SEPIA-Framework / sepia-docs

Documentation and Wiki for SEPIA. Please post your questions and bug-reports here in the issues section! Thank you :-)
https://sepia-framework.github.io/

SSL Issues #12

Closed vpsinghbaghel closed 4 years ago

vpsinghbaghel commented 4 years ago

SSL is not working after following the steps mentioned using letsencrypt. sepia-errors Getting the above error after restarting the service with restart-sepia.sh, after performing the mentioned DNS and SSL steps. Even with this error, the http page is opening but there is no https. Setting up on Ubuntu 16. Please help.

fquirin commented 4 years ago

Hi,

the error you are seeing is likely unrelated to SSL since the SSL termination is done either by the reverse proxy or Duck DNS. The SEPIA server should start as usual. Some questions to figure out what's going on:

vpsinghbaghel commented 4 years ago

Thank you very much for your kind response @fquirin

  1. I will send you new logs, as the previous ones I have messed up with lots of trials to fix.
  2. This is the only guide I am following for the duckdns name and SSL.
  3. I followed the guide below to set up basic sepia, and it's working fine, but to get most of the features I need to enable SSL. https://medium.com/sepia-framework/hosting-your-own-private-virtual-assistant-533b86553d63
  4. I am confused with the Sepia reverse proxy and the nginx reverse proxy. If I run the .sh script for the Sepia reverse proxy and then restart sepia, is that all for the sepia-reverse-proxy to be working? And what URL should I use after starting sepia-reverse-proxy? Because I am not getting the page after it. Then I tried setting up the nginx reverse proxy but still didn't succeed.
  5. No. I don't get this error before enabling SSL. I don't get the error after enabling the duckdns domain name either. I start getting this error after running ~/SEPIA/letsencrypt/run-certbot-duckdns.sh. After running certbot-duckdns.sh, when I restart services using restart-sepia.sh, I get the errors mentioned in the above screenshot and the page starts giving communication errors.

After that, if instead of using restart-sepia.sh I start the services one by one, going into the folders sepia-assist.. , sepia-websocket.... , sepia-teach.... and starting each of the three by running the individual run.sh from all these folders, the page comes up, but SSL doesn't work.

  6. Nothing changed after doing the SSL setup. What should the URL be after enabling sepia-reverse-proxy, and when enabling nginx-reverse-proxy? For the time we are testing, the firewall has been completely disabled.

I would be grateful for your support on this issue. Best Regards. VP Singh

fquirin commented 4 years ago

OK, let's see :-)

I will send you new logs, as the previous ones I have messed up with lots of trials to fix

This will be very helpful to figure out why the start script is not working.

After that, if instead of using restart-sepia.sh I start the services one by one, going into the folders sepia-assist.. , sepia-websocket.... , sepia-teach.... and starting each of the three by running the individual run.sh from all these folders, the page comes up.

This is very confusing, we'll need to check out later what's going on there. The run script basically does the same thing, it just adds a wait script to make sure the Assist-Server is up and running before you start the Teach-Server and Chat-Server. Let's focus on the proxy first.

What should be the URL after enabling sepia-reverse-proxy and when enabling nginx-reverse-proxy

If you use the SEPIA reverse proxy the URL is defined by the SEPIA/sepia-reverse-proxy/settings/proxy.properties file.
If you use Nginx the URL is defined by one of the SEPIA/nginx/sites-available/[...].conf files. Which one of the files is used depends on what you've selected during SEPIA/setup-nginx.sh. This setup file will set the correct DOMAIN (given during DuckDNS setup) and copy the Nginx config to /etc/nginx/sites-enabled/.
By default both proxies will use port 20726 and path /sepia/ so that your client should be available via (no SSL):

http://localhost:20726/sepia/assist/app/index.html
host name for server:
http://localhost:20726/sepia

or (SSL on port 20726):

https://[my-domain]:20726/sepia/assist/app/index.html
host name for server:
https://[my-domain]:20726/sepia

or (SSL on port 443):

https://[my-domain]/sepia/assist/app/index.html
host name for server:
https://[my-domain]/sepia

[EDIT]: Please note that the last HTTPS links only work if your network redirects all traffic from port 443 to [server-ip]:20726 for your domain. I probably have to write more about this ^^.

Since the Nginx setup might depend a bit on your system setup and specific Nginx installation, let's try to get the SEPIA proxy running first. The key points of the guide are:

After step one you should see your Letsencrypt certificate located at: SEPIA/letsencrypt/config/[your-domain-name]/....
After step two you should see this file: SEPIA/letsencrypt/sepia-proxy-keystore.jks.
If step two was successful you can start the proxy via:

SEPIA/sepia-reverse-proxy/run.sh

... and in theory you should be good :-)

vpsinghbaghel commented 4 years ago

Hi fquirin, Thank you very much for your guidance. Following your guidance I have set up SEPIA with SSL correctly with SEPIA-Proxy and it's working fine. Unfortunately I am getting another strange issue now.

  1. I am unable to open the app page correctly on any browser. It keeps connecting and doesn't load fully; the page content shows faded and blurred. Here is the screenshot. App-page-KeepConnecting Even the server itself stops responding to any request after some time, and then I have to reboot the server.

  2. I am able to access the tools page correctly on any browser, but unable to create a new user. I am using a VPS and working on it through SSH. Here is the error screenshot. Tools-page-UserManagementError How can I enable it to allow settings from outside the network? Thanks VP Singh

fquirin commented 4 years ago

Happy to hear that SSL is working now :-)

It keeps connecting and doesn't load full. page content showing faded and blurred.

Could you open the dev-tools of the browser (usually F12) and check the console for errors? If the client stops loading during start-up it probably means some files could not be loaded, maybe due to access restrictions (mixed content or something).

How can I enable it to allow settings from outside network.

In the assist-server properties file you should find the setting allow_global_dev_requests which is false by default.

vpsinghbaghel commented 4 years ago

Hi Fquirin, Thanks for your suggestions. Could you open the dev-tools of the browser (usually F12) and check the console for errors? If the client stops loading during start-up it probably means some files could not be loaded, maybe due to access restrictions (mixed content or something).

I have checked with the browser dev-tools (F12). The number of errors changes on every refresh of the page, from 30 to 60 errors. Sometimes the login box appears while the errors are still there. Sometimes it stops at connecting. These are the errors:

GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-alwaysOn.css net::ERR_ABORTED 503
index.html:307 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/jquery-3.1.1.min.js net::ERR_ABORTED 503
index.html:309 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sjcl.js net::ERR_ABORTED 503
index.html:310 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/recorder.js net::ERR_ABORTED 503
index.html:311 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/hammer.min.js net::ERR_ABORTED 503
index.html:312 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/hammer-time.min.js net::ERR_ABORTED 503
index.html:313 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/clexi-0.8.0.js net::ERR_ABORTED 503
index.html:314 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.js net::ERR_ABORTED 503
index.html:315 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.build.js net::ERR_ABORTED 503
index.html:316 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.animate.js net::ERR_ABORTED 503
index.html:317 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.notify.js net::ERR_ABORTED 503
index.html:318 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.carousel.js net::ERR_ABORTED 503
index.html:319 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.dragDrop.js net::ERR_ABORTED 503
index.html:320 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.events.js net::ERR_ABORTED 503
index.html:321 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.actions.js net::ERR_ABORTED 503
index.html:322 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.cards.js net::ERR_ABORTED 503
index.html:323 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.ui.customButtons.js net::ERR_ABORTED 503
index.html:324 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.account.js net::ERR_ABORTED 503
index.html:325 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.account.contacts.js net::ERR_ABORTED 503
index.html:326 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.assistant.js net::ERR_ABORTED 503
index.html:337 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.offline.js net::ERR_ABORTED 503
index.html:338 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.alwaysOn.js net::ERR_ABORTED 503
index.html:339 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.inputControls.js net::ERR_ABORTED 503
index.html:340 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.wakeTriggers.js net::ERR_ABORTED 503
index.html:341 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.wakeWordSettings.js net::ERR_ABORTED 503
index.html:342 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.embedded.nlu.js net::ERR_ABORTED 503
index.html:343 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.embedded.services.js net::ERR_ABORTED 503
index.html:344 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.android.js net::ERR_ABORTED 503
index.html:345 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.client.controls.js net::ERR_ABORTED 503
sepiaFW.app.js:571 SepiaFW - 2019.10.03_16:26:08 - LOG - Config: language=en
index.html:346 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/sepiaFW.clexi.js net::ERR_ABORTED 503
index.html:290 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-poppy.css net::ERR_ABORTED 503
index.html:291 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-os1.css net::ERR_ABORTED 503
index.html:292 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-myMessage.css net::ERR_ABORTED 503
index.html:293 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-uplink.css net::ERR_ABORTED 503
index.html:294 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-pizza.css net::ERR_ABORTED 503
index.html:295 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-grid.css net::ERR_ABORTED 503
index.html:296 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-canny.css net::ERR_ABORTED 503
index.html:297 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-minimal.css net::ERR_ABORTED 503
index.html:298 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-study.css net::ERR_ABORTED 503
index.html:299 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-professional.css net::ERR_ABORTED 503
index.html:300 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-odyssey1.css net::ERR_ABORTED 503
index.html:301 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-odyssey2.css net::ERR_ABORTED 503
index.html:302 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-malachite.css net::ERR_ABORTED 503
index.html:303 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-neon.css net::ERR_ABORTED 503
index.html:304 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-spot.css net::ERR_ABORTED 503
index.html:307 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/scripts/jquery-3.1.1.min.js net::ERR_ABORTED 503
index.html:305 GET https://vpsingh.duckdns.org:20726/sepia/assist/app/css/sepiaFW-skin-canary-dark.css net::ERR_ABORTED 503
sepiaFW.ui.js:193 Uncaught ReferenceError: $ is not defined at sepiaFW_build_ui (sepiaFW.ui.js:193) at Object.SepiaFW.buildSepiaFwPlugins (sepiaFW.app.js:14) at appSetup (index.html:447) at index.html:591

In the assist-server properties file you should find the setting allow_global_dev_requests which is false by default. I have changed the setting from false to true. Still getting the same error when trying to create a user.

Additionally I want to mention the firewall config and Java version. SSH, All-ICMP and 20726 are the only allowed ports configured.

image

fquirin commented 4 years ago

I have changed the setting from false to true. Still getting the same error when trying to create a user.

Maybe you've edited the wrong file? There are 3 .properties files that can be used to start the server in 3 different modes: live, test, custom. This setting is defined by the start arguments (--live, --test, --my or --custom). By default (defined in run script) the custom properties file will be loaded assist.custom.properties.

The number of errors changes on every refresh of the page, from 30 to 60 errors. Sometimes the login box appears while the errors are still there. Sometimes it stops at connecting.

The randomness of this is really confusing 😟 otherwise I would have said something is blocking the connection. You said the Control-HUB (admin tools) are working fine? Are you calling them from the same base URL? According to your logs it should be: https://vpsingh.duckdns.org:20726/sepia/assist/tools/index.html ?

Can you try to use the public client: https://sepia-framework.github.io/app/index.html and see if it can connect to your server. Hostname should be https://vpsingh.duckdns.org:20726/sepia according to your error-log. Something else you can try is to double-check if the localhost (non-SSL) URL is still working. This should be http://localhost:20721/app/index.html (obviously this can only be accessed from the same machine as the server).

Hope this helps to find the error, Florian

vpsinghbaghel commented 4 years ago

Thank you very much for your kind assistance.

1st issue regarding management from external network is solved by editing assist.custom.properties.

Regarding the 2nd issue of the app page not loading properly: I have tried using the public client https://sepia-framework.github.io/app/index.html while giving my server hostname https://vpsingh.duckdns.org:20726/sepia. It worked very smoothly.

It's working wonderfully using my client also. This time I did not start SEPIA-Reverse-Proxy. Instead I enabled the NGINX proxy with SSL and it's working awesome.

Could you please guide me with a further question. Can I use my own domain name instead of duckdns.org? If yes, how can I do that?

Thank you very much for your support and guidance.

Best Regards. VP Singh.

fquirin commented 4 years ago

Hi VP Singh,

happy to hear that it's working now. I'll do some tests with the SEPIA Proxy to see if I can find out what the issue is. At home I have a RPi4 running Raspbian Buster (Debian 10) with Java 11 and SEPIA Proxy without issues, but to be honest I haven't tested the proxy in many different configurations. Maybe I can reproduce the issue using Ubuntu 18.04 and a similar SSL configuration.

Can I use my own domain name instead of duckdns.org? If yes, how can I do that?

From the official DuckDNS FAQ:

Q: I want to use my own Domain name with DuckDNS, can I do this?
A: Yes you can. At your NAME provider set your purchased record as a CNAME to your duckdns.org record. [www.ilikeweasels.org CNAME weasels.duckdns.org]

If you do that you most likely have to run Let's Encrypt again to get a proper SSL certificate for the domain and replace the old one in your Nginx setup. All SEPIA settings should still work.

[EDIT]: Oh I just realized that the included Let's Encrypt script of SEPIA may not work properly in this case because it validates the domain by modifying the DuckDNS TXT domain record. I think you have to use a different method to get the SSL certificate. There are many tutorials out there, this one for example. Some important things to know:

vpsinghbaghel commented 4 years ago

Okay. Thank you for updating. So, if I modify the nginx conf file inside /etc/nginx/sites-enabled and put my own domain name in place of the duckdns domain name, and for ssh I configure certbot for nginx separately, it should be working with sepia? My own domain name and SSL?

I want to mention 2 more issues I am facing: I have done the sepia setup exactly the same way I mentioned above on 2 VPS. One is Ubuntu 16 and the other is Ubuntu 18. All your solutions I was testing on Ubuntu 18 and it's working absolutely fine now using the NGINX proxy. Also I have modified the SSL port from 20726 to 443 so I don't need to mention the port number in the URL. The only problem I am getting is that sometimes the server stops responding; I can't even connect via SSH. I have to reboot the server and start sepia again, then it works normally.

The other issue I am talking about is: On Ubuntu 16, after doing the same setup, the sepia services don't restart using the "restart-sepia.sh" script. All 3 services fail to start. I have to start them individually by going to the particular directory and running their respective run.sh script. After that it works normally. Whenever I have to restart services after making any change, I have to go to the individual directory and run shutdown.sh and run.sh respectively for all 3 services (sepia-assist, sepia-teach, sepia-websocket). I can see the script restart-sepia.sh is triggering shutdown-sepia.sh and run-sepia.sh, and these 2 scripts are doing the same thing which I am doing manually. But I don't understand why I have to do it manually on Ubuntu 16 while it works fine on Ubuntu 18.

Both of these machines are only running sepia. Nothing else is installed except basic system services.

fquirin commented 4 years ago

So, if I modify the nginx conf file inside /etc/nginx/sites-enabled and put my own domain name in place of the duckdns domain name, and for ssh I configure certbot for nginx separately, it should be working with sepia? My own domain name and SSL?

It should work, yes. SEPIA will update your IP address for DuckDNS, your domain will point at the DuckDNS domain (via CNAME entry) and Nginx will use the SSL certificate signed for your domain name. That said, I have to mention that I haven't tested this configuration myself, but I'm using a similar setup with Nginx on one of my servers. Please note that 'certbot' will most likely try a 'HTTP-01 challenge' to validate your domain and thus will require access to your web server (Nginx) via port 80 and 443 (80 might be optional).

The only problem I am getting is that sometimes the server stops responding; I can't even connect via SSH. I have to reboot the server and start sepia again, then it works normally.

Do you see any errors in one of the log files (log.out) of either the 'sepia-assist-server' or 'sepia-websocket-server-java' folders? What kind of machine is the server regarding CPU and RAM? My best guess is that there is a memory issue, although I haven't had any problems with this even on a Raspberry Pi3 with 1GB RAM. Something you can try is the on-reboot.sh script in the SEPIA home folder. It will set the virtual memory for Elasticsearch via sudo sysctl -w vm.max_map_count=262144 before starting the server. Here is a bit more info about it.

On Ubuntu 16, after doing the same setup, the sepia services don't restart using the "restart-sepia.sh" script. All 3 services fail to start. I have to start them individually by going to the particular directory and running their respective run.sh script.

Very strange indeed. The only thing I can think of is that the ~/SEPIA/elasticsearch/wait.sh script is not working properly for some reason or the sleep 10 after starting the Assist-server is too short. Usually the Assist-server needs around 3s (on a Raspberry Pi) to be responsive and deliver data to the teach- and chat-server about the cluster. Guessing this time with 'sleep 10' is not optimal but so far it never failed me :-(

Hope this helps.
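The failure mode discussed in this comment (a fixed `sleep 10` that may be too short for the Assist-Server on some machines) is the classic case for a bounded readiness poll instead of a guessed delay. The script below is an added example, not SEPIA's own restart-sepia.sh or run-sepia.sh. Its assumptions are labelled in the comments: that the Assist-Server answers plain HTTP at http://localhost:20721/app/index.html (the non-SSL URL given earlier in this thread), that `curl` is installed, that the Assist- and Chat-Server folders are named as in this comment, and that the Teach-Server folder name (truncated in this thread) is supplied by the user via SEPIA_TEACH_DIR.

```shell
#!/bin/sh
# Added example, not part of SEPIA: replace the fixed "sleep 10" between starting the
# Assist-Server and the Teach-/Chat-Server with a bounded readiness poll.
# Assumptions (not from the project): Assist-Server answers plain HTTP on
# localhost:20721, curl is installed, folders live under $SEPIA_HOME (default ~/SEPIA).

# wait_for_ready MAX_SECONDS INTERVAL CMD [ARGS...]
# Runs CMD every INTERVAL seconds until it exits 0 or MAX_SECONDS have elapsed.
# Returns 0 as soon as CMD succeeds, 1 on timeout. CMD's output is discarded.
wait_for_ready() {
    max_seconds=$1
    interval=$2
    shift 2
    elapsed=0
    while [ "$elapsed" -lt "$max_seconds" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Readiness probe. "-f" makes curl exit non-zero on HTTP errors such as 503, so only a
# successful fetch of the app page counts as "up". The URL is the non-SSL localhost URL
# mentioned in this thread, used here as an assumption, not a SEPIA health endpoint.
assist_is_up() {
    curl -fsS -o /dev/null --max-time 2 "http://localhost:20721/app/index.html"
}

# Same order as restart-sepia.sh describes: Assist-Server first, then the others,
# but only once the Assist-Server actually answers, with a 60 s upper bound.
start_sepia_servers() {
    sepia_home=${SEPIA_HOME:-$HOME/SEPIA}
    # Teach-Server folder name is truncated in this thread; require the user to set it.
    teach_dir=${SEPIA_TEACH_DIR:?set SEPIA_TEACH_DIR to the Teach-Server folder name}

    (cd "$sepia_home/sepia-assist-server" && ./run.sh) || return 1
    if ! wait_for_ready 60 2 assist_is_up; then
        echo "Assist-Server not ready after 60 s; not starting Teach-/Chat-Server" >&2
        return 1
    fi
    (cd "$sepia_home/$teach_dir" && ./run.sh) || return 1
    (cd "$sepia_home/sepia-websocket-server-java" && ./run.sh) || return 1
    echo "all three servers started"
}

# Only run the orchestration when explicitly asked (./start-with-wait.sh start), so the
# helper functions can be sourced or tested without touching a live server.
case "${1:-}" in
    start) start_sepia_servers ;;
esac
```

The point of `wait_for_ready` is that it never waits longer than needed on a fast machine and never starts the dependent servers on a slow one before the Assist-Server answers; a failed poll is reported instead of silently producing the half-started state described above.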

fquirin commented 4 years ago

One thing I'd like to mention. It sounds like you've allowed access to the server settings from outside your local network (allow_global_dev_requests) and you are using a publicly available domain. First of all, please make sure to use strong passwords for all your accounts, especially admin and assistant! And to better protect your server against brute-force attacks you should consider a rate limit via your Nginx settings as described here. Something reasonable could look like this in your Nginx conf:

limit_req_zone $binary_remote_addr zone=sepia:1m rate=5r/s;

server {
        limit_req zone=sepia;
        ...
}

It will allow 5 requests per second for each client's IP address, supporting around 16k addresses (1MB zone memory). I'll update SEPIA in the near future with more info about this.
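As an added example (not SEPIA's shipped Nginx config and not from the comment above), the same zone applied to the /sepia/ path that both proxies use in this thread, with a burst allowance so a normal page load (which fetches dozens of assets, as the error list earlier shows) is not throttled, a distinct status code for rejected requests, and rejections logged at warn level so repeated attempts are visible in error.log. The server_name, the burst value and the status code are choices made here; the proxy_pass targets are whatever SEPIA/setup-nginx.sh generated and are not repeated.

```nginx
# Added example. limit_req_zone belongs in the http {} context (e.g. nginx.conf or
# a conf.d/ file); 1m of shared memory tracks roughly 16k client addresses.
limit_req_zone $binary_remote_addr zone=sepia:1m rate=5r/s;

server {
    listen 443 ssl;
    server_name my-domain.duckdns.org;   # placeholder: your DuckDNS or CNAME domain

    # ssl_certificate / ssl_certificate_key as written by SEPIA/setup-nginx.sh (not shown)

    location /sepia/ {
        # 5 r/s sustained per client IP; up to 10 extra requests are accepted at once
        # (nodelay) so one page load with many assets still succeeds.
        limit_req zone=sepia burst=10 nodelay;

        # Answer throttled clients with 429 instead of the default 503, so a rate-limit
        # rejection is distinguishable in logs from a backend that returns 503 itself.
        limit_req_status 429;

        # Log every rejection at warn level; a stream of these from one address in
        # error.log is the signal to look at for password guessing.
        limit_req_log_level warn;

        # proxy_pass and header directives as generated by setup-nginx.sh
        ...
    }
}
```

Validate with `nginx -t` before reloading; a `limit_req_zone` placed inside `server {}` instead of `http {}` is the usual reason the test fails.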