Enabling Encryption for Client access on setup with HTTPS enabled

Jimbolian8 years ago

Server has HTTPS enabled via the proxy method, we then tried adding an Android client with encryption enabled which gave the following errors:

2017-04-21 10:47:58 DEBUG: [D4BB7466: 5055 < 149.254.234.121] HEX: 16030100930100008f030279b24f7dcffa19f20f43330b86b1bff78590185941d3256000100004c0000001f001d00001a747261636b2e6461746163656e7472656d6f6e6b65792e636f6d00170000002300000010000b000908687474702f312e31000b00
2017-04-21 10:47:58  WARN: [D4BB7466] error - invalid version format: ￀ - IllegalArgumentException (...)
2017-04-21 10:47:58  INFO: [D4BB7466] disconnected
2017-04-21 10:47:58  WARN: [D4BB7466] error - invalid version format: ￀ - IllegalArgumentException (... < MainEventHandler:115 < *:104
2017-04-21 10:47:59  INFO: [4243FB69] connected

So we disabled encryption on the client and it was able to connect correctly via 5055:

2017-04-21 10:49:41 DEBUG: [20388A5C: 5055 > 149.254.234.121] HEX: 485454502f312e3120323030204f4b0d0a436f6e74656e742d4c656e6774683a203
2017-04-21 10:49:42  INFO: [20388A5C] id: 779739, time: 2017-04-21 10:01:53, lat: 51.52605, lon: -0.08141, speed: 0.0, course: 0.0

We then made the following addition to "/etc/apache2/sites-available/traccar.conf"

ProxyPass / http://localhost:5055/
ProxyPassReverse / http://localhost:5055/

And restarted Apache, re-enabled encryption on the client and everything looks good. But checking the logs we now get:

2017-04-21 12:24:33 DEBUG: [902F806A: 5055 < 149.254.234.121] HEX: 16030100930100008f030133da75eefdcaf9afc5d0bf6df7304b2040cfb4acd3949469fb918cf19aabad9700001ac009c00ac013c01400330039c007c011002f0035000500ff56000100004c0000001f001d00001a747261636b2e6461746163656e7472656d6f6e6b65792e636f6d00170000002300000010000b000908687474702f312e31000b00020100000a00080006001700180019
2017-04-21 12:24:33  WARN: [902F806A] error - invalid version format: ￀ - IllegalArgumentException (...)
2017-04-21 12:24:33  INFO: [902F806A] disconnected
2017-04-21 12:24:33  WARN: [902F806A] error - invalid version format: ￀ - IllegalArgumentException (... < MainEventHandler:115 < *:104 < ... < ExtendedObjectDecoder:52 < ... < GeocoderHandler:49 < ...)

And after a few minutes the client goes into an "unknown" state. So what is the correct method for allowing clients to connect with encryption given the site is setup with HTTPS?

Thanks!

Jimbolian8 years ago

Sorry, that should be:

ProxyPass /socket http://localhost:5055/
ProxyPassReverse /socket http://localhost:5055/
Anton Tananaev8 years ago

Your proxy config doesn't make any sense. First of all, Traccar Client port and web console port are two completely different things, so I don't understand proxying "/socket" to port 5055. It seems like you don't fully understand what you are doing. Secondly, it seems like you are keep using port 5055 directly on the phone, so your data doesn't even go through proxy.

Jimbolian8 years ago

Great, so what is the answer to my question then?

"How do you enable secure client access"

Anton Tananaev8 years ago

The answer is that you need to enable HTTPS proxy for port 5055.

Jimbolian8 years ago

Ok, but my question was how is that done? Have trawled through the forum without much joy.

Anton Tananaev8 years ago

I guess it would be something similar to what you already did:

ProxyPass / http://localhost:5055/
ProxyPassReverse / http://localhost:5055/

But then you have to configure devices to your your Apache port instead of sending data directly to Traccar.

Wes_RAILS7 years ago

So after hours of banging my head against the wall I figured this little tidbit out. You need to add an additional SSL Port to your /etc/apache2/ports.conf

Here is what I have in the ports.conf

Listen 80

<IfModule ssl_module>
        Listen 443
        Listen 4435
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

Also here is my traccar.conf file as well.

