Dspace 7.3 and HTTP

Sonia R Thompson

Nov 1, 2022, 1:45:42 PM
to DSpace Technical Support
Hello,

I have successfully installed DSpace 7.3 and migrated my SQL data to the new installation.  All my data is available and the app works great.  However,  I am struggling with the HTTPS part of the install.

Is it possible to implement HTTP only, as client access to the server will only be given to 2 internal users and I don't really need HTTPS?  I want to use 'localhost' only.

If there is anyone here who has done this, please share as much config detail as you can.

My environment is as follows.
- Windows 2019 Data Center
- Dspace 7.3
- Java JDK 17.0.4.1
- Apache Maven 3.8.6
- Apache Ant 1.10.12
- PostgreSQL 13.8
- Apache Solr 8.11.2
- Apache Tomcat 9.0.65
- Git 2.37.2.2
- Apache HTTPD 2.4.54

Front End
- Node.js 16.17.1
- Yarn 1.22.19
- PM2 5.2.0

The 2 clients accessing the server via local network will be Windows 10.

Grateful for any assistance.

Sonia

Tim Donohue

Nov 1, 2022, 2:53:55 PM
to DSpace Technical Support
Hi Sonia,

Because of how cookies work in modern web browsers (Safari, Firefox, Chrome, all of them), unfortunately it's not possible to run the DSpace v7 REST API under HTTP unless your only client is the same machine (i.e. localhost).  So, for development scenarios, many active developers do run DSpace 7 on HTTP... but that means you can only use "http://localhost" style URLs.  As soon as you want to use a different, non-localhost URL, you have to use HTTPS or else your web browser will block the cookies that the DSpace 7 REST API requires to support authentication, etc.

So, if your internal users are only accessing your site via "http://localhost:4000" (or similar) URLs, then you are fine to stay on HTTP.   But, if you need a different URL (or even an IP address) to access the site, you'll need to switch to using HTTPS.  This is a security feature of all modern web browsers, and it's there to protect your site & users on your site.

If you have more information about the problems you've run into with getting HTTPS working, it's possible someone on this list can help you find a quick solution. There are also many common installation issues we've documented the solutions to at https://wiki.lyrasis.org/display/DSDOC7x/Installing+DSpace#InstallingDSpace-CommonInstallationIssues  So, be sure to check those, as it's possible your solution will be documented there.

We also have documentation on setting up HTTPS for the backend (see step 16 of backend install) and frontend (see step 8 of frontend install) in our Installation guide: https://wiki.lyrasis.org/display/DSDOC7x/Installing+DSpace

If you have any more questions, let us know on this list.

Tim

Sonia R Thompson

Nov 17, 2022, 12:16:12 PM
to DSpace Technical Support
Hello again,

I have spent some time trying to configure HTTPS on my server with absolutely no success.  I am hoping someone can assist me with this issue.

Here are my configs for Windows Server 2019
----------------------------------------------------------------------------
local.cfg

dspace.server.url = https://myspace.xyz/server
dspace.ui.url = https://myspace.xyz
----------------------------------------------------------------------------
config.prod.yml

ui:
  ssl: false
  port: 4000
  nameSpace: /

rest:
  ssl: true
  host: localhost
  port: 443
  nameSpace: /server
----------------------------------------------------------------------------
httpd.conf

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-vhosts.conf
----------------------------------------------------------------------------
httpd-vhost.conf

<VirtualHost _default_:443>
# Setup for my virtual host

ErrorLog "${SRVROOT}/logs/error.log"
TransferLog "${SRVROOT}/logs/access.log"

SSLEngine on

SSLCertificateFile "${SRVROOT}/ssl/server.crt"
SSLCertificateKeyFile "${SRVROOT}/ssl/server.key"

# Backend
ProxyPass /server http://localhost:8080/server
ProxyPassReverse /server http://localhost:8080/server
# RequestHeader set X-Forwarded-Proto https

# Frontend
ProxyPass / http://localhost:4000
ProxyPassReverse / http://localhost:4000

</VirtualHost>
----------------------------------------------------------------------------
Now Apache2 won't start.  I checked the error.log and saw this start up error.

[Thu Nov 17 13:04:23.667292 2022] [ssl:emerg] [pid 5624:tid 480] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/Apache24/ssl/server.key)
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] AH02311: Fatal error initialising mod_ssl, exiting. See C:/Apache24/logs/error.log for more information
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] AH02564: Failed to configure encrypted (?) private key servername:443:0, check C:/Apache24/ssl/server.key
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu Nov 17 13:04:23.682918 2022] [ssl:emerg] [pid 5624:tid 480] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
AH00016: Configuration Failed

I used OpenSSL v3.0.7 to create the cert and key. Please advise on how I can fix this error.

Sonia

Michael Plate

Nov 17, 2022, 12:27:03 PM
to dspac...@googlegroups.com
Hi,

On 17.11.22 at 18:16, Sonia R Thompson wrote:
> SSLPassPhraseDialog builtin is not supported on Win32
[…]

I assume your key is protected by a password,
maybe this helps:

https://bobcares.com/blog/sslpassphrasedialog-builtin-is-not-supported-on-win32-how-we-fix-this-error/

and I have the "RequestHeader set X-Forwarded-Proto https" enabled.

CU

Michael
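
An added example, not part of Michael's reply or of the DSpace or Apache documentation: a Python check that reads the text of a PEM key file and reports whether it is passphrase-protected, the condition behind AH02577 in the log above. The sample keys are constructed placeholders, and the function names are this example's own.

```python
import re

# PEM labels OpenSSL writes for private keys -> (format, always encrypted?)
PEM_KEY_LABELS = {
    "ENCRYPTED PRIVATE KEY": ("PKCS#8", True),
    "PRIVATE KEY": ("PKCS#8", False),
    "RSA PRIVATE KEY": ("traditional RSA", False),
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_private_key(pem_text):
    """Return (format, encrypted) for the first private key block in pem_text."""
    for m in PEM_BLOCK.finditer(pem_text):
        if m.group(1) in PEM_KEY_LABELS:
            fmt, encrypted = PEM_KEY_LABELS[m.group(1)]
            # Traditional keys mark encryption with a Proc-Type header in the block.
            if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", m.group(2), re.M):
                encrypted = True
            return fmt, encrypted
    raise ValueError("no PEM private key block found")

def apache_win32_verdict(pem_text):
    """Say whether mod_ssl on Windows can load the key without a passphrase."""
    fmt, encrypted = classify_private_key(pem_text)
    if encrypted:
        return f"{fmt} key is passphrase-protected: expect AH02577 at startup"
    return f"{fmt} key is unencrypted: no passphrase dialog is needed"

# Constructed samples: real PEM labels, placeholder bodies (not usable keys).
SAMPLES = {
    "pkcs8_encrypted": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                       "UExBQ0VIT0xERVI=\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n",
    "traditional_encrypted": "-----BEGIN RSA PRIVATE KEY-----\n"
                             "Proc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                             "UExBQ0VIT0xERVI=\n"
                             "-----END RSA PRIVATE KEY-----\n",
    "pkcs8_plain": "-----BEGIN PRIVATE KEY-----\n"
                   "UExBQ0VIT0xERVI=\n"
                   "-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(name, "->", apache_win32_verdict(pem))
```
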

Sonia R Thompson

Nov 17, 2022, 2:12:57 PM
to DSpace Technical Support
Hello Michael,

Thanks for the info.  I successfully removed the passphrase on the server.key file and Apache2 successfully started.

However, when I enabled "RequestHeader set X-Forwarded-Proto https" and tried to restart Apache2, it won't start now.  I checked the error.log and I am getting the following error.

[Thu Nov 17 14:16:28.372521 2022] [ssl:warn] [pid 4220:tid 480] AH01909: servername:443:0 server certificate does NOT include an ID which matches the server name
[Thu Nov 17 14:16:28.872536 2022] [ssl:warn] [pid 4220:tid 480] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Nov 17 14:16:28.872536 2022] [ssl:warn] [pid 4220:tid 480] AH01909:  servername :443:0 server certificate does NOT include an ID which matches the server name
[Thu Nov 17 14:16:28.872536 2022] [mpm_winnt:notice] [pid 4220:tid 480] AH00455: Apache/2.4.54 (Win64) OpenSSL/1.1.1p configured -- resuming normal operations
[Thu Nov 17 14:16:28.872536 2022] [mpm_winnt:notice] [pid 4220:tid 480] AH00456: Apache Lounge VS16 Server built: Jun 22 2022 09:58:15
[Thu Nov 17 14:16:28.872536 2022] [core:notice] [pid 4220:tid 480] AH00094: Command line: 'C:\\Apache24\\bin\\httpd.exe -d C:/Apache24'
[Thu Nov 17 14:16:30.388192 2022] [mpm_winnt:notice] [pid 4220:tid 480] AH00418: Parent: Created child process 916
[Thu Nov 17 14:16:31.125950 2022] [ssl:warn] [pid 916:tid 496] AH01909:  servername :443:0 server certificate does NOT include an ID which matches the server name
[Thu Nov 17 14:16:31.500953 2022] [ssl:warn] [pid 916:tid 496] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Nov 17 14:16:31.500953 2022] [ssl:warn] [pid 916:tid 496] AH01909:  servername :443:0 server certificate does NOT include an ID which matches the server name
[Thu Nov 17 14:16:31.500953 2022] [mpm_winnt:notice] [pid 916:tid 496] AH00354: Child: Starting 64 worker threads.
[Thu Nov 17 14:19:00.488578 2022] [mpm_winnt:notice] [pid 4220:tid 480] AH00422: Parent: Received shutdown signal -- Shutting down the server.
[Thu Nov 17 14:19:30.745334 2022] [mpm_winnt:notice] [pid 4220:tid 480] AH00431: Parent: Forcing termination of child process 916

Tried searching for the resolution without success.  I am wondering if I have to redo the server.crt.

Any ideas?

Sonia

Michael Plate

Nov 18, 2022, 11:28:45 AM
to dspac...@googlegroups.com
Hi Sonia,

On 17.11.22 at 20:12, Sonia R Thompson wrote:
> servername:443:0 server certificate does NOT include an ID which matches
> the server name

this is a warning - Apache should be running (try to open the
REST backend <your-server>/server).

Anyway the name of the server in the certificate (CN) does not match the
"ServerName" directive in your Apache config, I think.

CU

Michael
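
An added example, not code from the thread or from Apache: a Python lint that flags directives whose providing module has no LoadModule line (RequestHeader comes from mod_headers) and SSL virtual hosts that set no ServerName of their own. It assumes every module is loaded through LoadModule; the sample config is constructed from the directives posted above, and a real httpd.conf may load modules that were not quoted.

```python
# Directive -> module that provides it, as named in LoadModule lines.
DIRECTIVE_MODULES = {
    "requestheader": "headers_module", "sslengine": "ssl_module",
    "proxypass": "proxy_module", "proxypassreverse": "proxy_module",
    "sslcertificatefile": "ssl_module", "sslcertificatekeyfile": "ssl_module",
}

def lint_apache_config(text):
    """Return findings for the combined httpd.conf and vhost text."""
    loaded, used, findings = set(), {}, []
    in_vhost = vhost_ssl = vhost_named = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out (inactive) directive
        word = parts[0].lower()
        if word == "loadmodule" and len(parts) > 1:
            loaded.add(parts[1])
        elif word.startswith("<virtualhost"):
            in_vhost, vhost_ssl, vhost_named = True, False, False
        elif word == "</virtualhost>":
            if vhost_ssl and not vhost_named:
                findings.append("SSL VirtualHost has no ServerName of its own")
            in_vhost = False
        elif in_vhost and word == "servername":
            vhost_named = True
        elif in_vhost and word == "sslengine":
            vhost_ssl = len(parts) > 1 and parts[1].lower() == "on"
        if word in DIRECTIVE_MODULES:
            used.setdefault(DIRECTIVE_MODULES[word], (parts[0], lineno))
    for module, (name, lineno) in sorted(used.items()):
        if module not in loaded:
            findings.append(f"line {lineno}: {name} needs {module}, but no LoadModule line loads it")
    return findings

# Constructed sample: directives from the thread, with RequestHeader enabled.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateKeyFile "${SRVROOT}/ssl/server.key"
ProxyPass /server http://localhost:8080/server
RequestHeader set X-Forwarded-Proto https
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(lint_apache_config(SAMPLE_CONF)))
```
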

Mohammad S. AlMutairi

Nov 18, 2022, 10:33:44 PM
to DSpace Technical Support
On Tuesday, November 1, 2022 at 9:53:55 PM UTC+3 Tim Donohue wrote:
> Hi Sonia,
>
> Because of how cookies work in modern web browsers (Safari, Firefox, Chrome, all of them), unfortunately it's not possible to run the DSpace v7 REST API under HTTP unless your only client is the same machine (i.e. localhost).  So, for development scenarios, many active developers do run DSpace 7 on HTTP... but that means you can only use "http://localhost" style URLs.  As soon as you want to use a different, non-localhost URL, you have to use HTTPS or else your web browser will block the cookies that the DSpace 7 REST API requires to support authentication, etc.

Hi Tim,

Have a look at this reply and check out the attached video for confirmation that it does work: https://groups.google.com/g/dspace-tech/c/UwMvhb6QWnk/m/NarpUq-yBgAJ

 Cheers

Mohammad S. AlMutairi

Nov 18, 2022, 11:04:37 PM
to DSpace Technical Support
Hi Sonia,

It is what Michael says it is, but you need to create a SAN certificate to satisfy Chromium-based browsers. To do that, just follow the steps you see below.

# I'm assuming you have installed Apache in C:\Apache24. If that's not where you installed it, you need to change the path to match yours for openssl.exe, the certificate and its key file. You might also want to change the domain names and the IP.
# If you need to tell openssl where to find its configuration file.
1) dir /s \openssl.c*
2) set "OPENSSL_CONF=C:\Apache24\conf\openssl.cnf"
3) C:\Apache24\bin\openssl.exe req -x509 -nodes -days 3650 -newkey rsa:4096 -sha256 -keyout "C:/Apache24/conf/ssl/server.key" -out "C:/Apache24/conf/ssl/server.crt" -subj "/CN=myspace.xyz" -addext "subjectAltName=DNS:myspace.xyz,DNS:www.myspace.xyz,IP:10.0.0.10"

Good luck

Mohammad S. AlMutairi

Dec 2, 2022, 10:50:07 PM
to DSpace Technical Support
2022-12-03_6-39-49.jpg