connecting to kernel on ipad

[theobarnhart]

Are there any tricks for connecting to a jupyter notebook on an ipad being served from a computer on the local network? I can bring up the tree, but cannon connect to the kernel when I click a notebook. I've tried becoming a certificate signing authority to generate a non self signed certificate for SSL, but this has not helped (and adding the CA certificate as a trusted profile on the ipad). The notebook says its connecting and then it hangs and says "not connected." ipad pro 9.7 running safari and chrome iOS 9.3.1. Jupyter version 4.1.0

[willingc]

@theobarnhart You may wish to try using Let's Encrypt for SSL since you seem to have admin access on the local network server. Here are instructions.

I'm not an iPad user. If others have a better solution, please post it here. Thanks!

[theobarnhart]

Thanks Carol, I tried that, but I'm on an internal server within a institutional network so its not visible outside of colorado.edu. Lets Encrypt cannot see the server so they will not issue a certificate for it.

Theodore Barnhart PhD Candidate INSTAAR / Geography University of Colorado theodore.barnhart@colorado.edu http://theobarnhart.host-ed.me/

On Tue, May 3, 2016 at 11:59 AM, Carol Willing notifications@github.com wrote:

@theobarnhart https://github.com/theobarnhart You may wish to try using Let's Encrypt for SSL since you seem to have admin access on the local network server. Here are instructions https://jupyter-notebook.readthedocs.io/en/latest/public_server.html#using-let-s-encrypt .

I'm not an iPad user. If others have a better solution, please post it here. Thanks!

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/jupyter/notebook/issues/1421#issuecomment-216612817

[willingc]

@theobarnhart Good point. @ellisonbg @fperez I believe that you both use iPads. Any suggestions?

[dopplershift]

You basically need a self-signed cert, but that self-signed cert needs to be signed by your own certificate authority; you can then add the certificate for your certificate authority as a profile(?) on iOS. I wrote up my notes for doing this stuff (when I figured it out) here: https://github.com/Unidata/Unidata-Dockerfiles/blob/master/jupyterhub/ssl/ssl_notes.txt

[dopplershift]

I should add--the root cause is that it seems that iOS refuses to use an untrusted cert for secure web sockets (WSS).

[willingc]

@dopplershift Thanks for sharing 👍

[theobarnhart]

Thank you @dopplershift! I tried a similar tutorial to become a signing authority, but yours is a little different so I'll give it a try and report back.

[dopplershift]

Since it's not in the repo, here's the openssl.cnf:

prompt = no
dir = .

[ca]
default_ca = my_ca

[my_ca]
serial = $dir/CA/serial
database = $dir/CA/certindex.txt
new_certs_dir = $dir/CA/certs
certificate = $dir/CA/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha1
default_days = 365
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = match
emailAddress = optional

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
default_bits = 2048

[req_distinguished_name]
countryName = US
stateOrProvinceName = Colorado
localityName = Boulder
organizationalUnitName = 
commonName = 
0.organizationName = 
emailAddress = 

[ v3_ca ]
basicConstraints = CA:TRUE

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 
DNS.1 = 

I think the alt-names stuff allowed it to work on a server where I only had an IP address.

[fperez]

I don't think there's a way to override the restriction on refusing connections to secure web sockets with self-signed certificates on iOS, even Safari on OSX imposes, I think, the same constraint. @minrk is quite the expert on these details, as always, so he can correct me if I'm wrong here.

[theobarnhart]

Thanks all, @dopplershift's solution and tutorial worked great!

[willingc]

I don't think there's a way to override the restriction on refusing connections to secure web sockets with self-signed certificates on iOS, even Safari on OSX imposes, I think, the same constraint.

@fperez You are correct on self-signed certs. This solution takes it a bit further, and it creates a certificate authority first and then uses it to sign the cert.

Thanks Team Colorado, @theobarnhart and @dopplershift, for the good work here :smile:

[theobarnhart]

I should note that I emailed my cacert.pem to myself and added it as a profile on my ipad, I'm not sure if thats necessary (or a good idea), but I read about it on a different tutorial.

