bigbluebutton / greenlight

A really simple end-user interface for your BigBlueButton server.
GNU Lesser General Public License v3.0

Add ability for users to add self-signed certs on pulled dockers #1455

Closed digitalsleuth closed 2 years ago

digitalsleuth commented 4 years ago

When following the documentation found here: http://docs.bigbluebutton.org/greenlight/gl-install.html there is no direction provided on how a self-signed cert can be added to the docker container. As such, the last part of step 3 - Verifying configuration will fail with an SSL error message.

In order to do this, one will have to build from the Dockerfile found in this repo, then manually add commands to the Dockerfile to copy over the certs and update-ca-certificates.

I would like to ask for an option/pass-through/variable or other means to be added during configuration to allow for the addition of these certs without having to build a manual docker.

And to clarify, this is not for OAuth, or for creating a cert. I already possess the certs for my internal domain, I just wish to add them to the pulled dockers so I can use https.

Cheers.

MathieuPre commented 4 years ago

I have lots of difficulties installing my own certificate for Greenlight. BBB is working fine with .

klepptor commented 4 years ago

Uh, same here: https://github.com/bigbluebutton/greenlight/issues/1642

klepptor commented 4 years ago

I think you can skip the verification of the ssl certificate of the BBB Server in lib/bbb_api.rb

# Make the request.
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = (uri.scheme == 'https')
# don't verify, so it works with own CA or self signed cert
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
response = http.get(uri.request_uri)

But of course this shouldn't be done by just adding the line.

Is it possible to add an environment variable to enable/disable this?

klepptor commented 4 years ago

ok, that's not enough, I still get

Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)

after I changed the lines and built a new docker file...
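The two things klepptor is juggling here, the `VERIFY_NONE` bypass and the "unable to get local issuer certificate" failure, are two sides of one mechanism: Ruby's OpenSSL only accepts the BBB server certificate if the CA that issued it is in the trust store it is given. The following is an added example, not Greenlight's code. It generates a constructed private root CA and a server cert for a made-up host in memory (a stand-in for the RootCA.crt / bbb.crt files mentioned later in the thread), shows the exact error string from the thread appearing when the root is absent from the store and disappearing when it is present, and then builds the `Net::HTTP` object the way an environment-variable toggle should do it: `VERIFY_PEER` stays on and the variable (here the hypothetical name `BBB_CA_FILE`, which is not a Greenlight setting) only points at the extra CA file.

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# Added example, not Greenlight code. Builds a constructed CA and leaf cert in
# memory so the verification failure from the thread can be reproduced offline.

# Create an X.509 certificate. With no issuer it is self-signed (a root CA).
def make_cert(subject:, ca:, issuer_cert: nil, issuer_key: nil, serial: 1)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                           # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify a leaf certificate against a trust store holding only the given CAs.
# This is what the CA bundle (/etc/ssl/certs/ca-certificates.crt) does for
# Net::HTTP: if the issuer is not in it, OpenSSL reports
# "unable to get local issuer certificate".
# Returns [verified?, openssl error string ("ok" on success)].
def verify_chain(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok = ctx.verify
  [ok, ctx.error_string]
end

# The environment-variable toggle done safely: never switch to VERIFY_NONE,
# instead let the operator point Ruby at the private CA file.
# BBB_CA_FILE is a hypothetical variable name, not a Greenlight setting.
def build_http(uri, ca_file: ENV['BBB_CA_FILE'])
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file && !ca_file.empty?
  http
end

# Reproduce both outcomes with the constructed CA and server certificate.
def demo
  root, root_key = make_cert(subject: '/CN=Internal Root CA', ca: true)
  leaf, _key = make_cert(subject: '/CN=bbb.example.internal', ca: false,
                         issuer_cert: root, issuer_key: root_key, serial: 2)
  {
    without_root: verify_chain(leaf, []),     # => [false, "unable to get local issuer certificate"]
    with_root: verify_chain(leaf, [root])     # => [true, "ok"]
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, (ok, msg)| puts "#{name}: #{ok ? 'verified' : 'FAILED'} (#{msg})" }
end
```

Inside the container, `update-ca-certificates` simply appends the .crt files from /usr/local/share/ca-certificates to the bundle that `Net::HTTP` reads by default; `ca_file` is the per-process equivalent when you would rather not touch the system store.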

digitalsleuth commented 4 years ago

@klepptor What you're suggesting is actually separate from the request for this issue. I'm asking for a method/mapping for the docker pulled from the docker hub to allow for easy mapping of custom certs. At first, I had to create a new Dockerfile from the existing one which added the following:

COPY ./myCA.pem /usr/local/share/ca-certificates/myCA.pem
COPY ./myCA.crt /usr/local/share/ca-certificates/myCA.crt

Then I just added a volume to the docker-compose.yml file to map one directory in the greenlight folder containing the certs to the proper location, and had to create volumes for the config directories so I don't lose my configs on restart.

To get my greenlight working, I didn't need (and you shouldn't need) the SSL bypass/verify.

klepptor commented 4 years ago

Sorry, I opened a similar issue and for my use case it's ok to have the ability to easily use own certs (which is the much better way!) or to simply bypass the cert verification to get rid of the failure message.

klepptor commented 3 years ago

@digitalsleuth Hi again! Do you have any news on this? I just did a few checks on this again and I can nearly get it to work.

Without building a new Dockerfile the easiest way so far for me is to add this to docker-compose.yml:

services:
  app:
    ...
    volumes:
      ...
      # mount own certs
      - ./certs:/usr/local/share/ca-certificates

and then manually execute

docker exec greenlight-v2 update-ca-certificates

This works great, but of course you have to execute it every time the container starts up manually.

There must be a possibility to execute this command on docker-compose up:

    # update cert store
    command: sh -c "/usr/sbin/update-ca-certificates"

but this command in docker-compose.yml has no effect.

Maybe this is because I don't know enough of Docker/Docker-Compose...

Is there any other possibility in the Greenlight code itself to execute this command? @farhatahmad

orion0815 commented 3 years ago

Hi, I have a similar issue - actually I had a lot of issues, which I solved one by one. But now I am stuck.

I have solved e.g. issues with docker-compose:

1) error with version in docker-compose.yml - solved: docker-compose version 1.8 was installed instead of 1.29.1
2) error uninstalling / installing actual docker-compose version - solved by uninstalling and installing docker-compose

but I still have one issue: error on docker-compose build - OPEN: WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

I have self-signed certificates: bbb.cer RootCA.crt SubCA.crt

When I run "sudo docker-compose build" no certificate is copied into /root or other directories. I have tried to do this manually, but I still have an error in the status....

admin1@bbb:~/greenlight$ pwd
/home/admin1/greenlight
admin1@bbb:~/greenlight$ ls -las ssl/
total 16
4 drwxrwxr-x 2 admin1 admin1 4096 Apr 22 17:21 .
4 drwxrwxr-x 3 admin1 admin1 4096 Apr 22 16:20 ..
4 -rw-rw-r-- 1 admin1 admin1 1675 Apr 21 19:23 bbb.crt
4 -rw-rw-r-- 1 admin1 admin1 2190 Apr  8 16:09 RootCA.crt

admin1@bbb:~/greenlight$ cat docker.add.root.certificate

FROM bigbluebutton/greenlight:v2
COPY ./ssl/RootCA.crt /root/

RUN cp /root/RootCA.crt /usr/local/share/ca-certificates/ \
    && /usr/sbin/update-ca-certificates

admin1@bbb:~/greenlight$ sudo cp -p RootCA.crt /root/
admin1@bbb:~/greenlight$ sudo cp /root/RootCA.crt /usr/local/share/ca-certificates/
admin1@bbb:~/greenlight$ sudo /usr/sbin/update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:RootCA.pem
done.
done.
admin1@bbb:~/greenlight$

admin1@bbb:~/greenlight$ sudo docker-compose build
db uses an image, skipping
Building app
Sending build context to Docker daemon  37.89kB
Step 1/3 : FROM bigbluebutton/greenlight:v2
 ---> 102147e5ff33
Step 2/3 : COPY ./ssl/RootCA.crt /root/
 ---> c5bc4e46d993
Step 3/3 : RUN cp /root/RootCA.crt /usr/local/share/ca-certificates/ && /usr/sbin/update-ca-certificates
 ---> Running in 0a0409f85672
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
Removing intermediate container 0a0409f85672
 ---> 0ce997a7ae14
Successfully built 0ce997a7ae14
Successfully tagged bigbluebutton/greenlight:v2
admin1@bbb:~/greenlight$

admin1@bbb:~/greenlight$ sudo docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check

Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
admin1@bbb:~/greenlight$

admin1@bbb:~/greenlight$ docker -v
Docker version 20.10.6, build 370c289

admin1@bbb:~/greenlight$ docker-compose --version
docker-compose version 1.29.1, build c34c88b2

admin1@bbb:~/greenlight$ bbb-conf --status
nginx —————————————————► [✔ - active]
freeswitch ————————————► [✔ - active]
redis-server ——————————► [✔ - active]
bbb-apps-akka —————————► [✔ - active]
bbb-transcode-akka ————► [✔ - active]
bbb-fsesl-akka ————————► [✔ - active]
red5 ——————————————————► [✔ - active]
tomcat7 ———————————————► [✔ - active]
mongod ————————————————► [✔ - active]
bbb-html5 —————————————► [✔ - active]
bbb-webrtc-sfu ————————► [✔ - active]
kurento-media-server ——► [✔ - active]
etherpad ——————————————► [✔ - active]
bbb-web ———————————————► [✔ - active]

What am I doing wrong?

thank you in advance for any help

Best Regards

kaihen commented 3 years ago

@klepptor We don't have that problem/issue.

We are just overwriting the ca-certificates.crt file in the docker container (similar to the way you did it):

services:
  app:
    volumes:
      - ./ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

We just added our CA certificate to the ca-certificates.crt file. That solved our greenlight problems with the self-signed cert.

The issue of AndNovAtor isn't a greenlight issue and can be solved by adding the ca-certificates.crt to /usr/share/meteor/bundle/systemd_start.sh:

#!/bin/bash -e
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

We also needed to import the certificate into the Java truststore for BBB using the following command:

keytool -import -alias CA -keystore /etc/ssl/certs/java/cacerts -file /etc/ssl/certs/CA.pem

@farhatahmad Maybe these steps should be added to the greenlight / bbb documentation.

klepptor commented 3 years ago

@kaihen Thx a lot! Sometimes the solution can be so easy! Just didn't think that way! ;)

AndNovAtor commented 3 years ago

Wow, I lost hope a long time ago and didn't use BBB for months (don't need BBB now). Anyway, @kaihen, and more @klepptor, thx a lot

hadicheaito1 commented 2 years ago

Hello! Unfortunately, we will not be able to devote time into this feature/enhancement request at the moment due to our attention being directed towards Greenlight v3! If this is something you believe that will be beneficial to v3, then we encourage you to please re-create this request once v3 is up and running.

To find out more information on Greenlight v3, please click the following link: https://groups.google.com/g/bigbluebutton-dev/c/1nG-k_iTHjo

Thanks for your continued support!