<IfModule mod_ssl.c>
        <VirtualHost *:443>

                ServerName traccar.servername.com
                ServerAdmin it@email.com

                DocumentRoot /var/www/html

                ProxyPass /api/socket ws://localhost:8082/api/socket
                ProxyPassReverse /api/socket ws://localhost:8082/api/socket

                ProxyPass / http://localhost:8082/
                ProxyPassReverse / http://localhost:8082/

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/cert.crt
                SSLCertificateKeyFile /etc/ssl/private/server.key
                SSLCertificateChainFile /etc/ssl/certs/CA.crt

        </VirtualHost>
        <VirtualHost *:4435>

                ServerName traccar.servername.com
                ServerAdmin it@email.com
                DocumentRoot /var/www/html

                ProxyPass / http://localhost:5055/
                ProxyPassReverse / http://localhost:5055/

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/cert.crt
                SSLCertificateKeyFile /etc/ssl/private/server.key
                SSLCertificateChainFile /etc/ssl/certs/CA.crt

        </VirtualHost>
</IfModule>

Hope this helps anyone trying to secure the client as well as the web portal.

Noa7 years ago

I´m trying to set up HTTPS. Unfortunately after followinig the traccar secure connection tutorial (https://www.traccar.org/secure-connection) I can no longer reach traccar. Neither through public or private IP.
I´m new to both linux and traccar, so my skills are very limited. To be honest I have little knowledge what the commands/logs mean Any help is much appreciated!

Jul 06, 2017 12:26:35 AM org.rzo.yajsw.os.posix.PosixService getPid
INFO: wrapper pid file: /run/wrapper.traccar.pid
Jul 06, 2017 12:26:43 AM org.rzo.yajsw.os.posix.PosixService start
INFO: Starting traccar ...
YAJSW: yajsw-stable-12.08
OS   : Linux/4.9.35-v7+/arm
JVM  : Oracle Corporation/1.8.0_65//usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/32
************* STARTING traccar ***********************

Service traccar started

Jul 06, 2017 12:26:43 AM org.rzo.yajsw.os.posix.PosixService getPid
INFO: wrapper pid file: /run/wrapper.traccar.pid
Jul 06, 2017 12:26:44 AM org.rzo.yajsw.os.posix.PosixService getPid
INFO: wrapper pid file: /run/wrapper.traccar.pid
Jul 06, 2017 12:26:44 AM org.rzo.yajsw.os.posix.PosixService getPid
INFO: wrapper pid file: /run/wrapper.traccar.pid
Service traccar started
pi@Nespresso:/opt/traccar/logs $ tail -f tracker-server.log
2017-07-05 23:32:52  INFO: [5B8DE14B] disconnected
2017-07-05 23:32:52  INFO: [B9A26128] disconnected
2017-07-05 23:32:52  INFO: [ACFC953E] disconnected
2017-07-05 23:32:52  INFO: [1209D83D] disconnected
2017-07-05 23:32:52  INFO: [EEBA14F2] disconnected
2017-07-05 23:32:52  INFO: [5A476184] disconnected
2017-07-05 23:32:52  INFO: [D7670681] disconnected
2017-07-05 23:32:52  INFO: [11AE4A0C] disconnected
2017-07-05 23:32:52  INFO: [41F72239] disconnected
2017-07-05 23:32:52  INFO: [7D8C963E] disconnected
^Z
[5]+  Stopped                 tail -f tracker-server.log
pi@Nespresso:/opt/traccar/logs $ sudo nmap 192.168.0.148

Starting Nmap 6.47 ( http://nmap.org ) at 2017-07-06 00:27 CEST
Nmap scan report for 192.168.0.148
Host is up (0.000047s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds

/etc/apache2 ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
        Listen 4435
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

/etc/apache2/sites-available: traccar.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName 185.XXX.XXX.XXX
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ProxyPass /api/socket ws://localhost:8082/api/socket
                ProxyPassReverse /api/socket ws://localhost:8082/api/socket

                ProxyPass / http://localhost:8082/
                ProxyPassReverse / http://localhost:8082/

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        </VirtualHost>
</IfModule>

/opt/traccar/conf traccar.xml

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>

<properties>

    <!--

    This is the main configuration file. All your configuration parameters should be placed in this file.

    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
    remove "config.default" parameter from this file unless you know what you are doing.

