Kaltura SSL deployment issues

Hello, I have deployed a single server with Kaltura. I’m doing tests for the cluster which is in production at the moment.

Everything went well, but when I try to access the site kalturassl.servcast.net I get the following message:

Bad Request
Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://kalturassl.servcast.net/

In the mysql I have:
select partner_id,name,status from permission WHERE permission.NAME='FEATURE_KMC_ENFORCE_HTTPS' ORDER BY permission.STATUS ASC LIMIT 1\G;
*************************** 1. row ***************************
partner_id: 0
name: FEATURE_KMC_ENFORCE_HTTPS
status: 1
1 row in set (0.00 sec)

Which seems alright.

In the /opt/kaltura/log/insertContent.log I have:

Queuing action [userRole.add]
Queuing action [user.add]
Executing multirequest
service url: [https://kalturassl.servcast.net]
curl: https://kalturassl.servcast.net/api_v3/service/multirequest
post: {“format”:“3”,“ignoreNull”:true,“clientTag”:“php5:16-06-08”,“apiVersion”:“3.3.0”,“0”:{“service”:“userrole”,“action”:“add”,“userRole”:{“objectType”:“KalturaUserRole”,“name”:"System Administra$
server: [kalturassl.servcast.net], session: [356856107]
result (serialized): a:2:{i:0;O:15:“KalturaUserRole”:10:{s:2:“id”;i:11;s:4:“name”;s:20:“System Administrator”;s:10:“systemName”;s:20:“System Administrator”;s:11:“description”;s:20:"System Administ$
result (object dump): Array
(
[0] => KalturaUserRole Object
(
[id] => 11
[name] => System Administrator
[systemName] => System Administrator
[description] => System Administrator
[status] => 1
[partnerId] => -2
[permissionNames] => AUDIT_PLUGIN_PERMISSION,FEATURE_MOBILE_FLAVORS,CONTENT_MANAGE_ASSIGN_USER_GROUP,scheduledTask.SYSTEM_ADMIN_MANAGE,ADMIN_USER_ASSIGN_PARNTERS,dropFolder.SYSTEM_ADMI$
[tags] => admin_console
[createdAt] => 1465394424
[updatedAt] => 1465394424
[relatedObjects] =>
)

[1] => KalturaUser Object
    (
        [id] => admin@servcast.net
        [partnerId] => -2
        [type] =>
        [screenName] => admin@servcast.net
        [fullName] => Kaltura Administrator
        [email] => admin@servcast.net
        [dateOfBirth] =>
        [country] =>
        [state] =>
        [city] =>
        [zip] =>
        [thumbnailUrl] =>
        [description] =>
        [tags] =>
        [adminTags] =>
        [gender] =>
        [status] => 1
        [createdAt] => 1465394424
        [updatedAt] => 1465394424
        [partnerData] =>

Which seems alright.

In the answer file I have:

TIME_ZONE="America/New_York"
KALTURA_FULL_VIRTUAL_HOST_NAME="kalturassl.servcast.net"
KALTURA_VIRTUAL_HOST_NAME="kalturassl.servcast.net"
DB1_HOST="127.0.0.1"
DB1_PORT="3306"
DB1_PASS="xxxxxxx"
DB1_NAME="kaltura"
DB1_USER="kaltura"
SERVICE_URL="https://kalturassl.servcast.net"
SPHINX_SERVER1="127.0.0.1"
SPHINX_SERVER2="127.0.0.1"
DWH_HOST="127.0.0.1"
DWH_PORT="3306"
ADMIN_CONSOLE_ADMIN_MAIL="xxxxxx"
ADMIN_CONSOLE_PASSWORD="xxxxx"
CDN_HOST="kalturassl.servcast.net"
KALTURA_VIRTUAL_HOST_PORT="443"
SUPER_USER="root"
SUPER_USER_PASSWD="xxxxxx"
ENVIRONMENT_NAME="Kaltura Video Platform"
DWH_PASS="xxxxxx"
PROTOCOL="https"
RED5_HOST="kalturassl.servcast.net"
USER_CONSENT="0"
CONTACT_MAIL="NO"
VOD_PACKAGER_HOST="kalturassl.servcast.net"
VOD_PACKAGER_PORT="88"
IP_RANGE="0.0.0.0-255.255.255.255"
WWW_HOST="kalturassl.servcast.net"
[root@localhost tmp]# cat kaltura_08_06_09_53.ans
CONFIG_CHOICE="0"
IS_SSL="Y"
CRT_FILE="/etc/httpd/ssl/apache.crt"
KEY_FILE="/etc/httpd/ssl/apache.key"
CHAIN_FILE="/etc/httpd/ssl/apache.pem"

Any input would be greatly appreciated.
Regards,
Jacob R.

Hi,

Since you configured the Apache to work over SSL, you should also make the requests stating explicitly that you want HTTPs, like so:
https://kalturassl.servcast.net/admin_console/

You can also add something like:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

to the Apache config to auto-redirect HTTP traffic to HTTPS.
I see you are also using a self signed cert, which is not that good because you will have issues using KMC from some browsers, depending on their Flash plugin implementation. Admin Console should work though.

It is HIGHLY recommended that you use a real certificate.

OK, so basically I should do a redirect via .htaccess? And of course I will use a real certificate for the cluster.
I will try and do the redirect now, and post the results.
Thank you very much, Jess, for the response on such short notice.

Regards,
Jacob R.

Hi Jacob,

Welcome.
You can use .htaccess or just put it in the main Apache conf file, that’s fine too.
In a cluster though, you would want a load balancer operating over HTTPs and then offload over HTTP to the nodes.

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
SSLMutex default
</IfVersion>
<IfVersion >= 2.4>
Mutex sysvsem default
</IfVersion>
SSLCryptoDevice builtin

SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/apache.pem

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
    CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

    Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"

This is what I’ve done and I still get the 400 bad request page.

Which file did you put it in?

zzzkaltura.ssl.conf which is symlinked to /opt/kaltura/app/configurations/apache/kaltura.ssl.conf

Right, but that’s too late:) needs to go to the main Apache conf file.

OK, I understand, will try that. Sorry for the late response, I was on my way home from the office.

Regards,
Jacob R.

Hi Jess,
I’ve been messing with the httpd.conf, adding a virtual host there and the redirect conditions, and if I do

<VirtualHost kalturassl.servcast.net>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/apache.pem

    ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
    CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

    Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"

</VirtualHost>

It does the same thing.

If I add port 443 to the virtual host, it redirects me to /var/www/html/error/noindex.html

Really strange… any advice is more than welcome.
Regards,
Jacob R.

I also tried commenting out the whole zzzkaltura.ssl.conf and moving all the rules, including the redirect, to the httpd.conf from Apache, but I get the same result: the 400 bad request.

As an extra detail, the server is CentOS 6.8 and I’m configuring /etc/httpd/conf/httpd.conf

Edit: In the Apache SSL error log from Kaltura I can see the following:
[error] [client 89.136.235.146] PHP Notice: Use of undefined constant DEBUG_BACKTRACE_IGNORE_ARGS - assumed ‘DEBUG_BACKTRACE_IGNORE_ARGS’ in /opt/kaltura/app/infra/log/KalturaLog.php on line 192, referer: https://kalturassl.servcast.net/start/index.php , but I don’t really think this can cause the issues with my redirect. As I can see, the error is being generated only when I access the admin_console, so it has nothing to do with my 400 bad request.

Also, I tried adding a .htaccess file in /opt/kaltura/app/start with a redirect and I still got the 400 bad request.

@razvan_iacob
1st - two symlinks in /etc/httpd/conf.d (you can merge these two files into one):
zzzkaltura_redirects.conf -> /opt/kaltura/app/configurations/apache/kaltura_redirects.conf
zzzkaltura.ssl.conf -> /opt/kaltura/app/configurations/apache/kaltura.ssl.conf

2nd kaltura_redirects.conf:

<VirtualHost YOUR_KALTURA_HOSTNAME:80>

RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

</VirtualHost>

3rd kaltura.ssl.conf:

<IfModule !ssl_module>
        LoadModule ssl_module modules/mod_ssl.so
</IfModule>


SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
        SSLMutex default
</IfVersion>
<IfVersion >= 2.4>
        Mutex sysvsem default
</IfVersion>
SSLCryptoDevice builtin

SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLCertificateFile /opt/kaltura/app/configurations/apache/crt/hostname.crt
SSLCertificateKeyFile /opt/kaltura/app/configurations/apache/crt/hostname.key
SSLCertificateChainFile /opt/kaltura/app/configurations/apache/crt/hostname.ca-bundle

<VirtualHost YOUR_KALTURA_HOSTNAME:443>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLHonorCipherOrder On
        SSLUseStapling off

        ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
        CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

        Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
</VirtualHost>
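
As an added example (not part of the original thread, and not Kaltura's own tooling), this Python check encodes what separates the configuration that kept returning 400 from the two-vhost layout above: the TLS engine confined to a :443 vhost, a :80 vhost that only redirects, and the tighter protocol and cipher lines. The function name, the finding codes and the condensed sample configs are assumptions made for illustration.

```python
import re
WEAK = {"all", "low", "medium", "export", "rc4"}  # cipher classes treated as too broad or weak

def audit_apache_tls(conf):
    """Return sorted finding codes for Apache config text (line heuristic, not a full parser)."""
    findings, vhost = {"no-port-80-redirect-vhost"}, None  # cleared once a :80 redirect is seen
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"<(/?)VirtualHost\b\s*([^>]*)>", line, re.I)
        if m:  # track which <VirtualHost> encloses the following directives
            vhost = None if m.group(1) else m.group(2).strip()
        name, arg = (line.lower().split(None, 1) + ["", ""])[:2]
        port = vhost.rpartition(":")[2] if vhost and ":" in vhost else None
        if name == "sslengine" and arg == "on" and port != "443":
            findings.add("ssl-engine-not-scoped-to-443")
        elif name == "sslprotocol":
            toks = arg.split()
            if "sslv3" in (t.lstrip("+") for t in toks) or ("all" in toks and "-sslv3" not in toks):
                findings.add("sslv3-enabled")
        elif name == "sslciphersuite":
            killed = {t[1:] for t in arg.split(":") if t.startswith("!")}
            enabled = {p for t in arg.split(":") if t and t[0] not in "!-+" for p in t.split("+")}
            if (enabled & WEAK) - killed:
                findings.add("weak-cipher-classes")
        elif name in ("rewriterule", "redirect") and port == "80" and "https://" in arg:
            findings.discard("no-port-80-redirect-vhost")
    return sorted(findings)

# Constructed samples condensed from the thread: the attempt that still returned 400, then the layout that resolved it.
BEFORE = """<VirtualHost kalturassl.servcast.net>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>"""
AFTER = """<VirtualHost YOUR_KALTURA_HOSTNAME:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost YOUR_KALTURA_HOSTNAME:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
</VirtualHost>"""

if __name__ == "__main__":
    print(audit_apache_tls(BEFORE), audit_apache_tls(AFTER))
```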

Hi,

You don’t need to add a virtual host to /etc/httpd/conf/httpd.conf
only:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

The rest should remain exactly the same as before. Then, reload Apache and it should be fine.

If not, then run:
# curl -I -v kalturassl.servcast.net

and paste the output.

Thanks,

At the end of the httpd.conf I have the rewrite instructions, and the output from curl is as follows:

[root@kalturassl log]# curl -l -v kalturassl.servcast.net

GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: kalturassl.servcast.net
Accept: */*

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Hint: https://kalturassl.servcast.net/

Apache/2.2.15 (CentOS) Server at kalturassl.servcast.net Port 443
* Connection #0 to host kalturassl.servcast.net left intact
* Closing connection #0

It needs to be the first thing that really happens. If your main httpd.conf contains a VirtualHost declaration for example, it should happen BEFORE that.

Thanks Mihail,
I do not have the second symlink, I only have
zzzkaltura.ssl.conf -> /opt/kaltura/app/configurations/apache/kaltura.ssl.conf

Will apply your suggestion and post the results.
Thank you.

Regards,
Jacob R.

Will take another look, but at first glance it doesn’t have any virtual host defined in httpd.conf.

Thank you Jess, will post my results.

Much appreciated Mihail, your solution worked for me, I’m in your debt.

Best regards,
Jacob R.

Thank you very much for your support Jess, you’re a true fountain of knowledge :)

I wish you the best
Regards,
Jacob R.