Hi, I have been performing several OOD installations in different environments, but so far only over HTTP(without SSL) protocol. I’ve been testing for a few days to secure the installation in a test environment according to the : 3. Secure Apache httpd — Open OnDemand 3.0.0 documentation.
I am not getting it to work, I am using self signed certificates, but as far as I understand this should not be a problem, my configuration file looks like this:
Seems like apache doesn’t know how to route the request. Hopefully this page will help. Seems like you need to set servername for apache to correctly route your request to the OOD virtual host.
Hello! and thank you very much for your prompt reply !!!
It looks like you are right Jeff, the redirect is not performing correctly and communicating with the local Apache server (which makes sense to me due to the testing I have done on the page shown).
I am modifying the file : /etc/httpd/conf.d/ssl.conf to indicate what will be the correct redirection.
I am testing with the section that I think is necessary:
SSL Virtual Host Context
General setup for the virtual host, inherited from global configuration
DocumentRoot “/var/www/ood”
ServerName www.ood.com:443
But I can not get it to work, still waiting for an index.html (in fact if I generate it in this path is the page I get), I’m doing wrong redirection? Should I indicate a different way?
I’m not sure if you need to set any other conf file for this to behave the way you expect.
2 things:
first is settting servername in the ood_portal.yml. Bouncing httpd so that this servername writes out to the resulting conf file.
secondly is that you have to access this instance through the servername you’ve provided (www.ood.com). This is what you should be supplying in your browsers URL bar. Are you accessing through a different hostname or just using the ip?
Is it possible that the virtual host on port 443 needs to be configured by copying the one declared in “/etc/httpd/conf.d/ood-portal.conf” but using the corresponding port instead of port 80?
Hmmm… Maybe get rid of the port configurations. You should be able to just use defaults here.
No manual editing of ood-portal.conf or derivatives of it should be required. Indeed it’s not recommended to edit this file by hand and it’s definitely not required to duplicate it.
The problem comes when uncommenting the SSL lines and commenting out the one that says “ssl:null”. When I do that and generate again using the command “/opt/ood/ood-portal-generator/sbin/update_ood_portal -f”, I can see that port 443 is not configured automatically:
Yes now something changed, I seem to have some errors, but the redirection seems to do it right. I’ll keep working on this these days and see if can fix it. I will keep updating this thread if need more help related to the topic, or post the final solution in case it works. Thanks!
Hi Guys! and sorry for the delay. I have been busy with other projects instead of OOD. I seem to have made progress with the configurations proposed by Jeff and Alainvanhoof but now I’m having a problem with the self signed certificates, onces I aced to the https version of OOD I see an internal error and once I check the log what I see is :
[Mon Oct 16 08:37:30.079549 2023] [auth_openidc:error] [pid 35320:tid 140074855429888] [client 10.3.0.1:60014] oidc_util_http_call: curl_easy_perform() failed on: Telepathy - Powering Successful Brands (SSL certificate problem: self signed certificate)
[Mon Oct 16 08:37:30.079578 2023] [auth_openidc:error] [pid 35320:tid 140074855429888] [client 10.3.0.1:60014] oidc_provider_static_config: could not retrieve metadata from url: Telepathy - Powering Successful Brands
Are self-signed certificates no valid for this?
Once again thank you for your help
Hello everyone again, I have just solved the problem I was having and I would like to leave it here in case anyone else has the same problem.
If I do the configuration as indicated in the thread (no port configuration in the ood_portal.yml) the problem I was having is because of the certificate. The idea was to test this on a virtual cluster to be able to see that everything was working correctly, for this reason I have not been able to get a real certificate or using the Let’s Encrypt tool. In the end I managed to solve it by creating my own Certificate Authority and signing my own certificates. I think that for testing environments this can be very useful for anyone who wants to try it.