    For list of available parameters see following page: https://www.traccar.org/configuration-file/

    -->

    <entry key="config.default">./conf/default.xml</entry>

    <entry key='database.driver'>org.h2.Driver</entry>
    <entry key='database.url'>jdbc:h2:./data/database</entry>
    <entry key='database.user'>sa</entry>
    <entry key='database.password'></entry>
<IfModule mod_ssl.c>

        <VirtualHost *:443>

                ServerName 185.XXX.XXX.XXX
                ServerAdmin XXXw@gmail.com

                DocumentRoot /var/www/html

                ProxyPass /api/socket ws://localhost:8082/api/socket
                ProxyPassReverse /api/socket ws://localhost:8082/api/socket

                ProxyPass / http://localhost:8082/
                ProxyPassReverse / http://localhost:8082/

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/cert.crt
                SSLCertificateKeyFile /etc/ssl/private/server.key
                SSLCertificateChainFile /etc/ssl/certs/CA.crt

        </VirtualHost>
        <VirtualHost *:4435>

                ServerName 185.XXX.XXX.XXX
                ServerAdmin XXXw@gmail.com
                DocumentRoot /var/www/html

                ProxyPass / http://localhost:5055/
                ProxyPassReverse / http://localhost:5055/

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/cert.crt

Any help regarding this matter is much appreciated
Kind regards

Anton Tananaev7 years ago

Why are you putting Apache configuration into Traccar? Settings up SSL proxy has actually nothing to do with Traccar. Don't change any Traccar configuration!!! You just have to configure Apache. There is plenty of information on internet on how to do it.

Noa7 years ago

Ok, new clean image and installed both traccar and Apache from scratch. Both tutorials according to the traccar site Still no luck. However I´m now reaching the Apache2 Debian Default Page "It works" when entering the address and port for my traccar server.
The apache conf into traccar.xml was a mistake and has been rectified. For more experienced guys my problem is probably easily fixed, but for me I´m stuck. I´m not posting questions here frivolously, I have searched internet seriously. I just don´t understand what to change to make it work. We all have been there haven´t we?

These are my exact conf files in Apache, any help deciphering and suggestions regarding changes is much appreciated! More files cvan be provided if needed.

etc/apache2/sites-enabled/traccar.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>

                ServerName localhost
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ProxyPass /api/socket ws://localhost:8082/api/socket
                ProxyPassReverse /api/socket ws://localhost:8082/api/socket

                ProxyPass / http://localhost:8082/
                ProxyPassReverse / http://localhost:8082/

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        </VirtualHost>
</IfModule>

etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

etc/apache2/apache2.conf

...

Any help is much appreciated!

Noa7 years ago

Maybe also this can help deciphering whats wrong..

