Best way to change kaltura 11.2.0 using http to use https

Hi all,
I have configured kaltura 11.2.0 in http and I would like to know the best way to change to https.
Is it possible to do this without dropping the database data and running the kaltura_cofigure_all.sh script?

Thanks in advance,

Raúl

Hello,

You will need to rerun the config scripts specifying https:// when prompted for service URL and also providing the needed certificate, key and CA when prompted during the kaltura-front config phase. In addition, you will need to update the kaltura.delivery_profile table and set the url field to https:// where relevant.

Hi,

  • Which script should I run?
  • Does it modify nginx and apache?
  • What is the format of the certificate Kaltura is asking for? Is the script asking for a path to the certificate?

Hi,

In order to reconfigure the platform for HTTPs, you need to re-run kaltura-base-config.sh and kaltura-front-config.sh; for nginx, the script is kaltura-nginx-config.sh.

kaltura-base-config.sh will prompt for the service URL and you should input a URL with “https://”; kaltura-front-config.sh and kaltura-nginx-config.sh will each prompt for the location of the cert, key and, in the case of Apache [kaltura-front-config.sh], CA files.

The certs should be standard x509 ones, which both Apache and Nginx expect, nothing special about Kaltura in that regard. You can get valid certs for free from http://letsencrypt.org.

Thank you for your reply, but this is the error I got:

root@hdv:/opt/kaltura/bin|⇒  ./kaltura-base-config.sh
./kaltura-base-config.sh: ligne 74: rpm : commande introuvable
Exiting as kaltura-base is not installed.
This MAY be because the installation of it was skipped do to SELinux being in 'Enforcing' mode.
Please review: https://github.com/kaltura/platform-install-packages/blob/master/doc/install-kaltura-redhat-based.md#disable-selinux---required-currently-kaltura-cant-run-properly-with-selinux
And re-run:
# yum install kaltura-server

The installation was OK and Kaltura is working fine. SELinux is not and was not set up.
I am using Ubuntu 14.

Hi @fravetier,

The instructions I provided relate to the RPM packages, for deb packages, you need to run:
# dpkg-reconfigure kaltura-base
# dpkg-reconfigure kaltura-front
# dpkg-reconfigure kaltura-batch
# dpkg-reconfigure kaltura-nginx

instead.

Thank you.
Sometimes it asks for the vhost port; should I set 443 instead of 80?

When using HTTPs on a standard port, the port should be 443.

Thanks, and for the VOD packager port? Is it the nginx one (8443 when using SSL)?

It can be any port you want, just need to make sure it is open, unoccupied by another process and of course that the kaltura.delivery_profile DB records are adjusted accordingly.

For your information, there is a script that adds https into the monit config file, but this seems not to be supported by monit.
This is the error (at the end of dpkg-reconfigure kaltura-front):

/etc/monit/conf.d/apache2.rc:6: Error: syntax error 'https'

Monit doc : https://mmonit.com/monit/documentation/monit.html#HTTP

Also, in the vhost the script sets:
<VirtualHost streaming.example.fr:443>
This is not working on Ubuntu; it does not use the SSL protocol.

I set
<VirtualHost *:443>
and it works, but it will be erased the next time I run the configure script.

You probably need to add this line to the VirtualHost:
ServerName streaming.example.fr

In regards to:

You are right, will be fixed and thanks.

As for the Apache Vhost configuration, just stating the port to be 443 does not make it work over SSL, what makes it work over SSL is setting:

SSLEngine on

The template for that is here:
/opt/kaltura/app/configurations/apache/kaltura.ssl.conf.template
Upon selecting SSL during kaltura-front’s post config phase, /opt/kaltura/app/configurations/apache/kaltura.ssl.conf is generated by replacing the tokens in the template with the actual values, and a symlink is created under /etc/apache2/sites-available:

zzzkaltura.ssl.conf -> /opt/kaltura/app/configurations/apache/kaltura.ssl.conf

and then, a2ensite zzzkaltura.ssl.conf is called, which creates:

/etc/apache2/sites-enabled/zzzkaltura.conf

You can see the code for that here: /var/lib/dpkg/info/kaltura-front.postinst

The difference between:

<VirtualHost streaming.example.fr:443>

and:

<VirtualHost *:443>

is that the first will only affect requests to streaming.example.fr:443 and the other will affect ALL requests made to this server over port 443.
Both are valid, but we try not to affect other operations or functions the server may be performing; hence, we only apply the configuration for the domain you’ve input during the post config phase.

Not if you add ServerName streaming.example.fr
It was not working with

Can you please paste the full configuration file that was created, as well as the output for:
# apachectl -t -DDUMP_VHOSTS

and the output for:
curl -I -v https://streaming.example.fr/api_v3
?
I’m happy to take a look but this config works correctly on all my test machines.

apachectl -t -DDUMP_VHOSTS

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
127.0.1.1:443          streaming.example.fr (/etc/apache2/sites-enabled/zzzkaltura.ssl.conf:22)

configuration:

<IfModule !ssl_module>
        LoadModule ssl_module modules/mod_ssl.so
</IfModule>


SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
        SSLMutex default
</IfVersion>
<IfVersion >= 2.4>
        Mutex sysvsem default
</IfVersion>
SSLCryptoDevice builtin

SSLCertificateFile /etc/ssl/mexamplecerts/exampleWild-Cert.pem
SSLCertificateKeyFile /etc/ssl/mexampleprivate/exampleWild-key.pem
SSLCertificateChainFile /etc/ssl/mexamplecerts/exampleWild-ChaineCertif.pem
<VirtualHost streaming.example.fr:443>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

        ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
        CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

        Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
</VirtualHost>

curl:

curl -I -v https://streaming.example.fr/api_v3
* Hostname was NOT found in DNS cache
*   Trying 127.0.1.1...
* Connected to streaming.example.fr (127.0.1.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=FR; postalCode=76037; ST=Seine-Maritime; L=example; street=2 PLACE DU GENERAL DE GAULLE; O=COMMUNE DE example; OU=0002 217605401; CN=*.example.fr
*        start date: 2016-04-22 00:00:00 GMT
*        expire date: 2017-04-22 23:59:59 GMT
*        subjectAltName: streaming.example.fr matched
*        issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA
*        SSL certificate verify ok.
> HEAD /api_v3 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: streaming.example.fr
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Thu, 19 Jan 2017 15:32:19 GMT
Date: Thu, 19 Jan 2017 15:32:19 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
Server: Apache/2.4.7 (Ubuntu)
< Location: https://streaming.example.fr/api_v3/
Location: https://streaming.example.fr/api_v3/
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

<
* Connection #0 to host streaming.example.fr left intact
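Two things in the configuration and DUMP_VHOSTS output posted above are worth checking mechanically: the vhost is bound to 127.0.1.1 (Apache resolves the hostname in `<VirtualHost streaming.example.fr:443>` at startup, and on Ubuntu /etc/hosts maps the machine's own hostname to 127.0.1.1, so the vhost only matches connections arriving on loopback), and the generated TLS settings still allow SSLv3, RC4 and LOW-grade ciphers. The following POSIX sh script is an added example, not Kaltura's code or part of this thread: it audits a vhost fragment and a `apachectl -t -DDUMP_VHOSTS` listing for exactly those problems. The samples inside it are constructed copies of the configuration and output posted above, plus a hardened variant for comparison; the function names are my own.

```shell
#!/bin/sh
# Added example (not Kaltura's code): audit an Apache SSL vhost fragment and a
# DUMP_VHOSTS listing for the loopback binding and weak TLS settings discussed
# in this thread. Requires only sh, grep, sed and awk.

# Constructed sample, copied from the vhost posted in the thread.
SAMPLE_VHOST_CONF='<VirtualHost streaming.example.fr:443>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
</VirtualHost>'

# Constructed hardened variant: wildcard bind plus ServerName, no SSLv3, no RC4/LOW.
HARDENED_VHOST_CONF='<VirtualHost *:443>
        ServerName streaming.example.fr
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>'

# Constructed sample of `apachectl -t -DDUMP_VHOSTS` output, as posted above.
SAMPLE_VHOST_DUMP='VirtualHost configuration:
127.0.1.1:443          streaming.example.fr (/etc/apache2/sites-enabled/zzzkaltura.ssl.conf:22)'

# audit_ssl_vhost CONF: prints one finding per line (nothing if the fragment is clean).
audit_ssl_vhost() {
    conf=$1
    # 1. Without "SSLEngine on", a vhost on :443 serves plain HTTP on port 443.
    if ! printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on'; then
        echo "SSLEngine on is missing: port 443 will not speak TLS"
    fi
    # 2. "all -SSLv2" still enables SSLv3 (POODLE); SSLv3 must be excluded too.
    if printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*SSLProtocol[[:space:]]+all[[:space:]]+-SSLv2[[:space:]]*$'; then
        echo "SSLProtocol allows SSLv3: use 'all -SSLv2 -SSLv3' or a TLS-only list"
    fi
    # 3. Walk the SSLCipherSuite tokens; a token is only fine if it is disabled with '!'.
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p')
    old_ifs=$IFS
    IFS=:
    for tok in $ciphers; do
        case $tok in
            !*) ;;                                   # explicitly disabled, fine
            *RC4*|*LOW*|*EXPORT*|*NULL*|*MD5*)
                echo "weak cipher token enabled: $tok" ;;
        esac
    done
    IFS=$old_ifs
}

# check_vhost_dump DUMP: flags vhosts whose address resolved to loopback, which is
# what happens when a hostname in <VirtualHost host:port> maps to 127.0.1.1 in
# /etc/hosts. Such a vhost never matches requests arriving on the public interface.
check_vhost_dump() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
            split($1, a, ":")
            printf "%s is bound to loopback %s: requests on the public interface to port %s will not match it; bind to the interface IP or *:%s and keep ServerName %s\n", $2, a[1], a[2], a[2], $2
        }'
}

# Stand-alone run: the posted configuration, then the hardened variant.
echo "== posted vhost =="
audit_ssl_vhost "$SAMPLE_VHOST_CONF"
check_vhost_dump "$SAMPLE_VHOST_DUMP"
echo "== hardened vhost =="
audit_ssl_vhost "$HARDENED_VHOST_CONF"
```

Run it against a real deployment by replacing the constructed samples with `cat /opt/kaltura/app/configurations/apache/kaltura.ssl.conf` and `apachectl -t -DDUMP_VHOSTS 2>/dev/null`; the findings go away once the vhost binds to a non-loopback address, SSLv3 is excluded and the cipher list no longer enables RC4 or LOW.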

Hi,

We do set ServerName in /opt/kaltura/app/configurations/apache/conf.d/enabled.kaltura.conf which is included by both:
/opt/kaltura/app/configurations/apache/kaltura.ssl.conf
and
/opt/kaltura/app/configurations/apache/kaltura.conf

So it should be OK, do you not have ServerName set in /opt/kaltura/app/configurations/apache/conf.d/enabled.kaltura.conf?

As for the monit issue, this seems to stem from the version being used: with monit version 5.19.0 it works just fine, and the same with monit 1:5.11-1 from my Ubuntu 14.04 repo. Such a configuration sample is also documented here:
https://mmonit.com/monit/documentation/monit.html#HTTP

Here is an example of setting both global and local SSL options:

    # Enable certificate verification for all SSL connections
    # Self-signed certificates are not allowed by default
    set ssl options {
            verify: enable
    }

    # Verify certificate (via global setting)
    # Allow self-signed certificate for this check
    check host example with address example.com
            if failed
                    port 443
                    protocol https
                    with ssl options {selfsigned: allow}
            then alert

What monit version do you have deployed?

Thanks,

I let Kaltura set up everything on Ubuntu 14, which is the 5.6.

On my Ubuntu machine:

# cat /etc/issue
Ubuntu 14.04.2 LTS \n \l

root@jessex:/opt/kaltura/web/content/clientlibs/csharp# apt-cache policy monit 
monit:
  Installed: 1:5.11-1
  Candidate: 1:5.11-1
  Version table:
 *** 1:5.11-1 0
        100 /var/lib/dpkg/status
     1:5.6-2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages

Can you upgrade to 5.11?

Yes, I will. Did you use apt-get? Or did you set up the package version? Where did you find it?
There is only the 5.6.2: http://packages.ubuntu.com/trusty/admin/monit