Maybe - but you need the root certificate to be in the chain. I.e., Apache has to recognize your self-signed certificate’s root as being a certificate authority. I believe that’s just moving files around and making sure Apache can read those files.
hpc4you:
Or, can I totally disable SSL?
It seems, without SSL, Job composer does not work.
We do require SSL by default, but you can add these initializers (as described in this ticket) to bypass that.
Linked ticket (label: bug; opened 09:43AM - 31 May 21 UTC, closed 02:38PM - 17 Jun 21 UTC):
After a fresh installation of OOD-2.0.9 on CentOS-7.9, I'm unable to use batch connect applications.
The navigation through the dashboard (file explorer, shell, etc.) is working well though.
But every time I try to submit a job in an interactive session, I'm getting an HTTP 422 error.
In the /var/log/ondemand-nginx/<user>/error.log, I'm seeing this error message:
```
App 19736 output: [2021-05-31 09:51:01 +0200 ] WARN "Can't verify CSRF token authenticity."
App 19736 output: [2021-05-31 09:51:01 +0200 ] INFO "method=POST path=/pun/sys/dashboard/batch_connect/sys/bc_desktop_3d/session_contexts format=html controller=BatchConnect::SessionContextsController action=create status=422 error='ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken' duration=0.73 view=0.00"
App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL ""
App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):"
App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL ""
App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "actionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:215:in `handle_unverified_request'\nactionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:247:in `handle_unverified_request'\nactionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:242:in `verify_authenticity_token'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:426:in `block in make_lambda'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:198:in `block (2 levels) in halting'\nactionpack (5.2.6) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:199:in `block in halting'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `block in invoke_before'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `each'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `invoke_before'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:131:in `run_callbacks'\nactionpack (5.2.6) lib/abstract_controller/callbacks.rb:41:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/rescue.rb:22:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'\nactivesupport (5.2.6) lib/active_support/notifications.rb:168:in `block in instrument'\nactivesupport (5.2.6) lib/active_support/notifications/instrumenter.rb:23:in `instrument'\nactivesupport (5.2.6) lib/active_support/notifications.rb:168:in `instrument'\nactionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:32:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/params_wrapper.rb:256:in `process_action'\nactionpack (5.2.6) lib/abstract_controller/base.rb:134:in `process'\nactionview (5.2.6) lib/action_view/rendering.rb:32:in `process'\nactionpack (5.2.6) lib/action_controller/metal.rb:191:in `dispatch'\nactionpack (5.2.6) 
lib/action_controller/metal.rb:252:in `dispatch'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:52:in `dispatch'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:34:in `serve'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:52:in `block in serve'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `each'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `serve'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:840:in `call'\nrack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'\nrack (2.2.3) lib/rack/etag.rb:27:in `call'\nrack (2.2.3) lib/rack/conditional_get.rb:40:in `call'\nrack (2.2.3) lib/rack/head.rb:12:in `call'\nactionpack (5.2.6) lib/action_dispatch/http/content_security_policy.rb:18:in `call'\nrack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'\nrack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/cookies.rb:670:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:98:in `run_callbacks'\nactionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'\nlograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'\nrailties (5.2.6) lib/rails/rack/logger.rb:26:in `block in call'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `block in tagged'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:28:in `tagged'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `tagged'\nrailties (5.2.6) lib/rails/rack/logger.rb:26:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'\nrequest_store (1.5.0) lib/request_store/middleware.rb:19:in `call'\nactionpack (5.2.6) 
lib/action_dispatch/middleware/request_id.rb:27:in `call'\nrack (2.2.3) lib/rack/method_override.rb:24:in `call'\nrack (2.2.3) lib/rack/runtime.rb:22:in `call'\nactivesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'\nrack (2.2.3) lib/rack/sendfile.rb:110:in `call'\nrailties (5.2.6) lib/rails/engine.rb:524:in `call'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:107:in `process_request'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:157:in `accept_and_process_next_request'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:110:in `main_loop'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'"
```
Any idea what's causing this?
I have this exact same installation with ondemand-1.8.20 and it's working fine.
Lastly - Let’s Encrypt certificates are free and work really well, so I’d also throw that out there as an option.
hpc4you (Cat Tommy), November 9, 2022, 2:39am
Many thanks, @jeff.ohrstrom
I have followed issue #1193 and finally succeeded.
I believe that SSL is a better choice.
Well, I am not sure that Let’s Encrypt works for private IP addresses and private domain names.
I would like to use Open OnDemand for teaching purposes. The students prefer clicking the mouse on the web interface to the traditional cmd line mode. The open OnDemand is awesome.
In my case, all the servers and laptops work on a private LAN. We do not have an internet connection. I am wondering if I can deploy Let’s Encrypt SSL for our servers. Or, if the SSL were a must-have, the self-signed cert would be the only choice? Sorry, this is the first time I have tried to set up an HTTP service. I am not quite familiar with TLS/SSL stuff.
By the way, restarting the HTTP server is not adequate.
Reboot the server instead.
You’d better drop all the cookies and cache for your browser, too.
hpc4you:
In my case, all the servers and laptops work on a private LAN. We do not have an internet connection. I am wondering if I can deploy Let’s Encrypt SSL for our servers. Or, if the SSL were a must-have, the self-signed cert would be the only choice? Sorry, this is the first time I have tried to set up an HTTP service. I am not quite familiar with TLS/SSL stuff.
On a private LAN where everyone (clients included) is on the LAN, plain HTTP may be OK. I wouldn’t recommend it, because someone can catch that traffic (which could include passwords).
It seems to me that you need to reach out to a system administrator or someone who can set up that certificate.
I know as a user accepting a self-signed certificate from something that’s supposed to be legitimate is off-putting. Meaning - I myself would likely not accept it and ask someone directly what’s going on.
For Let’s Encrypt - I believe you would need internet connectivity as well as a valid CNAME for your machine (which it sounds like you don’t have internet connectivity) because it generates the certificate but also validates it.
Sorry, none of them seem like good options for you. Again, I’d suggest connecting with someone else at your site who may know how to resolve this with your site's constraints.
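Added example, not part of the thread and not Open OnDemand's own tooling: on a LAN with no internet access, a small private CA is one way to meet the earlier point that the certificate's root must be recognized as a certificate authority. It assumes the `openssl` CLI; the hostname `ood.lab.internal`, the CA name and the file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: private CA for an offline LAN (all names are constructed).
set -eu
HOST="ood.lab.internal"          # hypothetical private DNS name of the web server

write_conf() {                   # explicit config, no reliance on the system openssl.cnf
  cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

make_ca() {                      # self-signed root; ca.key never goes on the web server
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/pki.cnf" \
    -extensions v3_ca -subj "/CN=Lab Teaching Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server_cert() {            # key + CSR for HOST, then a leaf signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=$HOST" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/pki.cnf" -extensions v3_srv \
    -out "$1/server.crt" 2>/dev/null
}

# True only if cert $2 chains to trust anchor $1 AND its SAN matches HOST.
chain_ok() { openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1; }

demo() {
  d=$(mktemp -d); write_conf "$d"; make_ca "$d"; issue_server_cert "$d"
  chain_ok "$d/ca.crt" "$d/server.crt" && echo "trusted: client has imported ca.crt"
  # Without ca.crt as a trust anchor (only the leaf is offered), verification fails.
  chain_ok "$d/server.crt" "$d/server.crt" || echo "untrusted: root not installed"
  rm -rf "$d"
}
demo
```

The web server is given `server.crt` and `server.key`; `ca.crt` is the file each client imports into its trust store, and `ca.key` should be kept off the server.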
hpc4you (Cat Tommy), November 14, 2022, 6:15am
Thanks, @jeff.ohrstrom.
I tried another solution.
I configured httpd only to allow access from a particular LAN. And this specific LAN is powered by a VPN tunnel.
All users should start the VPN client first. All other connections are denied.