 -destkeystore my_domain_com.jks

The SSL checker now says everything's good.

[Taddeusz]

Quote:

Originally Posted by KarylFStein

Ah, that did it. I did not export the entire chain before, (I also have this loaded on IIS then used the PFX file to create all the other certificate files). This time I exported the entire chain then created the keystore like so:

keytool.exe -importkeystore -srckeystore my_domain_com_full.pfx -srcstoretype pkcs12 -destkeystore my_domain_com.jks

The SSL checker now says everything's good.

Cool, thank you. That fixed it for me. Didn't know how to convert the pfx keystore into a java keystore. Now working again from iOS.

[Taddeusz]

On a side note, my SHA-1 certificate will be expiring at the end of the year. Is this version of Jetty capable of using a SHA-256 certificate?

[KarylFStein]

Quote:

Originally Posted by Taddeusz

On a side note, my SHA-1 certificate will be expiring at the end of the year. Is this version of Jetty capable of using a SHA-256 certificate?

It's working fine with mine.

[Taddeusz]

Quote:

Originally Posted by KarylFStein

It's working fine with mine.

Thanks, just thought I should double check that. Still have a few months but it's better to not be caught off guard since StartCom is issuing only SHA-256 certs now.

[wayner]

I am not sure if anyone has taken this over but in case they have here is a feature request:

In the Currently Watching portion of the home page it would be great if you could see the current timestamp of the program being watched. That way when accessing the web browser you would know if the show was just started or if it is almost done. The SageTV widget for Win Vista/7 had this and I found it very useful.

[Fuzzy]

Quote:

Originally Posted by wayner

I am not sure if anyone has taken this over but in case they have here is a feature request:

In the Currently Watching portion of the home page it would be great if you could see the current timestamp of the program being watched. That way when accessing the web browser you would know if the show was just started or if it is almost done. The SageTV widget for Win Vista/7 had this and I found it very useful.

That would not be a part of the Jetty Plugin (which is what this thread is for), that would be the Web Interface plugin.

[wayner]

Whoops wrong thread

[clip]

The Jetty plugin is failing to install in my fresh Windows 10 build. Worked fine under Windows 7. I've tried uninstalled and reinstalled the plugin several times, but it just tells me failed. It looks like it's having trouble downloading some of its files. Is that what's going on? I have Java 1.6 and 1.8 installed currently. I disabled my firewall and that didn't help. Can anyone give me a nudge in the right direction?

[Skirge01]

Quote:

Originally Posted by Taddeusz

Are the instructions for enabling SSL in SageTV's Jetty posted anywhere else? Apparently assembla.com has a robots.txt file that now prevents web crawlers so the archived page is apparently no longer available.

Ditto! After installing SageTV v9, I'm trying to get things set up and now I need the Jetty installation instructions. It has been so long, I don't have a clue where to start. Are they posted anywhere or does someone have a copy?

UPDATE: I'm not sure if all of this was necessary and it probably won't help everyone, but I managed to get this working by copying over the following files from my old setup:

jetty-ssl.xml (if you don't use SSL, then the jetty.xml would be the one)
keystore
realm.properties

Then, I went into the Jetty setup (via SageTV) and changed any settings which were not correct. Once that was done, I was able to login to the BMT web UI.

[Taddeusz]

I finally figured this out on my own. I have been using an IIS server for key requests. But here are the general steps:

1. Create a Java keystore with the keytool utility.

2. Import key into keystore. For me I exported the key from IIS that I had requested from StartSSL to a pfx file, including the whole certification path. I used keytool to import the pfx into the keystore with no name:

Code:

keytool.exe -importkeystore -srckeystore sagetv.pfx -srcstoretype pkcs12 -destkeystore sagetv.keystore

3. Stop your SageTV service. Edit the Sage.properties file to match your keystore's location and password. Keystore location is in a weird format. You have to escape the colon and backslash with a backslash like, "C\:\\keystore\\sage.keystore":

Code:

jetty/jetty.ssl.keypassword=<keystore password>
jetty/jetty.ssl.keystore=<keystore location>
jetty/jetty.ssl.password=<keystore password>
jetty/jetty.ssl.trustpassword=<keystore password>
jetty/jetty.ssl.truststore=<keystore location>

4. Start your SageTV service. Go to the Jetty plugin settings and set Enable SSL to "true".

[tmiranda]

I'm trying to pass the user and password to jetty in my url (http://userassword@ipaddress/....) but it's not being recognized, or at least Jetty is returning a 401 error.

I've also tried disabling the password altogether by commenting out the userassword line in the realm.properties file but I'm still getting a 401 error.

Any ideas what may be causing this?

[wayner]

@tmiranda - Did that used to work? I think I have tried this in the past and could never get it to work which is annoying as there doesn't seem to be any way of saving the password on iOS devices.

[egeller]

@tmiranda
The username@password probably no longer works. That is a security hole that browsers have plugged over time.

I am doing this from memory, but I think there is an authentication parameter in the XML that is set to True. You need to change it to False to get it to quit requiring a password. I keep notes on it, at home, because, with every upgrade, it gets reset to True.