opencast / opencast-docker

Dockerfiles for Opencast
https://quay.io/organization/opencast/
Educational Community License v2.0
41 stars 36 forks

Self-Signed Certificate #232

Closed theo-dep closed 1 month ago

theo-dep commented 1 month ago

Hi,

I am following this tutorial to generate and import a self-signed certificate: https://docs.opencast.org/r/16.x/admin/#configuration/https/self-signed-certificates/

Because I am facing this issue when I am trying to read a video from my external IP: Failed to load resource: net::ERR_BLOCKED_BY_CLIENT. From localhost, everything works.

My certificate is correctly imported (I guess) because I tested:

    > keytool -list -storepass changeit -cacerts | grep testing
    testing_root, Aug 18, 2024, trustedCertEntry ...

In the tutorial, the last step is to restart Opencast, but ./bin/stop-opencast stops the container (because of the health check?) and when I restart the container, the keystore is reset. There is the same issue with docker stop.

How do I import a self-signed certificate into Opencast in Docker?

mtneug commented 1 month ago

Running ./bin/stop-opencast will stop the main container process and will, therefore, terminate the container.

When the container starts, there is some logic to create the CA store for the OS and Java. I guess this is why you see it being reset. To add custom certificates, you should be able to simply mount them in the correct location:

    $ ls /path/to/my-certs
    my-ca.crt

    $ docker run ... \
        -v /path/to/my-certs:/usr/local/share/ca-certificates/my-certs \
        ...

I think the file needs to have the .crt extension.
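Added example (not opencast-docker's code and not part of mtneug's reply): a preflight script for the mount approach described above. It assumes the container's start-up logic is Debian-style update-ca-certificates followed by the Java trust-store import, which only picks up PEM files ending in .crt below /usr/local/share/ca-certificates/. It checks the three things that silently break that path (a non-.crt extension, DER instead of PEM, and a private key left in the directory that is about to be mounted), prints the -v flag, and parses keytool -list output like the line quoted in the question to confirm the alias landed as a trustedCertEntry. The placeholder PEM bodies, the keytool transcript and the my-certs subdirectory name are constructed or assumed.

```python
"""Preflight for bind-mounting a custom CA into the Opencast container.

Added example, not opencast-docker's code. Assumes (per mtneug's reply) that
the container runs Debian-style update-ca-certificates plus the Java trust
store import at start-up, which only picks up PEM files ending in .crt under
/usr/local/share/ca-certificates/. The sample files and keytool transcript
below are constructed; the mount subdirectory name is an assumption.
"""
import os
import re
import tempfile

CA_MOUNT_TARGET = "/usr/local/share/ca-certificates/my-certs"  # subdir name is an assumption

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# One entry line of `keytool -list`: "<alias>, <Mon D, YYYY>, <entry type>,"
# (the date itself contains a comma, so a plain split on ", " would break).
KEYTOOL_ENTRY = re.compile(
    r"^(?P<alias>.+?), (?P<date>[A-Za-z]{3}\.? \d{1,2}, \d{4}), "
    r"(?P<kind>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),?\s*$"
)


def check_ca_dir(path):
    """List what would make the mounted directory useless or dangerous."""
    problems = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            text = fh.read().decode("ascii", errors="replace")
        if PRIVATE_KEY.search(text):
            # The CA's private key stays on the signing host, never in the container.
            problems.append(f"{name}: contains a private key; never mount it into the container")
            continue
        if not name.endswith(".crt"):
            problems.append(f"{name}: not a .crt file, update-ca-certificates will skip it")
        if not PEM_CERT.search(text):
            problems.append(f"{name}: no PEM 'BEGIN CERTIFICATE' block (DER-encoded?)")
    return problems


def docker_volume_arg(host_dir):
    """The -v flag from the reply above, read-only so the container cannot alter the CA."""
    return f"-v {os.path.abspath(host_dir)}:{CA_MOUNT_TARGET}:ro"


def trusted_aliases(keytool_output):
    """Parse `keytool -list -storepass changeit -cacerts` output into {alias: entry type}."""
    entries = {}
    for line in keytool_output.splitlines():
        m = KEYTOOL_ENTRY.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("kind")
    return entries


def ca_imported(keytool_output, alias):
    """True when the CA landed in the Java trust store as a trustedCertEntry."""
    return trusted_aliases(keytool_output).get(alias) == "trustedCertEntry"


# Constructed sample data: placeholder PEM bodies, not real certificates.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBszCCAV (base64 body elided)\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBAD (base64 body elided)\n-----END PRIVATE KEY-----\n"
FAKE_DER = b"\x30\x82\x01\x0a\x30\x81\xf1"  # start of a DER SEQUENCE, no PEM armour
SAMPLE_KEYTOOL = """\
Your keystore contains 2 entries

testing_root, Aug 18, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33 (elided)
debian:isrgrootx1.pem, Aug 18, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66 (elided)
"""


def demo():
    """Run the checks on a throwaway directory and return the findings."""
    files = {"my-ca.crt": FAKE_CERT, "my-ca.pem": FAKE_CERT,
             "my-ca.key": FAKE_KEY, "der-ca.crt": FAKE_DER}
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        problems = check_ca_dir(d)
        volume = docker_volume_arg(d)
    return {"problems": problems, "volume": volume,
            "testing_root_ok": ca_imported(SAMPLE_KEYTOOL, "testing_root")}


if __name__ == "__main__":
    for line in demo()["problems"]:
        print(line)
```

Run it against the real directory before `docker run`, then, once the container is up, feed the output of `docker exec <container> keytool -list -storepass changeit -cacerts` to `ca_imported` with the alias you expect. Because the import happens in the entrypoint, the mount survives `docker stop`/`docker start`, which is exactly what editing the keystore inside the running container does not.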

mtneug commented 1 month ago

I will close this for now. Feel free to reopen if this does not solve your problem.

theo-dep commented 1 month ago

Hello, thank you for your response. Sorry, I didn't have much time to continue my experiment. Finally, I used a Let's Encrypt certificate with an nginx reverse proxy added to your docker compose file. Opencast keeps redirecting to localhost:8080 when I try to play a video, but I think I am on the right track. I will let you know if I succeed! But for my knowledge, are there so few users of Opencast with Docker or other container engines?

mtneug commented 1 month ago

> Finally, I used a Let's Encrypt certificate with an nginx reverse proxy added to your docker compose file. Opencast keeps redirecting to localhost:8080 when I try to play a video, but I think I am on the right track.

You want to set org.opencastproject.download.url. There is an environment variable for the containers. However, I would recommend instead mounting overwritten configuration files to /etc/opencast in the container file system. I only added the most important options as environment variables, mainly for starting up quick testing/example instances. Usually, a production instance will configure many more options, necessitating mounting config files anyway.

> But for my knowledge, are there so few users of Opencast with Docker or other container engines?

I don't have a complete overview of who is running Opencast in containers. There are some mid to large-size organizations I know of. But deciding for a containerized solution mainly boils down to how familiar you are with this way of running workloads. There is nothing you can or cannot do with Opencast when using containers compared to traditional installation methods. I see many benefits in container orchestrators, but ultimately Opencast will run fine in both environments.

theo-dep commented 1 month ago

Thank you for your response. I needed to recreate the volumes when I changed the site URL, but this is working and I can share my test with others in my association now :). I will continue to set up Opencast if the members are satisfied by this solution. Thanks again for your time.

Here is my configuration:

    nginx:
      image: nginx:latest
      volumes:

    server {
        listen 80;
        listen [::]:80;
        server_name com.example.org;

        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name com.example.org;

        ssl_certificate_key /etc/letsencrypt/live/com.example.org/privkey.pem;
        ssl_certificate /etc/letsencrypt/live/com.example.org/fullchain.pem;

        client_max_body_size 0;

        location / {
            include proxy_params;
            proxy_pass http://opencast/;

            proxy_redirect http://$host https://$host;
            proxy_cookie_flags ~ secure httponly;
            proxy_buffering off;
            proxy_request_buffering off;
        }
    }
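Added example, not from the thread and not opencast-docker's code: a small model of how the two pieces in this setup interact. The nginx directive `proxy_redirect http://$host https://$host;` only rewrites a Location header that starts with the public host, so a redirect to http://localhost:8080 that Opencast builds from its own server.url passes through the proxy untouched; that is the localhost:8080 symptom reported earlier, and it is fixed on the Opencast side by the properties mtneug points at rather than in nginx. The property keys are real Opencast keys; the /static suffix for download.url mirrors the stock custom.properties default as I know it, and the internal default origin, the file name and the service name are assumptions.

```python
"""Model of the redirect path: nginx proxy_redirect versus Opencast's own URLs.

Added example; not code from opencast-docker or from this thread. The nginx
model reproduces only the documented prefix-replacement behaviour of
proxy_redirect. The internal origin and file names are assumptions.
"""
from urllib.parse import urlsplit

PUBLIC_HOST = "com.example.org"            # server_name from the nginx config above
INTERNAL_ORIGIN = "http://localhost:8080"  # assumed container default for server.url


def proxy_redirect(location, host=PUBLIC_HOST):
    """Apply `proxy_redirect http://$host https://$host;` to one Location header.

    nginx replaces the *leading* text only, so a Location that does not start
    with http://<public host> (e.g. http://localhost:8080/...) is left alone.
    """
    prefix = f"http://{host}"
    if location.startswith(prefix):
        return f"https://{host}" + location[len(prefix):]
    return location


def leaks_internal_origin(final_location, host=PUBLIC_HOST):
    """True if the browser would be sent anywhere but the public https origin."""
    u = urlsplit(final_location)
    return u.scheme != "https" or u.netloc != host


def opencast_url_overrides(public_url):
    """Properties for a file bind-mounted below /etc/opencast in the container.

    server.url is what Opencast uses to build absolute links and redirects;
    download.url is where the player fetches media. Both must name the public
    TLS origin, never the container-internal http://localhost:8080.
    """
    u = urlsplit(public_url)
    if u.scheme != "https" or u.hostname in (None, "localhost", "127.0.0.1"):
        raise ValueError(f"public URL must be an https, non-loopback origin: {public_url!r}")
    origin = f"https://{u.netloc}"
    return {
        "org.opencastproject.server.url": origin,
        # stock custom.properties derives this as ${server.url}/static (assumption)
        "org.opencastproject.download.url": origin + "/static",
    }


def render_properties(props):
    """Java .properties text; ':' and '/' need no escaping inside values."""
    return "".join(f"{k}={v}\n" for k, v in sorted(props.items()))


def absolute_link(server_url, path):
    """Simplified view of how Opencast forms an absolute link: server.url + path."""
    return server_url.rstrip("/") + path


def demo():
    """Before/after for a player redirect as it reaches the browser via nginx."""
    before = proxy_redirect(absolute_link(INTERNAL_ORIGIN, "/play/1"))
    props = opencast_url_overrides(f"https://{PUBLIC_HOST}")
    after = proxy_redirect(absolute_link(props["org.opencastproject.server.url"], "/play/1"))
    return {
        "before": before, "before_leaks": leaks_internal_origin(before),
        "after": after, "after_leaks": leaks_internal_origin(after),
        "properties": render_properties(props),
    }


if __name__ == "__main__":
    result = demo()
    print("without overrides:", result["before"], "(leaks)" if result["before_leaks"] else "")
    print("with overrides:   ", result["after"])
    print(result["properties"], end="")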