'SSL_Connect failed' after server upgrade

Post#1 by **kaaremai** » 18 Mar 2022, 10:20

Hi,

We upgraded to the latest Porteus kiosk version 5.3.0 last day and everything was working fine.

Yesterday we then upgraded or IIS server from Windows Server 2016 to Windows Server 2019 and made no other changes.

But after this we get the following error when booting porteus over the network:

Code: Select all

SSL_Connect failed
wget: error getting response: Connection reset by peer
hush: can't open '/tmp/config': No such file or directory
sed: /tmp/conf: No such file or directory
mv: can't rename '/tmp/conf': No such file or directory

The above is repeated three times and then we get this error in red below:

Code: Select all

Remote config is not accessible, was not parsed correctly (must be encoded with ANSI or UTF-8) or 'kiosk_config=' parameter is not present in it.
System configuration will not be updated - please report this issue to your network administrator.

Do you have any clue what could have changed? When i create the kiosk.iso file i can access the config file through the exact same url as it uses in the above.

EDIT: I can confirm that the config file downloaded is still coming back as UTF-8 also.

Post#2 by **kaaremai** » 18 Mar 2022, 10:53

I can also add, that i don't even get an entry in my webserver log anymore. But the url is working just fine, both if i just pull it up in my browser on my PC and also, as stated in my initial post, when i access it in the kiosk wizard.

Post#3 by **fanthom** » 18 Mar 2022, 11:01

Kare,

I guess that your updated Windows server must use a newer SSL certificate which is not supported by the 'ssl_helper' binary located in the initrdpxe.xz component.
SSL helper is used to establish encrypted connection and allows downloading the remote config over https protocol.

You have 3 options:
a) reconfigure the kiosk client and change remote config URL from 'https://' to 'http://' (it no longer will use the SSL protocol)
b) downgrade your Windows server
c) update 'ssl_helper' binary to support the new Windows server

Thanks

Post#4 by **kaaremai** » 18 Mar 2022, 11:55

Thanks for the quick response!

Unfortunately option 1 and 2 are not possible.

We really don't want to run any legacy HTTP services anymore due to the security concerns and i can't enable HSTS for our website as this will make the download of the kiosk config fail.

Is there any possibility that you'll update porteus to support Windows Server 2019 at some point? I'll try and see if i can figure out what TLS version and cipher that SSL_helper is trying to use and then hopefully i can enable it for windows server 2019 again.

Have a nice weekend!

Post#5 by **fanthom** » 18 Mar 2022, 13:08

"Is there any possibility that you'll update porteus to support Windows Server 2019 at some point?"
I must be able to recreate the problem first and then I could try to fix it.

Please get in touch with support@porteus-kioks.org and provide a SSH access to a kiosk which works in your network (it could be associated to my PK Server if port forwarding is a problem).

Thanks