Realm Object Server - SSL configuration causes ROS to fail start - ssl

Ubuntu 16.04 / ROS v1.3.0
I am attempting to configure my ROS to use secure SSL connections.
If I do not make any changes to the configuration.yml - ROS is fine. I can sync and use the dashboard as I would expect.
I have obtained an SSL cert from Letsencrypt. I used the CertBot in standalone mode so that I did not have to install or configure Nginx. (My preference is to not install yet another tech/layer - keep it clean!)
I have the following certificates/key stored in this folder:
/etc/letsencrypt/live/data.mydomain.net/cert.pem
/etc/letsencrypt/live/data.mydomain.net/chain.pem
/etc/letsencrypt/live/data.mydomain.net/fullchain.pem
/etc/letsencrypt/live/data.mydomain.net/privkey.pem
As soon as I enable HTTPS in the configuration.yml I am unable to launch ROS.
There are no error messages written to:
/var/log/realm-object-server.log
Here is a copy of the proxy section of configuration.yml.
http:
## Whether or not to enable the HTTP proxy module. It enables multiplexing requests
## by forwarding incoming requests on a single port to all services.
# enable: true
## The address/interface on which the HTTP proxy module should listen. This defaults
## to 127.0.0.1. If you wish to listen on all available interfaces,
## uncomment the following line.
# listen_address: '::'
## The port that the HTTP proxy module should bind to.
# listen_port: 9080
https:
## Whether or not to enable the HTTPS proxy module. It enables multiplexing requests
## by forwarding incoming requests on a single port to all services.
## Note that even if it enabled, the HTTPS proxy will only start if supplied
## with a valid pair of certificates through certificate_path and private_key_path below.
enable: true
## The path to the certificate and private keys (in PEM format) that will be used
## to set up the HTTPS server accepting connections.
## These configuration options are MANDATORY to start the HTTPS proxy module.
certificate_path: '/etc/letsencrypt/live/data.mydomain.net/fullchain.pem'
private_key_path: '/etc/letsencrypt/live/data.mydomain.net/privkey.pem'
## The address/interface on which the HTTPS proxy module should listen. This defaults
## to 127.0.0.1. If you wish to listen on all available interfaces,
## uncomment the following line.
# listen_address: '::'
## The port that the HTTPS proxy module should bind to.
listen_port: 9443
As I mention. The issue appears to be that as soon as I configure HTTPS the ROS server fails to start. If I disable the HTTPS then the ROS server starts without issue.
The reason I believe ROS is failing to start is - if I attempt curl 127.0.0.1:9080 or curl 127.0.0.1:9443 from the terminal I get the message curl: (7) Failed to connect to 127.0.0.1 port 9443: Connection refused
I'd love to hear your ideas/thoughts/suggestions on how I can get this to work. Cheers. Ian

Thanks to user #Radu - the answer was Permissions.
The realm user did not have permission to read the .pem files.
I picked up the answer from this answer.
Https Proxy for Realm Object Server not working
#Radu - is the man!

