Re: [semanticturkey-user] Help with running Semantic Turkey 12.1 on https


Manuel Fiorelli

Jul 30, 2024, 1:19:15 PM
to Bruno Almeida, semantict...@googlegroups.com
Hi Bruno,

Sorry for the late reply.
When I need to install VocBench using HTTPS and Let's Encrypt (which is quite common nowadays), I usually implement HTTPS on a reverse proxy (like Nginx or Apache) and then let this communicate with VocBench locally using plain HTTP.
This configuration may introduce some overhead, but I think it's easier in the end, especially since in your case you have a domain dedicated to VocBench and you're already using Apache to get a certificate from Let's Encrypt (and probably Apache is already bound to the standard port for HTTPS). You may need to learn a bit about proxying in Apache, which is a matter of a few directives.

Manuel


On Mon, Jul 1, 2024 at 1:07 PM Bruno Almeida <brunoa...@fcsh.unl.pt> wrote:
Dear ST users,

I'm having trouble running ST on https in our VocBench 12.1 installation with OpenJDK 17.0.11: https://vocbench.rossio.fcsh.unl.pt. Any help would be greatly appreciated.

ST is running via the 1979 port, and the VocBench application is running through Apache via the 443 port. I got a certificate for the site through certbot/Let's Encrypt. With the change from Karaf to Spring Boot, it seems we no longer have to convert PEM certificates to JKS or P12. I just added the following to the default application.yml file:

server:
  ssl:
    certificate: /etc/letsencrypt/live/vocbench.rossio.fcsh.unl.pt/fullchain.pem
    certificate-private-key: /etc/letsencrypt/live/vocbench.rossio.fcsh.unl.pt/privkey.pem
    port: 1979

On Chrome it seems to work fine, but on Firefox users have to set security.ssl.enable_ocsp_must_staple to False in about:config, otherwise they get "Connection with ST server (https://vocbench.rossio.fcsh.unl.pt:1979) has failed; please check your internet connection". 

Earlier today I tried force-renewing the certificate with "must-staple = False" in the letsencrypt config file (cli.ini), but the problem persists. I suspect I'm missing some Java option for running ST with support for OCSP stapling. There seems to be a difference between how the certificate is set up in Apache and ST. The output of "openssl s_client -connect vocbench.rossio.fcsh.unl.pt:443 -status" includes:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response


while the output of "openssl s_client -connect vocbench.rossio.fcsh.unl.pt:1979 -status" just shows:

OCSP response: no response sent


To view this discussion on the web visit https://groups.google.com/d/msgid/semanticturkey-user/38edb0d4-d20c-4126-9a5e-7d1cacb71850n%40googlegroups.com.


--
Manuel Fiorelli
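Added example (not from this thread or the VocBench/Semantic Turkey projects) of the reverse-proxy layout Manuel describes, as an Apache virtual host: TLS and OCSP stapling are handled by Apache with the Let's Encrypt files Bruno already has, and Semantic Turkey is reached over plain HTTP on loopback, so no Java-side stapling support is needed. Assumptions: ST serves its API under the path prefix /semanticturkey/, the modules mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_socache_shmcb are enabled, and the VocBench front-end is reconfigured to call the proxied URL instead of port 1979.

```apache
# Global scope (outside any <VirtualHost>): a stapling cache is mandatory
# for SSLUseStapling. Path is relative to ServerRoot.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName vocbench.rossio.fcsh.unl.pt

    # Same PEM files certbot already maintains; no JKS/P12 conversion.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/vocbench.rossio.fcsh.unl.pt/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vocbench.rossio.fcsh.unl.pt/privkey.pem

    # Apache fetches and caches the OCSP response itself, so a certificate
    # carrying the Must-Staple extension is accepted by Firefox as well.
    SSLUseStapling on

    # Keep the existing directives that serve the VocBench front-end
    # (DocumentRoot etc.) here; they are unchanged.

    # Semantic Turkey: TLS terminates here, traffic continues over plain
    # HTTP to ST on the loopback interface only. Path prefix is an assumption.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        /semanticturkey/ http://127.0.0.1:1979/semanticturkey/
    ProxyPassReverse /semanticturkey/ http://127.0.0.1:1979/semanticturkey/
</VirtualHost>
```

On the ST side the server.ssl block in application.yml is removed and server.address: 127.0.0.1 is added, so the plain-HTTP listener on 1979 is reachable only from the proxy and not from the Internet. Setting server.forward-headers-strategy: native lets Spring Boot build https URLs from the X-Forwarded-Proto header above.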