mitodl / mit_lti_flask_sample

a sample LTI provider using the PyLTI library and the Flask framework

SSL error #35

Closed njoliat closed 6 years ago

njoliat commented 6 years ago

I'm running this app on Heroku and trying to get it working as an LTI provider on an edX page. I'm using this branch, which is like the upstream master branch except it updates uWSGI (see #33). I've got the app building on Heroku and when I go to the is_up page I get the expected "I'm up" response. I've created an LTI component using the edX editor, and followed the other instructions (such as adding the LTI Passports) on this page. On edX I published the page and view it live as a learner/student. I get the welcome screen (with "Welcome student." etc), and I get the form for the arithmetic problem, but when I enter the response, I get "Internal Server Error". The Heroku logs (here) seem to indicate some sort of SSL error. Any ideas? Thanks!

pdpinch commented 6 years ago

Are you using SSL? It looks like it's having trouble parsing the PEM file, which you would pass through Heroku settings.

IIRC, you must use SSL for LTI with edx-platform.

njoliat commented 6 years ago

@pdpinch yes, I'm using SSL / I have the LTI URL with "https" on edX. I found some info on how to upload a .pem file to Heroku, but I'm not sure which .pem file I should use--- is there a specific way I should generate one for this project? (sorry SSL isn't a topic I know that much about so I might be missing something simple.)

pdpinch commented 6 years ago

Sorry @njoliat I'm realizing that the way this SSL configuration is implemented is quite old and there are better ways to do things now.

I'd recommend omitting this setting (it should be optional) and setting up SSL as described in the Heroku docs at https://devcenter.heroku.com/articles/ssl -- you can use your own certificate, or get one from Let's Encrypt.

carsongee commented 6 years ago

The PEM file in the MIT example is actually for doing client SSL authentication, i.e. authenticating the client to the server, not the more traditional SSL authentication i.e. the green lock that authenticates the server to the client. If you want to integrate this with an edX installation that doesn't have that, I think editing the config to remove that key from the PyLTI config should resolve the issue.

pdpinch commented 6 years ago

Thanks Carson! (ain't the internet amazing?)

So you're saying this setting is only used if the LTI provider (this app) is posting back to the LTI consumer (edX) ?

> The PEM file in the MIT example is actually for doing client SSL authentication, i.e. authenticating the client to the server, not the more traditional SSL piece. If you want to integrate this with an edX installation that doesn't have that, I think editing the config to remove that key from the PyLTI config should resolve the issue.

carsongee commented 6 years ago

Hehe, yep, guess I'm still following this repo 😜 . If memory serves, we just added that to specifically integrate with MITx Residential, which when I was there used SSL client auth. The error in the logs is that it is trying to do that SSL authentication with @njoliat's edX installation to post the grade and not finding the cert. So I believe either @njoliat still will need the client cert to post the grade back to the edX installation (if this is to an SSL client auth enabled installation), or just not tell PyLTI that there isn't a cert, and it won't try to auth if the cert key isn't present.

njoliat commented 6 years ago

@carsongee @pdpinch thanks! Removing the "cert" entry from the PyLTI config (as here) seems to work; my Heroku instance with the LTI sample app now successfully sends data back to my MITx page.

pdpinch commented 6 years ago

MITx Residential doesn't use certificate authentication any more, so I think this problematic setting is obsolete.

I'm going to close this and open a new issue to remove this setting.
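
An added example, not part of the thread or of the project's code: a start-up check for the client-certificate problem discussed above, so a bad "cert" entry is reported before a grade postback fails. It assumes the PyLTI config maps `consumers` to per-consumer dicts whose optional `cert` value is a path to a PEM file holding the client certificate and its private key; the function names are hypothetical.

```python
import copy
import ssl
import tempfile

PASS = ("ok", "no client cert")


def check_client_cert(pem_path):
    """Return None if pem_path loads as certificate + private key, else the error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Same parse a TLS client performs before it can present the cert.
        ctx.load_cert_chain(pem_path)
    except OSError as exc:  # covers ssl.SSLError (bad PEM) and missing files
        return f"{type(exc).__name__}: {exc}"
    return None


def audit_pylti_config(config):
    """Map each consumer key to 'ok', 'no client cert', or the load error."""
    report = {}
    for key, consumer in config.get("consumers", {}).items():
        if "cert" not in consumer:
            report[key] = "no client cert"
        else:
            report[key] = check_client_cert(consumer["cert"]) or "ok"
    return report


def without_unusable_certs(config):
    """Return a copy of config with every 'cert' entry that fails to load removed."""
    cleaned = copy.deepcopy(config)
    for key, status in audit_pylti_config(config).items():
        if status not in PASS:
            del cleaned["consumers"][key]["cert"]
    return cleaned


if __name__ == "__main__":
    # Constructed sample: an empty PEM file, as when no certificate was ever supplied.
    with tempfile.NamedTemporaryFile(suffix=".pem") as empty_pem:
        sample = {"consumers": {
            "consumer-a": {"secret": "placeholder", "cert": empty_pem.name},
            "consumer-b": {"secret": "placeholder"},
        }}
        print(audit_pylti_config(sample))
        print(without_unusable_certs(sample))
```

Dropping the entry is only appropriate when the LTI consumer does not require SSL client authentication; otherwise the audit result identifies the PEM file that needs to be supplied or repaired.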