I am trying to run Orthanc off the Linux Server (18.04 LTS) machine and haven't had much success in enabling HTTPS encryption. I followed the instructions on the page - http://book.orthanc-server.com/faq/https.html - to a T. When I looked at /var/log/orthanc/Orthanc.log after the server restart, I see this line in there:
W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA certificates from this file: /etc/orthanc/
It looks a bit worrisome to me as my SslCertificate property in the configuration file is set to “/etc/orthanc/certificate.pem”, so shouldn’t it be read as:
W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA certificates from this file: **/etc/orthanc/certificate.pem**
?
Also, should certificate.pem also include certificates for the intermediate servers?
After researching this a bit more, when SslEnabled and SslCertificate are defined in the configuration file, the server fails to start and throws a Segmentation Fault error. Upon examining the /var/log/syslog file, I see the following related message:
Jun 26 12:06:36 superpacs-prod-1 kernel: [438878.581955] Orthanc[15770]: segfault at ffffffffc61c97a0 ip 00007fa5c494c646 sp 00007ffd1593bac8 error 5 in libc-2.27.so[7fa5c489b000+1e7000]
> W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA
> certificates from this file: /etc/orthanc/
> It looks a bit worrisome to me as my SslCertificate property in the
> configuration file is set to "/etc/orthanc/certificate.pem", so
> shouldn't it be read as:
> W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA
> certificates from this file: /etc/orthanc/certificate.pem
This log output line relates to the HTTP client, not the server. This
implies the path in question is used to search for many certificates
for CAs (certificate authorities) for Orthanc to use in order to verify
peers (other TLS-enabled servers it connects to). This is controlled
with the HttpsCACertificates setting, not SslCertificate.
> Also, should certificate.pem also include certificates for the
> intermediate servers?
Technically (and depending on the freedom offered by client tooling)
it's not strictly necessary. In general however, I'd say yes. You want
to keep the trusted roots small to avoid churn since most clients
typically don't update it often enough. If you have control over both
the clients and the server, I'd say it doesn't really matter (but then
you might as well just use a self-signed cert and check the
fingerprints).
A kernel will typically dump the core of processes that fault like
that[1]. If you give the list a reference to the exact build you're
using along with that core dump then someone can use debug symbols to
extract a meaningful stack trace from it (and of course you can try to
do that yourself).
At the same time, you might consider sharing the certificate here (make
absolutely sure the file doesn't embed the private key), maybe someone
will spot something odd. If it's truly because of the certificate then
I'd say it's a bug (possibly in one of the dependencies of Orthanc). In
that case, you'll want to file an issue in the tracker[2].