ckan / datapusher

A standalone web service that pushes data files from a CKAN site resources into its DataStore
GNU Affero General Public License v3.0

SSL connect fails - return of the "SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794" #131

Open ted-strauss-K1 opened 7 years ago

ted-strauss-K1 commented 7 years ago

http://stackoverflow.com/questions/43214581/ssl-connection-fails-to-datapusher-app-through-port-8800-with-nginx-reverse-pro

I am installing the datapusher service for CKAN. CKAN has been configured to use an NGINX reverse proxy that routes client requests, following instructions here. SSL certificate is installed and configured in NGINX. When trying to use the datapusher app to upload a file, it fails and Apache log gives this error:

Mon Apr 03 13:49:10.979179 2017] [:error] [pid 15468] 2017-04-03 13:49:10,979 CRITI [ckanext.datapusher.plugin] {'status_code': 403, 'message': 'An Error occurred while sending the job: 403 Client Error: Forbidden', 'details': u'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\\n<html><head>\\n<title>403 Forbidden</title>\\n</head><body>\\n<h1>Forbidden</h1>\\n<p>You don\\'t have permission to access /job\\non this server.</p>\\n<hr>\\n<address>Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 8800</address>\\n</body></html>\\n'}

When testing access to the datapusher's 8800 port through openssl this is the output:

[Mon Apr 03 13:49:10.981049 2017] [:error] [pid 15468] [remote 127.0.0.1:6855] Error - <type 'exceptions.TypeError'>: notify() takes exactly 3 arguments (2 given) 
open:/etc/ckan> openssl s_client -connect 127.0.0.1:8800
CONNECTED(00000003)
140385459791520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 275 bytes

The datapusher docs give a workaround for bypassing SSL here, using the SSL_Verify config. I tried this and there was no change.

I also tried hardcoding the SSL bypass as suggested in #83, also to no effect.

I think that I need to either:

  1. Force the nginx reverse proxy to allow SSL connections through port 8800 (in addition to 443). Or...
  2. Configure ckan/datapusher/apache/nginx to bypass SSL/https on port 880.

Any suggestions?

Referencing: https://github.com/ckan/datapusher/issues/83

amercader commented 7 years ago

I don't think this is related to SSL. The first exception you get is a 403 error. This is caused when the datapusher extension in CKAN core tries to contact the DataPusher on port 8800, and Apache returns a 403:

You don\\'t have permission to access /job

which might indicate a misconfiguration in Apache or a file permissions issue.
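A way to tell a plain-HTTP listener apart from a TLS one before debugging certificates, as an added example that is not part of the original thread or of DataPusher: the probe attempts a TLS handshake and, if the peer does not complete it, retries in plain HTTP and reports the status line. The names `probe` and `start_stub` and the stub listener (which answers every request with 403) are constructed for illustration.

```python
import socket
import ssl
import threading


def probe(host, port, path="/job", timeout=3.0):
    """Return ('tls', version), ('plain-http', status line) or ('unknown', data)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: the peer's
    ctx.verify_mode = ssl.CERT_NONE  # certificate is not trusted for anything
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:  # handshake happens here
                return ("tls", tls.version())
    except OSError:
        pass  # ssl.SSLError, timeout or reset: no TLS handshake was completed
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        reply = raw.recv(4096)
    first_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    kind = "plain-http" if first_line.startswith("HTTP/") else "unknown"
    return (kind, first_line)


def start_stub():
    """Constructed stand-in listener: plain HTTP, answers everything with 403."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                pass  # client went away mid-exchange; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe("127.0.0.1", start_stub()))
```

A `('plain-http', ...)` result means the port is not terminating TLS at all, so certificate-verification settings have no bearing on the failure and the HTTP status is the thing to investigate.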