Thank you, Mohammad! I added an entry to /etc/hosts and it does appear to
work.

(I also tried your /etc/environment suggestion, but still got the 'unable
to verify the first certificate' error.)

Thanks again, I really appreciate your help.

Sean
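
The broken-chain diagnosis quoted further down this thread is read off two `openssl s_client` verify codes (20 and 21). As an added example, not part of any message in the thread, the shell function below classifies saved `s_client` output; the sample inputs are constructed (the first is abridged from the output quoted in the thread, the second uses hypothetical names) and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: classify saved `openssl s_client -connect host:443` output.
# diagnose_chain reads stdin and prints "<certs sent by server> <verdict>".
diagnose_chain() {
    awk '
        /^verify error:num=/ { split($0, f, /[=:]/); err[f[3]] = 1; n++ }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sent++ }   # one "N s:<subject>" line per cert sent
        END {
            if (21 in err)      v = "missing-intermediate"  # lone leaf, not self-signed
            else if (20 in err) v = "issuer-not-found"      # issuer neither sent nor local
            else if ((18 in err) || (19 in err)) v = "self-signed"
            else if (n)         v = "other-error"
            else                v = "ok"
            printf "%d %s\n", sent, v
        }'
}

# Constructed sample, abridged from the output quoted in this thread.
sample_leaf_only() { cat <<'EOF'
depth=0 O = Durban University of Technology, OU = ITSS, CN = *.dut.ac.za
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:O = Durban University of Technology, OU = ITSS, CN = *.dut.ac.za
   i:O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
---
EOF
}

# Constructed sample (hypothetical names): leaf plus intermediate, no errors.
sample_full_chain() { cat <<'EOF'
depth=1 CN = Example Intermediate CA
verify return:1
depth=0 CN = www.example.org
verify return:1
---
Certificate chain
 0 s:CN = www.example.org
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
EOF
}

sample_leaf_only | diagnose_chain
sample_full_chain | diagnose_chain
```

OpenSSL raises code 21 when the peer presented a single certificate that is not self-signed, so a `missing-intermediate` verdict points at whatever terminates TLS not serving the intermediate certificate.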

On Sat, 9 Jul 2022 at 06:06, Mohammad S. AlMutairi <[email protected]> wrote:

> If your Apache SSL configuration is correct you can force the NodeJS and
> the starting of the service later to access crdb.dut.ac.za directly using
> the server local IP instead of going through the Public-IP/F5. You can do it
> by adding an entry into /etc/hosts for the server private IP address. The
> other way of overcoming this issue is by skipping the /etc/hosts file entry
> and doing the steps you see below:
>
> A) echo "export NODE_EXTRA_CA_CERTS=/etc/certs/crdb.dut.ac.za/cert.pem" >> /etc/environment
> B) source /etc/environment
> C) yarn test:rest
>
> Good luck
> On Friday, July 8, 2022 at 12:24:41 PM UTC+3 [email protected] wrote:
>
>> Ah, but wait, I remembered the chain of events that led to me installing
>> the cert, whose chain is broken:
>>
>> The F5 firewall seems to provide certification through its wildcard
>> certificate. So if you visit our current DSpace-CRIS 5 repository at
>> https://openscholar.dut.ac.za/  and check the connection security for
>> that site, you will see that it is verified by Sectigo Ltd. However, on
>> that server, I'm using a self-signed certificate. (It used to be
>> LetsEncrypt before the F5.)
>>
>> /etc/apache2/sites-enabled/default-ssl.conf
>>                 SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
>>                 SSLCertificateKeyFile   /etc/ssl/private/apache-selfsigned.key
>>
>> That didn't work for DSpace 7 (I forget the exact error, but I suspect it
>> was the verification error). So I requested the certificate from the IT
>> admin, and installed that.
>>
>> But it seems as though that doesn't even get seen by openssl s_client ...
>>
>> For comparison, if I run
>> openssl s_client -connect openscholar.dut.ac.za:443
>>
>> I get a similar error: Verification error: unable to verify the first
>> certificate.
>>
>> I'm really out of my depth here and not sure who or where to seek help.
>> All I know is that I can get this working unless it's behind the F5. But
>> then, in that case, I'm using LetsEncrypt.
>>
>> Sean
>>
>> On Thu, 7 Jul 2022 at 16:11, Sean Carte <[email protected]> wrote:
>>
>>> Thanks, Michael. That's useful. I'll follow up with our IT department.
>>>
>>> Sean
>>>
>>> On Thu, 7 Jul 2022 at 10:23, Plate, Michael <
>>> [email protected]> wrote:
>>>
>>>> Hi Sean,
>>>>
>>>> your certificate chain is broken:
>>>>
>>>> openssl s_client -connect crdb.dut.ac.za:443
>>>>
>>>> CONNECTED(00000003)
>>>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban,
>>>> street = Overport, street = 7 Ritson Road, O = Durban University of
>>>> Technology, OU = ITSS, CN = *.dut.ac.za
>>>> verify error:num=20:unable to get local issuer certificate
>>>> verify return:1
>>>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban,
>>>> street = Overport, street = 7 Ritson Road, O = Durban University of
>>>> Technology, OU = ITSS, CN = *.dut.ac.za
>>>> verify error:num=21:unable to verify the first certificate
>>>> verify return:1
>>>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban,
>>>> street = Overport, street = 7 Ritson Road, O = Durban University of
>>>> Technology, OU = ITSS, CN = *.dut.ac.za
>>>> verify return:1
>>>> ---
>>>> Certificate chain
>>>>  0 s:C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street
>>>> = Overport, street = 7 Ritson Road, O = Durban University of Technology, OU
>>>> = ITSS, CN = *.dut.ac.za
>>>>    i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
>>>> CN = Sectigo RSA Organization Validation Secure Server CA
>>>> ---
>>>> […]
>>>>
>>>> Browsers accept this, other programs are more picky about chain order.
>>>> If you can't get around it, try letsencrypt and install certbot (it's
>>>> in Debian packages, no need for snap)
>>>>
>>>>
>>>> Michael
>>>>
>>>> ________________________________________
>>>> From: [email protected] <[email protected]> on behalf of
>>>> Sean Carte <[email protected]>
>>>> Sent: Thursday, 7 July 2022 07:54
>>>> To: Thiago Henrique Carvalho da Costa
>>>> Cc: DSpace Technical Support
>>>> Subject: Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall
>>>> with wildcard certificate
>>>>
>>>> […]
>>>>
>>>> --
>>>> All messages to this mailing list should adhere to the Code of Conduct:
>>>> https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "DSpace Technical Support" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/dspace-tech/d00aa2e38fde4d2b8d28b164d724ce99%40bibliothek.uni-kassel.de
>>>> .
>>>>