SSL problems


Jorge Alberto Bonilla Castaneda

Mar 17, 2023, 10:58:41 AM
to DSpace Technical Support
SSL issues

Good morning. When I hosted my DSpace 7.4 on the web, I realized that it is not possible to use the front-end if the back-end does not have a secure certificate.

At the moment we can't get this certificate, but to continue with the implementation and configuration I wanted to use a self-generated certificate. So, in a local copy of the machine in the cloud, I started trying: generating the certificate with keytool and making the modifications to the URLs in dspace.cfg and config.prod.yml.

Well, now my back-end was using port 8443.
[Attached image: cer.png]

However, the front-end gave me the following error:
[Attached image: er.png]

What could I be doing wrong? Is it because it is a self-generated certificate?

mmsz

Mar 17, 2023, 1:43:21 PM
to DSpace Technical Support
The Common Name (CN) in your certificate should mention the domain of the server it is issued for. In the case of e.g. 'localhost', the CN should be 'localhost'. In your case, it should be the IP address 172.16.97.48.

Jorge Alberto Bonilla Castaneda

Mar 17, 2023, 4:23:31 PM
to DSpace Technical Support

Hello, thanks for your answer, but even making that change, it still fails. Could it be that using self-generated insurance certificates is not correct?
[Attached image: Captura de pantalla 2023-03-17 142145.png]

Mohammad S. AlMutairi

Mar 17, 2023, 6:37:26 PM
to DSpace Technical Support
You don't need to use a self-signed certificate to continue your implementation (you can use it but you don't have to). Recent DSpace versions are forgiving. You can configure both DSpace ends using domain names (over http) or IPs, which includes private or public IPs, without SSL, and DSpace still works.

*** You need to stop the Webserver and have port 80 and 8443 publicly accessible for this to work. ***
** dspace.cfg or local.cfg
dspace.server.url = http://server-public-ip:8443/server
dspace.ui.url = http://server-public-ip

** config.prod.yml
ui:
  ssl: false
  host: server-private-ip
  port: 80

rest:
  ssl: false
  host: server-public-ip
  port: 8080
  nameSpace: /server

1) yarn test:rest
2) yarn start:prod
3) Access DSpace at http://server-public-ip


The above setup should keep you going till you get your public cert, but if you still need to get the self-signed cert working you need to post the OS and the webserver you are using. Posting the reverse proxy will help.

Mo.

Jorge Alberto Bonilla Castaneda

Mar 20, 2023, 9:29:09 AM
to DSpace Technical Support
Good morning,

Well, that configuration works for me when we talk about a local network, but when that configuration is used on servers hosted in the cloud, the front-end stops working.

verify that the required addresses are publicly accessible:
http://150.136.129.10:8983/solr/#/
http://150.136.129.10:8080/server/#/server/api

But the front end keeps giving the same error:
http://150.136.129.10/

[Attached image: Sin título.png]
And my configuration is the following:

[Attached image: Captura de pantalla 2023-03-20 072614.png]
What could it be?

Jorge Alberto Bonilla Castaneda

Mar 20, 2023, 9:52:17 AM
to DSpace Technical Support
I would also add that the front-end log shows me this error:

[Attached image: Captura de pantalla 2023-03-20 075206.png]

Mohammad S. AlMutairi

Mar 20, 2023, 10:42:33 AM
to DSpace Technical Support
Good Morning,

I think the public access to your server is NATed from the public IP (150.136.129.10) to the server's private IP address (unknown). You have to find out the frontend server's private IP address and use it, or as an alternative you can use 0.0.0.0 instead to have the service run on every adapter on the frontend server. Try the setup you see below. (You have to make sure no other service, such as Apache or Nginx, is running on port 80, so stop the webserver if it's running.)

ui:
  ssl: false
  #host: server-private-ip-address
  host: 0.0.0.0
  port: 4000
  nameSpace: /
  useProxies: true

rest:
  ssl: false
  host: 150.136.129.10
  port: 8080
  nameSpace: /server

** Make sure Tomcat port 8080 does match the real port Tomcat is running on. You can find out which one is used by running (ss -nlp | grep ":8443\|:8080")

Mo.
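
Added example (not part of the thread or of DSpace itself): a listener can only bind to an address assigned to the machine, which is why a NATed public IP fails as `ui.host` while 0.0.0.0 works, as the reply above suspects. This Python sketch tests that and flags what 0.0.0.0 and `ssl: false` expose; the function names and config dictionaries are constructed for illustration, and only IPv4 literals are handled.

```python
import errno
import socket

def classify_bind_host(host):
    """Classify an IPv4 literal the way a listener configured with it would see it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, 0))  # port 0 = any free port; only the address is tested
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:
                return "not-local"  # e.g. a public IP that NAT maps to this host
            raise
    return "all-interfaces" if host == "0.0.0.0" else "local"

def review(config):
    """Return findings for a dict shaped like the ui/rest sections of config.prod.yml."""
    findings = []
    ui_host = config["ui"]["host"]
    kind = classify_bind_host(ui_host)
    if kind == "not-local":
        findings.append(f"ui.host {ui_host} is not assigned to this machine; the UI cannot listen on it")
    elif kind == "all-interfaces":
        findings.append("ui.host 0.0.0.0 listens on every interface; limit exposure with firewall rules")
    for name in ("ui", "rest"):
        if not config[name]["ssl"]:
            findings.append(f"{name}.ssl is false; this traffic is unencrypted HTTP")
    return findings

# Constructed configs (assumption): UI bound to the NATed public IP, then to 0.0.0.0.
REST = {"ssl": False, "host": "150.136.129.10", "port": 8080, "nameSpace": "/server"}
NAT_CONFIG = {"ui": {"ssl": False, "host": "150.136.129.10", "port": 80}, "rest": REST}
FIXED_CONFIG = {"ui": {"ssl": False, "host": "0.0.0.0", "port": 80}, "rest": REST}

if __name__ == "__main__":
    for label, cfg in (("NAT_CONFIG", NAT_CONFIG), ("FIXED_CONFIG", FIXED_CONFIG)):
        print(label)
        for finding in review(cfg):
            print("  -", finding)
```

Run it on the front-end server itself, since the result depends on that machine's own interfaces.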

Mohammad S. AlMutairi

Mar 20, 2023, 10:44:12 AM
to DSpace Technical Support
Correction: port: 4000 should be port: 80

Jorge Alberto Bonilla Castaneda

Mar 20, 2023, 11:47:43 AM
to DSpace Technical Support
It worked!

Thank you very much, I changed the IP to 0.0.0.0 in the .json of the front-end and it worked.

Mohammad S. AlMutairi

Mar 20, 2023, 12:32:33 PM
to DSpace Technical Support
You're most welcome. You could've used Let's Encrypt or the self-signed certs; doing so will save you some extra work at a later time if your current implementation involves ingesting items or anything that relies on the DSpace naming. (What I mean by that is you might need to replace http://150.136.129.10 back to the real domain name https://example.net in the database.)

Cheers,

Mo.
