bitnami / vms

Bitnami VMs
https://bitnami.com

configuring bitnami for CDN on AWS #1129

Closed furballproductionsinc closed 11 months ago

furballproductionsinc commented 1 year ago

Describe your issue as much as you can

Hi Bitnami, I'm on this page here https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach and it says I'm supposed to contact you to find out how to set up my LightSail instance for use with a CDN.

I tried Certbot, and it complains that the IPs don't match (which they don't; the DNS points to the CDN, not the static IP).

How do I do this?

The symptom I'm experiencing is that PHP thinks I have a new session with every page flip. It worked fine before I set up the CDN: I had the DNS pointing to the static IP and it worked OK, it just didn't work with https.

Now it works with https, but PHP is confused. The certificate creation with Let's Encrypt didn't work; it looked like it did, but Apache complains at startup, and the log says the server names don't match.

[Fri Sep 01 16:58:02.764729 2023] [ssl:warn] [pid 17548:tid 140474189442304] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Sep 01 16:58:02.772588 2023] [ssl:warn] [pid 17549:tid 140474189442304] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name

(not sure why example.com is in there, I was meticulous about entering the proper domain names, two of them, one with www and one without)

furballproductionsinc commented 1 year ago

May I suggest that you publish some documentation around this?

This is the MOST basic thing that everyone has to do, once they get up into the cloud.

It's very, very annoying that 3 days of research is required to solve such a simple problem.

You claim you can provide docs, why don't you just publish them? Why do I have to ask you for them?

I'm right about at the point where I'm going to throw the cloud into the waste basket. My app runs fine in a local data center for 3 bucks a month, and suddenly I'm looking at 10 times the cost with 1/10th of the performance, and an extended hair pulling experience just to see if it works or not.

If all this high-power technology won't serve https, it's worthless. Please, make this information public. Soonest!

mdhont commented 1 year ago

Which CDN are you using? Also, could you run the bndiagnostic tool and share the code ID at the end of the output?

sudo /opt/bitnami/bndiagnostic-tool

furballproductionsinc commented 1 year ago

Hello Michiel, thank you for your message. I will be as specific as I can, and highlight the part that may be of use to you, for future Bitnami deployments.

Briefly, I have 40 years in programming, but haven’t had a need for the cloud till just recently. So, I’m trying various clouds to see if and whether they’ll work for us. Basically we have a business app (for the entertainment biz) that needs to scale up, it runs great in local data centers but now we have big customers with existing infrastructure.

So I got on AWS “first” (no particular reason), it seemed intuitive and accessible. The difficulty was choosing from among their myriad product offerings. The first thing I tried is bringing up my own Apache on an EC2, that failed miserably and broke within 5 minutes. So I tried LightSail instead, because it was advertised as the quick and easy way.

I followed the instructions meticulously, and everything worked fine till I attached the CDN. Then the whole thing broke, and the reason is, the domain name is no longer the same as the IP address. The domain lives in route53, whereas the app is on my static IP.

This is not necessarily a “difficult” situation, conceptually it’s very much like a proxy, however it breaks PHP. The CDN completely breaks the PHP session management, and setting up https properly through middleware is pretty detailed unless you’re ready for a pile of security vulnerabilities.

Amazon, it turns out states explicitly (buried at the bottom of some 7th page of one of their “educational” pages), that LightSail will not support this configuration “at all”, without a load balancer. In other words, this is about money, they let you get this far and then they tell you you can’t go public without paying them another 20 bucks a month.

Here’s the simple solution: they have to make it VERY CLEAR (which they don’t), that you should not attach ANY distribution to your instance until the certificates are in place. They don’t tell you this. And, while it may seem obvious to some, it’s not at all obvious to non-experts. I’m a programmer, not an administrator. I have studiously avoided network configuration issues my whole life, because there were always experts around to handle these things. Now, I’m being dragged kicking and screaming into the world of network security, because our app is a BUSINESS app, it handles money, it has tons of PII in it, we have jumped through extensive hoops to make sure it all works in the local data centers – and 3 days on Amazon and the whole thing breaks, and no one can tell us how to fix it. BAD experience. Very bad.

The simple issue here is the documentation around this stuff needs to be a LOT better. I’ve been doing this stuff for 40 years and if I can’t figure it out in 15 minutes there’s something wrong with the landscape, it means I’m not getting the information I need. In this case, ONE simple sentence: Do Not attach a distribution until your certificates are in place. That information is NOWHERE, not on Amazon, not in the Bitnami docs, not even on StackOverflow.

I have since removed the CDN distribution from my infrastructure, and everything works fine now. It won’t serve streaming video to Japan in the middle of the night, but who cares for now, I’m just trying to see if the app itself will scale to the required size.

I think, rather than waste your time asking you to track down a bug that isn’t even yours (it belongs to Amazon), let’s close the technical part of this issue, and I’d only encourage you to add this information to your documentation, because this is the very thing that noobs are going to try to do when they bring up a LightSail box. The first thing they’re going to notice is, “hey, it doesn’t work with http”, and the next logical thought is “it probably needs a certificate”, and then when you go to Amazon and read about the CDN it says “we provide you with the required certificate” – which they do, but it’s NOT THE SAME CERTIFICATE they’re talking about, and they absolutely do not make this clear, at all whatsoever. And there is NO documentation that properly explains how this works in a LightSail configuration. (And the ultimate answer turns out to be “it doesn’t”, and you don’t find out till you’ve already set up the infrastructure and provisioned it).

There’s no particular reason I chose LightSail, I’m going to try this same exercise several different ways. Next I’m going to move the database into RDS and try to connect with Nginx-EC2 instead of Apache/LightSail. Then I’ll try the same thing with Docker containers instead of a VM. I’m trying to get a feel for the landscape, yes? My customers are going to ask me about this, and they expect me to be intelligent (and knowledgeable) about it. Here in Burbank we have 3 of the world’s 4 biggest record companies within 2 miles of my house. I just met with execs from Disney and Warner Bros “yesterday”. Universal has 12 THOUSAND artist web sites, and in that regard they’re like Nestle the food company, products (bands, artists) come and go, and someone has to administer the infrastructure (web sites, advertising, etc). At this point I can not imagine them (or us) trying to do this in the cloud, the infrastructure management costs are intractable (which is where tools like Terraform come in, it’s the reason for their existence). We deal with radio stations too, like iHeart and Cumulus which together own half of all the radio stations in the US. These people are not willing to learn cloud infrastructure, they’re in a different business – which means they have to hire someone like us to manage it all for them. And we’re not in the management business either, we’re in the entertainment business. We only do this so our artists can succeed. The reason we started on this path (a long time ago) is because we couldn’t reliably send e-mails out from local datacenters, our software can handle 4 million e-mails a day and no local datacenter will support that.

Okay, I digress. I wanted you to understand the landscape. I’ve fixed my web site, it works for now and I don’t need anything more “for now”. Let’s close the technical issue, and once again I encourage you to document this so other cloud noobs don’t end up tearing their hair out.

Thank you for your reply, and your attention to this issue. - Brian


gongomgra commented 1 year ago

Hi @furballproductionsinc,

Thanks for your message and for using Bitnami. As you mentioned, we can't update AWS's official docs, but we have our own documentation site to try to help our users and provide further details on how to use our products. We also have a guide on how to configure a CDN with your server (see link below), in which we configure the HTTPS connection in "full" mode (valid HTTPS certificate from CDN between end-users and CDN, plus self-signed certificate HTTPS between CDN and your web server)

https://docs.bitnami.com/aws/faq/administration/enable-ssl-cloudflare/

Regarding our Let's Encrypt guide, we documented how to generate the certificate with the HTTP challenge available in the lego tool, which is the use-case that seems to be the most frequently used. According to the CDN screenshot in our guide, the "full (strict)" mode also requires a valid SSL certificate on your web server. As you mentioned, you can't generate a valid Let's encrypt certificate using the HTTP challenge while your DNS name is pointing to CDN IP addresses. In that case, my understanding is that you will need to use a different challenge available in the lego tool, like the DNS challenge (see docs in the next link)

https://go-acme.github.io/lego/usage/cli/options/#dns-resolvers-and-challenge-verification

Please let us know if using the DNS challenge solves your issue and I will create an internal task to add a note in our guide on how to generate a SSL certificate when CDN is enabled.

Hope it helps!
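The two failure modes in this thread can both be checked before touching the server: the ACME HTTP-01 challenge only works when the name still resolves to the origin (once DNS points at CDN edge addresses, the CA's validation request reaches the CDN, which is why Certbot reported an IP mismatch and why the reply above suggests the DNS challenge, lego's `--dns <provider>` option), and the AH01909 warning in the first post means the certificate's Subject Alternative Names do not cover the Apache ServerName. The following is an added example written for this page, not Bitnami's or lego's code; the IP addresses (documentation ranges), hostnames and SAN lists are constructed sample data, and the hostname matching follows the usual RFC 6125 rules (case-insensitive, a `*` wildcard covers exactly one leftmost label and never the apex).

```python
"""Pre-flight checks for issuing a TLS certificate behind a CDN.

Added example for this thread, not code from Bitnami, lego or the reporter.
All addresses and names below are constructed sample data.
"""
import ipaddress


def http01_reachable(resolved_ips, origin_ips):
    """True only if every address the name resolves to belongs to the origin.

    The ACME server connects to whatever the name resolves to, so if any
    resolved address is a CDN edge rather than the origin, the HTTP-01
    token served by the origin is never seen and validation fails.
    """
    resolved = {ipaddress.ip_address(ip) for ip in resolved_ips}
    origin = {ipaddress.ip_address(ip) for ip in origin_ips}
    return bool(resolved) and resolved <= origin


def choose_challenge(resolved_ips, origin_ips):
    """Pick HTTP-01 when the origin answers for the name, otherwise DNS-01."""
    return "http-01" if http01_reachable(resolved_ips, origin_ips) else "dns-01"


def hostname_matches(hostname, san_dns_names):
    """Match a server name against certificate SAN dNSName entries.

    Rules: comparison is case-insensitive, label counts must agree, and a
    wildcard is only honoured as the whole leftmost label, matching exactly
    one non-empty label (so *.example.com covers www.example.com but not
    example.com or a.b.example.com).
    """
    host = hostname.rstrip(".").lower().split(".")
    for pattern in san_dns_names:
        pat = pattern.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) >= 2 and host[0] and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def uncovered_server_names(server_names, san_dns_names):
    """Return the ServerName/ServerAlias entries the certificate does not cover.

    A non-empty result is the situation Apache logs as AH01909 ("server
    certificate does NOT include an ID which matches the server name").
    """
    return [name for name in server_names if not hostname_matches(name, san_dns_names)]


if __name__ == "__main__":
    # Constructed scenario: origin has one static IP, DNS now points at two CDN edges.
    origin = ["203.0.113.10"]
    before_cdn = ["203.0.113.10"]
    after_cdn = ["198.51.100.7", "198.51.100.8"]
    print("before CDN:", choose_challenge(before_cdn, origin))  # http-01
    print("after CDN: ", choose_challenge(after_cdn, origin))   # dns-01

    # Constructed vhost: both names configured, certificate only covers one.
    vhost_names = ["www.furball.example", "furball.example"]
    print("uncovered:", uncovered_server_names(vhost_names, ["www.furball.example"]))
    print("uncovered:", uncovered_server_names(vhost_names, ["*.furball.example", "furball.example"]))
```

Run the DNS-01 path whenever `choose_challenge` returns `"dns-01"`, and issue the certificate for both the `www` and the apex name so that `uncovered_server_names` is empty for every name in the vhost; with a wildcard certificate the apex still has to be listed separately.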

furballproductionsinc commented 1 year ago

Good morning Gonzalo, thank you so much for your helpful input! I can’t get any information out of Amazon, and you’re being very helpful.

Do you happen to know, what the proper way to get e-mails into and out of Amazon is? I set up a mail server in the Bitnami box, but now it turns out Amazon won’t let me open up port 25 through their system, and I have no idea how this is supposed to work. (They have a thing called SES, that I’m into and signed up for and it seems to work, but….)

The simple use case is, the web site running on Apache in the Bitnami AMI, sends out registration e-mails. The user clicks on “register” and types in their e-mail address, and then the web site sends out a registration email using the PHP “sendmail” routine.

Then, when the registration email comes back, PHP reads the mailbox and sets a flag in the database.

It’s pretty simple, really – but the absolute requirement is the email has to come from @.**@.>, and not from an AWS endpoint.

Do you know how people do this? Am I supposed to be using SES as a proxy or something?

Amazon has adamantly told me they refuse to turn on my port 25, I’m not sure why, but they offer no alternative!

This is a mandatory feature of our web sites, and it’s a show-stopper, if this doesn’t work the web site is dead in the water, no one can sign up.

I’m sorry to be asking dumb noob questions, but I can’t find any information on how to do this! Asking on the off chance that you might know.

The higher-level use case is, we have 36 web sites running in the field, they’re in local data centers and we’d like to move them up into the cloud. These are customer sites, and we “could” do each one manually, but some of the sites have large amounts of existing data and “custom stuff” we’d have to move over, so we were looking at an automated way of doing, like maybe a Terraform or something. And, this e-mail setup would have to be part of the port, yes? 😊

Thank you! - Brian


gongomgra commented 1 year ago

Hi @furballproductionsinc,

Thanks for your message. I'm afraid your issue seems to be more related to AWS itself than to our installation. We highly recommend that you contact the AWS support team instead.

Regarding the AWS SES service for emails, we have a guide on how to get started, but I don't know if that will solve your specific use case. I'm sharing it in case it is of help

https://docs.bitnami.com/aws/how-to/use-ses/

I have also found a thread in AWS support forums on how to request the port 25 restriction that may be of help for you

https://repost.aws/knowledge-center/ec2-port-25-throttle

github-actions[bot] commented 1 year ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

furballproductionsinc commented 12 months ago

Hello Gonzalo – may I ask you a general question? We just came across this on your web site: phpBB packaged by Bitnami: https://docs.bitnami.com/general/apps/phpbb/

This might save us a lot of time, relative to what we’ve been doing so far. We’re trying to migrate customers to the cloud, in our case customers are musicians, mostly starving artists lol – we are primarily a music production company, and the demands of the industry these days are such that we have to get “slick” with our web sites and our presentation. So in addition to some fancy graphics, we built some “business software” for musicians, that conveniently runs on a LAMP stack. And, as part of a standard deployment we’ve been provisioning artists with optional phpBB bulletin boards. Here’s my two questions about this:

  1. Is your phpBB image available, in both AWS and Google clouds? Can we run the same configuration in both clouds?
  2. Is this image preconfigured with Postfix, or how does the e-mail get into and out of phpBB?

If we can start with an image that already contains a working phpBB and e-mail, it would save us plenty of headaches, plus the snapshotting of our configurations would become less of an issue.

We’d like to migrate somewhere between 60 and 100 web sites to the cloud, they all look pretty much the same in terms of behavior and software. What we would need to do (either at installation time or later on, or both) is disconnect the local database and switch it over to an RDS (or other managed database) instance so multiple web sites can share the same database. phpBB is the exception to this rule, “at this time” – there is no current reason to require phpBB instances to share a database, however it IS on our long term wish list, for various business reasons that are too lengthy to explain and probably irrelevant anyway. We’re working with the phpBB team on some of this, but the general picture is we expect to be making significant changes to the phpBB application code, and if the deployment is as simple as uploading a few files with FTP we’re in good shape.

So, two things: the database, and the e-mail. We want to use RDS or the Google equivalent, and we’d like Postfix (or whatever) to be included in the standard image with the appropriate setup for port 587. Switching the database should be pretty easy, yes? The security setup with the certificates always seems to be the most painful part of it, because “during migration” we require 100% uptime, we can’t take the sites down while they’re being moved. We have to bring up the new site before we switch over the DNS, which creates problems with the installation of certificates and etc.

However if we can get the basic configuration pre-packaged, which it looks like the above link is “pretty close”, it already saves us a lot of time and effort.

Thank you – Brian Castle 747 238 0235


gongomgra commented 12 months ago

Hi @furballproductionsinc,

Our AWS and Google images for phpBB are the same. You should be able to run the same configuration in both clouds without major issues (unless there is an additional policy in either cloud that I may not be aware of). Regarding the SMTP configuration, you can find more details in our guide linked below

https://docs.bitnami.com/virtual-machine/apps/phpbb/configuration/configure-smtp/

Also note that additional restrictions may apply, or additional configuration may be required

https://docs.bitnami.com/virtual-machine/how-to/troubleshoot-smtp-issues/

For the external database configuration, I understand phpBB can work that way by configuring the remote database endpoint and credentials in its config file, but we recommend that you ask the official phpBB developers for further help on this

https://www.phpbb.com/community/viewforum.php?f=551

furballproductionsinc commented 12 months ago

Good morning Gonzalo, thank you for your reply. I’m having a difficult time connecting Postfix with SES. The SASL authentication is failing.

Can I ask an honest question? Why don’t you (Bitnami) include Postfix in your distributions? Is it because it’s a royal PITA to set up? lol 😊

Here’s my question: you guys are the experts, and I’m not. I have 30 years of software development but I’m not an e-mail configuration expert.

It occurs to me that it might be better and faster to have one of y’all look at the issue, rather than me spending endless hours tearing my hair out – because Amazon doesn’t provide any debugging tools, I get the “authentication failure” message from them but not much else.

I have SASL set up on my Bitnami instance, it seems to work fine, saslauthdtest comes back with “Success”, and the local e-mail is working fine within the instance. I just can’t seem to connect to Amazon SES, I keep getting authentication failures.

Would you like to consult me on this out-of-band? Can I pay you for an hour of consulting time to fix this problem?

Frankly, I’m beyond caring about the “why” part at this point, I’ve been tearing my hair out for a whole week on this, It took considerable research to find the SASL configs and all that – it occurs to me that you guys could connect into my instance and fix this thing in no time.

Is that possible? Either in band or out of band?

Or, what would you recommend? Should I get Amazon tech support? What’s the best way to do this?

Thanks - Brian


furballproductionsinc commented 12 months ago

Hello Gonzalo, following up on yesterday’s e-mail, we were able to capture a complete (and very verbose) packet trace from the SES negotiation. It shows that the problem is somehow related to a certificate handshake. The whole sequence is there, you can see the STARTTLS and then SES broadcasting its ciphers and it gets all the way through the certificate exchange and then dies. Which casts this issue in a slightly different light, it kind of brings it back to the Bitnami instance.

I’m not sure if I’ve handled “the certificates” correctly. This was our first prototype instance, and it’s a throwaway as far as we’re concerned, it was supposed to be a “proof of concept” (and to explore issues exactly like this, how hard is it, and is Amazon going to be responsive as a partner). To get a web site up and running quickly we used Lightsail to start with, that’s what our Bitnami LAMP stack is running on. But it was never the intent to use Lightsail in production, what we really need is multiple EC2’s backed up by an RDS and a little bit of bucket storage. We’d like 31 web sites to share a database, eventually. So like, this e-mail issue is very important to us, if it takes 4 hours to raise a web site but 3 weeks to connect the e-mail, we’re going to have problems with migration.

My question about certificates is this (and please correct me if I’m wrong) – when the instance first started, there was already a folder called “bncert”, and I’m guessing that means you (Bitnami) had already provisioned the box with some kind of certificate. I’m not sure what kind and for what purpose, are there any docs about that?

But, when the web site started, the first thing I tried to do was redirect all the http to https, and to do that I found I had to use a Certbot certificate. So I installed that – and it’s been working fine, except I’m not sure whether it’s affected what you or Amazon may have done, prior to my opening the box. Right now we have the mail pointing to the Certbot certificate, and I’m not sure if this is what’s causing the problem.

Everything works in the box, I can telnet everywhere (including SES, I can issue a STARTTLS and it works fine), the saslfinger works fine, openssl works fine, it’s just that Amazon doesn’t seem to like the certificate we’re presenting to them (or it isn’t being properly negotiated, or something – but as near as I can determine all the pathways for negotiation are working properly, and I can see the TLS occurring in the packet stream, so I’m pretty sure it’s the certificate itself).

I also noticed a weird thing, which is that there’s a “/” at the end of Amazon’s smtp password, and I’m pretty sure that’s going to get munged if it’s treated as a URL. (The error we’re getting is “Invalid Credentials”). Not sure if that’s meaningful, but everything on Amazon is a URL, so just thought I’d mention it in passing.

My question is, have I done something wrong with these certificates? Maybe somehow clobbered something that Amazon is expecting to see? The bncert folder is still there, I’m not using it though (that I know of).

I’m thinking it’s the certificate “by a process of elimination”. It’s not the TLS (I can see that in the trace), it’s not the exchange (I can see both sides of it), therefore it must be the data in the packets, namely the certificate itself. Postfix is sending out “something”, I’m not sure exactly what it is, it looks like a short RSA-256 key.

The only other “maybe relevant” part is, the domain and all its DNS records are on Route 53 and Lightsail, the DNS is “managed by Lightsail”.

If you were me, what would you do? Are there any other diagnostic tools we can use to get a handle on this? Or is this a good time to start over with a brand new Debian instance and try to do it right this time? - Brian


furballproductionsinc commented 12 months ago

Hi Gonzalo – on the off chance you’re tracking my input, we’re getting almost an identical trace to what’s shown here:

amazon web services - AWS SES with PHPMailer using SMTP, SMTP Error: Could not authenticate? - Stack Overflow: https://stackoverflow.com/questions/47128467/aws-ses-with-phpmailer-using-smtp-smtp-error-could-not-authenticate?rq=3

However, I’m well aware of the credentials issues with IAM and all that – and have gone back at least a dozen times to verify the correctness of the connection information.

I’m pretty sure it’s a certificate issue of some kind. In /etc/ssl/certs I see four Amazon root CA’s, the inbound is correctly configured to look at them and the outbound is using the (working) Certbot keys like I mentioned.

Unless I accidentally clobbered an existing certificate, my box is correctly configured.

How can I say this – your Bitnami instance came up in just a few hours, we provisioned it, we were done. I don’t understand how Amazon (or anyone else) can make it so entirely difficult and miserable to hook up a simple email pathway. And because of recent experience, I find it noteworthy that you (and anyone else) don’t provide any e-mail in your packages. This is a miserable bit of business on Amazon’s part, and they’re completely unresponsive when it comes to tech support, so…

We may end up walking away from this whole thing, we simply can not afford to spend three weeks bringing up an e-mail pathway. If that happened in the corporate world the person would be fired. On the other hand if we can get over the hump there’s 31 web sites ready to migrate – but the first e-mail has to make a round trip before we can talk that way. I’m on the verge of having to make a very unpleasant business decision.

Any help or guidance would be greatly appreciated. I’d like to start spinning up instances TODAY but can’t, and it’s not good that I’m having to load packet sniffers into my instance (Amazon doesn’t provide us with any diagnostic tools), especially this early in the game.

Are there ANY instances that are preconfigured for SES? Anything at all? - Brian

This e-mail was sent from a secure system by Furball Productions Inc. If you are not the designated recipient or you believe you have received this e-mail in error, please contact @.**@.>

From: Gonzalo Gómez @.>
Sent: Monday, September 25, 2023 1:13 AM
To: @.>
Cc: @.>; @.>
Subject: Re: [bitnami/vms] configuring bitnami for CDN on AWS (Issue #1129)

Hi @furballproductionsinc (https://github.com/furballproductionsinc),

Our AWS and Google images for phpBB are the same. You should be able to run the same configuration in both clouds without major issues (unless there is any additional policy in either cloud that I may not be aware of). Regarding the SMTP configuration, you can find more details in our guide linked below

https://docs.bitnami.com/virtual-machine/apps/phpbb/configuration/configure-smtp/

Also note that additional restrictions may apply, or additional configuration may need to be performed

https://docs.bitnami.com/virtual-machine/how-to/troubleshoot-smtp-issues/

For the external database configuration, I understand phpBB can work that way by configuring the remote database endpoint and credentials in its config file, but we recommend that you ask the official phpBB developers for further help on this

https://www.phpbb.com/community/viewforum.php?f=551

— Reply to this email directly, view it on GitHub (https://github.com/bitnami/vms/issues/1129#issuecomment-1733143321), or unsubscribe (https://github.com/notifications/unsubscribe-auth/BBYOATZBZFDLRHL3HMOADI3X4E4MBANCNFSM6AAAAAA4H2ZU6Y). You are receiving this because you were mentioned. Message ID: @.***>

furballproductionsinc commented 12 months ago

Hi Gonzalo – okay, well, it works – and I have no idea why. None. I’m clueless. Which is very scary.

If you did something, thank you! (Tell me what you did!)

If you didn’t, well… cue Twilight Zone music. We generated 8 sets of credentials, all at the same time, all done the same way. Only one of them works. And there’s no rhyme or reason to it (that I can see, anyway). And there’s no one at Amazon I can talk to, to find out why this one works and the rest don’t.

Well, I’m kind of past the point of caring “why”, it’s sufficient that it works. I never wanted to be an e-mail administrator in the first place! (our system takes care of all that stuff, that’s why we built it in the first place! Anything that requires manual intervention on our part is a BAD thing, it sucks time away from our business). Our app is built so we never have to touch it. It runs an entire record company all by itself. It even cycles web content on calendar or on demand.

Anyway, I’m sorry to have bothered you with all this, I’m sure you have more interesting things to think about. But I’ll get back with you when the time comes, if this e-mail pans out we’re going to need to start building and migrating pretty quickly.

Cheers - Brian
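
The two posts above describe an SES "Could not authenticate" failure that disappears with one credential set out of eight. A frequent cause of that symptom is using an IAM secret access key directly as the SMTP password: SES SMTP passwords are not the secret key but a value derived from it. The following is an added example, not code from the Bitnami project or from this thread; it implements the derivation AWS documents for SES SMTP credentials and a check that tells a raw IAM secret apart from a derived SMTP password. The secret key and region below are assumed sample values, not real credentials.

```python
"""Derive an Amazon SES SMTP password from an IAM secret access key.

Added example (not Bitnami's or this thread's code). Implements the
HMAC-SHA256 chain AWS publishes for converting IAM credentials into SES
SMTP credentials. The SMTP username is the IAM access key ID unchanged;
only the password is derived. The sample key used in the demo is the
placeholder from the AWS documentation, not a real secret.
"""
import base64
import binascii
import hashlib
import hmac

# Fixed inputs that AWS specifies for SES SMTP credential derivation.
_DATE = "11111111"
_SERVICE = "ses"
_MESSAGE = "SendRawEmail"
_TERMINAL = "aws4_request"
_VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    """One HMAC-SHA256 step of the signing-key chain."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def ses_smtp_password(secret_access_key: str, region: str) -> str:
    """Return the SES SMTP password for `secret_access_key` in `region`.

    The region is part of the chain, so a password derived for us-east-1
    will not authenticate against the us-east-2 SMTP endpoint. The IAM
    user behind the key also needs permission for ses:SendRawEmail.
    """
    signature = _sign(("AWS4" + secret_access_key).encode("utf-8"), _DATE)
    for part in (region, _SERVICE, _TERMINAL, _MESSAGE):
        signature = _sign(signature, part)
    # Prepend the version byte, then base64-encode: 33 bytes -> 44 chars.
    return base64.b64encode(bytes([_VERSION]) + signature).decode("ascii")


def looks_like_ses_smtp_password(value: str) -> bool:
    """Heuristic: a derived SMTP password decodes to 33 bytes starting 0x04.

    A raw IAM secret access key (40 characters) fails this check, which
    makes it a quick triage step for "SMTP Error: Could not authenticate".
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 33 and raw[0] == _VERSION


if __name__ == "__main__":
    # Placeholder secret from the AWS docs; assumed region us-east-2.
    sample_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    pw = ses_smtp_password(sample_secret, "us-east-2")
    print("SMTP password:", pw)
    print("raw secret passes check:", looks_like_ses_smtp_password(sample_secret))
    print("derived passes check:   ", looks_like_ses_smtp_password(pw))
```

Generate one password per region you actually send from, and keep the IAM user scoped to SES sending only; the derived password grants nothing beyond what the key's policy allows, but it is still a long-lived credential.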

furballproductionsinc commented 11 months ago

Hi Gonzalo – after much ado with the e-mail, I’m starting to figure out why this was so painful.

The Bitnami compute instance has me logging into some kind of single-user shell, it won’t actually let me “log in” as anyone but root.

How I’ve been achieving the other users so far is with “su”. But if I try to log out of the shell, it won’t let me, it terminates PuTTY as if I’d typed “exit”.

Is this something Amazon requires, or what’s up with this? That’s why my e-mail wasn’t working, it wouldn’t let me assume Unix user identities. Everything I sent out came from “root” (which Amazon then somehow translates into “daemon” when it determines my send came from an app instead of from user-mail).

Does this situation apply to “all” of your compute instances? If so, how can I send e-mail from different users?

Here’s how our app works: there are FOUR reserved e-mail addresses, they are: admin, operations, support, and webmaster. They are required for our business to work, and every web site (both ours and the customers’) has these 4 e-mail addresses, they’re used for specific business purposes and they’re mandatory.

Is there an instance we can use that lets us directly map Unix users to mail users in the usual way? I mean, we can force the “from” address using a canonical map, but that isn’t going to solve the problem, all our e-mails will still come from “one” address instead of four.

Is there an instance we can use that will support our required business behavior? We can tell our customers they must have an Amazon identity, but I don’t think we can sell “four” identities. The instance itself has to be able to send out from multiple identities, and Amazon has to be okay with that.

What is the solution, how can we architect this? The app that’s running is PHP on a LAMP stack, but we also have a containerized version that has the same requirement, it’ll run on Docker or Kubernetes, and if this is an Amazon requirement we have to figure out how to get around it. The four identities per web site (meaning, per instance) are business-centric, they have specific meanings in the business context.

What would you recommend? Is there a different instance we can try? Thanks - Brian

furballproductionsinc commented 11 months ago

Hi Gonzalo – FYI –

This is completely mystifying! Yesterday the from address said @.**@.>; today it says “Indie Heaven Cloud”, which is the name of our web site.

I have no idea who’s doing this, you, or Amazon, or some automagic in the Cloud. I wish someone would communicate with us. It’s very scary having this stuff happen behind our backs.

It works a lot better today than it did yesterday. (And we didn’t do anything to change it). If the from address always says the name of our web site, we’re happy campers. That is “sufficient”.

Now we have to get the incoming side working, there’s a bad MX record somewhere (probably a leftover from our testing), it’s trying to go to us-east-1 instead of us-east-2. And we have to figure out a way to read e-mail from an S3 bucket – “in a way that lets us reply” lol. - Brian

gongomgra commented 11 months ago

Hi @furballproductionsinc,

We do not have access to your servers nor to your AWS infrastructure. I'm afraid I don't know why SES and the SASL certificates finally worked for you, but I'm glad you made it work. Unfortunately, your questions about this are out of the scope of this forum, so we highly recommend that you open a new question in a more specialized forum or contact the AWS support team directly.

Regarding bncert, it is just a wrapper for the lego tool (a drop-in replacement for certbot written in Go) that aims to be an easy-to-use tool for generating SSL certificates for web applications. You can get more information on this in the link below

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

However, if you were able to generate your custom certificates using certbot, there shouldn't be any issue.

About users in the system, the default bitnami user is configured with enough privileges to become root by running sudo su. You can check the available user accounts in the /etc/passwd file, but beware that some accounts may be configured with the /bin/false shell for security reasons. Apart from that, you should be able to add and/or edit the required users as on any other Linux system. We do not configure anything special in our instances related to this.
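
The comment above points at /etc/passwd and at accounts deliberately given /bin/false as their shell. A practitioner checking who can actually obtain a shell on the instance (and whether anything besides root has UID 0) can do it from that one file. The following is an added example, not Bitnami's code and not something posted in this thread; the passwd contents it parses are constructed for illustration, including a deliberately suspicious second UID 0 entry so the check has something to find. The set of non-login shells is an assumption covering the common Debian/Ubuntu values.

```python
"""Audit login-capable accounts from /etc/passwd contents.

Added example, not Bitnami's code. Parses passwd(5) lines and reports
which accounts can get an interactive shell, which are UID 0, and which
are locked behind a non-login shell. SAMPLE_PASSWD is constructed for
illustration only; read the real file with open("/etc/passwd").read().
"""
from typing import Dict, List

# Assumed set of shells that refuse interactive login on Debian-family hosts.
NON_LOGIN_SHELLS = {
    "/bin/false", "/usr/bin/false",
    "/sbin/nologin", "/usr/sbin/nologin",
    "/bin/sync",
}

# Constructed sample: a Bitnami-like layout plus a planted extra UID 0 user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bitnami:x:1000:1000:bitnami:/home/bitnami:/bin/bash
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
toor:x:0:0:planted for the demo:/root:/bin/sh
"""


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) text into a list of account records.

    Raises ValueError on a malformed line rather than silently skipping
    it, since a broken passwd file is itself a finding.
    """
    accounts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({
            "name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return accounts


def audit(text: str) -> Dict[str, List[str]]:
    """Summarise who can log in and who holds root's UID.

    Returns account names in file order under four keys:
      interactive     shell not in NON_LOGIN_SHELLS
      locked          shell in NON_LOGIN_SHELLS
      uid0            uid == 0 (including root itself)
      unexpected_uid0 uid == 0 but name != "root"
    """
    accounts = parse_passwd(text)
    return {
        "interactive": [a["name"] for a in accounts if a["shell"] not in NON_LOGIN_SHELLS],
        "locked": [a["name"] for a in accounts if a["shell"] in NON_LOGIN_SHELLS],
        "uid0": [a["name"] for a in accounts if a["uid"] == 0],
        "unexpected_uid0": [a["name"] for a in accounts if a["uid"] == 0 and a["name"] != "root"],
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_PASSWD).items():
        print(f"{key:16} {', '.join(names) or '-'}")
```

Accounts listed under `locked` can still be used as the target of `su` or `sudo -u` from root for running a daemon, which is the intended design; what the audit flags is any name you did not expect under `interactive` or `unexpected_uid0`.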

github-actions[bot] commented 11 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 11 months ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.