[dopplershift]

@theobarnhart IIRC, I emailed to myself as well. It's necessary so that your regular self-signed cert will be trusted by safari; unless someone else gets their hands on your CA private key, shouldn't be risky.

[algorithmx]

@dopplershift Hi Ryan, I met the same problem (kernel not connected) with the latest version of Safari browser. According to the replies people refer to your tutorial which works well. But when I click the link, it is already dead. Could you please provide the tutorial again? Thanks! Best, Yunlong

[dopplershift]

Sorry, that repository has been repurposed. I don't have the instructions up anywhere, so I'll just put them here:

To create CA:

1. Generate new key and cert with password: openssl req -new -x509 -keyout private/cakey.pem -out CA/cacert.pem -days 365 -config ./openssl.cnf
2. Initialize serial number: echo '100001' > CA/serial
3. Init cert db: touch CA/certindex.txt
4. Open CA/cacert.pem on OSX and trust it in the keychain.

To issue new certificate:

1. Generate new RSA private key: openssl genrsa -out private/ssl.key 4096
2. Make a new certificate request: openssl req -new -out ./ssl.req -key private/ssl.key -config ./openssl.cnf
3. (optional) Check request for Subject Alternative Name info (SAN) openssl req -text -noout -in ./ssl.req
4. Issue new cert from CA: openssl ca -in ssl.req -out ssl.cert -config openssl.cnf -extensions v3_req
5. (optional) Verify SAN in output cert: openssl x509 -in ssl.cert -noout -text
6. (optional) Verify trust: openssl verify -CAfile CA/cacert.pem ssl.cert To revoke (e.g. need to update IP address): openssl ca -revoke ./CA/certs/100001.pem -config openssl.cnf

[ioancw]

Hello, thanks for the solution. I've followed your steps above, which (at the end of step 4 creates a new CA in CA/certs called 100001.pem.

Question. Which file do I move to my server (as c.NotebookApp.certfile)? Is it cacert.pem, or 100001.pem? Also which do I open/use on my iPad?

Thanks

[dopplershift]

@ioancw ssl.cert should be on the server

cacert.pem is what you need to open and trust on your iPad.

[ioancw]

Thanks for the info. So I copied ssl.cert and ssl.key to the server, and set: c.NotebookApp.certfile = ssl.cert and c.NotebookApp.keyfile = ssl.key

Everything seems to be ok when I run from my Mac, i.e. I can get a kernel and perform a calc in Jupyter. But after sending cacert.pem to my iPad and installing it, I still get a 'connecting to kernel' message.

Thanks

[dopplershift]

All I can offer is to open up settings > General > profiles and make sure the CA cert is there and that all of the information in the fields looks good (and trusted). My setup still seems to work fine.

If your server doesn't have a DNS name you may need to set up the alternative name stuff listed in openssl.cnf above.

[ioancw]

@dopplershift thanks for your reply. I will check it out tonight.

[ioancw]

@dopplershift thanks. that did the trick (adding the ip address of my server). All works now on my iPad.

[ioancw]

Another minor point. I've noticed that tab auto-completion doesn't work when using my iPad keyboard (it's a 10.5 iPad Pro). Incidentally it also doesn't work with azure Jupyter notebooks. So may well be my set up. Is this configurable within Jupyter?

[kimolas]

I was able to run all of your instructions, @dopplershift. However, when I run jupyter notebook on my server and try to access the webpage from my iPad, I keep getting a prompt to "Enter PEM pass phrase" which prevents me from actually accessing my notebook. I can provide it the pass phrase several times and I can log in on my iPad, but then I cannot connect to the kernel since no matter how many times I provide the pass phrase it will eventually time out and say that the kernel could not be connected to.

I guess the pass phrase needs to be stored in the system keychain, but I am not sure how to do that. @ioancw did you have this problem as well?

Running macOS Sierra on my server and iOS 11 on my iPad Pro 10.5", although I have the same problem with iOS 10 on my iPad Air 2. Notebook works perfectly fine without SSL.

