[ww-devel] The library browser not updating problem

Jason Aubrey aubreyja at gmail.com
Wed Aug 27 14:19:14 EDT 2014 

I'll need to track down who really needs the cert, but in this case it's
not the browser.  I *think* it's LWP::UserAgent via LWP::Protocol::https.
You can see here

http://search.cpan.org/~mschilli/LWP-Protocol-https-6.06/lib/LWP/Protocol/https.pm

It's description of how ssl requests can fail (which sounds like how ours
are failing.)  So, the deeper solution might be to fix it here by disabling
the check:

If hostname verification is requested by LWP::UserAgent's ssl_opts, and
> neither SSL_ca_file nor SSL_ca_path is set, then SSL_ca_file is implied
> to be the one provided by Mozilla::CA. If the Mozilla::CA module isn't
> available SSL requests will fail. Either install this module, set up an
> alternative SSL_ca_file or disable hostname verification
>

That's if I'm right about who is complaining.

Jason



On Wed, Aug 27, 2014 at 11:08 AM, Arnold Pizer <apizer at math.rochester.edu>
wrote:

> Hi John et all,
>
> I'm pretty sure I'm having the same problem.  When I look at things
> following Matt's suggestion, I see that the last module called is instructorXMLHandler.pm
> and I see the error msg
> Errors: 500 Can't connect to 192.168.56.101:443 (certificate verify
> failed) at /opt/webwork/webwork2/lib/WebworkClient.pm line 158. End Errors
>
> My problem is that I'm using a selfsigned certificate for testing.  So I
> don't think creating a self signed SSLCA certificate alone will solve the
> problem.  I think I should be able to get the browser to trust the
> certificate and if this works it will be OK as long as only instructors
> have this problem.  Are there any things that students do (or will do) that
> will bring up similar problems?  If so, the option of using self signed
> certificates will have to be abandoned.
>
> If anyone has gotten a browser to trust a self signed certificate or can
> point me to a good reference, I would appreciate the hint.  There seem to
> be quite a few references, but I haven't found one that works yet.  At
> least now I know the problem is really with the SSL certificate.
>
> Arnie
>
>
> On Wed, Aug 27, 2014 at 11:50 AM, John Jones <jj at asu.edu> wrote:
>
>> Can someone write a version of this explanation a la an apache for
>> dummies?
>>
>> Arnie, can you check to see if this fixes the problem you encountered
>> during mathfest?
>>
>> John
>>
>>
>>
>> On Wed, Aug 27, 2014 at 8:40 AM, Jason Aubrey <aubreyja at gmail.com> wrote:
>>
>>> Thanks Matt - that worked!
>>>
>>> Jason
>>>
>>>
>>> On Tue, Aug 26, 2014 at 4:56 PM, Matt Haught <matt_haught at ncsu.edu>
>>> wrote:
>>>
>>>> Same problem here on our devel server but not our production. I have
>>>> been scratching my head with it today.  Our devel server also uses the
>>>> incommon certs while the production is using godaddy from before we
>>>> could get incommon.  So that got me thinking...  I have something for
>>>> you to try that appears to have worked for us.
>>>>
>>>> Add a SSLCACertificateFile apache conf line and have it use the
>>>> intermediate/root only cert (2nd link down in the InCommon email)
>>>>
>>>> Matt Haught
>>>> North Carolina State University
>>>>
>>>>
>>>> On Tue, Aug 26, 2014 at 5:49 PM, Jason Aubrey <aubreyja at gmail.com>
>>>> wrote:
>>>> > Well, at this point I think the error has something to do with how my
>>>> ssl is
>>>> > configured.  Here is some evidence from my apache log with LogLevel
>>>> info:
>>>> >
>>>> > There were a lot of errors: 500 Can't connect to
>>>> > webwork.math.arizona.edu:443
>>>> <https://urldefense.proofpoint.com/v1/url?u=http://webwork.math.arizona.edu:443&k=p4Ly7qpEBiYPBVenR9G2iQ%3D%3D%0A&r=g5j9%2FzBITNFXnOqzhQf%2B0b%2F2j5jSmy74eqJk2rpyoc4%3D%0A&m=hIi8Y6c%2BF6urweTkKtsDeHM2YeEf66fH%2BdSLpZNJEOE%3D%0A&s=659704ee979814c39994ceb4ce07d99d6c2c6560c6cac50cdf09c2cb8a72a7bf>
>>>> at /opt/webwork/webwork2/lib/WebworkClient.pm
>>>> > line 158
>>>> >
>>>> > [Tue Aug 26 14:35:13 2014] [info] [client 127.0.0.1] SSL library
>>>> error 1 in
>>>> > handshake (server webwork.math.arizona.edu:443
