Using SSL with Hypnotoad in WW 2.18

by Sean Fitzpatrick -
Number of replies: 8

I've upgraded my development server to 2.18. Right now I'm trying to use the first option, serving WeBWorK directly using Hypnotoad.

I have existing SSL certificates that were issued for the Apache configuration in 2.17. The files consist of a ServerCertificate.crt, ChainBundle2.crt, and the key file. 

I think I've set up SSL according to the instructions, but once I restart the webwork2 service and visit the website, I get a "site unexpectedly closed the connection" error. Do I need different certificates to serve using hypnotoad with SSL? If so, I'll proxy through Apache for now.

In my webwork2.mojolicious.yml I have the following, and I've got https in site.conf.

redirect_http_to_https: 1

# hypnotoad server configuration
# See https://docs.mojolicious.org/Mojo/Server/Daemon
# Any of the attributes listed there can be set in this section.
# Make sure to convert the Perl notation there to YAML.
hypnotoad:
  listen:
    - http://*:80
    # Below is an example of how to use ssl certificates when serving directly via hypnotoad.
    - https://*:443?cert=/etc/ssl/certs/ServerCertificate.crt&key=/etc/ssl/webwork-dev.key
    # Below is an example of how to use ssl certificates when using the docker build.
    #- https://*:8080?cert=/etc/ssl/local/fullchain.pem&key=/etc/ssl/local/privkey.pem


In reply to Sean Fitzpatrick

Re: Using SSL with Hypnotoad in WW 2.18

by Glenn Rice -
Your webwork2.mojolicious.yml file looks generally right. Although I am not certain on the "listen" line for https://*:8080 with the certificates. Can you share your previous apache2 configuration where those files were used? These lines should look something like

SSLCertificateFile /etc/ssl/certs/ServerCertificate.crt
SSLCertificateKeyFile /etc/ssl/webwork-dev.key
SSLCertificateChainFile ...

for example. You may not have all of the above variables. The point here is that you list a certificate and bundle crt file. The hypnotoad configuration can only take one cert file. Technically the SSLCertificateChainFile is deprecated for apache2 also, and apache2 is only supposed to be used with one file as well. That doesn't mean that the files you have are not valid, it just means that they have to be put together. I forget the correct way to do that right now, but some Google searching will probably give the answer. I believe that you just concatenate the files together, but the order is important. It is also possible that the ChainBundle2.crt file is already the concatenation of the server certificate with the chain certificates. In that case, you just need to use that file for cert instead.

Another thing to check is the permissions of the certificate and key files. Those must be readable by the server user or they won't work with hypnotoad. Note that this is a little different than for apache2.

In reply to Glenn Rice

Re: Using SSL with Hypnotoad in WW 2.18

by Sean Fitzpatrick -

The lines that are commented out are part of the default .yml file.

I'm now using the apache2 proxy with ssl enabled, and everything is working OK.
The ChainBundle2.crt file contains the contents of the ServerCertificate.crt file, followed by an additional certificate.
Permissions: the key file is owned root:root and the other two are wwadmin:wwadmin. But the permissions seem limited, so maybe that's the issue.

Contents of the default-ssl.conf file include:

<VirtualHost _default_:443>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	# Redirect webwork root to webwork2
	<Directory /var/www/>
		RedirectMatch ^/$ /webwork2/
	</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/ServerCertificate.crt
SSLCertificateKeyFile /etc/ssl/webwork-dev.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile /etc/ssl/certs/ChainBundle2.crt
In reply to Sean Fitzpatrick

Re: Using SSL with Hypnotoad in WW 2.18

by Glenn Rice -
Based on your apache2 configuration, and your remark that the ChainBundle2.crt file already contains the contents of the ServerCertificate.crt, I think that you will need to use the ChainBundle2.crt file in the webwork2.mojolicious.yml file for the cert.

Also, both the ChainBundle2.crt and webwork-dev.key file should be owned by the user that the webwork2 app is run as. That shouldn't be wwadmin. It should be www-data if you are on Ubuntu.

In reply to Glenn Rice

Re: Using SSL with Hypnotoad in WW 2.18

by Sean Fitzpatrick -

OK, I got it working. I had to change file permissions, and the right file to use was ServerCertificate.crt, not the chain bundle.

We are using an enterprise certificate right now, but will be switching to CertBot soon. One thing I haven't figured out: what is the document root with hypnotoad? It is no longer /var/www/html. Is it now /opt/webwork/webwork2/htdocs?


In reply to Sean Fitzpatrick

Re: Using SSL with Hypnotoad in WW 2.18

by Glenn Rice -

There is no document root with hypnotoad.  With Mojolicious and hypnotoad or morbo nothing is served except what is coded to be served.  There are several options that we offer.  One is to redirect the root url to some other location on a different server.  Another is to copy /opt/webwork/webwork2/htdocs/index.dist.html to /opt/webwork/webwork2/htdocs/index.html and put whatever content you desire into that file.  If you want more, then the last option is to proxy via apache2 or nginx.  The last option is the only way to have other links outside of those served by the webwork2 app.

In reply to Glenn Rice

Re: Using SSL with Hypnotoad in WW 2.18

by Sean Fitzpatrick -
OK. The reason I ask is that the usual method for getting a certificate from Let's Encrypt using CertBot (if you are not using a common config like Apache or nginx) is to use the --webroot option.
Although it looks like someone has written an ACME client for Mojolicious, so maybe one option is to install Mojo::ACME:
https://blogs.perl.org/users/joel_berger/2016/03/super-easy-ssl-certs-for-mojolicious-apps.html

Otherwise it seems like the process for getting an SSL cert using CertBot would be to install Apache, set up the Apache proxy, get your certificates, and then turn off the proxy. That doesn't seem like the best way. (I don't know if my IT will react well if I put in a request asking for an SSL cert for hypnotoad...)

One other note: using the ServerCertificate file with hypnotoad, I do not pass all SSL checks, since the chain bundle is missing.
But if I try to use the ChainBundle2 file instead, I get a refused connection.

In reply to Sean Fitzpatrick

Re: Using SSL with Hypnotoad in WW 2.18

by Glenn Rice -
I tested the Mojo::ACME package, and it no longer works. It is calling a method in Mojo::Transaction::HTTP that was deprecated in 2018 and removed in Mojolicious version 9.0 which was released in 2021. Webwork requires Mojolicious version 9.2 or newer. I notice that the Mojo::ACME package is not maintained, and has not been updated since 2018.

Note that you can use CertBot without a document root. The webwork2/hypnotoad server has to be stopped. Then run "sudo certbot certonly --standalone". That is much easier than installing and setting up apache2 temporarily to obtain/update certificates.

Note that certificates are not specific to the server you are using. They are only specific to the domain name. So any certificate that works for apache2 will work for hypnotoad and vice versa. If your IT provides certificates, they only need to know the domain name, not what server you are using.

I am rather certain that you need to be using the ChainBundle2.crt file since you are using it in your apache2 configuration. What happens if you modify your apache2 configuration by commenting out the SSLCertificateChainFile line? Does it work, and does the browser show the connection is secure? Alternately, what happens if you change it so that the SSLCertificateFile is the ChainBundle2.crt file? Does that work?

You could also try using
    https://*:443?cert=/etc/ssl/certs/ServerCertificate.crt&key=/etc/ssl/webwork-dev.key&ca=/etc/ssl/certs/ChainBundle2.crt
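
Added example, not code from this thread or from the WeBWorK project, pulling together the checks that Glenn's first and last replies ask for: whether a bundle file is in the order a single cert file needs (server certificate first, then each issuer), whether the key belongs to that certificate, whether the file validates up to a trusted root (the check Sean reports ServerCertificate.crt alone does not pass), and whether the key's permissions let the app user read it without being world-readable. Every certificate is generated locally as a constructed stand-in for ServerCertificate.crt, ChainBundle2.crt and webwork-dev.key; the example domain webwork-dev.example.org, the temporary paths and the function names are this example's own. It assumes openssl and GNU stat (Ubuntu, as in the thread). It does not exercise the ca= listen parameter from the last reply; it covers only the single-file route, in which OpenSSL treats every certificate after the first in the cert file as the chain to send.

```shell
#!/bin/sh
# Added example, not from the WeBWorK thread or project: check whether a
# certificate file is usable as hypnotoad's cert= parameter.  Assumes openssl
# and GNU stat.  All certificates are generated here as a constructed stand-in
# for ServerCertificate.crt / ChainBundle2.crt / webwork-dev.key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:webwork-dev.example.org
EOF

# Constructed test PKI: root CA -> intermediate CA -> server certificate.
make_test_pki() {
  d=$1; c="$d/ext.cnf"
  openssl req -x509 -config "$c" -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
    -days 2 -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -config "$c" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$c" -extensions ca_ext -out "$d/int.crt" 2>/dev/null
  openssl req -config "$c" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=webwork-dev.example.org" -keyout "$d/webwork-dev.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$c" -extensions leaf_ext -out "$d/ServerCertificate.crt" 2>/dev/null
  # Stand-in for the thread's ChainBundle2.crt: server certificate, then its issuer.
  cat "$d/ServerCertificate.crt" "$d/int.crt" > "$d/ChainBundle2.crt"
  # The other order is what "cat chain leaf" produces and is wrong for cert=.
  cat "$d/int.crt" "$d/ServerCertificate.crt" > "$d/reversed.crt"
}

# Write each certificate of a PEM bundle to its own file: cert-1.pem, cert-2.pem, ...
split_bundle() {  # $1 = bundle, $2 = output directory
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
                   n { print > f }' "$1"
}

# Does the private key belong to the first certificate in the file?  A mismatch is
# one way to get a closed connection instead of a TLS handshake.
key_matches_cert() {  # $1 = certificate or bundle (server cert first), $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Is the bundle in the order a cert file needs: server certificate first, then each
# issuer in turn?  Prints "ok" or the first problem found.
chain_order() {  # $1 = bundle
  d=$(mktemp -d "$WORK/split.XXXXXX")
  split_bundle "$1" "$d"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  [ "$n" -gt 0 ] || { echo "no certificates found"; return 0; }
  if openssl x509 -in "$d/cert-1.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo "first certificate is a CA certificate, not the server certificate"; return 0
  fi
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$d/cert-$i.pem" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$d/cert-$((i + 1)).pem" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] ||
      { echo "certificate $((i + 1)) did not issue certificate $i"; return 0; }
    i=$((i + 1))
  done
  echo ok
}

# Does the first certificate validate up to a trusted root using only the rest of
# the same file as intermediates?  This is the check a browser effectively runs.
verify_bundle() {  # $1 = bundle, $2 = trusted root CA file
  d=$(mktemp -d "$WORK/split.XXXXXX")
  split_bundle "$1" "$d"
  openssl verify -CAfile "$2" -untrusted "$1" "$d/cert-1.pem" >/dev/null 2>&1
}

# hypnotoad opens cert and key as the user it runs under (www-data on Ubuntu), so
# that user needs read access, but the key must not be readable by everyone.
owner_of() { stat -c '%U' "$1"; }
world_readable() {  # true if the "others" read bit is set
  case "$(stat -c '%a' "$1")" in *[4567]) return 0 ;; *) return 1 ;; esac
}
yesno() { "$@" >/dev/null 2>&1 && echo yes || echo no; }

make_test_pki "$WORK"
chmod 640 "$WORK/webwork-dev.key"
echo "key matches ServerCertificate.crt:    $(yesno key_matches_cert "$WORK/ServerCertificate.crt" "$WORK/webwork-dev.key")"
echo "ChainBundle2.crt order:               $(chain_order "$WORK/ChainBundle2.crt")"
echo "reversed.crt order:                   $(chain_order "$WORK/reversed.crt")"
echo "ServerCertificate.crt alone verifies: $(yesno verify_bundle "$WORK/ServerCertificate.crt" "$WORK/root.crt")"
echo "ChainBundle2.crt verifies:            $(yesno verify_bundle "$WORK/ChainBundle2.crt" "$WORK/root.crt")"
echo "webwork-dev.key owner: $(owner_of "$WORK/webwork-dev.key"), world-readable: $(yesno world_readable "$WORK/webwork-dev.key")"
```

Run as a normal user; it prints one yes/no line per check, with the server certificate alone failing verification because the intermediate is missing, and the reversed bundle flagged because a CA certificate comes first. Against a real install, point the same functions at /etc/ssl/certs/ChainBundle2.crt and /etc/ssl/webwork-dev.key, and compare owner_of with the user hypnotoad runs as.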