Manually Setting Up HTTPS

[Aaron Gibson]

Setting up a local development install of BBB via vagrant. I can't use the default bbb-install.sh as it's not a public IP, so I have stepped through the install script to manually install bbb and the html5 client as well as webrtc. I have applied my self signed certificate for nginx and get get the https version of the site to work, however when I try to join via the html5 client, the URL is http and not https, when I try the https version I am asked to login again and the site blows up. Is there a location I can correct all new requests to https?

Thanks!

-Aaron.

[Chad Pilkey]

Did you follow all of the steps in the documentation for setting up HTTPS access? http://docs.bigbluebutton.org/install/install.html#configuring-ssl-on-your-bigbluebutton-server

In particular there's a section about configuring BBB to load the client as HTTPS http://docs.bigbluebutton.org/install/install.html#configure-bigbluebutton-to-load-session-via-https

[Aaron Gibson]

Thanks for the direction Chad, I have followed the docs you listed. I am seeing a 500 error and getting the following exeception:

java.lang.NullPointerException
	at org.apache.jsp.demo1_jsp.getJoinURLExtended(demo1_jsp.java:259)
	at org.apache.jsp.demo1_jsp.getJoinURL(demo1_jsp.java:182)
	at org.apache.jsp.demo1_jsp._jspService(demo1_jsp.java:1241)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Any thoughts?

[Fred Dixon]

Hi,

Can you try 

  wget -O- -q https://your host

and see if you get back the index page or an error from trying to load the SSL certificate.

Regards,... Fred

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-Setup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-s...@googlegroups.com.
To post to this group, send email to bigbluebu...@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

--

BigBlueButton Developer

http://bigbluebutton.org/

@bigbluebutton

[Aaron Gibson]

Fred,

Here is my response: 

vagrant@ubuntu-xenial:~$ wget -O- -q https:/my_host

vagrant@ubuntu-xenial:~$

Looks like I don't get back either, no error or index page. I did try a simple curl and got back this:

vagrant@ubuntu-xenial:~$ curl https://my_host

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"

 of Certificate Authority (CA) public keys (CA certs). If the default

 bundle file isn't adequate, you can specify an alternate file

 using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in

 the bundle, the certificate verification probably failed due to a

 problem with the certificate (it might be expired, or the name might

 not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use

 the -k (or --insecure) option.

vagrant@ubuntu-xenial:~$

-Aaron.

To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-setup+unsub...@googlegroups.com.

To post to this group, send email to bigbluebu...@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

[Aaron Gibson]

Also note, I added my .crt to /usr/local/share/ca-certificates/ and updated ca-certificates. I can not get an index page when loading via curl. But I still see the 500 mentioned above after a bbb-conf --restart.

Ideas?

On Monday, September 10, 2018 at 7:35:16 PM UTC-6, Fred Dixon wrote:

To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-setup+unsub...@googlegroups.com.

To post to this group, send email to bigbluebu...@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

[Chad Pilkey]

I just realized you're using a self-signed certificate. You have to add your certificate to the Java KeyStore on your server in order for tomcat to accept it. We don't have documentation for this as we don't officially support it. I think this is the right documentation for Java https://docs.microsoft.com/en-us/java/azure/java-sdk-add-certificate-ca-store?view=azure-java-stable.

[Aaron Gibson]

Chad,

I was able to import into a new keystore, how do i tell tomcat to use this new keystore? Or, should I just import into the a local system wide keystore? Where might that be?

Thanks!

-Aaron.

[Aaron Gibson]

Follow Up:

I did import into the system keystore, completed this command:

keytool -import -v -trustcacerts -alias *our_domain -file /root/certs/our_cert.crt -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -keypass  -storepass

Used the java default for keypass and storepass. The cert imported correctly reported by the keytool. I then restarted BBB and still get the same 500 error listed above. I can curl the domain and I do get back an index page per recommendations by Fred.

What should we try next?

-Aaron.

[Chad Pilkey]

I'm not really sure, sorry. I've never gone down the path of using a self-signed certificate. A different thread has a post about doing Let's Encrypt DNS validation and that should work on a private server also https://groups.google.com/d/msg/bigbluebutton-setup/Q61K4rHnpyY/2kdt_3pSBwAJ. I haven't done that myself either, but it might be something else to investigate.