Problem getting started

davide-q · March 6, 2023, 4:29pm

I installed OOD v2.0.31 on my RH8.7 system following the documentation at Installation — Open OnDemand 2.0.20 documentation
I will need to enable LDAP, but I started without it as a first step. I configured SSL with self-signed certificate and selected port 8443. Other than that, this is plain vanilla install. SELinux is not enabled.

Now, almost nothing works and I’m very confused. First, the port I selected isn’t honored:

$ wget localhost:8443/.well-known/openid-configuration
--2023-03-02 06:55:57--  http://localhost:8443/.well-known/openid-configuration
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:8443... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:8443... failed: Connection refused.

however the default port is somewhat responding

$ wget localhost:5556/.well-known/openid-configuration
--2023-03-02 06:56:09--  http://localhost:5556/.well-known/openid-configuration
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:5556... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1146 (1.1K) [application/json]
Saving to: ‘openid-configuration’

openid-configuration                                100%[=================================================================================================================>]   1.12K  --.-KB/s    in 0s

2023-03-02 06:56:09 (311 MB/s) - ‘openid-configuration’ saved [1146/1146]

But almost everything (besides the openid-configuration) is a 404

$ wget localhost:5556
--2023-03-02 06:51:49--  http://localhost:5556/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:5556... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-03-02 06:51:49 ERROR 404: Not Found.

$ wget localhost:5556/pun/sys/dashboard
--2023-03-03 16:59:42--  http://localhost:5556/pun/sys/dashboard
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:5556... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-03-03 16:59:42 ERROR 404: Not Found.

Again, this is out of the box install and system starting, with minimal changes to the default as follows

 grep -v '^#' /etc/ood/config/ood_portal.yml | grep -v '^ *$'
---
port: 8443
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"'
auth:
  - 'AuthType Basic'
  - 'Require valid-user'

Any clues on what may be wrong? I triple checked everything and could not figure out anything that I did differently than what the documentation says.

Thanks a lot in advance!

jeff.ohrstrom · March 6, 2023, 6:05pm

I would try to get rid of your auth section in ood_portal.yml. You’ll also need to supply the servername as either the IP or the hostname of the machine (hostname is better). Whichever you use for servername you need to use that address in your webbrowser to, otherwise apache won’t route requests correctly. You’ll also need to supply listen_addr_port: 8443 when changing the ports from non-standard ports (that’s why you have the original connection refused).

After that I would go ahead and setup LDAP as best you can. At least get it to connect to your LDAP and attempt to pull records. This should at least get you to a point where you’re being redirected to Dex correctly even if it can’t pull records correctly.

When you have self signed certificates you’ll need be sure that Dex knows about the root certificate as well. That is be sure to copy the root certificate(s) into /etc/ood/dex.

Once you have that, you can check /var/log/httpd/*error* logs for any errors when you try to connect.

davide-q · March 6, 2023, 11:36pm

Thank you very much, really appreciated. That did not make a bit of a difference, though. I even tried to remove everything (but the IP number – the host does not have a DNS entry) for a test – no difference. I now suspect that everything is being ignored (yes, I’m running systemctl restart ondemand-dex.service && systemctl restart httpd after each change) because as you can see above the connection is established as HTTP not HTTPS and if I force wget to do HTTPS it will fail with An unexpected TLS packet was received

Are you saying that I should do that first? I wanted to see at least a login screen before diving into that… to make sure what I have so far is working.

Yeah, I had looked into there and the only think are warnings about that, but they are warnings, not failures. Nothing indicates something completely broken as it appears to be.

jeff.ohrstrom · March 7, 2023, 3:10pm

OK - scratch the LDAP stuff, here’s what you should need as a baseline to get this to work.

---
port: 8443
listen_addr_port: 8443
servername: 'some.ip.address'
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"'

With this configuration directly - you should be able to connect to apache and get some errors around self signed certificates.

This is because apache won’t have any way to verify that Dex’s certificate isn’t from the same certification. You’ll need to generate a Certificate Authority and generate these keys & certificates from that certificate authority.

You can see how we do this in these containers here for an example (note that you likely want to avoid localhost - that’s needed for containers, but is actually very problematic for servers).

github.com

ubccr/hpc-toolset-tutorial/blob/bdee95162be7e9d549c8798726cab73d6f9a611b/base/install.sh#L151


      
          if [[ "${ARCHTYPE}" = "x86_64" ]]; then
              wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-amd64"
          elif [[ "${ARCHTYPE}" = "aarch64" ]]; then
              wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-arm64"
          fi
          chmod +x /usr/local/bin/gosu
          gosu nobody true
          
          
log_info "Creating self-signed ssl certs.."
          # Generate CA
          openssl genrsa -out /etc/pki/tls/ca.key 4096
          openssl req -new -x509 -days 3650 -sha256 -key /etc/pki/tls/ca.key -extensions v3_ca -out /etc/pki/tls/ca.crt -subj "/CN=fake-ca"
          # Generate certificate request
          openssl genrsa -out /etc/pki/tls/private/localhost.key 2048
          openssl req -new -sha256 -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.csr -subj "/C=US/ST=NY/O=HPC Tutorial/CN=localhost"
          # Config for signing cert
          cat > /etc/pki/tls/localhost.ext << EOF
          authorityKeyIdentifier=keyid,issuer
          basicConstraints=CA:FALSE
          keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
          subjectAltName = DNS:localhost

davide-q · March 10, 2023, 5:30pm

Thank you Jeff, that helped me getting going. However I had to really make a DNS entry for this server (which I wanted to avoid) because otherwise there were too many ways to fail.

In the end I was unable to make OOD working with a IP number and self-signed certificate. Perhaps there is a way to do that, but getting a name for the server has been my solution.

The only additional things I did (compared to what you say and what the documentation mentions) is running /opt/ood/ood-portal-generator/sbin/update_ood_portal right before (re)starting the services.

Now off to LDAP configuration!

system · September 6, 2023, 5:31pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Self-signed certificates Get Help ondemand2 , question	3	236	August 27, 2023
Error logging into the web portal after enabling apache2 SSL Get Help ondemand2 , question	4	251	January 30, 2023
Problems securing OOD Get Help	17	293	April 15, 2024
Trouble installing SSL cert Get Help	5	1229	May 26, 2022
Getting started, after initial OOD installations Get Help	14	576	October 4, 2023

Problem getting started

Related Topics