Regarding ssl configuration

Hello,

I am configuring HTTPS for the Open OnDemand web portal. I have created an SSL certificate and configured it in ood-portal.yml, but I am still facing an error: the SSL certificate is secure and valid, but the site redirects to the Open OnDemand IP address. It seems to be something related to a redirect rule. I have no clue where it redirects.

Below is my ood-portal.yml file:
servername: ood.csc.uni-frankfurt.de

port: 443

ssl:
  - 'SSLCertificateFile "/etc/letsencrypt/live/ood.csc.uni-frankfurt.de/fullchain.pem"'
  - 'SSLCertificateKeyFile "/etc/letsencrypt/live/ood.csc.uni-frankfurt.de/privkey.pem"'

# Use OIDC authentication
auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

user_mapping:
oidc_remote_user_claim: uid

dex_uri: false

host_regex: '[\w.-]+.lan.csc.uni-frankfurt.de'
#host_regex: "[^/]+"
node_uri: '/node'
rnode_uri: '/rnode'

Below is the ood-portal-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName ood.csc.uni-frankfurt.de

  ErrorLog "/var/log/apache2/ood.csc.uni-frankfurt.de_error.log"
  CustomLog "/var/log/apache2/ood.csc.uni-frankfurt.de_access.log" combined

  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^(141.2.213.51(:80)?)?$ [NC]
  RewriteRule ^(.*) http://141.2.213.51:80$1 [R=301,NE,L]

  # Support maintenance page during outages of OnDemand
  RewriteEngine On
  RewriteCond /var/www/ood/public/maintenance/index.html -f
  RewriteCond /etc/ood/maintenance.enable -f
  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]

  <FilesMatch "/var/www/ood/public/maintenance/.*">
    Header Set Cache-Control "max-age=0, no-store"
  </FilesMatch>

  TraceEnable off

  Header always set Content-Security-Policy "frame-ancestors http://141.2.213.51;"

  <Directory "/var/www/ood/public/maintenance">
    RewriteCond /etc/ood/maintenance.enable !-f
    RewriteRule ^.*$ /
  </Directory>

  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
  ErrorDocument 503 /public/maintenance/index.html

  ServerAlias 141.2.213.51
  SSLCertificateFile /etc/letsencrypt/live/ood.csc.uni-frankfurt.de/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/ood.csc.uni-frankfurt.de/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Below is the error I get when I try to access the web page with SSL (ood.csc.uni-frankfurt.de):

Not Found
Invalid client_id (“141.2.213.51”).

Is there anything I have to configure apart from the ood-portal.yml file? Your help is indeed;

This is an issue with how you’ve setup OIDC.

It seems you've added the IP address to the server_aliases config? I don't see that config in your ood-portal.yml, but maybe it's still in the .conf from a previous config state? Every time you bounce apache2 we should regenerate this .conf file. If the settings from your YML aren't propagating to your .conf, then you'll have to check systemctl or journalctl for errors.

Beyond that, Invalid client_id errors are a mismatch between your Apache configuration's OIDCClientID and what you've configured for your client ID in your OIDC provider.

I don’t see any dex configurations in your YML file, but I also don’t see any OIDC configs beyond oidc_remote_user_claim, so I’m not really sure how you’re setting OIDCClientID if at all.

Hi,
Thanks for your kind response!

Below is my complete ood_portal.yml file with the OIDC configuration:
servername: ood.csc.uni-frankfurt.de

port: 443

#ssl:
#  - 'SSLCertificateFile "/etc/letsencrypt/live/ood.csc.uni-frankfurt.de/fullchain.pem"'
#  - 'SSLCertificateKeyFile "/etc/letsencrypt/live/ood.csc.uni-frankfurt.de/privkey.pem"'

#custom_vhost_directives:
#  - "RewriteEngine On"
#  - "RewriteCond %{HTTPS} !=on"
#  - "RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]"

# Use OIDC authentication
auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

user_mapping:
oidc_remote_user_claim: uid

dex_uri: false

host_regex: '[\w.-]+.lan.csc.uni-frankfurt.de'
#host_regex: "[^/]+"
node_uri: '/node'
rnode_uri: '/rnode'

apps:
  shell:
    ssh_options: "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"

dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: '10.141.204.153:389'
        insecureSkipVerify: true # or true if using self-signed certs
        insecureNoSSL: true
        bindDN: 'cn=admin,dc=cm,dc=cluster'
        bindPW: "redacted"
        userSearch:
          baseDN: 'ou=People,dc=cm,dc=cluster'
          filter: '(objectClass=posixAccount)'
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: 'ou=Groups,dc=cm,dc=cluster'
          filter: '(objectClass=posixGroup)'
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn

Could you please check the above ood_portal.yml file and suggest corrections for SSL, if there are any?

I will also share the latest ood-portal.conf with you;

Thanks again!

OK you have servername set and you appear to be using dex which should automatically populate things for you.

You don’t need to share the entire ood-portal.conf only OIDCClientID value. This should be the same as your servername.

I'd also have you confirm that all the settings you have in your ood-portal.yml propagate out to the Apache and Dex configurations. I.e., there are no errors when you bounce apache2 and/or dex.
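The two replies above boil down to three checks on the generated ood-portal.conf: OIDCClientID must equal servername, nothing in the vhost (ServerAlias, redirect targets, the CSP frame-ancestors) should point at the raw IP or at plain http, and the YAML must actually have propagated into the conf. The following is an added example, not code from this thread or from Open OnDemand, that runs those checks as a small lint over a vhost text. The hostname `ood.example.edu` and the IP `192.0.2.10` are placeholders, and both vhost texts are constructed here to mirror the broken and the corrected state; to use it on a real system, read `/etc/ood/apache/ood-portal.conf` (or the certbot-generated `-le-ssl.conf`) into the `lint` function instead.

```python
"""Added example (not from this thread, and not part of Open OnDemand): a small
lint pass over a generated ood-portal.conf for the three symptoms discussed
above. It flags an OIDCClientID that differs from ServerName, a ServerAlias or
RewriteRule target that is a raw IP or plain http, and a Content-Security-Policy
frame-ancestors that does not match ServerName. The two vhost texts below are
constructed for illustration (example hostname and a documentation-range IP)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ABS_URL = re.compile(r"^https?://([^/:]+)")

# Constructed vhost mirroring the broken state: alias, redirect, CSP and client id use the IP.
BROKEN_CONF = """
<VirtualHost *:443>
  ServerName ood.example.edu
  ServerAlias 192.0.2.10
  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^(192.0.2.10(:80)?)?$ [NC]
  RewriteRule ^(.*) http://192.0.2.10:80$1 [R=301,NE,L]
  Header always set Content-Security-Policy "frame-ancestors http://192.0.2.10;"
  OIDCClientID 192.0.2.10
  RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
</VirtualHost>
"""

# Constructed vhost in the state the replies describe: everything keyed on ServerName.
FIXED_CONF = """
<VirtualHost *:443>
  ServerName ood.example.edu
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  Header always set Content-Security-Policy "frame-ancestors https://ood.example.edu;"
  OIDCClientID ood.example.edu
  RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
</VirtualHost>
"""


@dataclass
class VhostFacts:
    server_name: str | None = None
    aliases: list[str] = field(default_factory=list)
    oidc_client_id: str | None = None
    redirect_targets: list[str] = field(default_factory=list)
    frame_ancestors: list[str] = field(default_factory=list)


def parse_vhost(conf: str) -> VhostFacts:
    """Collect only the directives the lint cares about; everything else is skipped."""
    facts = VhostFacts()
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0]
        if directive == "ServerName" and len(parts) > 1:
            facts.server_name = parts[1]
        elif directive == "ServerAlias":
            facts.aliases.extend(parts[1:])
        elif directive == "OIDCClientID" and len(parts) > 1:
            facts.oidc_client_id = parts[1].strip('"')
        elif directive == "RewriteRule" and len(parts) > 2:
            facts.redirect_targets.append(parts[2])   # substitution/target field
        elif directive == "Header" and "Content-Security-Policy" in raw:
            m = re.search(r"frame-ancestors\s+([^;\"']+)", raw)
            if m:
                facts.frame_ancestors = m.group(1).split()
    return facts


def lint(conf: str) -> list[str]:
    """Return human-readable findings; an empty list means the vhost passes."""
    f = parse_vhost(conf)
    findings: list[str] = []
    if f.server_name is None:
        return ["no ServerName in vhost"]
    if f.oidc_client_id is not None and f.oidc_client_id != f.server_name:
        findings.append(f"OIDCClientID {f.oidc_client_id!r} != ServerName {f.server_name!r}")
    for alias in f.aliases:
        if IPV4.match(alias):
            findings.append(f"ServerAlias is a raw IP: {alias}")
    for target in f.redirect_targets:
        m = ABS_URL.match(target)
        if m is None:          # relative target (e.g. the maintenance page) is fine
            continue
        host = m.group(1)
        if target.startswith("http://"):
            findings.append(f"RewriteRule redirects to plain http: {target}")
        if IPV4.match(host) or host not in (f.server_name, "%{SERVER_NAME}", "%{HTTP_HOST}"):
            findings.append(f"RewriteRule redirects away from ServerName: {target}")
    for src in f.frame_ancestors:
        m = ABS_URL.match(src)
        if m and (IPV4.match(m.group(1)) or m.group(1) != f.server_name):
            findings.append(f"CSP frame-ancestors does not match ServerName: {src}")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or "OK")
```

On the constructed broken vhost the lint reports five findings (client id mismatch, IP alias, plain-http redirect, redirect away from ServerName, IP in frame-ancestors); on the corrected vhost it reports none. Running it after every `systemctl restart apache2` is a quick way to confirm that a stale `.conf` from an earlier configuration state has not survived the regeneration the replies describe.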

Hi,
I have resolved the SSL issue. I re-installed Let's Encrypt with the "certbot only" option. It worked pretty well and it didn't redirect to the IP address.

Many thanks for your continuous support!

Best Regards,
Hariharan