Hi, I have been performing several OOD installations in different environments, but so far only over HTTP(without SSL) protocol. I’ve been testing for a few days to secure the installation in a test environment according to the : 3. Secure Apache httpd — Open OnDemand 3.0.0 documentation.
I am not getting it to work, I am using self signed certificates, but as far as I understand this should not be a problem, my configuration file looks like this:
- ‘SSLCertificateFile “/etc/pki/tls/certs/certs/ood/ood.crt”’
- ‘SSLCertificateKeyFile “/etc/pki/tls/certs/ood/ood/ood.key”’
- ‘SSLCertificateChainFile “/etc/pki/tls/certs/ood/ood/ood.crt”’
- type: ldap
But when I try to connect with https it redirects to the index page located in /var/www/html instead of accessing the OOD portal.
Any idea what could be happening?
Thank you very much in advance
Seems like apache doesn’t know how to route the request. Hopefully this page will help. Seems like you need to set
servername for apache to correctly route your request to the OOD virtual host.
Hello! and thank you very much for your prompt reply !!!
It looks like you are right Jeff, the redirect is not performing correctly and communicating with the local Apache server (which makes sense to me due to the testing I have done on the page shown).
I am modifying the file : /etc/httpd/conf.d/ssl.conf to indicate what will be the correct redirection.
I am testing with the section that I think is necessary:
SSL Virtual Host Context
General setup for the virtual host, inherited from global configuration
But I can not get it to work, still waiting for an index.html (in fact if I generate it in this path is the page I get), I’m doing wrong redirection? Should I indicate a different way?
I’m not sure if you need to set any other
conf file for this to behave the way you expect.
- first is settting
servername in the
ood_portal.yml. Bouncing httpd so that this servername writes out to the resulting conf file.
- secondly is that you have to access this instance through the
servername you’ve provided (
www.ood.com). This is what you should be supplying in your browsers URL bar. Are you accessing through a different hostname or just using the ip?
Everything works correctly with the address “www.ood.com” or “http://www.ood.com” when the configuration file has the section
This problem occurs when I add the lines with the SSL certificates so that HTTPS can be used.
Is it possible that the virtual host on port 443 needs to be configured by copying the one declared in “/etc/httpd/conf.d/ood-portal.conf” but using the corresponding port instead of port 80?
Hmmm… Maybe get rid of the port configurations. You should be able to just use defaults here.
No manual editing of
ood-portal.conf or derivatives of it should be required. Indeed it’s not recommended to edit this file by hand and it’s definitely not required to duplicate it.
With this configuration, as I was saying, I am able to perform the access.
The problem comes when uncommenting the SSL lines and commenting out the one that says “ssl:null”. When I do that and generate again using the command “/opt/ood/ood-portal-generator/sbin/update_ood_portal -f”, I can see that port 443 is not configured automatically:
So I understand that my mistake is in how I am configuring the VirtualHost 443, I don’t know if you have any idea or advice on how I should do it?
Thank you for your hep Jeff!
OK - looking at the template maybe you do need to specify
So if you specify
ssl then you also need to specify the port to be 443.
Yes now something changed, I seem to have some errors, but the redirection seems to do it right. I’ll keep working on this these days and see if can fix it. I will keep updating this thread if need more help related to the topic, or post the final solution in case it works. Thanks!
I don’t see any mention in this threat of this command to update the apache conf when ood_portal.yaml changes:
You would then build and install the new Apache configuration file with:
Hi and welcome @alainvanhoof!
In more recent versions of OpenOnDemand bouncing httpd (or apache2 as the case may be) through systemd will execute this command before it restarts.
# httpd given here, but could be different for different platforms
systemctl restart httpd
Or ood_porttal.yml does not contain any port number or listen_addr just the ssl directives and that works for us.
This was my assumption as well - that it should just work when ssl is enabled. Good to hear it confirmed!
Hi Guys! and sorry for the delay. I have been busy with other projects instead of OOD. I seem to have made progress with the configurations proposed by Jeff and Alainvanhoof but now I’m having a problem with the self signed certificates, onces I aced to the https version of OOD I see an internal error and once I check the log what I see is :
[Mon Oct 16 08:37:30.079549 2023] [auth_openidc:error] [pid 35320:tid 140074855429888] [client 10.3.0.1:60014] oidc_util_http_call: curl_easy_perform() failed on: Telepathy - Powering Successful Brands (SSL certificate problem: self signed certificate)
[Mon Oct 16 08:37:30.079578 2023] [auth_openidc:error] [pid 35320:tid 140074855429888] [client 10.3.0.1:60014] oidc_provider_static_config: could not retrieve metadata from url: Telepathy - Powering Successful Brands
Are self-signed certificates no valid for this?
Once again thank you for your help
Hello everyone again, I have just solved the problem I was having and I would like to leave it here in case anyone else has the same problem.
If I do the configuration as indicated in the thread (no port configuration in the ood_portal.yml) the problem I was having is because of the certificate. The idea was to test this on a virtual cluster to be able to see that everything was working correctly, for this reason I have not been able to get a real certificate or using the Let’s Encrypt tool. In the end I managed to solve it by creating my own Certificate Authority and signing my own certificates. I think that for testing environments this can be very useful for anyone who wants to try it.
Best regards and thanks to all!