Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-25 Thread Mohammad S. AlMutairi
>>>> If your apache SSL configuration is correct you can force the NodeJS 
>>>> and the starting of the service later to access crdb.dut.ac.za 
>>>> directly using the server local IP instead of going thru the Public-IP/F5. 
>>>> You can do it by adding an entry into /etc/hosts for the server private IP 
>>>> address. The other way of overcoming this issue is by skipping the 
>>>> /etc/hosts file entry and doing the steps you see below:
>>>>
>>>> A) echo "export NODE_EXTRA_CA_CERTS=/etc/certs/crdb.dut.ac.za/cert.pem" 
>>>> >> /etc/environment
>>>> B) source /etc/environment
>>>> C) yarn test:rest
>>>>
>>>> Good luck
>>>> On Friday, July 8, 2022 at 12:24:41 PM UTC+3 sean@gmail.com wrote:
>>>>
>>>>> […]

Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-09 Thread Sean Carte
Thanks for the input, Mark. Unfortunately, I am not in a position to
suggest changes to the F5's configuration. Fortunately, Mohammad's
workaround worked.

Sean

On Fri, 8 Jul 2022 at 15:19, Mark H. Wood  wrote:

> […]

-- 
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhN%3D3G8K2uVYUODc2zoryqjWUnef7CH%3DSLgYLS4nScww%2Bw%40mail.gmail.com.


Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-09 Thread Sean Carte
Sorry, Michael, if I understood it myself, I might be able to explain it
better.

But thanks for your help in resolving this.

Sean

On Fri, 8 Jul 2022 at 16:33, Michael Plate 
wrote:

> […]



Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-09 Thread Sean Carte
Thank you, Mohammad! I added an entry to /etc/hosts and it does appear to
work.

(I also tried your /etc/environment suggestion, but still got the 'unable
to verify the first certificate' error.)

Thanks again, I really appreciate your help.

Sean

On Sat, 9 Jul 2022 at 06:06, Mohammad S. AlMutairi  wrote:

> […]

Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-08 Thread Mohammad S. AlMutairi
If your apache SSL configuration is correct you can force the NodeJS and 
the starting of the service later to access crdb.dut.ac.za directly using 
the server local IP instead of going thru the Public-IP/F5. You can do it 
by adding an entry into /etc/hosts for the server private IP address. The 
other way of overcoming this issue is by skipping the /etc/hosts file entry 
and doing the steps you see below:

A) echo "export NODE_EXTRA_CA_CERTS=/etc/certs/crdb.dut.ac.za/cert.pem" >> 
/etc/environment
B) source /etc/environment
C) yarn test:rest

Good luck
On Friday, July 8, 2022 at 12:24:41 PM UTC+3 sean@gmail.com wrote:

> […]

Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-08 Thread Michael Plate

Hi Sean,

On 08.07.22 at 11:24 Sean Carte wrote:
> […]

I'm not sure if I can follow you…we only have IP-based FWs, the 
encryption is done always on the host.
You have a self-signed cert and the F5 decrypts inside - like a browser 
/ proxy- and encrypts again with another cert to outside ?


Michael



Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-08 Thread Mark H. Wood
On Fri, Jul 08, 2022 at 11:24:37AM +0200, Sean Carte wrote:
> […]

Your wildcard certificate for *.dut.ac.za is signed by "C = GB, ST =
Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA
Organization Validation Secure Server CA" but that cert. is not in your
client's trust store.  It's not in the trusted certificates bundle on
my workstation, either.  Google has a lot of hits on "sectigo root
certificate not trusted" which may shed some light.  You may need help
from Sectigo customer support.  Or there may be some reason why that
particular cert. is no longer trusted.

Or it may be an intermediate authority whose cert. should be sent out
with the server cert. to complete the trust chain to the root.  In
that case, you may need to get a copy of that cert. and install it in
the F5's trust store (once you're sure that *you* trust it).

A client must be able to construct a path from the certificate
presented by the site, through that cert.'s issuer cert. ("i:" in the
certificate chain) via *its* issuer, etc. until it reaches a root
certificate that it already trusts.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

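The path-building rule Mark describes above, and the two workarounds Mohammad gives further down the thread (pointing the Node process at the server's private IP via /etc/hosts so it bypasses the F5, or handing Node an extra certificate file via NODE_EXTRA_CA_CERTS), can be exercised offline. The Go program below is an added example written for this page; it is not code from the thread, from DSpace or from F5. It generates its own three-tier chain in memory (a constructed root, a constructed intermediate standing in for the "Sectigo RSA Organization Validation Secure Server CA" that appears as i: in the s_client output, and a wildcard leaf for *.dut.ac.za) and replays the thread's three situations against a client trust store that holds only the root, which is what a stock CA bundle contains: the server sends the leaf alone, the server sends leaf plus intermediate, and the server still sends the leaf alone but the client has the intermediate in its own store, which is what NODE_EXTRA_CA_CERTS achieves when the named file holds the issuing CA. FileCompletesChain is the check to run on that file before setting the variable: it looks for a certificate whose subject equals the leaf's issuer, so a file that contains only the server's own certificate does not pass. That case is checked by subject/issuer comparison rather than by calling Verify because Go's verifier accepts anything placed in the root pool as a trust anchor, whereas OpenSSL (and therefore Node) by default only stops at a self-signed root. The host name crdb.dut.ac.za is taken from the thread; the CA names and serial numbers are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Fixture is a constructed three-tier PKI standing in for the thread's chain: a root (what a stock
// client already trusts), an intermediate (the "i:" of entry 0) and the wildcard leaf. Nothing here is
// real DUT or Sectigo material; it is all generated in memory for the example.
type Fixture struct{ Root, Intermediate, Leaf *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and has signer sign tmpl; with parent == nil the new key signs itself.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// template builds a CA template (ca == true) or a server template whose SAN is cn.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildFixture generates root -> intermediate -> *.dut.ac.za.
func BuildFixture() *Fixture {
	root, rootKey := issue(template(1, "Constructed Root CA", true), nil, nil)
	inter, interKey := issue(template(2, "Constructed Intermediate CA", true), root, rootKey)
	leaf, _ := issue(template(3, "*.dut.ac.za", false), inter, interKey)
	return &Fixture{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyAsClient does what a TLS client does: from the leaf, build a path through the certificates
// the server presented to a certificate that is already in the client's own trust store.
func VerifyAsClient(leaf *x509.Certificate, presented []*x509.Certificate, trusted *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: inter, DNSName: host})
	return err
}

// ToPEM renders a certificate as it would sit in the file that NODE_EXTRA_CA_CERTS names.
func ToPEM(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }

// FileCompletesChain reports whether a PEM bundle holds the leaf's direct issuer, the certificate a
// client needs next. A file that holds only the server's own certificate fails this check.
func FileCompletesChain(leaf *x509.Certificate, bundle []byte) bool {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(blk.Bytes); err == nil && string(c.RawSubject) == string(leaf.RawIssuer) {
			return true
		}
	}
	return false
}

// Scenarios replays the thread's three situations and returns each verification result.
func Scenarios(f *Fixture) map[string]error {
	stock := x509.NewCertPool() // a stock trust store: roots only, no intermediates
	stock.AddCert(f.Root)
	extended := x509.NewCertPool() // the same store plus the intermediate: the effect of NODE_EXTRA_CA_CERTS
	extended.AddCert(f.Root)
	extended.AppendCertsFromPEM(ToPEM(f.Intermediate))
	return map[string]error{
		"leaf only":           VerifyAsClient(f.Leaf, nil, stock, "crdb.dut.ac.za"),                                    // what the F5 sends today
		"leaf + intermediate": VerifyAsClient(f.Leaf, []*x509.Certificate{f.Intermediate}, stock, "crdb.dut.ac.za"), // server-side fix
		"client extra CA":     VerifyAsClient(f.Leaf, nil, extended, "crdb.dut.ac.za"),                               // client-side workaround
	}
}

func main() {
	for name, err := range Scenarios(BuildFixture()) {
		fmt.Printf("%-20s -> %v\n", name, err)
	}
}
```

Run it with go run chain.go (Go 1.18 or newer, for the generic must helper). The "leaf only" case fails with x509: certificate signed by unknown authority, Go's counterpart of the "unable to get local issuer certificate" that s_client printed in the thread; the other two verify. On the real host the equivalent of the leaf-only line is openssl s_client -connect crdb.dut.ac.za:443 -showcerts, which prints every certificate the F5 actually sends; a Certificate chain section with an entry 0 and no entry 1 is exactly the symptom Michael reported, and the i: line of entry 0 names the certificate that has to be added either on the F5 (server-side fix) or in the client's store (NODE_EXTRA_CA_CERTS). The /etc/hosts workaround sidesteps the question by talking to Apache directly, so it only helps if Apache itself serves a complete chain.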


Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-08 Thread Sean Carte
Ah, but wait, I remembered the chain of events that led to me installing
the cert, whose chain is broken:

The F5 firewall seems to provide certification through its wildcard
certificate. So if you visit our current DSpace-CRIS 5 repository at
https://openscholar.dut.ac.za/  and check the connection security for that
site, you will see that it is verified by Sectigo Ltd. However, on that
server, I'm using a self-signed certificate. (It used to be LetsEncrypt
before the F5.)

/etc/apache2/sites-enabled/default-ssl.conf
SSLCertificateFile  /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

That didn't work for DSpace 7 (I forget the exact error, but I suspect it
was the verification error). So I requested the certificate from the IT
admin, and installed that.

But it seems as though that doesn't even get seen by openssl s_client ...

For comparison, if I run
openssl s_client -connect openscholar.dut.ac.za:443

I get a similar error: Verification error: unable to verify the first
certificate.

I'm really out of my depth here and not sure who or where to seek help. All
I know is that I can get this working unless it's behind the F5. But then,
in that case, I'm using LetsEncrypt.

Sean

On Thu, 7 Jul 2022 at 16:11, Sean Carte  wrote:

> […]



Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-07 Thread Sean Carte
Thanks, Michael. That's useful. I'll follow up with our IT department.

Sean

On Thu, 7 Jul 2022 at 10:23, Plate, Michael 
wrote:

> […]



Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-07 Thread Plate, Michael
Hi Sean,

your certificate chain is broken:

openssl s_client -connect crdb.dut.ac.za:443

CONNECTED(0003)
depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street = 
Overport, street = 7 Ritson Road, O = Durban University of Technology, OU = 
ITSS, CN = *.dut.ac.za
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street = 
Overport, street = 7 Ritson Road, O = Durban University of Technology, OU = 
ITSS, CN = *.dut.ac.za
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street = 
Overport, street = 7 Ritson Road, O = Durban University of Technology, OU = 
ITSS, CN = *.dut.ac.za
verify return:1
---
Certificate chain
 0 s:C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street = 
Overport, street = 7 Ritson Road, O = Durban University of Technology, OU = 
ITSS, CN = *.dut.ac.za
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = 
Sectigo RSA Organization Validation Secure Server CA
---
[…]

browsers accept this, other programs are more picky about chain order.
If you can't get around it, try letsencrypt and install certbot (it's in debian 
packages, no need for snap)


Michael


From: dspace-tech@googlegroups.com  on behalf of 
Sean Carte 
Sent: Thursday, 7 July 2022 07:54
To: Thiago Henrique Carvalho da Costa
Cc: DSpace Technical Support
Subject: Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with 
wildcard certificate

[…]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/d00aa2e38fde4d2b8d28b164d724ce99%40bibliothek.uni-kassel.de.
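Michael's s_client output shows only a depth=0 entry and error 21, i.e. the server presented the leaf certificate alone. The checker below is an added example (it is not code from this thread or from DSpace) that uses only the openssl CLI to count the certificates a bundle contains, confirm that they are ordered leaf first with each issuer equal to the next subject, and verify the leaf against a CA file. Its demo mode builds a constructed root, intermediate and *.example.test leaf so it runs offline; the check mode, the script name chaincheck.sh, the default CA bundle path /etc/ssl/certs/ca-certificates.crt and all file names are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not code from the thread or from DSpace: a chain checker
# built on the openssl CLI. It answers the questions an s_client transcript
# raises: how many certificates did the server send, are they ordered leaf
# first with each issuer equal to the next subject, and does the leaf verify
# up to a trusted root. The demo PKI (Demo Root CA, Demo Intermediate CA,
# *.example.test), the file names and the CA bundle path are constructed.

# fetch_chain HOST PORT OUTFILE: save the certificates a live server presents
# (needs network; not used by the offline demo).
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# cert_count BUNDLE: number of certificates in a PEM bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# split_pem BUNDLE OUTDIR: write OUTDIR/cert-1.pem, cert-2.pem, ... in bundle order.
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { close(f); inside = 0 }' "$1"
}

# dn CERTFILE subject|issuer: print that DN in RFC 2253 form, "subject="/"issuer=" prefix removed.
dn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# chain_order_ok BUNDLE: succeed only if every certificate is followed by its
# issuer, the order TLS requires in the server's Certificate message.
chain_order_ok() {
  local tmp n i rc
  tmp=$(mktemp -d); split_pem "$1" "$tmp"
  n=$(cert_count "$1"); i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    [ "$(dn "$tmp/cert-$i.pem" issuer)" = "$(dn "$tmp/cert-$((i + 1)).pem" subject)" ] \
      || { rc=1; break; }
    i=$((i + 1))
  done
  rm -rf "$tmp"; return "$rc"
}

# leaf_verifies BUNDLE CAFILE: succeed if the first certificate chains to a root
# in CAFILE, with the remaining certificates offered as untrusted intermediates.
leaf_verifies() {
  local tmp n i rc
  tmp=$(mktemp -d); split_pem "$1" "$tmp"
  n=$(cert_count "$1"); i=2; : > "$tmp/untrusted.pem"
  while [ "$i" -le "$n" ]; do cat "$tmp/cert-$i.pem" >> "$tmp/untrusted.pem"; i=$((i + 1)); done
  if [ "$n" -gt 1 ]; then
    openssl verify -CAfile "$2" -untrusted "$tmp/untrusted.pem" "$tmp/cert-1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$tmp/cert-1.pem" >/dev/null 2>&1
  fi
  rc=$?; rm -rf "$tmp"; return "$rc"
}

# report BUNDLE CAFILE: one-line verdict, e.g. "good.pem: 2 cert(s), order ok, verifies".
report() {
  local o v
  if chain_order_ok "$1"; then o="order ok"; else o="ORDER BROKEN"; fi
  if leaf_verifies "$1" "$2"; then v="verifies"; else v="DOES NOT VERIFY"; fi
  echo "$1: $(cert_count "$1") cert(s), $o, $v"
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf PKI plus three
# bundles: good.pem (leaf, intermediate), bad.pem (reversed) and leafonly.pem
# (leaf alone, which is what a server with no chain file sends).
make_demo_chain() {
  local d; d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$d/leaf.ext"
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -subj '/CN=*.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"
  cat "$d/int.pem" "$d/leaf.pem" > "$d/bad.pem"
  cp "$d/leaf.pem" "$d/leafonly.pem"
}

case "${1:-}" in
  demo)   # offline: classify the three constructed bundles
    d=$(mktemp -d); make_demo_chain "$d"
    for b in good bad leafonly; do report "$d/$b.pem" "$d/root.pem"; done
    rm -rf "$d" ;;
  check)  # live: sh chaincheck.sh check HOST [CAFILE]; CA path assumed Debian/Ubuntu
    fetch_chain "$2" 443 chain.pem
    report chain.pem "${3:-/etc/ssl/certs/ca-certificates.crt}" ;;
esac
```

Run `sh chaincheck.sh demo` to see the three constructed bundles classified; `sh chaincheck.sh check crdb.dut.ac.za` would fetch the live chain and report on it the same way. The order check is kept separate from the verify step on purpose: a bundle whose first certificate is the intermediate still passes openssl verify, because the intermediate chains to the root on its own, yet a TLS client that takes the first certificate as the leaf rejects it.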


Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-06 Thread Sean Carte
Hi Thiago

No, I'm still stuck with this problem.

Sean

On Wed, 6 Jul 2022 at 18:19, Thiago Henrique Carvalho da Costa <
thiago.inst...@gmail.com> wrote:

> I have the same problem, did anyone manage to solve it?
>
> On Tuesday, 31 May 2022 at 09:45:24 UTC-3, john...@gmail.com
> wrote:
>
>> come in the dspace slack and maybe I can help you
>>
>> On Tuesday, May 31, 2022 at 6:48:53 AM UTC-4 sean@gmail.com wrote:
>>
>>> I'm starting to think that it might not be possible to do this, but I'm
>>> hoping someone will tell me how very wrong I am.
>>>
>>> I have a server that is in our institution's DC, which is behind an F5
>>> firewall and there is a wildcard Sectigo certificate installed.
>>>
>>> My dspace local.cfg has the following settings:
>>> dspace.server.url = https://crdb.dut.ac.za/server
>>> dspace.ui.url = https://crdb.dut.ac.za
>>>
>>> I requested a certificate and key from the administrator and have this
>>> in /etc/apache2/sites-enabled/ssl.conf
>>>
>>> SSLCertificateFile /etc/certs/crdb.dut.ac.za/cert.pem
>>> SSLCertificateKeyFile /etc/certs/crdb.dut.ac.za/privkey.pem
>>> SSLCertificateChainFile /etc/certs/crdb.dut.ac.za/chain.pem
>>> Include /etc/certs/options-ssl-apache.conf
>>>
>>> # Proxy all HTTPS requests to "/server" from Apache to Tomcat via
>>> AJP connector
>>> ProxyPass /server ajp://localhost:8009/server
>>> ProxyPassReverse /server ajp://localhost:8009/server
>>>
>>> # Proxy all HTTPS requests from Apache to PM2 on port 4000
>>> ProxyPass / http://localhost:4000/
>>> ProxyPassReverse / http://localhost:4000/
>>>
>>> config.prod.yml
>>> ui:
>>>   ssl: false
>>>   host: localhost
>>>   port: 4000
>>>   nameSpace: /
>>> rest:
>>>   ssl: true
>>>   host: crdb.dut.ac.za
>>>   port: 443
>>>   nameSpace: /server
>>>
>>> When I run yarn test:rest:
>>> ...Testing connection to REST API at https://crdb.dut.ac.za/server/api.
>>> ..
>>>
>>> ERROR connecting to REST API
>>> Error: unable to verify the first certificate
>>>
>>> As expected, if I run node ./dist/server/main.js, I get the dreaded 'No
>>> _links section' error:
>>>
>>> GET / 500 1356.467 ms - 231171
>>> No _links section found at https://crdb.dut.ac.za/server/api
>>>
>>> Am I wasting my time with this, or has anybody managed to get this
>>> working in a similar situation with a proxy firewall handing out a wildcard
>>> certificate?
>>>
>>> Sean
>>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhMgqiiy%3DdmRhHG57bT%2BWDxMhJ75Bomin80s%3Dz%3DXwoj%2Bnw%40mail.gmail.com.


[dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-07-06 Thread Thiago Henrique Carvalho da Costa
I have the same problem, did anyone manage to solve it?

On Tuesday, 31 May 2022 at 09:45:24 UTC-3, john...@gmail.com 
wrote:

> come in the dspace slack and maybe I can help you 
>
> On Tuesday, May 31, 2022 at 6:48:53 AM UTC-4 sean@gmail.com wrote:
>
>> […]
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/33a6bd12-384e-477f-a165-6dedf18b3d98n%40googlegroups.com.


[dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall with wildcard certificate

2022-05-31 Thread John Bain
come in the dspace slack and maybe I can help you 

On Tuesday, May 31, 2022 at 6:48:53 AM UTC-4 sean@gmail.com wrote:

> […]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/dacddc9f-bf10-4753-a5b5-c1fba284a0d4n%40googlegroups.com.