Problems securing OOD

Get Help
1

Hi, I have been performing several OOD installations in different environments, but so far only over HTTP(without SSL) protocol. I’ve been testing for a few days to secure the installation in a test environment according to the : 3. Secure Apache httpd — Open OnDemand 3.0.0 documentation.

I am not getting it to work, I am using self signed certificates, but as far as I understand this should not be a problem, my configuration file looks like this:

port: 80
listen_addr_port: 80
servername: www.ood.com
host_regex: “[^/]+”
node_uri: ‘/node’
rnode_uri: '/rnode
#ssl: null
ssl:

  • ‘SSLCertificateFile “/etc/pki/tls/certs/certs/ood/ood.crt”’
  • ‘SSLCertificateKeyFile “/etc/pki/tls/certs/ood/ood/ood.key”’
  • ‘SSLCertificateChainFile “/etc/pki/tls/certs/ood/ood/ood.crt”’
    dex:
    connectors:
  • type: ldap
    id: ldap
    name: OOD
    config:
    host: www.ood.com:389

But when I try to connect with https it redirects to the index page located in /var/www/html instead of accessing the OOD portal.

Any idea what could be happening?
Thank you very much in advance

2

Seems like apache doesn’t know how to route the request. Hopefully this page will help. Seems like you need to set servername for apache to correctly route your request to the OOD virtual host.

https://osc.github.io/ood-documentation/latest/how-tos/debug/debug-apache.html#show-virtualhosts

3

Hello! and thank you very much for your prompt reply !!!
It looks like you are right Jeff, the redirect is not performing correctly and communicating with the local Apache server (which makes sense to me due to the testing I have done on the page shown).

Screenshot from 2023-09-26 16-02-19
Screenshot from 2023-09-26 16-02-19969×196 36.1 KB

I am modifying the file : /etc/httpd/conf.d/ssl.conf to indicate what will be the correct redirection.
I am testing with the section that I think is necessary:

SSL Virtual Host Context

General setup for the virtual host, inherited from global configuration

DocumentRoot “/var/www/ood”
ServerName www.ood.com:443
But I can not get it to work, still waiting for an index.html (in fact if I generate it in this path is the page I get), I’m doing wrong redirection? Should I indicate a different way?

Best regards

4

I’m not sure if you need to set any other conf file for this to behave the way you expect.

2 things:

  • first is settting servername in the ood_portal.yml. Bouncing httpd so that this servername writes out to the resulting conf file.
  • secondly is that you have to access this instance through the servername you’ve provided (www.ood.com). This is what you should be supplying in your browsers URL bar. Are you accessing through a different hostname or just using the ip?
5

Everything works correctly with the address “www.ood.com” or “http://www.ood.com” when the configuration file has the section

ssl: null

This problem occurs when I add the lines with the SSL certificates so that HTTPS can be used.

6

Is it possible that the virtual host on port 443 needs to be configured by copying the one declared in “/etc/httpd/conf.d/ood-portal.conf” but using the corresponding port instead of port 80?

7

Hmmm… Maybe get rid of the port configurations. You should be able to just use defaults here.

No manual editing of ood-portal.conf or derivatives of it should be required. Indeed it’s not recommended to edit this file by hand and it’s definitely not required to duplicate it.

8

With this configuration, as I was saying, I am able to perform the access.

Screenshot from 2023-09-26 16-34-16
Screenshot from 2023-09-26 16-34-161334×867 69.9 KB

The problem comes when uncommenting the SSL lines and commenting out the one that says “ssl:null”. When I do that and generate again using the command “/opt/ood/ood-portal-generator/sbin/update_ood_portal -f”, I can see that port 443 is not configured automatically:

image
image1227×621 106 KB

So I understand that my mistake is in how I am configuring the VirtualHost 443, I don’t know if you have any idea or advice on how I should do it?

Thank you for your hep Jeff!

9

OK - looking at the template maybe you do need to specify port.

So if you specify ssl then you also need to specify the port to be 443.

port: 443
10

Yes now something changed, I seem to have some errors, but the redirection seems to do it right. I’ll keep working on this these days and see if can fix it. I will keep updating this thread if need more help related to the topic, or post the final solution in case it works. Thanks!

1 Like
11

I don’t see any mention in this threat of this command to update the apache conf when ood_portal.yaml changes:

You would then build and install the new Apache configuration file with:

sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal

12

Hi and welcome @alainvanhoof!

In more recent versions of OpenOnDemand bouncing httpd (or apache2 as the case may be) through systemd will execute this command before it restarts.

# httpd given here, but could be different for different platforms
systemctl restart httpd
13

Aha, that’s not it then.

14

Or ood_porttal.yml does not contain any port number or listen_addr just the ssl directives and that works for us.

15

This was my assumption as well - that it should just work when ssl is enabled. Good to hear it confirmed!

16

Hi Guys! and sorry for the delay. I have been busy with other projects instead of OOD. I seem to have made progress with the configurations proposed by Jeff and Alainvanhoof but now I’m having a problem with the self signed certificates, onces I aced to the https version of OOD I see an internal error and once I check the log what I see is :

[Mon Oct 16 08:37:30.079549 2023] [auth_openidc:error] [pid 35320:tid 140074855429888] [client 10.3.0.1:60014] oidc_util_http_call: curl_easy_perform() failed on: Telepathy - Powering Successful Brands (SSL certificate problem: self signed certificate)
[Mon Oct 16 08:37:30.079578 2023] [auth_openidc:error] [pid 35320:tid 140074855429888] [client 10.3.0.1:60014] oidc_provider_static_config: could not retrieve metadata from url: Telepathy - Powering Successful Brands

Are self-signed certificates no valid for this?
Once again thank you for your help

17

Hello everyone again, I have just solved the problem I was having and I would like to leave it here in case anyone else has the same problem.

If I do the configuration as indicated in the thread (no port configuration in the ood_portal.yml) the problem I was having is because of the certificate. The idea was to test this on a virtual cluster to be able to see that everything was working correctly, for this reason I have not been able to get a real certificate or using the Let’s Encrypt tool. In the end I managed to solve it by creating my own Certificate Authority and signing my own certificates. I think that for testing environments this can be very useful for anyone who wants to try it.

Best regards and thanks to all!

18

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.