>>>> <https://urldefense.proofpoint.com/v1/url?u=http://webwork.math.arizona.edu:443&k=p4Ly7qpEBiYPBVenR9G2iQ%3D%3D%0A&r=g5j9%2FzBITNFXnOqzhQf%2B0b%2F2j5jSmy74eqJk2rpyoc4%3D%0A&m=hIi8Y6c%2BF6urweTkKtsDeHM2YeEf66fH%2BdSLpZNJEOE%3D%0A&s=659704ee979814c39994ceb4ce07d99d6c2c6560c6cac50cdf09c2cb8a72a7bf>
>>>> )
>>>> > [Tue Aug 26 14:35:13 2014] [info] SSL Library Error: 336151576
>>>> > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>>> > [Tue Aug 26 14:35:13 2014] [info] [client 127.0.0.1] Connection
>>>> closed to
>>>> > child 0 with abortive shutdown (server webwork.math.arizona.edu:443
>>>> <https://urldefense.proofpoint.com/v1/url?u=http://webwork.math.arizona.edu:443&k=p4Ly7qpEBiYPBVenR9G2iQ%3D%3D%0A&r=g5j9%2FzBITNFXnOqzhQf%2B0b%2F2j5jSmy74eqJk2rpyoc4%3D%0A&m=hIi8Y6c%2BF6urweTkKtsDeHM2YeEf66fH%2BdSLpZNJEOE%3D%0A&s=659704ee979814c39994ceb4ce07d99d6c2c6560c6cac50cdf09c2cb8a72a7bf>
>>>> )
>>>> >
>>>> > So, you can see (1) that 'it' can't connect to
>>>> webwork.math.arizona.edu:443
>>>> <https://urldefense.proofpoint.com/v1/url?u=http://webwork.math.arizona.edu:443&k=p4Ly7qpEBiYPBVenR9G2iQ%3D%3D%0A&r=g5j9%2FzBITNFXnOqzhQf%2B0b%2F2j5jSmy74eqJk2rpyoc4%3D%0A&m=hIi8Y6c%2BF6urweTkKtsDeHM2YeEf66fH%2BdSLpZNJEOE%3D%0A&s=659704ee979814c39994ceb4ce07d99d6c2c6560c6cac50cdf09c2cb8a72a7bf>
>>>> > and (2) the ssl handshake seems to be dying due to an unknown
>>>> certificate
>>>> > authority.  But if you looked at my server, you would see (3) that my
>>>> > certificate authority is in fact well known:
>>>> >>
>>>> >> Issued By
>>>> >>
>>>> >> Common Name (CN) InCommon Server CA
>>>> >>
>>>> >> Organizaton (O) Internet2
>>>> >>
>>>> >> etc...
>>>> >
>>>> > Also, there is the fact that (4) my web browsers have no problem
>>>> connecting
>>>> > to the https site.
>>>> > So,
>>>> > (a) Maybe the perl module(s) running the webservice calls (LWP?) don't
>>>> > recognize the certificate authority.
>>>> > (b) Maybe the way my redirect to ssl is set up is messing with the web
>>>> > service calls. (Permanent redirect to a *:443 vhost)
>>>> > (c) Maybe there is some other configuration problem with my ssl set
>>>> up.
>>>> > (d) Maybe this is completely unrelated to the actual problem.
>>>> >
>>>> > Thanks for any ideas.
>>>> > Jason
>>>> >
>>>> _______________________________________________
>>>> webwork-devel mailing list
>>>> webwork-devel at webwork.maa.org
>>>> http://webwork.maa.org/mailman/listinfo/webwork-devel
>>>> <https://urldefense.proofpoint.com/v1/url?u=http://webwork.maa.org/mailman/listinfo/webwork-devel&k=p4Ly7qpEBiYPBVenR9G2iQ%3D%3D%0A&r=g5j9%2FzBITNFXnOqzhQf%2B0b%2F2j5jSmy74eqJk2rpyoc4%3D%0A&m=hIi8Y6c%2BF6urweTkKtsDeHM2YeEf66fH%2BdSLpZNJEOE%3D%0A&s=f02b3d4aa31c9f5bdb0b9e2da8bbe66c3f5c55044c9d192f6f36541793737fbd>
>>>>
>>>
>>>
>>> _______________________________________________
>>> webwork-devel mailing list
>>> webwork-devel at webwork.maa.org
>>> http://webwork.maa.org/mailman/listinfo/webwork-devel
>>> <https://urldefense.proofpoint.com/v1/url?u=http://webwork.maa.org/mailman/listinfo/webwork-devel&k=p4Ly7qpEBiYPBVenR9G2iQ%3D%3D%0A&r=g5j9%2FzBITNFXnOqzhQf%2B0b%2F2j5jSmy74eqJk2rpyoc4%3D%0A&m=hIi8Y6c%2BF6urweTkKtsDeHM2YeEf66fH%2BdSLpZNJEOE%3D%0A&s=f02b3d4aa31c9f5bdb0b9e2da8bbe66c3f5c55044c9d192f6f36541793737fbd>
>>>
>>>
>>
>> _______________________________________________
>> webwork-devel mailing list
>> webwork-devel at webwork.maa.org
>>
>> https://urldefense.proofpoint.com/v1/url?u=http://webwork.maa.org/mailman/listinfo/webwork-devel&k=p4Ly7qpEBiYPBVenR9G2iQ%3D%3D%0A&r=g5j9%2FzBITNFXnOqzhQf%2B0b%2F2j5jSmy74eqJk2rpyoc4%3D%0A&m=hIi8Y6c%2BF6urweTkKtsDeHM2YeEf66fH%2BdSLpZNJEOE%3D%0A&s=f02b3d4aa31c9f5bdb0b9e2da8bbe66c3f5c55044c9d192f6f36541793737fbd
>>
>>
>
>
> --
> Prof. Arnold K. Pizer
> Dept. of Mathematics
> University of Rochester
> Rochester, NY 14627
> (585) 766-8812
>
> _______________________________________________
> webwork-devel mailing list
> webwork-devel at webwork.maa.org
> http://webwork.maa.org/mailman/listinfo/webwork-devel
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://webwork.maa.org/pipermail/webwork-devel/attachments/20140827/71d3f1fe/attachment.html>

More information about the webwork-devel mailing list