Docker Install with SSL


#1

Trying to install Kaltura Docker locally with SSL. I am using the following answer file as a test, so credentials are ok to see =).

I am getting this error when installing

Starting httpd: [Thu Jun 28 00:13:46 2018] [warn] The Alias directive in /opt/kaltura/app/configurations/apache/conf.d/enabled.apps.conf at line 38 will probably never match because it overlaps an earlier Alias.
httpd: Could not reliably determine the server’s fully qualified domain name, using 172.17.0.2 for ServerName

Not sure if I am missing something in my answer file, doing this on a clean docker install. I added my host k.test.com in the docker container, pointing to 127.0.0.1.

TIME_ZONE="Etc/UTC"
KALTURA_VIRTUAL_HOST_PORT="443"
KALTURA_FULL_VIRTUAL_HOST_NAME="k.test.com:443"
KALTURA_VIRTUAL_HOST_NAME="k.test.com"
DB1_HOST="127.0.0.1"
DB1_PORT="3306"
DB1_PASS="dMi63rEXkjedkEn"
DB1_NAME="kaltura"
DB1_USER="kaltura"
IS_NGINX_SSL="y"
SERVICE_URL="https://k.test.com:443"
SPHINX_SERVER1="127.0.0.1"
SPHINX_SERVER2=" "
DWH_HOST="127.0.0.1"
DWH_PORT="3306"
ADMIN_CONSOLE_ADMIN_MAIL="test@test.com"
ADMIN_CONSOLE_PASSWORD="password"
CDN_HOST="k.test.com"
SUPER_USER="root"
SUPER_USER_PASSWD="password"
ENVIRONMENT_NAME="test"
DWH_PASS="dMi63rEXkjedkEn"
PROTOCOL="https"
PRIMARY_MEDIA_SERVER_HOST="k.test.com"
USER_CONSENT="0"
CONTACT_MAIL="test@test.com"
VOD_PACKAGER_HOST="k.test.com"
VOD_PACKAGER_PORT="88"
VOD_PACKAGER_SSL_PORT="8443"
IP_RANGE="0.0.0.0-255.255.255.255"
WWW_HOST="127.0.0.1"
CONFIG_CHOICE="0"
IS_SSL="Y"
CRT_FILE="/etc/ssl/certs/localhost.crt"
KEY_FILE="/etc/pki/tls/private/localhost.key"
CA_FILE="NO_CA"
RTMP_PORT=1935

#2

Hi @melaleuca5,

You’re not doing anything wrong or at least, if you are, that warning is no indication of that:)

This block:

Alias /apps/kea "/opt/kaltura/apps/kea"
<Directory "/opt/kaltura/apps/kea">
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks +Includes
    Order allow,deny
    Allow from all
    AllowOverride all
</Directory>

will never match because of the block right above it:

Alias /apps "/opt/kaltura/apps"
<Directory "/opt/kaltura/apps">
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks +Includes
    AllowOverride None
    Order allow,deny
    Allow from all
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Directory>

It should be removed and I’ll let the person who introduced it into the configuration know. You can safely ignore the warning.

If you have encountered an issue, that’s not the cause. Please provide more details so that I may guide you further.

Thanks,
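An added example, not part of the original post or of Kaltura's code: a small Python check for the situation the Apache warning describes, where mod_alias uses the first matching Alias in file order, so a later, narrower Alias is never consulted. It also reports whether the earlier Alias resolves to the same filesystem path anyway, as /apps and /apps/kea do here; `SAMPLE_CONF` and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the two Alias lines quoted in the thread, in file order.
SAMPLE_CONF = '''\
Alias /apps "/opt/kaltura/apps"
<Directory "/opt/kaltura/apps">
    AllowOverride None
</Directory>
Alias /apps/kea "/opt/kaltura/apps/kea"
<Directory "/opt/kaltura/apps/kea">
    AllowOverride all
</Directory>
'''

# Plain "Alias" only (not ScriptAlias/AliasMatch); targets without spaces.
ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)

def parse_aliases(conf_text):
    """Return (line_no, url_prefix, fs_path) for each Alias, in file order."""
    found = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = ALIAS_RE.match(line)
        if m:
            found.append((line_no, m.group(1).rstrip("/") or "/", m.group(2).rstrip("/")))
    return found

def covers(earlier, later):
    """True if URL prefix `earlier` also matches every URL under `later`."""
    return earlier == "/" or later == earlier or later.startswith(earlier + "/")

def shadowed_aliases(conf_text):
    """Report each Alias that an earlier, broader Alias already claims."""
    findings, seen = [], []
    for line_no, url, fs in parse_aliases(conf_text):
        for prev_url, prev_fs in seen:
            if covers(prev_url, url):
                # Where the earlier Alias actually sends requests for `url`.
                rest = url if prev_url == "/" else url[len(prev_url):]
                effective = prev_fs + rest
                findings.append({"line": line_no, "alias": url,
                                 "shadowed_by": prev_url,
                                 "effective_path": effective,
                                 "same_target": effective == fs})
                break
        seen.append((url, fs))
    return findings

if __name__ == "__main__":
    for f in shadowed_aliases(SAMPLE_CONF):
        print(f)
```

A finding with `same_target` set to false is the case worth reviewing, because requests are then served from a different directory than the later Alias line suggests.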


#3

OK, I added IS_SSL="Y". When I try to log in, I am getting:

An error occurred
(error code: API:-1)

Looking at the console I am getting 404
https://k.test.com/admin_console/css/style.css, so not sure if that virtual host is causing issues


#4

Hi @melaleuca5,

Check for errors in /opt/kaltura/log/kaltura_api_v3.log, /opt/kaltura/log/kaltura_apache_errors*log and /opt/kaltura/log/kaltura_prod.log.


#5

I only have kaltura_apache_errors_ssl.log

[Thu Jun 28 17:53:43 2018] [error] [client 172.17.0.1] File does not exist: /opt/kaltura/app/alpha/web/opt, referer: https://k.test.com/admin_console/index

In /opt/kaltura/app/alpha/web I don’t have opt.


#6

I do see this in the logs when I try to log in

2018-06-29 00:22:34 [0.079353] [1071858] [8] [%context%] [ErrorController->errorAction] ERR: exception 'Kaltura_Client_ClientException' with message 'Peer certificate cannot be authenticated with known CA certificates. RC : 0' in /opt/kaltura/app/admin_console/lib/Kaltura/Client/ClientBase.php:942
Stack trace:
#0 /opt/kaltura/app/admin_console/lib/Kaltura/Client/ClientBase.php(249): Kaltura_Client_ClientBase->getKalturaClientException('Peer certificat...', -1)
#1 /opt/kaltura/app/admin_console/lib/Kaltura/Client/UserService.php(310): Kaltura_Client_ClientBase->doQueue()
#2 /opt/kaltura/app/ui_infra/Infra/AuthAdapter.php(148): Kaltura_Client_UserService->loginByLoginId('test@test.com', 'password', '-2', NULL, 'disableentitlem...', '')
#3 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Auth.php(117): Infra_AuthAdapter->authenticate()
#4 /opt/kaltura/app/admin_console/controllers/UserController.php(165): Zend_Auth->authenticate(Object(Kaltura_AdminAuthAdapter))
#5 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Controller/Action.php(513): UserController->loginAction()
#6 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Controller/Dispatcher/Standard.php(289): Zend_Controller_Action->dispatch('loginAction')
#7 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Controller/Front.php(946): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
#8 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Application/Bootstrap/Bootstrap.php(77): Zend_Controller_Front->dispatch()
#9 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Application.php(358): Zend_Application_Bootstrap_Bootstrap->run()
#10 /opt/kaltura/app/admin_console/web/index.php(38): Zend_Application->run()
#11 {main}

#7

Perhaps it’s because we are using a self-generated cert.

Currently, the Nginx VOD module does not support integration with Kaltura over HTTPs, only HTTP is supported.

Will try to set up a more production test and will let you know.


#8

OK, it seems like the docker image has expired CA files. I am not able to log in to the admin console; I had to do the following in the docker image:

rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates

Now I can. Still testing everything else.


#9

@jess, after fighting with docker I found a solution, but now VOD is not working properly. Basically, when loading the file, VOD tried to open https://vodk.test.com:88. If I change VOD_PACKAGER_PORT="88" to VOD_PACKAGER_PORT="8443", it causes a conflict with nginx_ssl=y and I have to go in and change nginx.conf manually. Perhaps I need to go and manually change the delivery_profile in the setting before this works.

Any ideas?

Also, the docker image has the wrong CA files. I fixed this by running this:

docker exec -it kaltura bash -c "yum update && rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates"

TIME_ZONE="Etc/UTC"
KALTURA_VIRTUAL_HOST_PORT="443"
KALTURA_FULL_VIRTUAL_HOST_NAME="k.test.com:443"
KALTURA_VIRTUAL_HOST_NAME="k.test.com"
DB1_HOST="127.0.0.1"
DB1_PORT="3306"
DB1_PASS="dMi63rEXkjedkEn"
DB1_NAME="kaltura"
DB1_USER="kaltura"
IS_NGINX_SSL="Y"
SERVICE_URL="https://k.test.com"
SPHINX_SERVER1="127.0.0.1"
SPHINX_SERVER2=" "
DWH_HOST="127.0.0.1"
DWH_PORT="3306"
ADMIN_CONSOLE_ADMIN_MAIL="test@test.com"
ADMIN_CONSOLE_PASSWORD="password"
CDN_HOST="k.test.com"
SUPER_USER="root"
SUPER_USER_PASSWD="password"
ENVIRONMENT_NAME="test"
DWH_PASS="dMi63rEXkjedkEn"
PROTOCOL="https"
PRIMARY_MEDIA_SERVER_HOST="k.test.com"
USER_CONSENT="0"
CONTACT_MAIL="test@test.com"
VOD_PACKAGER_HOST="vodk.test.com"
VOD_PACKAGER_PORT="88"
VOD_PACKAGER_SSL_PORT="8443"
IP_RANGE="0.0.0.0-255.255.255.255"
WWW_HOST="k.test.com:443"
CONFIG_CHOICE="0"
IS_SSL="Y"
CRT_FILE="/etc/ssl/certs/localhost.crt"
KEY_FILE="/etc/pki/tls/private/localhost.key"
SSL_KEY="/etc/pki/tls/private/localhost.key"
SSL_CERT="/etc/ssl/certs/localhost.crt"
CHAIN_FILE="/etc/ssl/certs/localhost.crt"

#10

Hi @melaleuca5,

As you can see here:

we simply use the default CentOS 6 Docker image. I’ve added:

rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates

here: https://github.com/kaltura/platform-install-packages/blob/Naos-14.1.0/docker/install/install.sh#L37

Which should fix the issue you’ve come across.

In regards to the Nginx config, if you want to work over SSL, run this SQL statement:

mysql> UPDATE kaltura.delivery_profile SET url = REPLACE(url, "$VOD_PACKAGER_HOST:$VOD_PACKAGER_PORT", "$VOD_PACKAGER_HOST:$VOD_PACKAGER_SSL_PORT") WHERE url LIKE '$VOD_PACKAGER_HOST:$VOD_PACKAGER_PORT/%';

Should get the job done. I recommend backing up the table before making changes to it.

Note that generally speaking, this Dockerfile is meant for development purposes only. On Production, you should deploy a cluster rather than an all in one instance and I’d also recommend using CentOS 7 as base, rather than 6.
We do not offer Dockerfiles for such a setup but it should be relatively easy for you to create your own based on the instructions here:

If you decide to do so and have questions, I’ll be happy to assist you and of course, we will welcome a pull request as well:)

Since CentOS/RHEL 7 make use of systemd and many of the packages in the official 7 repos no longer include traditional POSIX init scripts, you will find it difficult to deploy an all in one CentOS 7 container but like I said, that sort of setup is not recommended for Production ENVs anyhow:)
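An added example, not part of the original post or of Kaltura's code: a Python dry run of the delivery_profile UPDATE above, which shows which rows the predicate touches before anything is committed and copies the table first when the change is applied. It assumes the answer-file values are substituted for the `$VOD_PACKAGER_*` placeholders; sqlite3 stands in for MySQL so it runs offline, and the `id` column, the sample rows, the backup table name and the function names are assumptions.

```python
import sqlite3

def sample_db():
    """Constructed stand-in for kaltura.delivery_profile (id and rows are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE delivery_profile (id INTEGER PRIMARY KEY, url TEXT)")
    conn.executemany("INSERT INTO delivery_profile VALUES (?, ?)", [
        (1, "vodk.test.com:88/hls"),
        (2, "vodk.test.com:88/dash"),
        (3, "vodk.test.com:8443/hds"),   # already on the SSL port
        (4, "k.test.com/content"),       # unrelated profile
    ])
    conn.commit()
    return conn

def switch_vod_port(conn, host, port, ssl_port, apply=False):
    """Run the thread's UPDATE and return [(id, old_url, new_url)].

    apply=False rolls the change back (dry run); apply=True first copies the
    table to delivery_profile_backup, then commits.
    """
    old, new = f"{host}:{port}", f"{host}:{ssl_port}"
    pattern = old + "/%"   # same predicate as the post: URL starts with host:port/
    if apply:
        # Fails if a backup already exists, so an older backup is never overwritten.
        conn.execute("CREATE TABLE delivery_profile_backup AS "
                     "SELECT * FROM delivery_profile")
    before = dict(conn.execute(
        "SELECT id, url FROM delivery_profile WHERE url LIKE ?", (pattern,)))
    conn.execute("UPDATE delivery_profile SET url = REPLACE(url, ?, ?) "
                 "WHERE url LIKE ?", (old, new, pattern))
    after = dict(conn.execute("SELECT id, url FROM delivery_profile"))
    if apply:
        conn.commit()
    else:
        conn.rollback()
    return [(i, before[i], after[i]) for i in sorted(before)]

def urls(conn, table="delivery_profile"):
    """All URLs in id order, for checking what changed."""
    return [u for (u,) in conn.execute(f"SELECT url FROM {table} ORDER BY id")]
```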


#11

@jess thanks for that.

Not sure if you saw this: https://github.com/kaltura/server-cluster-container-install. Is this something your team is working on?


#12

Hi @melaleuca5,

Yes, I’m aware of it, thank you:)
However, that repo still requires work and also, uses centos:6 as the base image.
Like I said, it would be best to use centos:7 instead. Due to systemd, that would require some additional work.