Related

TURN server, TLS on port 5349 doesn't work

I've set up my turn server, and tested on IceTricklePage.
The non-secure port 3478 works just fine, I can gather a candidate with type "relay".
But with the secure port (TLS) 5349, it always failed.
The server turn:xx.xx.xx.xx:5349?transport=tcp returned an error with code=701.
Below is my turnserver.conf file:
# /etc/turnserver.conf
# STUN server port is 3478 for UDP and TCP, and 5349 for TLS.
# Allow connection on the UDP port 3478
listening-port=3478
# and 5349 for TLS (secure)
tls-listening-port=5349
external-ip= xx.xx.xx.xx
listening-ip=0.0.0.0
allow-loopback-peers
no-multicast-peers
min-port = 49152
max-port = 49365
verbose
# Require authentication
fingerprint
lt-cred-mech
# We will use the longterm authentication mechanism, but if
# you want to use the auth-secret mechanism, comment lt-cred-mech and
# uncomment use-auth-secret
# Check: https://github.com/coturn/coturn/issues/180#issuecomment-364363272
#The static auth secret needs to be changed, in this tutorial
# we'll generate a token using OpenSSL
#use-auth-secret
# static-auth-secret=replace-this-secret
# ----
# If you decide to use use-auth-secret, After saving the changes, change the auth-secret using the following command:
# sed -i "s/replace-this-secret/$(openssl rand -hex 32)/" /etc/turnserver.conf
# This will replace the replace-this-secret text on the file with the generated token using openssl.
# Specify the server name and the realm that will be used
# if is your first time configuring, just use the domain as name
server-name=turn.mydomain.com
realm=turn.mydomain.com
#
# Important:
# Create a test user if you want
# You can remove this user after testing
user=user:password
total-quota=100
stale-nonce=600
# Path to the SSL certificate and private key. In this example we will use
# the letsencrypt generated certificate files.
cert=/etc/coturn/turn_cert/turn.mydomain.com/cert.pem
pkey=/etc/coturn/turn_cert/turn.mydomain.com/privkey.pem
# Specify the allowed OpenSSL cipher list for TLS/DTLS connections
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
# Specify the process user and group
proc-user=turnserver
proc-group=turnserver
# Log file path
log-file=/var/log/turnserver.log
simple-log
#syslog
I also config my router to port-redirect any transport to public xx.xx.xx.xx:5349 to the internal server running TURN server (similar to the way I did with 3478).
Below is the config:
Anyone get an idea how to fix this? Thanks
Try telnet xx.xx.xx.xx 5349 to see whether connecting successfully or not. If you got telnet: Unable to connect to remote host: Connection refused then your network config is incorrect and need to be changed. Here is something related

How to configure jfrog Artifactory web interface to use https rather than http

I cannot find on the jfrog website a simple explanation of how to configure Artifactory to use https for the website
I thought I might have found the answer in the example system.full-template.yaml that was delivered with the new version 7.17.11 in /opt/jfrog/artifactory/var/etc
## Artifactory Tomcat connector customization on the Artifactory port
tomcat:
## Set up an HTTPS connector for artifactory. This opens a port
## in addition to the default HTTP connector. All relevant
## properties configured for the HTTP connector are applied also
## for this connector (e.g. "maxThreads")
httpsConnector:
## Enable connector with SSL/TLS
#enabled: false
## Port to use for the HTTPS connector
#port: 8443
## Certificate file to use
#certificateFile: "$JFROG_HOME/artifactory/var/etc/artifactory/security/ssl/server.crt"
## Certificate key file to use.
#certificateKeyFile: "$JFROG_HOME/artifactory/var/etc/artifactory/security/ssl/server.key"
But having tried this in a modified system.yaml with the appropriate lines uncommented and values set (see below) and our key and cert copied into the stated locations, then restarting Artifactory, I still can't connect to my Artifactory server web interface with https to port 8443
## ARTIFACTORY TEMPLATE
artifactory:
## Artifactory Tomcat connector customization on the Artifactory port
tomcat:
## Set up an HTTPS connector for artifactory. This opens a port
## in addition to the default HTTP connector. All relevant
## properties configured for the HTTP connector are applied also
## for this connector (e.g. "maxThreads")
httpsConnector:
## Enable connector with SSL/TLS - ADK
enabled: true
## Port to use for the HTTPS connector - ADK
port: 8443
## Certificate file to use - ADK
certificateFile: "$JFROG_HOME/artifactory/var/etc/artifactory/security/ssl/server.crt"
## Certificate key file to use. - ADK
certificateKeyFile: "$JFROG_HOME/artifactory/var/etc/artifactory/security/ssl/server.key"
We are using the jfrog-artifactory-cpp-ce-7.17.11-71711900.x86_64.rpm on RHEL 7
Previously on an older version we did a whole bunch of customization of the embedded tomcat delivered by Artifactory in the tomcat/conf/server.xml and tomcat/conf/web.xml files and artifactory.system.properties file.
Am I wrong in assuming that the system.yaml is supposed to be the way of configuring https now, rather than having to mess about with the delivered tomcat ?
Just found this in the tomcat catalina log
Caused by: java.lang.IllegalArgumentException: /opt/jfrog/artifactory/app/artifactory/tomcat/$JFROG_HOME/artifactory/var/etc/artifactory/security/ssl/server.key (No such file or directory)
So doesn't seem to be using just the location I put in system.yaml for the key
In the end gave up on configuring Artifactory directly and installed nginx as a reverse proxy and configured that to do the https as per https://www.jfrog.com/confluence/display/JFROG/Configuring+NGINX
This then worked for https both for the website and for Conan remote connections
I had the same problem.
If you look at the top of the file system.full-template.yaml it says this:
## NOTE: JFROG_HOME is a place holder for the JFrog root directory containing the deployed product, the home directory for all JFrog products.
## Replace JFROG_HOME with the real path!
So it looks like an environment variable, but it's not. I had to replace $JFROG_HOME with the actual path to the certificate and key files.
For example:
certificateFile: /opt/jfrog/artifactory/var/etc/artifactory/security/ssl/server.crt
certificateKeyFile: /opt/jfrog/artifactory/var/etc/artifactory/security/ssl/server.key

