UCL-INGI / INGInious

INGInious is a secure and automated exercises assessment platform using your own tests, also providing a pluggable interface with your existing LMS.
http://www.inginious.org

Configuring SSL for inginious-lti to integrate with edX #116

Closed ohss closed 8 years ago

ohss commented 8 years ago

Hi,

I have been trying to test inginious with edX. I have an AWS instance with inginious configured and I'm running the frontends (both webapp and lti) with the built-in python servers. Everything is working almost correctly. I can embed the exercises on edX, submit the exercises and get results, but the results aren't saved to edX, i.e. I can't see the results on the edX progress page. From what I understand, I guess it's because I'm not using https on the inginious instance. That brings me to my question(s):

1) Is it possible to configure SSL for the lti (preferably with letsencrypt) with the built-in Python server?

2) I tried to set up lighttpd with the hope that I would have more luck configuring SSL with lighttpd. I followed the documentation and should have everything correct, but I get the following error in /var/log/lighttpd/error.log when running sudo service lighttpd start:

(log.c.194) server started 
(mod_fastcgi.c.1102) the fastcgi-backend /var/www/INGInious/start-lti.sh failed to start:
(mod_fastcgi.c.1106) child exited with status 13 /var/www/INGInious/start-lti.sh
(mod_fastcgi.c.1109) If you're trying to run your app as a FastCGI backend, make sure you're using the FastCGI-enabled version.
If this is PHP on Gentoo, add 'fastcgi' to the USE flags.
(mod_fastcgi.c.1395) [ERROR]: spawning fcgi failed.
(server.c.1030) Configuration of plugins failed. Going down. 

I guess it shouldn't be about permissions. When I run sudo -u lighttpd ./start-lti.sh the script runs correctly.

Sorry for asking support here on issues. I've been looking into this for a few days now without any luck. Thanks a lot in advance :)

-otso

GuillaumeDerval commented 8 years ago

Hi!

For (1), I think nobody ever tried to run SSL with the internal web.py server, which is intended for development only. It is probably not a very good thing to do.

Concerning (2), I have a work-in-progress documentation for the installation with lighttpd on this gist: https://gist.github.com/GuillaumeDerval/f5a92211ec0c1c3261e630cbf18b61a1 It notably uses Let's Encrypt as default. Can you try with these instructions?

ohss commented 8 years ago

Thanks a lot!

I got it to work following your gist. There were a few things I had to change:

I created the combinedcert.pem file with:

 sudo su (login as root)
 cd /etc/letsencrypt/live/yourdomain
 cat privkey.pem cert.pem > combinedcert.pem

And I got the following error when running lighttpd:

Traceback (most recent call last):
  File "/bin/inginious-webapp", line 38, in <module>
    inginious.frontend.webapp.app.start_app(load_json_or_yaml(config), hostname=args.host, port=args.port, sshhost=args.sshhost, sshport=args.sshport)
  File "/usr/lib/python2.7/site-packages/inginious/frontend/webapp/app.py", line 256, in start_app
    return runfcgi(func, None)
  File "/usr/lib/python2.7/site-packages/inginious/frontend/webapp/app.py", line 233, in runfcgi
    import flup.server.fcgi as flups
ImportError: No module named flup.server.fcgi

I solved that with pip install flup

Just in case someone else runs into the same problems I did.

Thanks a lot!

GuillaumeDerval commented 8 years ago

Thanks for the feedback :-)

ohss commented 8 years ago

I still have the problem that the grades inginious returns aren't stored in edX. I'll look into this tomorrow, it might be about my letsencrypt configuration. I get the following error message:

Jul  6 14:57:54 localhost lighttpd: 2016-07-06 14:57:54,668 - inginious.lti.outcome_manager - ERROR - An exception occured while sending a grade to the TC.[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
Jul  6 14:57:54 localhost lighttpd: Traceback (most recent call last):
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/inginious/frontend/lti/lis_outcome_manager.py", line 58, in run
Jul  6 14:57:54 localhost lighttpd: if pylti.common.post_message(self._lti_consumers, consumer_key, service_url, xml):
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/pylti/common.py", line 227, in post_message
Jul  6 14:57:54 localhost lighttpd: content_type,
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/pylti/common.py", line 194, in _post_patched_request
Jul  6 14:57:54 localhost lighttpd: headers={'Content-Type': content_type})
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/oauth2/__init__.py", line 687, in request
Jul  6 14:57:54 localhost lighttpd: connection_type=connection_type)
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1609, in request
Jul  6 14:57:54 localhost lighttpd: (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1351, in _request
Jul  6 14:57:54 localhost lighttpd: (response, content) = self._conn_request(conn, request_uri, method, body, headers)
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1272, in _conn_request
Jul  6 14:57:54 localhost lighttpd: conn.connect()
Jul  6 14:57:54 localhost lighttpd: File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1059, in connect
Jul  6 14:57:54 localhost lighttpd: raise SSLHandshakeError(e)
Jul  6 14:57:54 localhost lighttpd: SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

If you have some hints in mind let me know.

Thanks!

GuillaumeDerval commented 8 years ago

SSL: CERTIFICATE_VERIFY_FAILED

Is your Linux up-to-date? Notably the ca_cert package? That is very strange...

ohss commented 8 years ago

Solved. The issue was caused by an incomplete SSL certificate on the edX instance. Thanks a lot for the help! :)
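
The failure that closed this thread, a server presenting an incomplete certificate chain so that the client's grade POST ends in CERTIFICATE_VERIFY_FAILED, can be reproduced offline. The following is an added example, not part of the original thread or of INGInious: it builds a throwaway root, intermediate and leaf with openssl and checks what a client can verify from a leaf-only bundle versus a leaf-plus-intermediate bundle. All certificate names, file names and function names in it are constructed.

```sh
#!/bin/sh
# Added example. All names (Demo Root, Demo Intermediate, lms.example.test)
# are constructed for this demo; nothing here comes from the issue thread.

# new_csr DIR NAME CN: write DIR/NAME.key and DIR/NAME.csr
new_csr() {
  openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign DIR NAME EXTFILE SIGNER_ARGS...: turn DIR/NAME.csr into DIR/NAME.pem
sign() {
  dir=$1; name=$2; ext=$3; shift 3
  openssl x509 -req -in "$dir/$name.csr" -extfile "$dir/$ext" -days 2 \
    -out "$dir/$name.pem" "$@" 2>/dev/null
}

# make_demo_pki DIR: throwaway root -> intermediate -> leaf, plus two
# candidate server bundles: leaf only, and leaf followed by the intermediate.
make_demo_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  new_csr "$d" root "Demo Root" &&
  sign "$d" root ca.ext -signkey "$d/root.key" &&
  new_csr "$d" inter "Demo Intermediate" &&
  sign "$d" inter ca.ext -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial &&
  new_csr "$d" leaf "lms.example.test" &&
  sign "$d" leaf leaf.ext -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial &&
  cp "$d/leaf.pem" "$d/served-leaf-only.pem" &&
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/served-fullchain.pem"
}

# served_chain_ok ROOT SERVED: verify the first certificate in SERVED against
# ROOT, using any further certificates in SERVED as untrusted intermediates,
# which is the information a verifying client gets from the server's handshake.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for bundle in served-leaf-only.pem served-fullchain.pem; do
  if served_chain_ok "$demo_dir/root.pem" "$demo_dir/$bundle"; then
    echo "$bundle: verifies"
  else
    echo "$bundle: certificate verify failed (issuer not found)"
  fi
done
rm -rf "$demo_dir"
```

Against a live host, the same check applies to the certificates the server actually sends, which `openssl s_client -connect host:443 -showcerts` prints (`host` is a placeholder).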