LTI-Advanced_Grading - Can't connect to Moodle (certificate verify failed)

by Josue Oregel -
Number of replies: 5

Hi, all!

We are using LTI-Advanced Authentication to connect WeBWorK 2.16 with Moodle 3.11 to synchronize users successfully, but using LTI-Advanced Grading we are experiencing the problem: Your score was not successfully sent to the LMS.

If I enable the $debug_lti_parameters = 1; and $debug_lti_grade_passback = 1; variables at conf/authen_LTI.conf, the log output shows that WeBWorK "Can't connect to my_moodle_server:443 (certificate verify failed)". Here are some excerpts:

</imsx_POXEnvelopeRequest> _headers HTTP::Headers=HASH(0x55892742d5c0) _uri https://my_moodle_server/mod/lti/service.php at /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm line 471.
The nonce used is 70acsdfc-c08b-585f-9ce8-5c430dxcc32b__437670c0-ba21-11ec-bde0-bb24c934cabb-step2
473 The response is:
_rc 500 _request HTTP::Request=HASH(0x55892742d6c8) _content Can't connect to my_moodle_server:443 (certificate verify failed)
SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50.
_msg Can't connect to my_moodle_server:443 (certificate verify failed) _headers HTTP::Headers=HASH(0x558927466af8) at /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm line 473.


I think this is because we don't have the full chain certificate on the server, then I have tried to turn off verification of the ssl cert to surpass this, adding code to $gradeRequest and $HTTPRequest at /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm, somewhat as in WebworkClient.pm, but it isn't working.

# turn off verification of the ssl cert
    $gradeRequest->ssl_opts(verify_hostname=>0,
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE);
# end turn off verification of the ssl cert


Could you help me, please?

In reply to Josue Oregel

Re: LTI-Advanced_Grading - Can't connect to Moodle (certificate verify failed)

by Danny Glin -

I don't know a lot about this particular module, but the code you reference has

SSL_verify_mode => 'SSL_VERIFY_NONE'

which is different than the syntax you are using.

After you make the change is the error message in the logs still the same?  Have you tried the syntax used in WebworkClient.pm?

In reply to Danny Glin

Re: LTI-Advanced_Grading - Can't connect to Moodle (certificate verify failed)

by Josue Oregel -

Hi Danny,

I tried both with same error results in the logs:
  • SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE);
  • SSL_verify_mode => 'SSL_VERIFY_NONE');
I have read the following documentation at CPAN, trying to find the syntax that I should use:

Also, I have searched for the phrase that appears in the log ("The response is:") in the entire WeBWorK installation directory, to track the origin of the logs (the variable $response) and rule out the possibility of being incorrectly modifying portions of code. Such phrase appears to be only in the file: /opt/webwork/webwork2/lib/WeBWorK/Authen/LTIAdvanced/SubmitGrade.pm. This is the place where I have been doing the changes in the code, I don't know if I am missing another file.

Thank you for your help, best regards.

In reply to Josue Oregel

Re: LTI-Advanced_Grading - Can't connect to Moodle (certificate verify failed)

by Danny Glin -

A couple more things to try:

Make sure that you restart apache after making any changes to the code, i.e. after you edit SubmitGrade.pm.

A quick internet search indicates that certificate verification sometimes fails due to time discrepancies between the client and the server, so make sure the time on your WW server is accurate.

According to check_modules.pl IO::Socket::SSL needs to be version 2.007 or newer.  Check that you have a new enough version.

What happens if you try to connect directly to the Moodle server from the command line?  e.g. if you run

curl https://your_moodle_server/


In reply to Danny Glin

Re: LTI-Advanced_Grading - Can't connect to Moodle (certificate verify failed)

by Josue Oregel -

Hi, Danny.

Now I'm restarting apache after any change of the code.

I have reviewed the same date on both systems (Moodle and WeBWorK) via terminal, both synchronize via NTP.

check_modules.pl says all dependencies are OK, including IO::Socket::SSL found and loaded. Typing in terminal: perl -MIO::Socket::SSL\ 9999, it shows: IO::Socket::SSL version 9999 required--this is only version 2.067.

Finally, when I use curl to check the results I'm obtaining:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Typing curl https://my_moodle_server/ --insecure, the terminal shows:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://my_moodle_server/">here</a>.</p>

I think I must opt to solve the certificate problem, but I'm not sure how to do that.  My WeBWorK is installed on Ubuntu Server 20.04.3 LTS, I'm a newbie at updating the system CA store or adding the certificate to the trusted domains list.

Do you have any clue to guide me?

I really appreciate your help, best regards.

In reply to Josue Oregel

Re: LTI-Advanced_Grading - Can't connect to Moodle (certificate verify failed)

by Danny Glin -

Based on the redirect it looks like your Moodle server is redirecting https requests to http.  Do you have SSL enabled on your Moodle server?  Does it have a valid SSL certificate?

The first thing to check with the CA store on your server is that the default certificates are installed.  If not, you should install the ca-certificates package ("sudo apt install ca-certificates").
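
Added example (not part of the thread and not WeBWorK code): the script below reproduces, offline, the "unable to get local issuer certificate" error that curl reported, using a server that sends only its own certificate, and shows the same certificate verifying once the intermediate is sent with it. It assumes the openssl command-line tool is installed; every certificate name, including the reuse of the thread's my_moodle_server placeholder, is a constructed sample.

```shell
#!/bin/sh
# Constructed demo PKI (root CA -> intermediate CA -> server certificate).
# Assumption: the openssl CLI is installed. No real host or key is involved.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/demo.cnf" &&
    # Root CA: self-signed, the only certificate the client trusts in advance.
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    # Intermediate CA: signed by the root. Clients do not have it; the server must send it.
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate CA' -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/demo.cnf" -extensions v3_ca -days 2 -out "$d/inter.pem" 2>/dev/null &&
    # Server certificate: signed by the intermediate, not by the root.
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=my_moodle_server' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Client view when the server sends only its own certificate (incomplete chain).
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Client view when the server also sends the intermediate (full chain).
verify_full_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo"
trap 'rm -rf "$demo"' EXIT
echo "leaf only:  $(verify_leaf_only "$demo" || true)"
echo "full chain: $(verify_full_chain "$demo")"
```

Against a live server, `openssl s_client -connect my_moodle_server:443 -showcerts </dev/null` lists the certificates the server actually sends, which shows whether the intermediate is among them.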