Issues with SSL installation on RedHat 7.7

Hello, I’ve been trying to install the latest version of Kaltura CE for some days now without any luck. I’ve tried many different setups but keep failing, so I’ve decided to ask for help and see if somebody had the same experience as me and could help me out in resolving them.

I’ve tried the different installation setups but none have worked out of the box. The only one that was close to working is the installation on a RedHat server, which is the one I decided to install it on.

I’m running a RedHat 7.7 VM in Microsoft Azure (no application gateway).

I followed the steps from: https://github.com/kaltura/platform-install-packages/blob/Propus-16.8.0/doc/install-kaltura-redhat-based.md

First problem: the Kaltura repo seems to be broken for RedHat 7.7. When you install the repo, the baseurl in the kaltura.repo file contains a variable for your OS version, therefore the URL becomes: baseurl = http://installrepo.kaltura.org/releases/latest/7.7/RPMS/$basearch/ but that doesn’t exist. I’ve got it fixed by manually updating the RedHat version to 7 instead of 7.7, and that seems to work. Not sure if this is an explicit problem for RedHat 7.7 or any other version, but I’m just leaving it in here if others have the same problem.

Once Kaltura had been fully downloaded and the dependencies installed, I started the kaltura-config-all.sh script.

SQL service on the same VM: mariadb-server
no mail services
SSL certs from let’s encrypt

I’ve managed to get it to work without SSL, but the main problem is with the SSL installation, which does not cooperate. Now, enough with the explanation, here’s the real problem.
The first error I’m getting in the kaltura-config-all.sh script is the following:

Stopping kaltura-elastic-populate (via systemctl):  [  OK  ]
Starting kaltura-elastic-populate (via systemctl):  Job for kaltura-elastic-populate.service failed because the control process exited with error code. See "systemctl status kaltura-elastic-populate.service" and "journalctl -xe" for details.
[FAILED]
Redirecting to /bin/systemctl reload httpd.service

Second error is this one:

Generating UI confs..
PHP Fatal error:  Uncaught exception 'KalturaClientException' with message 'Peer's Certificate issuer is not recognized.' in /data/kaltura/apps/clientlibs/php5/KalturaClientBase.php:362
Stack trace:
#0 /data/kaltura/apps/clientlibs/php5/KalturaClient.php(7168): KalturaClientBase->doQueue()
#1 /data/kaltura/html5/html5lib/playkitSources/kaltura-ovp-player/create_playkit_uiconf.php(17): KalturaSessionService->start('e248c2683977ccb...', NULL, 2, '0')
#2 {main}
thrown in /data/kaltura/apps/clientlibs/php5/KalturaClientBase.php on line 362


kaltura-db-config.sh FAILED with: 255 on line 240

Archving logs to /opt/kaltura/log/log_02_10_20_11_29.tar.gz...
ERROR: we failed on something else..

Here is my ans file:

Checking MySQL version..
Ver 5.5.64-MariaDB found compatible
TIME_ZONE="America/Toronto"
KALTURA_FULL_VIRTUAL_HOST_NAME="kaltura-dev.c******.azure.com"
KALTURA_VIRTUAL_HOST_NAME="kaltura-dev.c******.azure.com"
DB1_HOST="127.0.0.1"
DB1_PORT="3306"
DB1_PASS="******"
DB1_NAME="kaltura"
DB1_USER="kaltura"
SERVICE_URL="https://kaltura-dev.c******.azure.com"
SPHINX_SERVER1="127.0.0.1"
SPHINX_SERVER2="127.0.0.1"
DWH_HOST="127.0.0.1"
DWH_PORT="3306"
ADMIN_CONSOLE_ADMIN_MAIL="******"
ADMIN_CONSOLE_PASSWORD="******"
CDN_HOST="kaltura-dev.c******.azure.com"
KALTURA_VIRTUAL_HOST_PORT="80"
SUPER_USER="******"
SUPER_USER_PASSWD="******"
ENVIRONMENT_NAME="Kaltura Video Platform"
DWH_PASS="******"
PROTOCOL="http"
PRIMARY_MEDIA_SERVER_HOST="kaltura-dev.c******.azure.com"
USER_CONSENT="0"
VOD_PACKAGER_HOST="kaltura-dev.c******.azure.com"
VOD_PACKAGER_PORT="88"
IP_RANGE="0.0.0.0-255.255.255.255"
WWW_HOST="kaltura-dev.c******.azure.com"
IS_SSL="Y"
CRT_FILE="/etc/letsencrypt/live/kaltura-dev.c******.azure.com/cert.pem"
KEY_FILE="/etc/letsencrypt/live/kaltura-dev.c******.azure.com/privkey.pem"
CA_FILE="NO_CA"

(You might see Kaltura being installed in /data instead of /opt; I’m using a symbolic link, just so you know.)

Looking at the errors, the second one seems interesting. Is Let’s Encrypt supported?
My guess is that it is, so out of curiosity, I’ve tried removing the SSL verification from the following 2 files:
admin.ini: settings.clientConfig.verifySSL = false
and
batch.ini: clientConfig.verifySSL = 0

and ran kaltura-front-config.sh, but got the same error.

Here are my httpd settings:

  • No modification in /etc/httpd/conf/httpd.conf

  • I’ve modified the SSLCertificateKeyFile and SSLCertificateFile in /etc/httpd/conf.d/ssl.conf to match my Let’s Encrypt files

  • /etc/httpd/conf.d/zzzkaltura.ssl.conf contains both SSLCertificateKeyFile and SSLCertificateFile from Let’s Encrypt and a placeholder for ##SSLCACertificateFile @SSL_CERTIFICATE_CHAIN_FILE@

  • /etc/hosts contains an entry for my URL to redirect to 127.0.0.1

Now for some extra stuff:

  • httpd seems to be running at this time on port 443; going to my URL, I’m getting the default Red Hat Enterprise Linux Test Page

  • The Azure networking interface has the ports 80, 443, 88, 1935, 1936, 9312 open (based on the ports that need to be open per the install documentation)

  • I’ve tried with a regular server certificate instead of Let’s Encrypt and I got a different error, that the certificate was invalid. I did not post this error since I want a valid certificate, not a default server one

  • I’ve tried SSL offloading to an application gateway but got different errors (I can go back to it if you suggest it as an easier approach)

That’s a really long post, but I honestly can’t find anything else I can do. I’ve tried many combinations with the ans file for the service URL and the base URL without any luck.

I’m open to suggestions, or let me know if you need more info about the setup.

Thank you!!

Hello @cedricguindon,

With regards to the repo URLs, they are configured thusly (in /etc/yum.repos.d/kaltura.repo):

baseurl = http://installrepo.kaltura.org/releases/latest/$releasever/RPMS/$basearch/
baseurl = http://installrepo.kaltura.org/releases/latest/$releasever/RPMS/noarch

$releasever should resolve to the major release (6,7,8), not the minor, so for instance:

# /usr/libexec/platform-python -c 'import dnf, json; db = dnf.dnf.Base(); print(json.dumps(db.conf.substitutions, indent=2))'
{
  "arch": "x86_64",
  "basearch": "x86_64",
  "releasever": "8"
}

or on 6 and 7:

# python -c 'import yum, json; yb = yum.YumBase(); print json.dumps(yb.conf.yumvar, indent=2)'

Loaded plugins: fastestmirror, priorities
{
  "releasever": "6",
  "basearch": "x86_64",
  "arch": "ia32e",
  "uuid": "a27cb56a-1c96-4f38-9be6-5cd54e185cbf",
  "infra": "stock"
}

What does it resolve to in your case?
And what’s the output for:

$ lsb_release -a

?

In terms of the SSL cert, the error:

PHP Fatal error: Uncaught exception 'KalturaClientException' with message 'Peer's Certificate issuer is not recognized.' in /data/kaltura/apps/clientlibs/php5/KalturaClientBase.php:362

Implies that you’re missing the CA cert, which, in fact you are (based on your output).
When using Let’s Encrypt, you will find it here: /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem

Set the CA_FILE ENV var to that path (or input it interactively when prompted by kaltura-front-config.sh).

/opt/kaltura/app/configurations/batch/batch.ini: clientConfig.verifySSL = 0
Only pertains to the Batch daemon (and setting to 0/false is ill-advised).

Let me know as to your progress following that.

Cheers,

Hello Jess, thank you for getting back to me.

Mine resolved to the major + minor version for some reason

[root@dev-kaltura-allinone admin_vm]# python -c 'import yum, json; yb = yum.YumBase(); print json.dumps(yb.conf.yumvar, indent=2)'
Loaded plugins: langpacks, product-id
{
  "arch": "ia32e", 
  "basearch": "x86_64", 
  "releasever": "7.7", 
  "uuid": "760859cc-c8d5-47a2-8499-9f568670333f"
}
[root@dev-kaltura-allinone admin_vm]# lsb_release -a
LSB Version::core-4.1-amd64:core-4.1-noarch
Distributor ID:RedHatEnterpriseServer
Description:Red Hat Enterprise Linux Server release 7.7 (Maipo)
Release:7.7
Codename:Maipo

As you can see above, it shows 7.7 (including the minor). This messes up the repo by resolving to 7.7, and the URL does not exist. I easily fixed it by manually entering 7 instead of 7.7 in the repo file, but it should be mentioned in the documentation somewhere, I believe :\ Unless I have a really special RedHat setup, but I can’t tell you how I would begin to identify that.

Regarding SSL, I executed the kaltura-front-config.sh script, inputted the fullchain.pem file at the SSL CA prompt and got the same error:

PHP Fatal error:  Uncaught exception 'KalturaClientException' with message 'Peer's Certificate issuer is not recognized.' in /data/kaltura/apps/clientlibs/php5/KalturaClientBase.php:362

I checked the system.ini file in /app/configuration/ and found that the cert files are entered 3 times, but only the last CHAIN_FILE= entry is populated. Is that normal? I guess the file is being appended to when rerunning the configs?

I also added the chain file to the ssl.conf file in my httpd conf.d folder, reran kaltura-front-config.sh and got the same error.

Hello @cedricguindon,

What does your /etc/httpd/conf.d/zzzkaltura.ssl.conf contain?
Specifically, you should have these lines:

SSLCertificateFile /path/to/.crt
SSLCertificateKeyFile /path/to/.key
SSLCACertificateFile /path/to/ca-.crt

zzzkaltura.ssl.conf has the following:

SSLCertificateFile /etc/letsencrypt/live/kaltura-dev.c******.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kaltura-dev.c******.com/privkey.pem
##SSLCACertificateFile /etc/letsencrypt/live/kaltura-dev.c******.com/fullchain.pem

The CA file is commented out; my Let’s Encrypt cert does not have a CA file but the full chain.

I uncommented the line and restarted httpd, and now I get no errors when running kaltura-front-config.sh, but my URL still brings me to the Red Hat Enterprise Linux Test Page.

This seems to be an httpd setting now. I can look elsewhere since this is a Kaltura forum, unless you know how to fix that one easily?

What errors are you getting? What’s in the Apache error log?
Also, what is the output for:

# apachectl -t -DDUMP_VHOSTS

?

httpd ssl_error_log has the following:

AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive

Kaltura is not in /var/www/html; it seems like a redirect is missing somewhere.

Here’s the DDUMP_VHOSTS

[root@dev-kaltura-allinone httpd]# apachectl -t -DDUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
127.0.0.1:*            kaltura-dev.c******.com (/etc/httpd/conf.d/zzzkaltura.ssl.conf:22)
*:443                  dev-kaltura-allinone.internal.cloudapp.net (/etc/httpd/conf.d/ssl.conf:56)

UPDATE

I changed the zzzkaltura.ssl.conf VirtualHost from:
<VirtualHost kaltura-dev.c***.com>
to
<VirtualHost *:443>

And I can get the main page, including the /admin_console. Do you consider it a good fix or just a temporary patch to make it work?

Hello @cedricguindon,

That depends on your needs. Ideally, this machine should be dedicated solely to running Kaltura CE. If that’s the case, the best thing to do is remove/backup the default Vhost config and ONLY have the Kaltura one.

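The two misconfigurations this thread ends up fixing, a commented-out chain directive and a VirtualHost addressed by host name (which httpd bound to 127.0.0.1 because of the /etc/hosts entry), can be caught by a small lint before reloading httpd. This is an added example, not part of the original posts or of Kaltura's scripts; the finding codes, the host kaltura-dev.example.com and the sample config are constructed, and NO_CHAIN is a heuristic that also flags newer httpd setups where SSLCertificateFile itself carries the full chain.

```sh
#!/bin/sh
# Added example: lint an httpd TLS vhost file for the two faults found in this thread.
# Finding codes (HOSTNAME_ADDR, NO_CHAIN), host name and paths are constructed.

lint_vhosts() {   # $1 = httpd conf file; prints one finding per line
  awk '
    /^[ \t]*#/ { next }                     # commented-out directives do not count
    tolower($1) == "<virtualhost" {
      addr = $2; sub(/>$/, "", addr); line = NR
      cert = 0; chain = 0; invh = 1
      # Accept "*", "_default_", an IPv4 or a bracketed IPv6, with optional :port.
      # Anything else is a name that httpd resolves once at startup (/etc/hosts wins).
      if (addr !~ /^(\*|_default_|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|\[[0-9A-Fa-f:]+\])(:([0-9]+|\*))?$/)
        printf "line %d: HOSTNAME_ADDR %s\n", line, addr
      next
    }
    invh && tolower($1) == "sslcertificatefile" { cert = 1 }
    invh && tolower($1) ~ /^ssl(cacertificate|certificatechain)file$/ { chain = 1 }
    tolower($1) == "</virtualhost>" {
      if (invh && cert && !chain) printf "line %d: NO_CHAIN %s\n", line, addr
      invh = 0
    }
  ' "$1"
}

sample_conf() {   # $1 = "broken" (as first posted) or "fixed" (as it ended up)
  if [ "$1" = broken ]; then addr='kaltura-dev.example.com'; mark='##'
  else addr='*:443'; mark=''; fi
  cat <<EOF
<VirtualHost $addr>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/kaltura-dev.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/kaltura-dev.example.com/privkey.pem
    ${mark}SSLCACertificateFile /etc/letsencrypt/live/kaltura-dev.example.com/fullchain.pem
</VirtualHost>
EOF
}

lint_sample() {   # $1 = broken|fixed; writes the sample to a temp file and lints it
  tmp=$(mktemp) || return 1
  sample_conf "$1" > "$tmp"; lint_vhosts "$tmp"; rc=$?
  rm -f "$tmp"; return "$rc"
}

echo "broken:"; lint_sample broken
echo "fixed:";  lint_sample fixed
```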

Thank you for all your help regarding my SSL problem. It seems to be fixed at this time. I still have some problems with the nginx HLS and CORS, but I’ll try to figure it out by myself, then ask for some help if I need it.

Thank you again!

You’re welcome, @cedricguindon.
For Nginx, start here: Install kaltura Nginx VOD module