Kaltura CE 12.10.0 Cluster installation

I have set up a new cluster 12.10 with https offloading and migrated the data from my single server installation to the cluster.
For testing I have set the service domain name to my server ip in the hosts file on the server and client.
I am using Debian.

I have 2 issues now

Login Admin console
If I log in to the Admin console, I end up with an error (error code: API:-1)
May be there is a Service call to a https://… ?

The kmc works!

Batch Server

It seems that the batch servers are not working because my uploaded files for testing are not converting. How can I register them to my DB or cluster? I tried dpkg-reconfigure kaltura-batch and kaltura-base but nothing changed.

I will install the nginx later.

Hi @roger78,

For Admin Console, what’s the output for:
# curl -I -v https://your.host/admin_console
?
Also, while making the request in the browser, from a root shell on the server, run:
# kaltlog
and take a look at the errors.

kaltlog is an alias defined in /etc/profile.d/kaltura-base.sh, if it’s not already sourced, source it with:
# . /etc/profile.d/kaltura-base.sh
note that there’s a space between ‘.’ and /etc/profile.d/kaltura-base.sh.

As for batch, first, check if the daemon is running with:
# service kaltura-batch status
and if not, look at /opt/kaltura/log/kaltura_batch.log to understand why not.

curl -I -v https://your.host/admin_console
-> no refused
because it is not accessible with https, only with http, in my cluster
so can I assume it works if I move to production and the https of the LB is accessible?

The batch service is running and do Error message in log.

Hi @roger78,

It can work over HTTP as well, I wrote https because of your comment:
“May be there is a Service call to a https://… ?”

Anyhow, what’s the output for:
$ curl -I -v http://your.host/admin_console
what’s in /opt/kaltura/log/kaltura_batch.log and what’s outputted to STDOUT when running kaltlog and making the request to /admin_console?

We have now moved our domain to the cluster and it's different now.
The Admin Console works but the kmc is stuck now and keeps loading endlessly after login.

The output of curl on the front server is:

curl -l -v https://tube.htwchur.ch

* Rebuilt URL to: https://tube.htwchur.ch/
* Hostname was NOT found in DNS cache
*   Trying 193.5.58.89...
* Connected to tube.htwchur.ch (193.5.58.89) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=CH; ST=Graubuenden; L=Chur; O=Hochschule fuer Technik und Wirtschaft (HTW Chur); OU=Informatikdienst; CN=tube.htwchur.ch
*        start date: 2016-04-19 08:50:35 GMT
*        expire date: 2019-04-19 08:50:33 GMT
*        subjectAltName: tube.htwchur.ch matched
*        issuer: C=BM; O=QuoVadis Limited; CN=QuoVadis Global SSL ICA G2
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: tube.htwchur.ch
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Fri, 17 Feb 2017 14:13:21 GMT
* Server Apache/2.4.10 (Debian) is not blacklisted
< Server: Apache/2.4.10 (Debian)
< Location: http://tube.htwchur.ch/start/index.php
< Content-Length: 303
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://tube.htwchur.ch/start/index.php">here</a>.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at tube.htwchur.ch Port 80</address>
</body></html>
* Connection #0 to host tube.htwchur.ch left intact

the blocking of http comes from this mixed content:

Mixed Content: The page at 'https://tube.htwchur.ch/index.php/kmc/kmc4' was loaded over HTTPS, but requested an insecure script 'http://tube.htwchur.ch/lib/js/jquery-1.8.3.min.js'. This request has been blocked; the content must be served over HTTPS.

I have https offloading.

What did I do wrong?

Hi @roger78,

The key to successfully determining the protocol [http or https] when configuring ssl offloading is here:
/opt/kaltura/app/configurations/apache/kaltura.conf

SetEnvIf X-Forwarded-Proto https HTTPS=on

That is, if your LB sets the X-Forwarded-Proto to https, the above Apache config will set HTTPS to ‘on’ which is in turn checked throughout our code to determine whether to use https as the protocol.
Does your LB correctly set it?

Also, look at: /opt/kaltura/app/configurations/admin.ini and make sure settings.serviceUrl is prefixed with “https://”.
I would also recommend going to Admin Console->Publishers->Your Partner Row->Actions->Configure and check both:
“Embed Code Default Protocol HTTPS”
“Force KMC HTTPS”
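
Added example, not from the original posts or from Kaltura: a shell check for the symptom in the curl output earlier in the thread, where a request made on port 443 comes back with a redirect or asset URL on plain http:// for the same host. It reads a saved `curl -v` transcript on stdin; `sample_transcript` and `check_offload` are hypothetical names, and the transcript (host media.example.org, address 192.0.2.10) is constructed.

```shell
#!/bin/sh
# Added example: flag HTTPS -> HTTP downgrades in a saved `curl -v` transcript.
# Function names are hypothetical; the transcript below is constructed.

sample_transcript() {
cat <<'EOF'
* Connected to media.example.org (192.0.2.10) port 443 (#0)
> GET / HTTP/1.1
> Host: media.example.org
>
< HTTP/1.1 302 Found
< Location: http://media.example.org/start/index.php
<
<script src="http://media.example.org/lib/js/jquery-1.8.3.min.js"></script>
<p>The document has moved <a href="http://media.example.org/start/index.php">here</a>.</p>
EOF
}

# Reads a transcript on stdin, prints one finding per line and returns 1 if
# anything was found. Only connections made on port 443 are checked.
check_offload() {
  awk '
    { sub(/\r$/, "") }                          # strip a trailing CR if the transcript kept one
    /^\* Connected to .* port 443( |$)/ { tls = 1 }
    /^> Host: /                         { host = $3 }
    !tls || host == ""                  { next }
    # Response header: redirect back to plain http on the same host.
    $1 == "<" && tolower($2) == "location:" {
      if (index($3, "http://" host "/") == 1) { print "redirect-downgrade " $3; bad = 1 }
      next
    }
    /^[*<>]( |$)/ { next }                      # other curl info and header lines
    # Body line: same-host script, asset or link still using http://.
    index($0, "http://" host "/") { printf "insecure-reference line %d\n", NR; bad = 1 }
    END { exit bad + 0 }
  '
}

# Demo on the constructed transcript.
sample_transcript | check_offload || echo "downgrade found: check X-Forwarded-Proto on the LB"
```

To check a real front end, save the transcript with `curl -v https://your.host/ 2>&1` and pipe the file into `check_offload`.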

Thank you jess

That must obviously be the reason. Our IT will check the LB soon, it is not under my control. Until then I have set the “HTTP on” manually in my apache config and it works more or less. I still get some mixed content at some points but I guess these will be gone once the LB has been set properly.

During my latest installations on Debian I have found some bugs:

After installation of a batch machine the directory /opt/kaltura/tmp was not set to the user kaltura:ww-data.

After configuring a front machine with SSL (on my test environment) there was a missing word-wrap in front of CRT_FILE=… in the files local.ini and system.ini.

Hi @roger78,

Permission issue is fixed by this commit - https://github.com/kaltura/platform-install-packages/commit/4730d100bf8fc79adbff12218d97c3012104b56a#diff-eb7a79d505d7d1a7d299ea7d11d7909dR20, thank you:)
As for the CRT_FILE, just so I understand, you mean your path to the CA has spaces and thus the fact the value is not wrapped in quotes caused an issue for you?
I am also a little confused because you wrote “CRT_FILE=… in the files local.ini and system.ini” but this ENV var is only inserted to system.ini, not local.ini…

in the local.ini is
[reports_db_config]
host = localhost
user = etl
port = 3306
password = mydbpasswordCRT_FILE=/etc/apache2/ssl/mydaomain.com.crt.pem

instead of
[reports_db_config]
host = localhost
user = etl
port = 3306
password = mydbpassword
CRT_FILE=/etc/apache2/ssl/mydaomain.com.crt.pem

I don't know why, but reconfigure inserted this.
So there is a missing newline; the same in system.ini

Hi @roger78,

Are you able to reproduce this? Asking because local.ini does not need that directive at all and I don’t see anywhere in the post or pre install scripts that makes an attempt to insert that directive into local.ini either:

# grep CRT_FILE /var/lib/dpkg/info/kaltura-* -r

/var/lib/dpkg/info/kaltura-front.postinst: CRT_FILE=$RET
/var/lib/dpkg/info/kaltura-front.postinst: CRT_SUM=openssl x509 -in $CRT_FILE -modulus -noout | openssl md5
/var/lib/dpkg/info/kaltura-front.postinst: VERIFY_COMMAND="openssl verify -CAfile $CHAIN_FILE $CRT_FILE"
/var/lib/dpkg/info/kaltura-front.postinst: VERIFY_COMMAND="openssl verify -CAfile $CA_FILE $CRT_FILE"
/var/lib/dpkg/info/kaltura-front.postinst: VERIFY_COMMAND="openssl verify $CRT_FILE"
/var/lib/dpkg/info/kaltura-front.postinst: sed "s#@SSL_CERTIFICATE_FILE@#$CRT_FILE#g" -i $MAIN_APACHE_CONF
/var/lib/dpkg/info/kaltura-front.postinst: echo "CRT_FILE=$CRT_FILE" >> $RC_FILE

RC_FILE in this case is /etc/kaltura.d/system.ini, defined earlier in /var/lib/dpkg/info/kaltura-front.postinst…

Thanks,

No, I cannot reproduce it in local.ini, but I can in system.ini.

I deleted the CRT_FILE line manually and it doesn't appear after reconfigure in local.ini.

but in system.ini it appears:
DWH_PASS=passwordCRT_FILE=/etc/apache2/ssl/mydomain.com.crt.pem

Thanks

Thanks, Roger, now I understand. For deb [thanks to debconf] Apache CRT and KEY ENV vars are not needed in system.ini so I just removed the code that adds them from /var/lib/dpkg/info/kaltura-front.postinst.
These ENV vars are set in system.ini only for the benefit of the RPM postinst scripts since RPM does not support interactive input prompting during any of its package installation steps.
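
Added example, not code from the Kaltura packages: the merged line reported above (DWH_PASS=passwordCRT_FILE=…) is what a plain `>>` append produces when the last line of the file has no trailing newline. The sketch reproduces that, appends with a guard, and flags lines that are already merged; function names, file names and values are constructed, and the merged-line check is a heuristic.

```shell
#!/bin/sh
# Added example: why an append with >> can glue a new KEY=value onto the
# previous line, and an append that cannot. All names and values are constructed.

# The same kind of append as the postinst line quoted in the thread.
naive_append() { echo "$2" >> "$1"; }

# Append LINE ($2) to FILE ($1) as its own line. If FILE is non-empty and its
# last byte is not a newline, terminate the existing last line first.
# ($(...) strips a trailing newline, so a non-empty result means "no newline".)
safe_append() {
  if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
    printf '\n' >> "$1"
  fi
  printf '%s\n' "$2" >> "$1"
}

# Heuristic for files that are already damaged: a KEY=value line whose value
# contains a second UPPER_CASE= token. A password that happens to contain
# such a token is reported too, so review each hit by hand.
find_merged() {
  grep -nE '^[A-Z_]+=.*[A-Z][A-Z_]+=' "$1"
}

demo() {
  dir=$(mktemp -d)
  printf 'DWH_PASS=password' > "$dir/naive.ini"      # last line has no newline
  cp "$dir/naive.ini" "$dir/safe.ini"
  naive_append "$dir/naive.ini" 'CRT_FILE=/etc/apache2/ssl/example.crt.pem'
  safe_append  "$dir/safe.ini"  'CRT_FILE=/etc/apache2/ssl/example.crt.pem'
  echo "naive append, merged lines: $(find_merged "$dir/naive.ini")"
  echo "safe append, line count:    $(wc -l < "$dir/safe.ini")"
  rm -rf "$dir"
}

demo
```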