Installation

ssl not working with Hypnotoad for 2.19 on Ubuntu 24.04 virtual server

by Qing Xia -
Number of replies: 5

I just installed WeBWorK 2.19 on an Ubuntu 24.04 virtual server provided by my University IT. I followed the instructions on the wiki and the rest worked except the ssl part.

For the ssl part, I followed:

Set up Hypnotoad to use SSL (Option 1)
The only thing that needs to be done is to tell hypnotoad where the certificates are.  For this edit /opt/webwork/webwork2/conf/webwork2.mojolicious.yml and in the hypnotoad: s>
listen:
 - http://*:8080
to
listen:
 - https://*:443?cert=/etc/ssl/certs/ssl-cert-snakeoil.pem&key=/etc/ssl/private/ssl-cert-snakeoil.key
Make sure that the files are readable by the webwork2 app.

$ sudo chown www-data /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key

Part of yml file:

hypnotoad:
  listen:
    - https://*:443?cert=/etc/ssl/certs/ssl-cert-snakeoil.pem&key=/etc/ssl/private/ssl-cert-snakeoil.key
    #- https://*:443?cert=/etc/ssl/certs/myedu_cert_chain.pem&key=/etc/ssl/private/myedu_key.key
    - http://*:80
    # - http://*:8080-
    # Below is an example of how to use ssl certificates when serving directly via hypnotoad.
    #- https://*:443?cert=/etc/ssl/local/fullchain.pem&key=/etc/ssl/local/privkey.pem
    # Below is an example of how to use ssl certificates when using the docker build.
    #- https://*:8080?cert=/etc/ssl/local/fullchain.pem&key=/etc/ssl/local/privkey.pem
site.conf: https is also used.

Problem:

  • The https version does not work, with info: unexpectedly closed the connection. 
  • The http version is ok. 
  • Played with the self-signed ssl and my institute ssl, but neither worked.
Port 80 and 443/tcp are allowed in the firewall. Where could the problem possibly be? Thank you very much.

In reply to Qing Xia

Re: ssl not working with Hypnotoad for 2.19 on Ubuntu 24.04 virtual server

by Sean Fitzpatrick -

You may need to edit the owner/permissions for the folder where the certificates are stored.

I think the instructions include running CertBot with a post-hook command that does this step.

Apache and Nginx load as root before switching to www-data, so it's fine that the certificate folder is owned by root.

But Hypnotoad doesn't do this, so you need to change settings on that folder.

In reply to Sean Fitzpatrick

Re: ssl not working with Hypnotoad for 2.19 on Ubuntu 24.04 virtual server

by Qing Xia -

Solved. Indeed the permission of the upper directory should be set using chmod 755 *. Thank you both very much.

In reply to Qing Xia

Re: ssl not working with Hypnotoad for 2.19 on Ubuntu 24.04 virtual server

by Andras Balogh -

I might be wrong, but maybe making the private certificate readable by everybody is not a good idea. 

What I did to make it work was: chown www-data private

In reply to Andras Balogh

Re: ssl not working with Hypnotoad for 2.19 on Ubuntu 24.04 virtual server

by Danny Glin -

I don't know best practices either, but it seems to me that having the file owned by the user running the web server might be a bad idea since it would then be writeable by that user, which introduces the possibility of overwriting the certificate from the web (though this would involve finding an exploit in the application that would allow saving to an arbitrary location).

If it is a dedicated WeBWorK server then having the certificate readable by everybody might not be a big deal since the only users on the server are system accounts and administrators.

If you wanted to get strict, I would think that the right approach would be to make the files readable by a group that the user running the web server belongs to.
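
The permission layouts weighed in this thread (key owned by the web user, world-readable key, group-readable key behind a non-traversable directory) can be checked mechanically. The following is an added shell example, not code from any post or from the WeBWorK project; the function names are hypothetical, it assumes GNU `stat` as on Ubuntu, and `ssl-cert` is the group that Debian/Ubuntu's ssl-cert package assigns to `/etc/ssl/private`.

```shell
#!/bin/sh
# Added example: classify who can reach a TLS private key when the server
# (hypnotoad) never runs as root. Helper names are hypothetical.

# bits_for MODE OWNER GROUP USER "USER_GROUPS": print the rwx digit (0-7)
# that applies to USER: owner class, else group class, else "other".
bits_for() {
  _shift=0
  for _g in $5; do
    if [ "$_g" = "$3" ]; then _shift=3; fi
  done
  if [ "$2" = "$4" ]; then _shift=6; fi
  echo $(( (0$1 >> $_shift) & 7 ))
}

# assess KEY_MODE KEY_OWNER KEY_GROUP DIR_MODE DIR_OWNER DIR_GROUP USER "USER_GROUPS"
# Prints space-separated findings, or "ok" for the strict group-readable layout.
assess() {
  _k=$(bits_for "$1" "$2" "$3" "$7" "$8")
  _d=$(bits_for "$4" "$5" "$6" "$7" "$8")
  _out=""
  # Without x on the directory the key is unreachable whatever its own mode is.
  if [ $(( _d & 1 )) -eq 0 ]; then _out="$_out no-traverse"; fi
  if [ $(( _k & 4 )) -eq 0 ]; then _out="$_out no-read"; fi
  # An owner can always rewrite or chmod the file, so the web app could too.
  if [ "$2" = "$7" ]; then _out="$_out key-owned-by-service"; fi
  if [ $(( 0$1 & 4 )) -ne 0 ]; then _out="$_out key-world-readable"; fi
  _out=${_out# }
  echo "${_out:-ok}"
}

# audit_key KEYFILE USER: collect the real values with stat/id and assess them.
# Only the immediate parent directory is checked; directories above it need x too.
audit_key() {
  set -- "$1" "$2" $(stat -c '%a %U %G' -- "$1") \
         $(stat -c '%a %U %G' -- "$(dirname -- "$1")")
  assess "$3" "$4" "$5" "$6" "$7" "$8" "$2" "$(id -nG "$2")"
}

# Example: sh audit.sh /etc/ssl/private/ssl-cert-snakeoil.key www-data
# An "ok" result needs the service user in the key's group, e.g. on Ubuntu:
#   sudo usermod -aG ssl-cert www-data   (then restart hypnotoad)
if [ "$#" -eq 2 ]; then audit_key "$1" "$2"; fi
```
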