Converting HTTP to HTTPS on 14.14 CENTOS 7


#1

Hiya

After successfully getting everything else working, as well as test migration data, I set up letsencrypt and attempted to move over to HTTPS.

On my first attempt I tried with the shell scripts for updating base, front and nginx. This resulted in me getting a default Apache page with a self-signed certificate. I tried again with kaltura-config-all.sh but had the same result.

In the end I resolved the self-signed issue by deleting Apache's default SSL config /etc/httpd/conf.d/ssl.conf, which also stopped the domain from resolving to Apache's default index page.

Now, however, I get “connection refused” in Chrome, although the certificate is fine.

Curl output:

curl -I -v https://kaltura.xxxxxx.com/api_v3
* About to connect() to kaltura.scarlettentertainment.com port 443 (#0)
*   Trying 35.176.20.56...
* Connection refused
* Failed connect to kaltura.xxxxxx.com:443; Connection refused
* Closing connection 0
curl: (7) Failed connect to kaltura.xxxxxx.com:443; Connection refused

Vhost Dump Output:

[root@ip-172-26-7-33 apache]# httpd -t -DDUMP_VHOSTS
VirtualHost configuration:
35.176.20.56:*         kaltura.xxxxx.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)

Also an error from kaltura-config-all.sh, just after the front config part:

Redirecting to /bin/systemctl restart httpd.service
Note: Forwarding request to 'systemctl enable httpd.service'.
Note: Forwarding request to 'systemctl enable memcached.service'.
Redirecting to /bin/systemctl restart memcached.service
Restarting kaltura-monit (via systemctl):                  [  OK  ]
PHP Fatal error:  Uncaught exception 'KalturaClientException' with message 'Failed connect to kaltura.xxxxxx.com:443; Connection refused' in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php:362
Stack trace:
#0 /opt/kaltura/apps/clientlibs/php5/KalturaClient.php(7013): KalturaClientBase->doQueue()
#1 /opt/kaltura/html5/html5lib/playkitSources/kaltura-ovp-player/create_playkit_uiconf.php(17): KalturaSessionService->start('01df9c586326581...', NULL, 2, '0')
#2 {main}
  thrown in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php on line 362
Running Sphinx config...

It seems as if the vhosts for ssl are not being enabled properly for some reason.

Any help will be much appreciated.

Thanks


#2

Hello @michael_hall,

Please see here: https://github.com/kaltura/platform-install-packages/issues/621
If, after following that, you’re still having issues, please provide the full /etc/httpd/conf.d/zzzkaltura.ssl.conf file, as well as the output of kaltura-{base,front,batch,nginx}-config.sh and that of netstat -plnt|grep httpd and httpd -t -DDUMP_VHOSTS.

For playback, please also review https://github.com/kaltura/platform-install-packages/issues/612


#3

@jess

Great, thanks Jess. I am off for the day soon but will have a go first thing in the AM.


#4

Hiya @jess

Still no luck, I am afraid. The certificate chain is fine in the zzzkaltura.ssl.conf file below, but it does seem like, when I am running kaltura-front-config.sh, it fails at something due to the virtual host not existing. See all below.

zzzkaltura.ssl.conf:

<IfModule !ssl_module>
        LoadModule ssl_module modules/mod_ssl.so
</IfModule>


SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
        SSLMutex default
</IfVersion>
<IfVersion >= 2.4>
        Mutex sysvsem default
</IfVersion>
SSLCryptoDevice builtin

SSLCertificateFile /etc/letsencrypt/live/kaltura.xxxxxx.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kaltura.xxxxxx.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/kaltura.xxxxxxx.com/chain.pem
<VirtualHost kaltura.xxxxxxx.com>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

        ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
        CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

        Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
</VirtualHost>

Netstat:

[root@ip-172-26-7-33 ~]# netstat -plnt|grep httpd
tcp6       0      0 :::443                  :::*                    LISTEN      16818/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      16818/httpd

Vhost Dump:

VirtualHost configuration:
35.176.20.56:*         kaltura.scarlettentertainment.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)
*:443                  ip-172-26-7-33.eu-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)

Base Config:

kaltura-base-14.14.0-14.noarch
Welcome to Kaltura Server 14.14.0 post install setup.

In order to finalize the system configuration, please input the following:


CDN hostname [ip-172-26-7-33.eu-west-2.compute.internal]:

The host will be accessed over http(s). In case your CDN operates on a non-default port, please input CDNHOST:PORT.
kaltura.xxxxxxxxxxxxxxxx.com:443
Apache virtual hostname [ip-172-26-7-33.eu-west-2.compute.internal]
(Must be accessible from both inside the machine and from any clients / browsers that will use Kaltura):

kaltura.xxxxxxxxxxxxxxxx.com
Vhost port to listen on [80]: 443
range of ip addresses belonging to internal kaltura servers [0.0.0.0-255.255.255.255]:
The range is used when checking service actions permissions and allowing to access certain services without KS from the internal servers.
The default is only good for testing, on a production ENV you should adjust according to your network.
DB port [3306]: 3306
MySQL super user [only for install, default root]: root
Analytics DB hostname [127.0.0.1]:127.0.0.1
Analytics DB port [3306]:3306
Sphinx hostname [127.0.0.1]: 127.0.0.1
Media Streaming Server secondary host [ip-172-26-7-33.eu-west-2.compute.internal]: kaltura.scarlettentertainment.com
Secondary Sphinx hostname [leave empty if none]:
Your Kaltura Service URL [https://kaltura.xxxxxxxxxxxxxxxx.com]
(Base URL where the Kaltura API and Apps will be accessed from - this would be your Load Balancer URL on a cluster or same as your virtual host in an all-in-one Kaltura server - Must be accessible from both inside the machine and from any clients / browsers that will use Kaltura):

https://kaltura.xxxxxxxxxxxxxxxx.com
VOD packager hostname [ip-172-26-7-33.eu-west-2.compute.internal]: kaltura.xxxxxxxxxxxxxxxx.com
VOD packager port to listen on [88]: 88
Admin user login password (must be minimum 8 chars and include at least one of each: upper-case, lower-case, number and a special character):
Confirm passwd:
Your time zone [see http://php.net/date.timezone], or press enter for [Zulu]: Zulu
Your Kaltura install name (this name will show as the From field in emails sent by the system) [Kaltura Video Platform]:Your website Contact Us URL [http://corp.kaltura.com/company/contact-us]: Your 'Contact us' phone number [+1 800 871 5224]:Checking MySQL version..
Ver 5.5.60-MariaDB found compatible

========================================================================================================================
Kaltura install answer file written to /tmp/kaltura_13_03_09_52.ans  -  Please save it!
This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster.
===============

Front Config:

base-config completed successfully, if you ever want to re-configure your system (e.g. change DB hostname) run the following script:
# rm /opt/kaltura/app/base-config.lock
# /opt/kaltura/bin/kaltura-base-config.sh


kaltura-front-14.14.0-2.noarch
Is your Apache working with SSL?[Y/n]
Please input path to your SSL certificate[/etc/ssl/certs/localhost.crt]:
/etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/cert.pem
Please input path to your SSL key[/etc/pki/tls/private/localhost.key]:
/etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/privkey.pem
Please input path to your SSL CA file or leave empty in case you have none:
/etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/chain.pem
Which port will this Vhost listen on? [443]
443
Please select one of the following options [0]:
0. All web interfaces
1. Kaltura Management Console [KMC], Hosted Apps, HTML5 lib and ClipApp
2. KAC - Kaltura Admin Console
Enabling Apache config - apps.conf
Enabling Apache config - var.conf
Enabling Apache config - admin.conf


========================================================================================================================
Kaltura install answer file written to /tmp/kaltura_13_03_09_54.ans  -  Please save it!
This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster.
========================================================================================================================


Redirecting to /bin/systemctl restart httpd.service
Note: Forwarding request to 'systemctl enable httpd.service'.
Note: Forwarding request to 'systemctl enable memcached.service'.
Redirecting to /bin/systemctl restart memcached.service
Restarting kaltura-monit (via systemctl):  [  OK  ]
PHP Fatal error:  Uncaught exception 'KalturaClientException' with message 'failed to unserialize server result
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /api_v3/service/session/action/start was not found on this server.</p>
</body></html>
' in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php:401
Stack trace:
#0 /opt/kaltura/apps/clientlibs/php5/KalturaClient.php(7013): KalturaClientBase->doQueue()
#1 /opt/kaltura/html5/html5lib/playkitSources/kaltura-ovp-player/create_playkit_uiconf.php(17): KalturaSessionService->start('01df9c586326581...', NULL, 2, '0')
#2 {main}
  thrown in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php on line 401

Batch Config:

kaltura-batch-14.14.0-1.noarch
base-config completed successfully, if you ever want to re-configure your system (e.g. change DB hostname) run the following script:
# rm /opt/kaltura/app/base-config.lock
# /opt/kaltura/bin/kaltura-base-config.sh


Note: Forwarding request to 'systemctl enable httpd.service'.
Redirecting to /bin/systemctl reload httpd.service
Note: Forwarding request to 'systemctl enable memcached.service'.
Redirecting to /bin/systemctl restart memcached.service
Starting kaltura-monit (via systemctl):  [  OK  ]

Nginx config:

kaltura-nginx-1.14.0-5.x86_64
Kaltura API host and port (without the protocol) [ip-172-26-7-33.eu-west-2.compute.internal:80]:
kaltura.xxxxxxxxxxxxxxxx.com:443
Nginx server name [ip-172-26-7-33.eu-west-2.compute.internal]:
kaltura.xxxxxxxxxxxxxxxx.com
Nginx port to listen on [88]: 88
RTMP port to listen on [1935]: 1935
Would you like to configure Nginx with SSL?[Y/n]Nginx SSL port to listen on [8443]: 8443
Nginx SSL cert:  /etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/cert.pem
Nginx SSL key:  /etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/privkey.pem
Note: Forwarding request to 'systemctl enable kaltura-nginx.service'.
Redirecting to /bin/systemctl reload kaltura-nginx.service

If I reconfigure back to non-SSL, everything works fine again, but once SSL is configured it just defaults back to the Apache default index page.

Thanks in advance.


#5

When I run
curl -I -v https://kaltura.xxxxxx.com/

I get a 403 Forbidden; in the browser, when I look at dev tools, it does the same before loading the default Apache page.


#6

I seem to have resolved the problem (in a rather dodgy way) by first deleting the default virtual host in /etc/httpd/conf.d/ssl.conf and then changing the virtual host in zzzkaltura.xxxx.com to <VirtualHost _default_:443>

Not tested if everything else still works yet, but I have access to admin and kmcng via https now.
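An added check (example code, not from the thread or from Kaltura's packages) that reads an `httpd -t -DDUMP_VHOSTS` dump and flags the two conditions visible in the dumps in #1 and #4: the Kaltura vhost declared by hostname, which Apache resolves to an `<ip>:*` binding at startup, and the stock ssl.conf default vhost still holding `*:443`. The sample dumps are constructed from the ones posted above, keeping the masked hostname kaltura.xxxxxx.com as a placeholder.

```shell
# check_ssl_vhost NAME   (dump text from "httpd -t -DDUMP_VHOSTS" on stdin)
# Prints one finding per line. Returns 0 only when NAME has a vhost bound to
# port 443 and the stock /etc/httpd/conf.d/ssl.conf default vhost is gone.
check_ssl_vhost() {
    awk -v want="$1" '
        # data lines look like:  <addr>:<port|*>   <servername>   (<file>:<line>)
        /^[^ \t]+:([0-9]+|\*)[ \t]/ {
            port = $1; sub(/.*:/, "", port)
            addr = $1; sub(/:[^:]*$/, "", addr)
            name = $2; file = $3
            if (name == want && port == "*") {
                printf "WARN: %s declared by hostname; Apache resolved it to %s:* at startup, ", name, addr
                printf "which only matches requests if %s is an address of a local interface\n", addr
            }
            if (name == want && port == "443") ok = 1
            if (port == "443" && file ~ /\/ssl\.conf:/) {
                printf "WARN: stock default vhost from %s still owns *:443 (the self-signed cert seen in #1)\n", file
                stock = 1
            }
        }
        END {
            if (!ok) printf "FAIL: no <VirtualHost ...:443> serving %s\n", want
            if (ok && !stock) exit 0
            exit 1
        }'
}

# Constructed samples: the dumps from #1 and #4 merged, and a dump as it looks
# after the #6 change to <VirtualHost _default_:443> with ssl.conf's vhost removed.
BROKEN_DUMP='VirtualHost configuration:
35.176.20.56:*         kaltura.xxxxxx.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)
*:443                  ip-172-26-7-33.eu-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)'
FIXED_DUMP='VirtualHost configuration:
_default_:443          kaltura.xxxxxx.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)'

printf '%s\n' "$BROKEN_DUMP" | check_ssl_vhost kaltura.xxxxxx.com || echo "broken dump -> exit $?"
printf '%s\n' "$FIXED_DUMP"  | check_ssl_vhost kaltura.xxxxxx.com && echo "fixed dump  -> exit 0"
# On a live host:  httpd -t -DDUMP_VHOSTS 2>&1 | check_ssl_vhost kaltura.example.com
```

Run it after each kaltura-front-config.sh pass and before trusting the browser: a WARN on the hostname binding explains the default page without touching ssl.conf, since a vhost resolved to an address the machine does not hold never matches.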