/var/log/apache2/error.log

[Thu Jul 06 22:52:08.642920 2017] [mpm_event:notice] [pid 6272:tid 1996349440] AH00489: Apache/2.4.10 (Raspbian) configured -- resuming normal operations
[Thu Jul 06 22:52:08.643279 2017] [core:notice] [pid 6272:tid 1996349440] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jul 06 22:53:15.985676 2017] [mpm_event:notice] [pid 6272:tid 1996349440] AH00491: caught SIGTERM, shutting down
[Thu Jul 06 22:53:17.377208 2017] [mpm_event:notice] [pid 6516:tid 1995689984] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Thu Jul 06 22:53:17.377580 2017] [core:notice] [pid 6516:tid 1995689984] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jul 06 22:55:24.097572 2017] [mpm_event:notice] [pid 6516:tid 1995689984] AH00491: caught SIGTERM, shutting down
[Thu Jul 06 22:55:25.441041 2017] [ssl:warn] [pid 6657:tid 1996279808] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jul 06 22:55:25.484033 2017] [ssl:warn] [pid 6658:tid 1996279808] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jul 06 22:55:25.486923 2017] [mpm_event:notice] [pid 6658:tid 1996279808] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Thu Jul 06 22:55:25.487047 2017] [core:notice] [pid 6658:tid 1996279808] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jul 07 00:09:36.402046 2017] [mpm_event:notice] [pid 6658:tid 1996279808] AH00491: caught SIGTERM, shutting down
[Fri Jul 07 00:09:37.720095 2017] [ssl:warn] [pid 8260:tid 1996234752] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:09:37.764264 2017] [ssl:warn] [pid 8261:tid 1996234752] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:09:37.767120 2017] [mpm_event:notice] [pid 8261:tid 1996234752] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Jul 07 00:09:37.767245 2017] [core:notice] [pid 8261:tid 1996234752] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jul 07 00:33:36.335069 2017] [mpm_event:notice] [pid 8261:tid 1996234752] AH00491: caught SIGTERM, shutting down
[Fri Jul 07 00:33:37.660026 2017] [ssl:warn] [pid 8431:tid 1996374016] AH01909: traccar.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:33:37.703486 2017] [ssl:warn] [pid 8432:tid 1996374016] AH01909: traccar.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:33:37.706696 2017] [mpm_event:notice] [pid 8432:tid 1996374016] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Jul 07 00:33:37.706832 2017] [core:notice] [pid 8432:tid 1996374016] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jul 07 00:35:20.130578 2017] [mpm_event:notice] [pid 8432:tid 1996374016] AH00491: caught SIGTERM, shutting down
[Fri Jul 07 00:35:21.454170 2017] [ssl:warn] [pid 8553:tid 1995841536] AH01909: traccar:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:35:21.497669 2017] [ssl:warn] [pid 8554:tid 1995841536] AH01909: traccar:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:35:21.500521 2017] [mpm_event:notice] [pid 8554:tid 1995841536] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Jul 07 00:35:21.500642 2017] [core:notice] [pid 8554:tid 1995841536] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jul 07 00:37:09.919858 2017] [mpm_event:notice] [pid 8554:tid 1995841536] AH00491: caught SIGTERM, shutting down
[Fri Jul 07 00:37:11.230046 2017] [ssl:warn] [pid 8676:tid 1995677696] AH01909: 185.147.237.177:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:37:11.273160 2017] [ssl:warn] [pid 8677:tid 1995677696] AH01909: 185.147.237.177:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:37:11.276048 2017] [mpm_event:notice] [pid 8677:tid 1995677696] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Jul 07 00:37:11.276167 2017] [core:notice] [pid 8677:tid 1995677696] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jul 07 00:39:23.547338 2017] [mpm_event:notice] [pid 8677:tid 1995677696] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Fri Jul 07 00:39:23.599444 2017] [ssl:warn] [pid 8677:tid 1995677696] AH01909: 185.147.237.177:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:39:23.600006 2017] [mpm_event:notice] [pid 8677:tid 1995677696] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Jul 07 00:39:23.600045 2017] [core:notice] [pid 8677:tid 1995677696] AH00094: Command line: '/usr/sbin/apache2'
[Fri Jul 07 00:41:34.529014 2017] [mpm_event:notice] [pid 8677:tid 1995677696] AH00493: SIGUSR1 received.  Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Fri Jul 07 00:41:34.574682 2017] [ssl:warn] [pid 8677:tid 1995677696] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jul 07 00:41:34.575334 2017] [mpm_event:notice] [pid 8677:tid 1995677696] AH00489: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Jul 07 00:41:34.575387 2017] [core:notice] [pid 8677:tid 1995677696] AH00094: Command line: '/usr/sbin/apache2'

Again, any help is much appreciated!

Anton Tananaev7 years ago

It seems like you have an issue with your certificate. Anyway, I would recommend to ask on Apache forums. Your issue is NOT with Traccar.

ortigonover6 years ago

Dear Anton.
What am I doing wrong?

I have been following your tutorial: https://www.traccar.org/secure-connection/
I have the certificates and everything ok, but when I open the URL mydomain.com I see the "Debian Apache2 Debian Default Page" instead the automatically redirect to mydomain.com:8082 with https.

Thanks

infantryman4 years ago

ortigonover,

I know this is an old post but the issue is with Apache conf file example in the Traccar Https Tutorial. In the Apache conf file, delete "DocumentRoot /var/www/html", save the file then sudo service apache2 restart. That specific line directs inbound request to that directory instead of proxying it to the Traccar server. And as you don't have any index.html or whatever php file, then it defaults to the web server.

The issue is not related to the Traccar server itself........it is instead related to the Traccar staff who wrote that guide.

Hope this help others as the Traccar https tutorial has not been updated......in the last 2 years.