Closed fishfree closed 6 years ago
Hi @fishfree,
Please post your /opt/kaltura/app/configurations/apache/kaltura.ssl.conf and also, the output for:
$ curl -I -v $YOUR_KALTURA_END_POINT
@jessp01 Thank you for your reply!
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
SSLMutex default
</IfVersion>
SSLCryptoDevice builtin
SSLCertificateFile /etc/ssl/certs/shisu.pem
SSLCertificateKeyFile /etc/ssl/certs/shisu.key
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Hi @fishfree,
As you can see yourself from the curl output, the issue is not that the cert is self signed but rather, that you're missing the CA cert. Add
SSLCACertificateFile /path/to/CA/cert
to /opt/kaltura/app/configurations/apache/kaltura.ssl.conf
And reload your Apache. The CA cert path is prompted about during the kaltura-front postinst phase. I suppose you just didn't input a value, hence the issue.
You are allowed to input an empty value for SSLCACertificateFile
because sometimes, the CA is part of the file SSLCertificateFile
points to. Obviously, that's not your case so you do need that value.
@jessp01 I set SSLCACertificateFile /etc/ssl/certs/shisu.crt in /opt/kaltura/app/configurations/apache/kaltura.ssl.conf, but the curl result still shows: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
Then I even replaced the content of the file /etc/pki/tls/certs/ca-bundle.crt with that of /etc/ssl/certs/shisu.crt, but the same problem still persists.
Hi @fishfree,
You shouldn't touch /etc/pki/tls/certs/ca-bundle.crt. Looking at your curl output again, it says:
NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
Issuer certificate is invalid.
I suggest you check why that is, looks to me as though this cert is self issued. Like I said, that will not work.
You can verify that with:
$ openssl verify $CRT_FILE
The CA can be verified with:
$ openssl verify -CAfile $CA_FILE $CRT_FILE
There is really nothing special in the Kaltura Apache SSL config. Is there a different Apache server that you were able to configure to work properly with this cert, key and CA?
Also, maybe try with a letsencrypt.org cert and key to get it working?
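The two openssl checks suggested above, run against certificates constructed on the spot (an added example, not part of this thread or of Kaltura): one self-issued cert, where issuer equals subject, and one leaf signed by a private CA, which only verifies once the CA file is supplied. The names example.test and "Example Test CA" are made up; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: reproduce "openssl verify $CRT_FILE" and
# "openssl verify -CAfile $CA_FILE $CRT_FILE" on constructed certs in a temp dir.
set -u
WORK=$(mktemp -d)

# Issuer equal to subject is what a self-issued certificate looks like
# (the case curl/NSS rejected with SEC_ERROR_CA_CERT_INVALID).
cert_is_self_issued() {
    iss=$(openssl x509 -noout -issuer -in "$1")
    sub=$(openssl x509 -noout -subject -in "$1")
    [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# Verify against the system trust store only (no -CAfile): exit 0 on success.
verify_alone() {
    openssl verify "$1" >/dev/null 2>&1
}

# Verify with an explicit CA file, as suggested in the thread: exit 0 on success.
verify_with_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed self-signed cert; prints its path.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
    echo "$WORK/self.pem"
}

# Constructed private CA ($WORK/ca.pem) plus a leaf it signs; prints the leaf path.
# This is the situation SSLCACertificateFile / SSLCertificateChainFile exists for.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
    echo "$WORK/leaf.pem"
}
```

Running the leaf through verify_alone fails (unknown issuer) while verify_with_ca with $WORK/ca.pem succeeds; the self-issued cert fails verify_alone and has cert_is_self_issued true, which is the pattern seen in this thread.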
@jessp01 I had tried Letsencrypt before, but no luck, the same problem. Did you succeed in installing Kaltura CE SSL with Letsencrypt? If so, could you share the details, please?
Hi @fishfree,
Yes, I've tried it many times using letsencrypt certs and it worked just fine. Like I said, our Apache config is standard so there's no reason why it shouldn't work.
Replace the following values in /opt/kaltura/app/configurations/apache/kaltura.ssl.conf so that they point to the letsencrypt files:
SSLCertificateFile @SSL_CERTIFICATE_FILE@
SSLCertificateKeyFile @SSL_CERTIFICATE_KEY_FILE@
SSLCACertificateFile @SSL_CERTIFICATE_CA_FILE@
Then reload Apache. If it does not work, provide again the curl output and also the output for:
# apachectl -t -DDUMP_VHOSTS
@jessp01 Still does not work. Would you please share the whole file content of your /opt/kaltura/app/configurations/apache/kaltura.ssl.conf ?
and share the certbot command for requesting the Letsencrypt certificate? Thank you for replying to me so quickly!
Hi @fishfree,
/opt/kaltura/app/configurations/apache/kaltura.ssl.conf is generated based on /opt/kaltura/app/configurations/apache/kaltura.ssl.conf.template. The kaltura-front post install script replaces the tokens with whatever you input. No manual changes should be required. Again, please share the output for:
# curl $SERVICE_URL
# apachectl -t -DDUMP_VHOSTS
and the contents of /opt/kaltura/app/configurations/apache/kaltura.ssl.conf after you set the letsencrypt paths.
As for the certbot command, you should run:
# ./path/to/certbot-auto certonly
the certbot-auto script has the option to set the apache conf file up for you but you best not use that option. Generate the certs and then either re-run the kaltura-front postinst script or edit the file manually and reload Apache. To re-run the script if using the RPM package:
# /opt/kaltura/bin/kaltura-front-config.sh
if using the deb package:
# dpkg-reconfigure kaltura-front
@jessp01 Thank you for your patient instruction! I reinstalled Kaltura CE on my box. Before executing "/opt/kaltura/bin/kaltura-config-all.sh", I executed "certbot certonly" and selected "3: Place files in webroot directory (webroot)", but errors occurred:
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: kaltura.shisu.edu.cn Type: connection Detail: Fetching http://kaltura.shisu.edu.cn/.well-known/acme-challenge/yhphZk4RAkBG8WpH02KJKakis04Vnc1uqJZoyyLor1Q: Timeout
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Could you please show me the sequential key steps of requesting Letsencrypt cert and configuring Kaltura?
Hi @fishfree,
As the certbot output is telling you, the request for http://kaltura.shisu.edu.cn/.well-known/acme-challenge/yhphZk4RAkBG8WpH02KJKakis04Vnc1uqJZoyyLor1Q: times out. I, too, cannot reach http://kaltura.shisu.edu.cn. The letsencrypt script MUST be able to access your web server in order to validate you are asking for a cert for a domain you own and have control over and so, you must first enable it to do that, otherwise, no cert and key will be generated.
@jessp01 Thank you for your tip! It turned out that the Web Application Firewall blocked external access to port 80. Now I have unblocked it. But when I run the command "certbot certonly", it shows an error: Failed authorization procedure. kaltura.shisu.edu.cn (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kaltura.shisu.edu.cn/.well-known/acme-challenge/N_9h6IlHb2DU9yBiGont-sX0_m-3bTlFG1hq7KgWWso: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
@jessp01 This morning, I did these things:
I cannot understand why. Which steps did I miss?
[root@kaltura ~]# curl https://kaltura.shisu.edu.cn
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
==================
[root@kaltura ~]# apachectl -t -DDUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:80 kaltura.shisu.edu.cn (/etc/httpd/conf.d/zzzkaltura.conf:1)
*:443 is a NameVirtualHost
default server kaltura.shisu.edu.cn (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost kaltura.shisu.edu.cn (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost kaltura.shisu.edu.cn (/opt/kaltura/app/configurations/apache/kaltura-le-ssl.conf:2)
===============
[root@kaltura ~]# cat /opt/kaltura/app/configurations/apache/kaltura-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
# for SSL offloading support, if LB has X_FORWARDED_PROTO set to 'https', set HTTPS to 'on'
SetEnvIf X-Forwarded-Proto https HTTPS=on
ErrorLog "/opt/kaltura/log/kaltura_apache_errors.log"
CustomLog /opt/kaltura/log/kaltura_apache_access.log vhost_kalt
Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
SSLCertificateFile /etc/letsencrypt/live/kaltura.shisu.edu.cn/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kaltura.shisu.edu.cn/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/kaltura.shisu.edu.cn/chain.pem
</VirtualHost>
</IfModule>
Hi @fishfree,
As you can see from:
$ curl -I -v https://kaltura.shisu.edu.cn/ -k
...
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: kaltura.shisu.edu.cn (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=--,ST=SomeState,L=SomeCity,O=SomeOrganization,OU=SomeOrganizationalUnit,CN=kaltura.shisu.edu.cn,EMAIL=root@kaltura.shisu.edu.cn
* start date: Thu, 21 Dec 2017 09:49:23 GMT
* expire date: Fri, 21 Dec 2018 09:49:23 GMT
* issuer: C=--,ST=SomeState,L=SomeCity,O=SomeOrganization,OU=SomeOrganizationalUnit,CN=kaltura.shisu.edu.cn,EMAIL=root@kaltura.shisu.edu.cn
...
This is not a valid cert and is certainly not one issued by letsencrypt. If it were, you'd see:
issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
In one of your last replies, you wrote:
I run command "certbot certonly", It shows error: Failed authorization procedure. kaltura.shisu.edu.cn (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kaltura.shisu.edu.cn/.well-known/acme-challenge/N_9h6IlHb2DU9yBiGont-sX0_m-3bTlFG1hq7KgWWso: "
Clearly, the request for a letsencrypt certificate failed. There's nothing I can do for you until you get a valid certificate, either from letsencrypt or another certified vendor. Sorry but I have to close this issue.
If, after obtaining a valid cert and ensuring
$ curl https://kaltura.shisu.edu.cn/
returns correctly, you have additional questions or issues, please post at forum.kaltura.org.
Thanks,
@jessp01 Sorry, I don't agree with you closing this issue. Please read my question more carefully. The key point is what's the sequence of running "/opt/kaltura/bin/kaltura-config-all.sh" and letsencrypt-related commands. I've tried many times, but still failed. If you made it working with Letsencrypt SSL cert, just share the process, please!
@fishfree,
/opt/kaltura/bin/kaltura-config-all.sh has nothing to do with it. It calls /opt/kaltura/bin/kaltura-front-config.sh which expects you to input a valid cert, a CA and a key. It then proceeds to configure an Apache VHost to be used for the Kaltura Server. The cert you provided is invalid [see my detailed explanations in past replies]. Your certbot output clearly shows that the command failed to obtain a valid cert.
Once you have a valid cert, we can continue. This is nothing specific to the Kaltura Server, ANY Apache server using the cert and key you inputted will fail in the exact same way. You can try and see.
@jessp01 I seriously doubt that you did not try to configure Kaltura CE with a Letsencrypt cert, for Letsencrypt does not provide a CA cert. If you can, show me your related config, please?
@fishfree,
It certainly does too. You must have a CA. Letsencrypt creates:
/etc/letsencrypt/live/$DOMAIN/cert.pem
/etc/letsencrypt/live/$DOMAIN/privkey.pem
/etc/letsencrypt/live/$DOMAIN/chain.pem
These should be used like so:
SSLCertificateFile /etc/letsencrypt/live/$DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/$DOMAIN/chain.pem
In the Apache Vhost config which, in Kaltura's case, is here: /opt/kaltura/app/configurations/apache/kaltura.ssl.conf
This is going to be my last response to you. I've been nothing if not patient and kind and I utterly resent being called a liar.
After switching to Ubuntu 16.04, I finally got it working with Letsencrypt SSL. The key step is to install certbot and run the "certbot certonly --standalone -d ***.com" command before running "./install_kaltura_all_in_1.sh". I always failed on CentOS 7; that was probably because the installation script always ended with an SSL config error of not being able to recognize the %app% and %log% variables. Even when I manually replaced these variables with physical paths, it still had unauthorized SSL problems.
@jessp01 Thank you for your time and patience!!!
Hi @jessp01
I'm reopening this topic.
I managed to get the letsencrypt certificate to work by manually modifying the certificates defined in the file: /etc/httpd/conf.d/ssl.conf
Unlike the "/opt/kaltura/app/configurations/apache/kaltura.ssl.conf" file, the ssl.conf file is not modified by the installation script and the config.ans file.
I followed the tutorial and installed a Kaltura CE in a CentOS 7 box. But the HTTPS certificate is always recognized as self-signed by browsers, whether using LetsEncrypt or Commercial certificates.