liftoff / GateOne

Gate One is an HTML5-powered terminal emulator and SSH client
http://liftoffsoftware.com/Products/GateOne

GateOne doesn't load in embedded mode for the first time #128

Closed aryamazaheri closed 12 years ago

aryamazaheri commented 12 years ago

Hi again, I have embedded the gateone into my app. But for the first time I want to load it, gateone alerts me with the following error:

2012-08-29 16:44:20 INFO displayMessage(): AUTHENTICATION ERROR: 'NoneType' object has no attribute '__getitem__' :8024/combined_js:3073
2012-08-29 16:44:24 INFO PONG: Gate One server round-trip latency: 4ms :8024/combined_js:3073
2012-08-29 16:45:58 INFO displayMessage(): Message From Gate One Server: Only valid users please. Thanks! :8024/combined_js:3073
2012-08-29 16:45:58 ERROR Error communicating with server... :8024/combined_js:3073
2012-08-29 16:46:03 INFO displayMessage(): AUTHENTICATION ERROR: 'NoneType' object has no attribute '__getitem__' :8024/combined_js:3073
2012-08-29 16:46:06 INFO displayMessage(): Message From Gate One Server: Only valid users please. Thanks! :8024/combined_js:3073
2012-08-29 16:46:06 ERROR Error communicating with server... :8024/combined_js:3073
2012-08-29 16:46:11 INFO displayMessage(): AUTHENTICATION ERROR: 'NoneType' object has no attribute '__getitem__'

Then I tried to load the gateone individually. After that I loaded the embedded gateone again. It now works!! Do you know what the problem is? I think that it's because of an SSL issue! I'm not sure though.

aryamazaheri commented 12 years ago

For the first-time use on a client, it doesn't authenticate the user. I inspected the GateOne.Users object with Firebug. There was no username variable. But after visiting the original address of GateOne (i.e. https://localhost:8024) and then coming back to the embedded gateone, the username variable appears in the GateOne.Users object.

aryamazaheri commented 12 years ago

One thing about the SSL: I have the certificate.pem and keyfile.pem in my gateone directory. But for the first-time use the user has to accept the untrusted site. So when GateOne is going to work in the embedded mode it fails to load gateone.js due to the untrusted website issue. I think you have managed it in chat_demo, because I didn't have such a problem there. Is there something extra I should do to overcome this issue?

liftoff commented 12 years ago

Can you paste the logs from the Gate One server from the same time as the client logs?

aryamazaheri commented 12 years ago

I don't have access to the server right now. But I'm sure that the server was throwing the same error as the client: AUTHENTICATION ERROR: 'NoneType' object has no attribute '__getitem__'

aryamazaheri commented 12 years ago

One thing to mention is that by 'embedded mode' I don't mean that I have set the embedded parameter to True. I just mean that I want to load the terminal in my app. :)

aryamazaheri commented 12 years ago

I tried to look at the code in chat_demo.py and I found these lines:

    app.listen(options.port, ssl_options={
        "certfile": os.path.join(os.getcwd(), "certificate.pem"),
        "keyfile": os.path.join(os.getcwd(), "keyfile.pem"),
    })

Could you tell me the purpose of these lines? Do I have to make any change in my Apache configuration?

liftoff commented 12 years ago

Well, that "'NoneType' object has no attribute '__getitem__'" exception happened because the 'authenticate' action made it all the way past all authentication types (anonymous, regular, and API) and get_current_user() returned "None". I am trying to figure out how that can even happen! LOL.

The problem lies somewhere around line 1123 in gateone.py I think. Your user wasn't authenticated successfully (obviously) but you should have at least been given a clear message as to what the problem is.

liftoff commented 12 years ago

The chat demo app uses its own certificate/key. Those parameters just tell it to look inside the same directory as chat.py itself (assuming you run it like so: ./chat.py).

liftoff commented 12 years ago

Oh, I forgot to ask: What does Apache have to do with anything? I assume that's what is running the app you're embedding Gate One into?

aryamazaheri commented 12 years ago

Yes, my app's web server is Apache! Or, to be more precise, Tomcat.

aryamazaheri commented 12 years ago

Update: My main app is written with JSP and its web server is Tomcat. Now I tried to check embedding gateone with PHP and Apache. Now it works OK if the user first visits the original address of GateOne, accepts the untrusted site issue and then comes back to the embedded page. That's because gateone.js doesn't load the first time. So I think this is the main problem. Do you know how to fix this?

liftoff commented 12 years ago

A couple other notes from your previous comments on this issue:

GateOne.User.username will only get set if the Gate One server sends the client a 'set_username' action over the WebSocket. It will only send this message if the client has authenticated successfully. Obviously (from the errors) authentication failed, so the username was never sent :)

Your SSL problem with gateone.js can be solved by copying that file (or making a symbolic link to it) somewhere it can be served up by your web app. Then just include it on the page like you would any other script:

<script src="/path/to/gateone.js"></script>
<!-- As opposed to src="https://gateone.mycompany.com:8443/static/gateone.js" which will run into SSL security issues if the certificate is self-signed -->

I highly recommend making it a symbolic link so that it gets updated automatically when you update Gate One. This will work around the problem where the user can't load gateone.js because they haven't accepted the (Gate One) certificate yet. Note that in a production environment you'd probably use a purchased SSL certificate (or at least one that's trusted by all your client browsers) which would negate this issue.

Having said that, users will still have to accept the Gate One server's certificate in order to connect to its WebSocket. Fortunately gateone.js includes logic to handle this automatically: If a connection to the Gate One server has yet to be established successfully it will automatically redirect the user to the accept_certificate.html page on the Gate One server (it also presents a dialog to the user informing them of the problem where they have to click OK to proceed). When that happens the user will be presented with the option to accept the SSL certificate and when complete they'll be sent right back to your application (the page embedding Gate One).

liftoff commented 12 years ago

I forgot to mention this: If your web application and Gate One server are going to reside on the same host you can configure Gate One to use the very same SSL certificate as your web application. That will also work around the, "can't load gateone.js due to SSL errors" issue.

In production you can purchase a single "wildcard" SSL certificate for both your Gate One server and your web server if you host them both from the same subdomain. The certificate would have its CN set to something like "*.web.mycompany.com". That way you can configure both your web app and Gate One to use the same certificate, and as long as they both live somewhere under web.mycompany.com users won't encounter any problems with SSL.
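Added example (not Gate One's code, nor the commenter's) showing which hostnames a shared certificate with CN "*.web.mycompany.com" actually covers under the single-wildcard rules browsers apply, including the edge case that a wildcard matches exactly one DNS label. The hostnames are constructed for illustration.

```python
# Added example (not Gate One's code): which hostnames a certificate with
# CN "*.web.mycompany.com" covers, using the single-wildcard rules browsers
# apply (RFC 6125 style). Sample hostnames below are constructed.


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one DNS label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label.lower() == host_label.lower()


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if hostname is covered by cert_name (a CN or SAN dNSName).

    A wildcard covers exactly one label: '*.web.mycompany.com' covers
    'gateone.web.mycompany.com' but neither 'web.mycompany.com' nor
    'a.b.web.mycompany.com'. The wildcard must be the whole left-most label
    and the name must have at least three labels (no '*.com').
    """
    pattern_labels = cert_name.strip(".").split(".")
    host_labels = hostname.strip(".").split(".")
    if "*" in cert_name:
        if pattern_labels[0] != "*" or any("*" in p for p in pattern_labels[1:]):
            return False  # partial or non-leading wildcard: refused
        if len(pattern_labels) < 3:
            return False  # too broad to be trusted
    if len(pattern_labels) != len(host_labels):
        return False  # a wildcard never spans zero or several labels
    return all(_label_matches(p, h) for p, h in zip(pattern_labels, host_labels))


def covered_by_wildcard(cert_name: str, hostnames) -> dict:
    """Map each hostname to whether the shared certificate would be accepted."""
    return {h: hostname_matches(cert_name, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample: the web app and Gate One hosts from the discussion.
    report = covered_by_wildcard("*.web.mycompany.com", [
        "www.web.mycompany.com",
        "gateone.web.mycompany.com",
        "web.mycompany.com",
        "gateone.ops.web.mycompany.com",
    ])
    for host, ok in report.items():
        print(f"{host:32s} {'covered' if ok else 'NOT covered'}")
```

In practice this means the bare web.mycompany.com and any deeper host such as gateone.ops.web.mycompany.com each need their own name on the certificate.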

aryamazaheri commented 12 years ago

Thanks a million for your thorough explanation. It works fine now in my local apache webserver. I'll check it on the server tomorrow. Of course we'll purchase a certificate. I'm at development and testing phase right now.

aryamazaheri commented 12 years ago

Haah! I think I found another bug! I was playing around with the authobj which is passed to GateOne.Init. It works fine in Chrome. If the auth parameter is available the terminal loads fine, and if it is not available, Gateone throws an authentication error. But it doesn't look the same in Firefox. Firefox loads the terminal in both scenarios and doesn't prevent the users to see the terminal.

liftoff commented 12 years ago

What do you mean by "doesn't prevent the users to see the terminal"?

aryamazaheri commented 12 years ago

I mean preventing the users from interacting with it. Or in other way, it doesn't show any authentication error notification box.

aryamazaheri commented 12 years ago

Ok, I tried to test it again on the server and used the symlink to gateone.js. Also I decided to use the same SSL certificate as my portal uses. So I copied the public and private cert keys from the Apache SSL folder. I assumed that the ssl key in the ssl.crt folder is equivalent to 'certificate.pem' and the key file in the ssl.key folder is equivalent to 'keyfile.pem'. So I made the changes in server.conf. Everything is fine when I load Gateone in Chrome. It doesn't notify me again about the untrusted certificate, because I have approved it once from my app. But when I want to see the terminal in Firefox it shows me the untrusted website warning again and gateone throws the following error:

[W 120901 16:14:00 iostream:425] Read error on 19: [Errno 1] _ssl.c:1359: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[W 120901 16:14:00 iostream:359] error on read
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/tornado/iostream.py", line 354, in _handle_read
    if self._read_to_buffer() == 0:
  File "/usr/local/lib/python2.7/site-packages/tornado/iostream.py", line 421, in _read_to_buffer
    chunk = self._read_from_socket()
  File "/usr/local/lib/python2.7/site-packages/tornado/iostream.py", line 696, in _read_from_socket
    chunk = self.socket.read(self.read_chunk_size)
  File "/usr/local/lib/python2.7/ssl.py", line 160, in read
    return self._sslobj.read(len)
SSLError: [Errno 1] _ssl.c:1359: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I'm confused why this error message is thrown only if I use Firefox. Why is Chrome totally fine with this?

liftoff commented 12 years ago

Can you paste your server.conf? You're not using client certificates, are you? An error like this can crop up if you have ssl_auth=True in your server.conf and the browser is sending a certificate along with the connection that Gate One can't verify.

Also, this error can happen if you don't have any CA certificates installed in your Linux distribution (where Python expects them to be anyway). I see it a lot in embedded distributions like Angstrom Linux where the user built their own custom Linux firmware but neglected to include the CA certificate package.

aryamazaheri commented 12 years ago

No, auth_ssl is set to False. What do you mean by CA certificates installed on my system? So, is there anything I can do? I'll post the content of server.conf in the next few hours.

aryamazaheri commented 12 years ago

Ok, I found the problem. I had to add the authority server to my Firefox. It now works smoothly. Thanks for mentioning client certificate problem.

vsasikiran commented 11 years ago

If my web application, which is deployed in Tomcat, is on one machine and the GateOne server is on another machine, then how can we avoid this:

Authentication Failure

You must re-authenticate with the Gate One server. The page will now be reloaded.

Can you please help me with this in detail? I'm pretty new to these SSL issues.

Thanks, Sasikiran.

liftoff commented 11 years ago

Sasikiran, I can help you with that problem but it warrants its own ticket since it is completely unrelated to this issue. Please open a new ticket with the details about your environment: Gate One version, distribution, how you're embedding Gate One, and please paste in your 10server.conf (please remove/censor the cookie_secret setting before posting).