Converting HTTP to HTTPS on 14.14 CENTOS 7

Hiya

After successfully getting everything else working, as well as test migration data, I set up Let's Encrypt and attempted to move over to HTTPS.

On my first attempt I tried with the shell scripts for updating base, front and nginx. This resulted in me getting a default Apache page with a self-signed certificate. I tried again with kaltura-config-all.sh but had the same result.

In the end I resolved the self-signed issue by deleting Apache's default SSL config /etc/httpd/conf.d/ssl.conf, which also stopped the domain from resolving to Apache's default index page.

Now, however, I get "connection refused" in Chrome, although the certificate is fine.

Curl output:

curl -I -v https://kaltura.xxxxxx.com/api_v3
* About to connect() to kaltura.scarlettentertainment.com port 443 (#0)
*   Trying 35.176.20.56...
* Connection refused
* Failed connect to kaltura.xxxxxx.com:443; Connection refused
* Closing connection 0
curl: (7) Failed connect to kaltura.xxxxxx.com:443; Connection refused

Vhost Dump Output:

[root@ip-172-26-7-33 apache]# httpd -t -DDUMP_VHOSTS
VirtualHost configuration:
35.176.20.56:*         kaltura.xxxxx.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)

Also an error from kaltura-config-all.sh, just after the front config part:

Redirecting to /bin/systemctl restart httpd.service
Note: Forwarding request to 'systemctl enable httpd.service'.
Note: Forwarding request to 'systemctl enable memcached.service'.
Redirecting to /bin/systemctl restart memcached.service
Restarting kaltura-monit (via systemctl):                  [  OK  ]
PHP Fatal error:  Uncaught exception 'KalturaClientException' with message 'Failed connect to kaltura.xxxxxx.com:443; Connection refused' in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php:362
Stack trace:
#0 /opt/kaltura/apps/clientlibs/php5/KalturaClient.php(7013): KalturaClientBase->doQueue()
#1 /opt/kaltura/html5/html5lib/playkitSources/kaltura-ovp-player/create_playkit_uiconf.php(17): KalturaSessionService->start('01df9c586326581...', NULL, 2, '0')
#2 {main}
  thrown in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php on line 362
Running Sphinx config...

It seems as if the SSL vhosts are not being enabled properly for some reason.

Any help will be much appreciated.

Thanks

Hello @michael_hall,

Please see here: https://github.com/kaltura/platform-install-packages/issues/621
If, after following that, you’re still having issues, please provide the full /etc/httpd/conf.d/zzzkaltura.ssl.conf file, as well as the output of kaltura-{base,front,batch,nginx}-config.sh and that of netstat -plnt|grep httpd and httpd -t -DDUMP_VHOSTS.

For playback, please also review https://github.com/kaltura/platform-install-packages/issues/612

@jess

Great, thanks Jess. I am off for the day soon but will have a go first thing in the AM.

Hiya @jess

Still no luck I am afraid. The certificate chain is fine in the zzzkaltura.ssl.conf file below but it does seem like when I am running kaltura-front-config.sh it fails at something due to the virtual host not existing. See all below.

zzzkaltura.ssl.conf:

<IfModule !ssl_module>
        LoadModule ssl_module modules/mod_ssl.so
</IfModule>


SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
        SSLMutex default
</IfVersion>
<IfVersion >= 2.4>
        Mutex sysvsem default
</IfVersion>
SSLCryptoDevice builtin

SSLCertificateFile /etc/letsencrypt/live/kaltura.xxxxxx.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kaltura.xxxxxx.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/kaltura.xxxxxxx.com/chain.pem
<VirtualHost kaltura.xxxxxxx.com>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

        ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
        CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

        Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
</VirtualHost>

Netstat:

[root@ip-172-26-7-33 ~]# netstat -plnt|grep httpd
tcp6       0      0 :::443                  :::*                    LISTEN      16818/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      16818/httpd

Vhost Dump:

VirtualHost configuration:
35.176.20.56:*         kaltura.scarlettentertainment.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)
*:443                  ip-172-26-7-33.eu-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)

Base Config:

kaltura-base-14.14.0-14.noarch
Welcome to Kaltura Server 14.14.0 post install setup.

In order to finalize the system configuration, please input the following:


CDN hostname [ip-172-26-7-33.eu-west-2.compute.internal]:

The host will be accessed over http(s). In case your CDN operates on a non-default port, please input CDNHOST:PORT.
kaltura.xxxxxxxxxxxxxxxx.com:443
Apache virtual hostname [ip-172-26-7-33.eu-west-2.compute.internal]
(Must be accessible from both inside the machine and from any clients / browsers that will use Kaltura):

kaltura.xxxxxxxxxxxxxxxx.com
Vhost port to listen on [80]: 443
range of ip addresses belonging to internal kaltura servers [0.0.0.0-255.255.255.255]:
The range is used when checking service actions permissions and allowing to access certain services without KS from the internal servers.
The default is only good for testing, on a production ENV you should adjust according to your network.
DB port [3306]: 3306
MySQL super user [only for install, default root]: root
Analytics DB hostname [127.0.0.1]:127.0.0.1
Analytics DB port [3306]:3306
Sphinx hostname [127.0.0.1]: 127.0.0.1
Media Streaming Server secondary host [ip-172-26-7-33.eu-west-2.compute.internal]: kaltura.scarlettentertainment.com
Secondary Sphinx hostname [leave empty if none]:
Your Kaltura Service URL [https://kaltura.xxxxxxxxxxxxxxxx.com]
(Base URL where the Kaltura API and Apps will be accessed from - this would be your Load Balancer URL on a cluster or same as your virtual host in an all-in-one Kaltura server - Must be accessible from both inside the machine and from any clients / browsers that will use Kaltura):

https://kaltura.xxxxxxxxxxxxxxxx.com
VOD packager hostname [ip-172-26-7-33.eu-west-2.compute.internal]: kaltura.xxxxxxxxxxxxxxxx.com
VOD packager port to listen on [88]: 88
Admin user login password (must be minimum 8 chars and include at least one of each: upper-case, lower-case, number and a special character):
Confirm passwd:
Your time zone [see http://php.net/date.timezone], or press enter for [Zulu]: Zulu
Your Kaltura install name (this name will show as the From field in emails sent by the system) [Kaltura Video Platform]:Your website Contact Us URL [http://corp.kaltura.com/company/contact-us]: Your 'Contact us' phone number [+1 800 871 5224]:Checking MySQL version..
Ver 5.5.60-MariaDB found compatible

========================================================================================================================
Kaltura install answer file written to /tmp/kaltura_13_03_09_52.ans  -  Please save it!
This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster.
========================================================================================================================

Front Config:

base-config completed successfully, if you ever want to re-configure your system (e.g. change DB hostname) run the following script:
# rm /opt/kaltura/app/base-config.lock
# /opt/kaltura/bin/kaltura-base-config.sh


kaltura-front-14.14.0-2.noarch
Is your Apache working with SSL?[Y/n]
Please input path to your SSL certificate[/etc/ssl/certs/localhost.crt]:
/etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/cert.pem
Please input path to your SSL key[/etc/pki/tls/private/localhost.key]:
/etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/privkey.pem
Please input path to your SSL CA file or leave empty in case you have none:
/etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/chain.pem
Which port will this Vhost listen on? [443]
443
Please select one of the following options [0]:
0. All web interfaces
1. Kaltura Management Console [KMC], Hosted Apps, HTML5 lib and ClipApp
2. KAC - Kaltura Admin Console
Enabling Apache config - apps.conf
Enabling Apache config - var.conf
Enabling Apache config - admin.conf


========================================================================================================================
Kaltura install answer file written to /tmp/kaltura_13_03_09_54.ans  -  Please save it!
This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster.
========================================================================================================================


Redirecting to /bin/systemctl restart httpd.service
Note: Forwarding request to 'systemctl enable httpd.service'.
Note: Forwarding request to 'systemctl enable memcached.service'.
Redirecting to /bin/systemctl restart memcached.service
Restarting kaltura-monit (via systemctl):  [  OK  ]
PHP Fatal error:  Uncaught exception 'KalturaClientException' with message 'failed to unserialize server result
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /api_v3/service/session/action/start was not found on this server.</p>
</body></html>
' in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php:401
Stack trace:
#0 /opt/kaltura/apps/clientlibs/php5/KalturaClient.php(7013): KalturaClientBase->doQueue()
#1 /opt/kaltura/html5/html5lib/playkitSources/kaltura-ovp-player/create_playkit_uiconf.php(17): KalturaSessionService->start('01df9c586326581...', NULL, 2, '0')
#2 {main}
  thrown in /opt/kaltura/apps/clientlibs/php5/KalturaClientBase.php on line 401

Batch Config:

kaltura-batch-14.14.0-1.noarch
base-config completed successfully, if you ever want to re-configure your system (e.g. change DB hostname) run the following script:
# rm /opt/kaltura/app/base-config.lock
# /opt/kaltura/bin/kaltura-base-config.sh


Note: Forwarding request to 'systemctl enable httpd.service'.
Redirecting to /bin/systemctl reload httpd.service
Note: Forwarding request to 'systemctl enable memcached.service'.
Redirecting to /bin/systemctl restart memcached.service
Starting kaltura-monit (via systemctl):  [  OK  ]

Nginx config:

kaltura-nginx-1.14.0-5.x86_64
Kaltura API host and port (without the protocol) [ip-172-26-7-33.eu-west-2.compute.internal:80]:
kaltura.xxxxxxxxxxxxxxxx.com:443
Nginx server name [ip-172-26-7-33.eu-west-2.compute.internal]:
kaltura.xxxxxxxxxxxxxxxx.com
Nginx port to listen on [88]: 88
RTMP port to listen on [1935]: 1935
Would you like to configure Nginx with SSL?[Y/n]Nginx SSL port to listen on [8443]: 8443
Nginx SSL cert:  /etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/cert.pem
Nginx SSL key:  /etc/letsencrypt/live/kaltura.xxxxxxxxxxxxxxxx.com/privkey.pem
Note: Forwarding request to 'systemctl enable kaltura-nginx.service'.
Redirecting to /bin/systemctl reload kaltura-nginx.service

If I reconfigure back to non-SSL, everything works fine again, but once SSL is configured it just defaults back to the Apache default index page.

Thanks in advance.

When I run
curl -I -v https://kaltura.xxxxxx.com/

I get a 403 Forbidden; in the browser, when I look at dev tools, it does the same before loading the default Apache page.

I seem to have resolved the problem (in a rather dodgy way) by first deleting the default virtual host in /etc/httpd/conf.d/ssl.conf and then changing the virtual host in zzzkaltura.xxxx.com to <VirtualHost default:443 >.

Not tested if everything else still works yet, but I have access to admin and KMCng via HTTPS now.
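The vhost dumps in this thread show why the `<VirtualHost kaltura.xxxxxx.com>` form misbehaves on an EC2 instance. Apache resolves that hostname once at startup to the public address (35.176.20.56 in the dump), but the instance's interface only carries its private VPC address (172.26.7.33 here; the public address is translated by AWS and is never bound locally). A vhost bound to 35.176.20.56:* therefore never matches a real connection, and every HTTPS request falls through to the `*:443` vhost from ssl.conf, which is the default page / 403 / 404 behaviour seen above. Deleting ssl.conf also removes its `Listen 443`, which is why the first post saw "connection refused" until that file was back (the later netstat shows 443 listening again). Binding the Kaltura vhost to `*:443` (or `_default_:443`) with a `ServerName` sidesteps the problem, which is what the final edit in this thread does. The following script is an added diagnostic, not part of the thread or of the Kaltura install packages: it reads the output of `httpd -t -DDUMP_VHOSTS` and a list of local IPv4 addresses and flags every vhost bound to a literal address the host does not have. The sample dump and address list embedded in it are constructed from the redacted values in this thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or Kaltura): list Apache virtual hosts
# whose bind address is a literal IPv4 address that no local interface carries.
# Such a vhost can never match an incoming connection, so Apache silently falls
# through to the first vhost for the matching wildcard address/port instead.
#
# Arguments: $1 = file holding the output of `httpd -t -DDUMP_VHOSTS`
#            $2 = whitespace-separated local IPv4 addresses (e.g. `hostname -I`)
unreachable_vhosts() {
    dump_file=$1
    local_ips=$2
    awk -v ips="$local_ips" '
        BEGIN {
            n = split(ips, a, /[ \t\n]+/)
            for (i = 1; i <= n; i++) have[a[i]] = 1
        }
        # Unindented address lines look like "ADDR:PORT  servername (file:line)".
        # Indented "port 443 namevhost ..." detail lines are skipped.
        /^[^ \t].*:[0-9*]+[ \t]/ {
            split($1, parts, ":")
            addr = parts[1]
            # "*" and "_default_" bind every address; only a literal IPv4
            # address that is absent from the host can be unreachable.
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(addr in have))
                print $1, $2, $3
        }
    ' "$dump_file"
}

# Constructed sample reproducing the shape of the vhost dump in this thread
# (redacted hostnames, not a real deployment).
sample_dump_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
VirtualHost configuration:
35.176.20.56:*         kaltura.xxxxxx.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)
*:443                  ip-172-26-7-33.eu-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
EOF
    echo "$f"
}

# On an EC2 instance only the private VPC address is on an interface; the
# public IP is translated by AWS and never shows up in `ip addr`.
check_thread_case() {
    f=$(sample_dump_file)
    unreachable_vhosts "$f" "127.0.0.1 172.26.7.33"
    rm -f "$f"
}

# Usage on a live host (assumed invocation, not run here):
#   httpd -t -DDUMP_VHOSTS > /tmp/vhosts.txt
#   unreachable_vhosts /tmp/vhosts.txt "$(hostname -I)"
check_thread_case
```

Any line the script prints is a vhost that will never be selected; the cure is to bind it to `*:443` (or to an address that is actually on an interface) and let `ServerName` do the matching, then re-run the dump until the list is empty.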