TURN server under proxy pass with Apache web server

I am trying to my own coturn (TURN) server. I want it to run on port 443. I have Apache already running on that port. Can i use Apache proxy pass to run TURN on port 3479, 53499 but still listening to port 443?
I am not sure how to go about this problem. Is my approach wrong?. If yes, whats the better approach
listening-port=3478
alt-listening-port=3479
tls-listening-port=5349
alt-tls-listening-port=5350
#stening-port=80
#tls-listening-port=443
listening-ip=127.0.0.1
relay-ip=127.0.0.1
external-ip=*****
realm=explain.bookmane.in
server-name=explain.bookmane.in
lt-cred-mech
userdb=/etc/turnuserdb.conf
Apparently, the latest version of COTURN, COTURN 4.5.2r3, recently released this year, and still marked as unstable, has just incorporated support for reverse proxy. I infer this from description I found in its config file: /etc/turnserver.conf
https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf
This is what it says:
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555"

Google Cloud Load Balancer - 502 - Unmanaged instance group failing health checks

I currently have an HTTPS Load Balancer setup operating with a 443 Frontend, Backend and Health Check that serves a single host nginx instance.
When navigating directly to the host via browser the page loads correctly with valid SSL certs.
When trying to access the site through the load balancer IP, I receive a 502 - Server error message. I check the Google logs and I notice "failed_to_pick_backend" errors at the load balancer. I also notice that it failing health checks.
Some digging around leads me to these two links: https://cloudplatform.googleblog.com/2015/07/Debugging-Health-Checks-in-Load-Balancing-on-Google-Compute-Engine.html
https://github.com/coreos/bugs/issues/1195
Issue #1 - Not sure if google-address-manager is running on the server
(RHEL 7). I do not see an entry for the HTTPS load balancer IP in the
routes. The Google SDK is installed. This is a Google-provided image
and if I update the IP address in the console, it also gets updated on
the host. How do I check if google-address-manager is running on
RHEL7?
[root#server]# ip route ls table local type local scope host
10.212.2.40 dev eth0 proto kernel src 10.212.2.40
127.0.0.0/8 dev lo proto kernel src 127.0.0.1
127.0.0.1 dev lo proto kernel src 127.0.0.1
Output of all google services
[root#server]# systemctl list-unit-files
google-accounts-daemon.service enabled
google-clock-skew-daemon.service enabled
google-instance-setup.service enabled
google-ip-forwarding-daemon.service enabled
google-network-setup.service enabled
google-shutdown-scripts.service enabled
google-startup-scripts.service enabled
Issue #2: Not receiving a 200 OK response. The certificate is valid
and the same on both the LB and server. When running curl against the
app server I receive this response.
root#server.com curl -I https://app-server.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
Thoughts?
You should add firewall rules for the health check service -
https://cloud.google.com/compute/docs/load-balancing/health-checks#health_check_source_ips_and_firewall_rules and make sure that your backend service listens on the load balancer ip (easiest is bind to 0.0.0.0) - this is definitely true for an internal load balancer, not sure about HTTPS with an external ip.
A couple of updates and lessons learned:
I have found out that "google-address-manager" is now deprecated and replaced by "google-ip-forward-daemon" which is running.
[root#server ~]# sudo service google-ip-forwarding-daemon status