[ioancw]

No I didn't have the same problem. I set up my server following the instructions here: https://github.com/yhilpisch/cloud-python

The only difference is the way we create the key - and I followed the steps detailed in this step.

[kimolas]

I see, thanks! I'll give it a shot. By the way, tab completion works for me, although it only really works if there is a unique completion.

[kimolas]

@ioancw It looks like the instructions you linked to create a certificate without a passcode, so it circumvents the PEM key input issue. That's fine with me, although I am now running into the following error:

The Jupyter instance shows this:

I might be missing something obvious/simple. Any ideas?

[86magic]

I spent a lot of time trying to solve this. And finally it works thanks to instructions from @dopplershift. Thank you!

[pretesh100]

@ioancw @dopplershift I have the same issue where from a regular pc/browser my jupyterhub works fine, but when I try to run from iphone/ipad (both safari and chrome), i get the "kernel not connecting" error.

I have tried adding the following line to my conf (I dont have anything for DNS):

[alt_names] IP.1 = 173.232.XXX.XX (my ip address)

When I check the configuration settings of the installed certificate on my iphone I dont see my IP address anywhere (should I be able to see it there?)

Any other ideas/troubleshooting I can try??

[dopplershift]

@pretesh100 Sorry, nothing springs to mind here. I can say that I don't see the alt_names listed on my iPad either, and everything seems to work.

[pretesh100]

@dopplershift I manged to get it working. I found this dummies guide with all the steps which seems to have done the trick.

For anyone else stuck - here is the link:

https://kernels.io/ssl-self-signed-cert/

[alexstaravoitau]

Here's an updated link of the article above on how to configure valid SSL certificate in order to connect to your Jupyter server from iPad:

https://juno.sh/ssl-self-signed-cert/

[tensorcopy]

What IP should I put in the alt_names? The public IP for the router or the static local ip assigned to the server?

[alexstaravoitau]

@garyzhalo Should be server's public address that iPad will try to open in Safari.

[sunyiwei24601]

thank for @dopplershift ，your method is practicable.But the openssl.cnf file which you privided is not very good ,Because in this section

[req_distinguished_name] countryName = US stateOrProvinceName = Colorado localityName = Boulder organizationalUnitName = commonName = 0.organizationName = emailAddress = all the attrs should be filled ,there's something wrong there. By the way, I followed the step provided by Juno @navoshta ,I failed with ssl vertified ,I think there is still something wrong in this method. This should be written as an article which could help the others.(Since Ipad Pro are becoming a more generallt accepted productive tool)

[ioancw]

Hello, I have written up the steps I followed on my blogpost. I’ve stopped using the method above and I’m now using the instructions for the Juno app. Please follow my instructions step by step and see how far you go. If you think that anything isn’t clear then let me know and I will update the post. This method will allow you to connect via Safari on iPad Pro, irrespective of whether you use Juno. However I would strongly recommend using Juno (it’s worth the price).

It’s basically pointing at the instructions from the Juno blog. Follow this and you can’t go wrong.

https://ioancw.github.io/2018/08/11/jupyter-ipad-juno.html

[willingc]

Thanks for the tip @ioancw. While the Jupyter team does not endorse particular vendor services or products, we appreciate you sharing with the community.

Antoher no cost solution for notebooks on an iPad is to use mybinder.org a free service maintained by Jupyter's JupyterHub team.

[h-jia]

Is it possible to implement on Jupyterhub? If so, what do I need to change the jupyterhub_config.py file? I have followed the Juno to generate the cert file and add into (simply with a new line) the ssl_cert. However it dose not working yet.

Any suggestions? Thanks in advance.

[goldmyu]

This is still an issue today with Ios 14 on iPad pro, tries using these instruction but no dice The thing is I am using a Linux-based server that runs the Jupyter notebook as a job and allocates a new IP for the notebook whenever it ran, but the OpenSSL.cnf only knows the server public IP in which I SSH to. anyone can shed some light on this issue? how do I by-pass that?

I also tried downgrading tornado to<6.0 as some people suggested in other posts but that didn't do the trick either.