After Kaltura 9.19.5 Install, HTTPS not working

Hi,

Here is the output:
#more /tmp/kaltura_10_12_19_17.ans
TIME_ZONE="UTC"
KALTURA_FULL_VIRTUAL_HOST_NAME="my_service_url:80"
KALTURA_VIRTUAL_HOST_NAME="my_service_url"
DB1_HOST="127.0.0.1"
DB1_PORT="3306"
DB1_PASS="*"
DB1_NAME="kaltura"
DB1_USER="kaltura"
SERVICE_URL="http://my_service_url:80"
SPHINX_SERVER1="127.0.0.1"
SPHINX_SERVER2=" "
DWH_HOST="127.0.0.1"
DWH_PORT="3306"
SPHINX_DB_HOST="127.0.0.1"
SPHINX_DB_PORT="3306"
ADMIN_CONSOLE_ADMIN_MAIL="My_email_address"
ADMIN_CONSOLE_PASSWORD=""
CDN_HOST="my_service_url"
KALTURA_VIRTUAL_HOST_PORT="80"
SUPER_USER="root"
SUPER_USER_PASSWD="
"
ENVIRONMENT_NAME="Kaltura Video Platform"
DWH_PASS="
"
RED5_HOST="my_service_url"
USER_CONSENT="1"
CONTACT_MAIL="My_email_address"
CONFIG_CHOICE="0"
IS_SSL="N"

apachectl -t -DDUMP_VHOSTS

VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
default:443 ip-10-182-200-2.ec2.internal (/etc/httpd/conf.d/ssl.conf:74)
*:80 my_service_url (/etc/httpd/conf.d/zzzkaltura.conf:1)
Syntax OK

curl -I -v https://my_service_url

* About to connect() to my_service_url port 443 (#0)
* Trying 10.182.200.2... connected
* Connected to my_service_url (10.182.200.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'E=root@ip-10-182-200-2,CN=ip-10-182-200-2,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

Hi,

According to your answer file, you chose 80 as the port and put in http as the protocol.
You should choose HTTPS as the protocol and pass that when prompted for the service URL, and also choose a port other than 80; the default SSL port is 443.

Please rerun the config.

Thanks,

Hi,

I am getting this question:

It is recommended that you do work using HTTPs. Would you like to continue anyway?[N/y]
If I choose Y:
y
Which port will this Vhost listen on? [80]
443
Please select one of the following options [0]:
0. All web interfaces
1. Kaltura Management Console [KMC], Hosted Apps, HTML5 lib and ClipApp
2. KAC - Kaltura Admin Console
0
Enabling Apache config - apps.conf
Enabling Apache config - var.conf
Enabling Apache config - admin.conf

========================================================================================================================
Kaltura install answer file written to /tmp/kaltura_12_12_02_21.ans - Please save it!
This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster.

Stopping httpd: [ OK ]
Starting httpd: [Fri Dec 12 03:04:00 2014] [warn] default VirtualHost overlap on port 443, the first has precedence
[FAILED]

            Archving logs to /opt/kaltura/log/log_12_12_14_03_04.tar.gz...

ERROR: /opt/kaltura/bin/kaltura-front-config.sh failed:( You can re-run it when the issue is fixed.

If I choose N, the install stops.

Regards.

Hello,

According to this:

You chose no when prompted about whether or not to configure SSL, and yet when prompted about the port you chose 443, which IS SSL.
Please re-run config and select correctly.

Thank you,

Hi,

As I mentioned before, if I choose N the installation exits:

It is recommended that you do work using HTTPs. Would you like to continue anyway?[N/y]
N
Exiting.
ERROR: /opt/kaltura/bin/kaltura-front-config.sh failed:( You can re-run it when the issue is fixed.

If I choose y, it will continue the installation with 2 possibilities:

  • If here I keep port 80 (http) the install continues to the end successfully but HTTPS doesn’t work.
  • If I change port to 443, it throws this error at the end:
    default VirtualHost overlap on port 443, the first has precedence
    [FAILED]

Regards.

Hello,

Here is the flow you should follow:
Is your Apache working with SSL?[Y/n]
Y
Please input path to your SSL certificate[/etc/ssl/certs/localhost.crt]:
/etc/ssl/certs/yourcert.crt
Please input path to your SSL key[/etc/pki/tls/private/localhost.key]:
/etc/pki/tls/private/yourkey.crt
Please input path to your SSL chain file or leave empty in case you have none:

Which port will this Vhost listen on? [443]

Please select one of the following options [0]:
0. All web interfaces
1. Kaltura Management Console [KMC], Hosted Apps, HTML5 lib and ClipApp
2. KAC - Kaltura Admin Console
0

If you are not seeing the question:
Is your Apache working with SSL?[Y/n]
It must be because you previously chose no and it is cached in /etc/kaltura.d/system.ini.
If so, simply edit the file and remove:
IS_SSL=N
or just change to IS_SSL=Y
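
An added example, not part of the thread or of Kaltura's installer: a shell check that reads an answer file like the one posted above and reports where `IS_SSL`, `SERVICE_URL`, `KALTURA_VIRTUAL_HOST_PORT` and `KALTURA_FULL_VIRTUAL_HOST_NAME` disagree with the intended protocol. The key names come from the answer file in this thread; the function names `ans_get` and `check_ans` and the `http`/`https` mode argument are this example's own, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: consistency check for a Kaltura answer file (KEY="value" lines).
# The file holds passwords, so it is parsed with sed and never sourced.

# ans_get FILE KEY -> value of the last KEY="value" line (empty if absent)
ans_get() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_ans FILE MODE (MODE is http or https: what the operator intends).
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_ans() {
    f=$1 mode=$2 bad=0
    is_ssl=$(ans_get "$f" IS_SSL)
    url=$(ans_get "$f" SERVICE_URL)
    port=$(ans_get "$f" KALTURA_VIRTUAL_HOST_PORT)
    full=$(ans_get "$f" KALTURA_FULL_VIRTUAL_HOST_NAME)

    case $is_ssl in [Yy]*) ssl=https ;; *) ssl=http ;; esac
    if [ "$ssl" != "$mode" ]; then
        echo "IS_SSL=\"$is_ssl\" means $ssl, but $mode is intended"; bad=1
    fi
    if [ "${url%%://*}" != "$mode" ]; then
        echo "SERVICE_URL=\"$url\" does not start with $mode://"; bad=1
    fi
    if [ "$mode" = https ] && [ "$port" = 80 ]; then
        echo "KALTURA_VIRTUAL_HOST_PORT=80 with HTTPS intended"; bad=1
    fi
    if [ "$ssl" = http ] && [ "$port" = 443 ]; then
        echo "port 443 selected while IS_SSL is not Y"; bad=1
    fi
    case $full in
        *:"$port") ;;
        *) echo "KALTURA_FULL_VIRTUAL_HOST_NAME=\"$full\" lacks :$port"; bad=1 ;;
    esac
    return $bad
}

# Constructed sample using the values of the first answer file in the thread
sample=$(mktemp)
cat > "$sample" <<'EOF'
KALTURA_FULL_VIRTUAL_HOST_NAME="my_service_url:80"
SERVICE_URL="http://my_service_url:80"
KALTURA_VIRTUAL_HOST_PORT="80"
IS_SSL="N"
EOF
check_ans "$sample" https || echo "answer file does not describe an HTTPS install"
rm -f "$sample"
```
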

Hi,

The problem is that I am not getting this question:

Is your Apache working with SSL?[Y/n]

Regards.

Hello,

As I wrote…

Hi,

There is no such IS_SSL in /etc/kaltura.d/system.ini

I added IS_SSL=Y but nothing changed.

Regards.

Hi,

Not sure I understand what you mean by ‘nothing changed’.
I suggest you remove all ‘IS_SSL=’ strings from /etc/kaltura.d/system.ini and re-run, you should get the exact prompts I listed before.

Thanks,

Jess:

This is the topic I mention in my thread. You did not seem to understand what he was explaining here. His issue is the same as the one I described in my thread.

Okay. Since the recent update of Kaltura this issue appears to be resolved. I have posted different solutions depending on your errors in my thread with the help of Jess.

I was able to set the initial port to the default of [80] and the SSL port to default [443] and everything worked. There were other issues which are being worked on as this message is being created but I have the script running.

It was necessary to update the GitHub instructions to get Kaltura-Monit working with SSL configured, but if you read the required port information that should get you started. I do however need to update the instructions for SSL with some additional notes. I found additional instructions in the actual monit config file that you have to follow to get it working if you're not familiar with how to make a .pem file.

Hi @hiphopservers,

Just to make sure, since the issue has spanned multiple threads - do you now have a working install?
As to Monit and SSL, if there are needed documentation changes, I’ll be happy to see you make a pull request.

Thanks,

Hello @jess :

After following the instructions in my thread I got Kaltura CE to run in SSL and the dependent services including Monit SSL. This is even after the configuration script breaking as described in my thread. I made notes in my thread on what I did to achieve the positive results. However, I opened another thread describing an issue with HTML5 that is not allowing my content to display on any of my other sites using the Kaltura All in One WordPress plugin.

So the short answer is NO I do not yet have a full working install at this time. I have already submitted the Pull request to change the required ports documentation and I will be submitting a pull request for the main documentation later today to update the documentation as it relates to the Monit SSL configuration.

Thanks,
@hiphopservers

Hi @hiphopservers

I did not see a pull here: https://github.com/kaltura/platform-install-packages/pulls
Where did you make the pull?

Thanks,

Hello @jess

My first pull request is located here.

Hi @hiphopservers,

Sorry, not sure I understand… the link you provided is that of the original document as it currently exists.
Where is your pull request?

@jess

I submitted it via GitHub about two weeks ago, just after Xmas. It just mentions that the port 2018 or something like that used by kaltura-monit is not on the list. That port needs to be open for Kaltura-Monit to work properly. I saw the port information in the configuration file when I was editing it to enable SSL. Then I noticed it was open in my firewall, and after I opened that port Kaltura-Monit worked fine.

Thanks,

Hi,

I am not seeing it. Please provide a direct link to the pull request.

@jess

I do not see it now either. Hmm… well, I will resubmit it over the weekend along with some of the other requests I previously mentioned.