Redirecting to /bin/systemctl status google-ip-forwarding-daemon.service
google-ip-forwarding-daemon.service - Google Compute Engine IP Forwarding Daemon
Loaded: loaded (/usr/lib/systemd/system/google-ip-forwarding-daemon.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2017-12-22 20:45:27 UTC; 17h ago
Main PID: 1150 (google_ip_forwa)
CGroup: /system.slice/google-ip-forwarding-daemon.service
└─1150 /usr/bin/python /usr/bin/google_ip_forwarding_daemon
There is an active firewall rule allowing IP ranges 130.211.0.0/22 and 35.191.0.0/16 for port 443. The target is also properly set.
Finally, the health check is currently using the default "/" path. The developers have put an authentication in front of the site during the development process. If I bypassed the SSL cert error, I received a 401 unauthorized when running curl. This was the root cause of the issue we were experiencing. To remedy, we modified nginx basic authentication configuration to disable authentication to a new route (eg. /health)
Once nginx configuration was updated and the path was updated to the new /health route at the health check, we were receivied valid 200 responses. This allowed the health check to return healthy instances and allowed the LB to pass through traffic

Yaws with SSL gives the error "SSL accept failed: timeout"

I used certbot to generate a Let's encrypt certificate for my website, but Yaws gives me an SSL accept failed: timeout error when I try to connect to it (after it times out of course). Interestingly it works when I redirect example.com to the local ip address of the server in the hosts file on my machine and connect to example.com:8080, but not when I connect to example.com without editing the hosts file or when I connect from my phone over 4G. Here's my webserver's configuration file (it is the only configuration file in conf.d):
<server www.example.com>
port = 8080
listen = 0.0.0.0
docroot = /usr/share/yaws
<ssl>
keyfile = /etc/letsencrypt/live/example.com/privkey.pem
certfile = /etc/letsencrypt/live/example.com/fullchain.pem
</ssl>
</server>
I made sure that the keyfile and the certificate are both readable by the yaws user. Next to the keyfiles is a README that contains the following:
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
So I'm relatively sure I've used the right file (the other ones gave me errors like badmatch and {tls_alert,"decrypt error"}). I also tried trivial things like writing https:// before the URL, but it didn't fix the issue, also, everything works fine when the server is running without SSL. The version of Erlang running on my server is Erlang/OTP 19. Also, if it's unclear, the domain isn't actually example.com.
Also, example.com is redirected via cname to examplecom.duckdns.org, if that matters.
UPDATE:
My server was listening on port 8080, that was forwarded from the external port 80, for https connections, when the default https port is port 443. My other mistake was connecting to http://example.com instead of https://example.com. Forwarding the external port 443 to the internal port 8443 and configuring yaws to listen on port 8443 fixed everything.
Just to be sure to understand, when you do something like curl -v https://example.com:8080, you get a timeout, that's it ? (here https protocol and port 8080 are mandatory of course)
SSL timeout during accept can be triggered when an unencrypted request is received on a SSL vhost.
Could you also provide the output of the following command:
echo -e "HEAD / HTTP/1.0\r\n\r\n" | openssl s_client -connect mysite.com:8080 -ign_eof
And finally, which version of Yaws are you running ? on which OS ?