SSL Problems

tman247
Champ in-the-making
Pulling my hair out over this one.

Ultimately, we needed to change the internal SSL certificate in Alfresco to a publicly signed one. Getting the cert isn't a problem. Getting Alfresco to use it is. I spent ages using keytool to try and inject the new cert and signing chain, and even though in the end it looked ok, Alfresco just kept using its self-signed one, so I gave up and moved on to the second option.

So, now I want to try and use Apache as a proxy front to Alfresco/Tomcat, and I want to use the standard TCP443, not 8443. Adding a cert to Apache is easy, but as it turns out, getting the correct code into httpd.conf isn't. There are a few guides kicking around, all say something different and no two bits of information are the same, so I have to cobble together what I can from different sites. I'm not sure if this is correct, but it doesn't seem to be working. I can get Apache listening on 443, but there's no hand off taking place to Tomcat as far as I can tell. Connecting to the Alfresco server on 443 just shows the Apache landing page.

Some details if someone can shed any light on this:

O/S: CentOS 6.3 x64
Alfresco: 4.2d installed in /data/alfresco-4.2.d
Apache: 2.2.15

I've modified server.xml so it includes the necessary AJP entries. That doesn't seem to be the problem.


httpd.conf is configured to load all the necessary proxy modules, and the jk_module. I've added this code to httpd.conf:

NameVirtualHost *
<VirtualHost *>
        ServerName myserver.yyy.co.uk

        ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/
        <Location />
                Order allow,deny
                Allow from all
        </Location>
</VirtualHost>

JkMount /samples/* worker1
JkMount /alfresco/* worker1
JkMount /share/* worker1

# Tomcat Integration settings
JkWorkersFile conf/workers.properties
JkLogFile logs/mod_jk.log
JkShmFile logs/mod_jk.shm
JkLoglevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

In CentOS, the SSL tags are loaded via ssl.conf, but I could possibly add them straight to httpd.conf if necessary, though I was hoping not to have to. Some of the docs show the SSL commands embedded in the 'Virtual Host' sections.

CentOS httpd uses the 'apache' account, and this normally has access to DocumentRoot, but I did notice that there are errors in the /var/log/httpd/ssl_error.log which say "Directory index forbidden by Options directive: /var/www/html/", but should the DocumentRoot now be the same as the Alfresco doc root or not? I think not.

Anyhow, when I try to connect to https://myalfrescoserver/share, I just get a browser message; "The requested URL /share was not found on this server."

Anyone have any idea what I might be missing?

Thanks



eswbitto
Confirmed Champ
I may or may not get a double post here. I originally sent a link, but it didn't show up so I'm doing it again.

https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/installation-upgra...

I think your issue is on your virtual hosts in the httpd.conf you are not pointing to your certificates.

Edit by AFaust: Previous/double post removed.

rjohnson
Star Contributor
We use the approach you mention on several installations. I have an installation guide (more notes to self really, as I don't do it that often) but it's a PDF. Send me a private message with your email address and I will email it to you.

tman247
Champ in-the-making
Really appreciate the link. I'll work through that next week.

I had actually gone back to see if I can get Alfresco working with a different SSL cert using the native Tomcat settings. My god, I can only say it's painful. I've tried absolutely everything I can think of, but no matter what I try, Alfresco continues to use its own internal self-signed certificate. Even hard-coding the new keystores I created into server.xml doesn't work. The log file (catalina.out) just keeps telling me "unable to find valid certification path to requested target". I double checked everything as well. Frustrating or what. All I want to do is switch to a new cert and (ideally) get back on the standard SSL port.

Oh well, back to looking at Apache+Alfresco again then!

tman247
Champ in-the-making
I've been spending some more time looking at the integration with Apache. I've followed the guide in the link (we don't use the SharePoint functionality, so I skipped that part). After much trial and error, I'm almost there, but not quite. I've added the following block of code to httpd.conf:


<VirtualHost *:443>

  ServerName collab2

  SSLEngine on
  SSLCertificateKeyFile /etc/httpd/ssl/collab2-private.key
  SSLCertificateFile /etc/httpd/ssl/collab2.crt
  SSLCACertificateFile /etc/httpd/ssl/certchain.crt
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLProtocol all -SSLv2
  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  #ProxyPass /paste http://localhost/paste/
  #ProxyPassReverse /paste http://localhost/paste/

  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://collab2:8080/
  ProxyPassReverse / http://collab2:8080/

  ProxyTimeout 300
  SSLProxyEngine on

  <Proxy *>

  allow from all

  </Proxy>

</VirtualHost>


With this, I can get the Alfresco logon page up using Apache (https://collab2/share). I've verified the correct cert is being used now, but after entering logon credentials, I just get the following message:

<blockquote>
A server error has occurred.

There are a number of reasons why this could have happened:

    You have attempted to access a page that does not exist - check the URL in the address bar.
    You have attempted to access a page that is not accessible to you, such as a private Site dashboard.
    A valid page has been requested but the server was unable to render it due to an internal error - contact your administrator.


Return to your dashboard page


Alfresco Software Inc. © 2005-2015 All rights reserved.
</blockquote>

I don't know exactly where the problem could be. The Apache ssl_access_log doesn't show any errors. Is something not being proxied properly still? Any ideas welcome.
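As an added example (not from the post above and not Alfresco's or Apache's own code), the following Python script parses a vhost block like the one posted and reports what a reviewer checks before trusting a TLS-terminating reverse proxy: that it listens on 443 with SSLEngine on, where it proxies to, whether X-Forwarded-Proto is set, which weak cipher keywords the SSLCipherSuite string still enables, which legacy protocols SSLProtocol leaves on, and whether the intermediate chain is supplied via SSLCertificateChainFile (in httpd 2.2 that is the directive for the chain sent to clients; SSLCACertificateFile is the trust store used for client-certificate verification). The sample input is the block from the post; the expansion of `SSLProtocol all` to SSLv2/SSLv3/TLSv1 and the list of weak keywords are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the directives of the <VirtualHost *:443> block posted above.
SAMPLE_VHOST = """\
<VirtualHost *:443>
  ServerName collab2
  SSLEngine on
  SSLCertificateKeyFile /etc/httpd/ssl/collab2-private.key
  SSLCertificateFile /etc/httpd/ssl/collab2.crt
  SSLCACertificateFile /etc/httpd/ssl/certchain.crt
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLProtocol all -SSLv2
  #ProxyPass /paste http://localhost/paste/
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://collab2:8080/
  ProxyPassReverse / http://collab2:8080/
  ProxyTimeout 300
  SSLProxyEngine on
  <Proxy *>
  allow from all
  </Proxy>
</VirtualHost>
"""

# Assumption: a short list of cipher-string keywords that select ciphers a TLS endpoint should
# not offer any more (a real lint would expand the string with `openssl ciphers -v`).
WEAK_CIPHER_KEYWORDS = {"RC4", "LOW", "EXPORT", "ADH", "aNULL", "eNULL", "NULL", "DES", "MD5"}
# Assumption: what `SSLProtocol all` expands to on an httpd 2.2.15 build (newer builds add TLSv1.1/1.2).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_vhost(text):
    """Return (address, directives) for one <VirtualHost> block.
    directives maps lower-cased directive name -> list of argument strings, in order;
    comment lines and container tags such as <Proxy *> are skipped."""
    address, directives = None, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if m:
            address = m.group(1).strip()
            continue
        if line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
    return address, directives


def enabled_cipher_tokens(cipher_string):
    """Tokens that add ciphers: '!x' removes x for good, '-x' removes x, '+x' only reorders
    (so x stays enabled); everything else enables what it names."""
    return [t.lstrip("+") for t in cipher_string.split(":") if not t.startswith(("!", "-"))]


def enabled_protocols(protocol_args):
    """Apply the SSLProtocol grammar: bare names and '+name' add, '-name' removes, 'all' adds the set."""
    enabled = set()
    for tok in protocol_args.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit_vhost(text):
    """Summarise what a reviewer checks on a TLS-terminating reverse-proxy vhost."""
    address, d = parse_vhost(text)
    weak = set()
    for tok in enabled_cipher_tokens(d["sslciphersuite"][0] if d["sslciphersuite"] else ""):
        # 'RC4+RSA' means ciphers using RC4 AND RSA; a weak keyword inside the conjunction still enables them
        weak |= set(tok.split("+")) & WEAK_CIPHER_KEYWORDS
    protocols = enabled_protocols(d["sslprotocol"][0]) if d["sslprotocol"] else set(ALL_PROTOCOLS)
    return {
        "listens_on_443": bool(address) and address.endswith(":443"),
        "ssl_engine_on": [a.lower() for a in d["sslengine"]][:1] == ["on"],
        "has_cert_and_key": bool(d["sslcertificatefile"]) and bool(d["sslcertificatekeyfile"]),
        # httpd 2.2 sends intermediates from SSLCertificateChainFile; SSLCACertificateFile is for client-cert auth
        "server_chain_file_set": bool(d["sslcertificatechainfile"]),
        "proxy_targets": [a.split()[1] for a in d["proxypass"] if len(a.split()) > 1],
        "forwarded_proto_set": any(re.match(r'set\s+X-Forwarded-Proto\s+"?https"?', a, re.I) for a in d["requestheader"]),
        "weak_cipher_keywords": weak,
        "legacy_protocols_enabled": protocols & LEGACY_PROTOCOLS,
    }


if __name__ == "__main__":
    for key, value in audit_vhost(SAMPLE_VHOST).items():
        print(f"{key:26} {value}")
```

Run against the posted block it reports RC4 and LOW still enabled by the cipher string, SSLv3 still on, and no SSLCertificateChainFile; replacing the two SSL lines with `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` clears both findings.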

eswbitto
Confirmed Champ
I would upgrade to Alfresco 4.2.f
If you have a firewall on your centos turn it off and see if that could be the issue.

The error that you get usually means that Alfresco hasn't really started. The sure fire way to know is to actually go to https://collab2/alfresco and see if you can use the old interface.


Edit:
I'm wondering if you have your share-config-custom.xml set up or not. Here is a copy of what I have. I've edited it to put in "FQDN", so search for that in the document and replace it with your own FQDN.

/alfinstall/tomcat/shared/classes/alfresco/web-extension
<alfresco-config>

   <!-- Example config to turn off the CSRF filter
   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
      <filter/>
   </config>-->
  
   <!-- Configuration for Apache reverse proxy on localhost:8089 -->
   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">

      <!--
         Will be used and exposed to the client side code in Alfresco.constants.CSRF_POLICY.
         Use the Alfresco.util.CSRFPolicy.getHeader() or Alfresco.util.CSRFPolicy.getParameter() with Alfresco.util.CSRFPolicy.getToken()
         to set the token in custom 3rd party code.
       -->
      <client>
         <cookie>Alfresco-CSRFToken</cookie>
         <header>Alfresco-CSRFToken</header>
         <parameter>Alfresco-CSRFToken</parameter>
      </client>

      <!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
      <filter>
         <!--
            Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
            the Surf WebScript console code can't be dependent on a Share specific filter.
         -->
         <rule>
            <request>
               <method>POST</method>
               <path>^\/page\/caches\/dependency\/clear|^\/page\/index|^\/page\/surfBugStatus|^\/page\/modules\/deploy|^\/page\/modules\/module|^\/page\/api\/javascript\/debugger</path>
            </request>
            <action name="assertReferer">
               <param name="always">false</param>
               <param name="referer">https://FQDN.ca/.*</param>
            </action>
            <action name="assertOrigin">
               <param name="always">false</param>
               <param name="origin">https://FQDN</param>
            </action>
         </rule>

         <!-- Certain Share POST requests do NOT require a token -->
         <rule>
            <request>
               <method>POST</method>
               <path>^/page/dologin.*|^\/page/site\/[^\/]+\/start-workflow|^\/page/start-workflow</path>
            </request>
            <action name="assertReferer">
               <param name="always">false</param>
               <param name="referer">https://FQDN/.*</param>
            </action>
            <action name="assertOrigin">
               <param name="always">false</param>
               <param name="origin">https://FQDN</param>
            </action>
         </rule>

         <!-- Clear the token when logging out -->
         <rule>
            <request>
               <method>GET</method>
               <path>^/page/dologout.*</path>
            </request>
            <action name="clearToken">
               <param name="session">Alfresco-CSRFToken</param>
               <param name="cookie">Alfresco-CSRFToken</param>
            </action>
         </rule>

         <!-- Make sure the first token is generated -->
         <rule>
            <request>
               <session>
                  <attribute name="_alf_USER_ID">.*</attribute>
                  <attribute name="Alfresco-CSRFToken"/>
                  <!-- empty attribute element indicates null -->
               </session>
            </request>
            <action name="generateToken">
               <param name="session">Alfresco-CSRFToken</param>
               <param name="cookie">Alfresco-CSRFToken</param>
            </action>
         </rule>

         <!-- Refresh token on new "page" visit when a user is logged in -->
         <rule>
            <request>
               <method>GET</method>
               <path>^/page/.*</path>
               <session>
                  <attribute name="_alf_USER_ID">.*</attribute>
                  <attribute name="Alfresco-CSRFToken">.*</attribute>
               </session>
            </request>
            <action name="generateToken">
               <param name="session">Alfresco-CSRFToken</param>
               <param name="cookie">Alfresco-CSRFToken</param>
            </action>
         </rule>

         <!-- Verify multipart requests contain the token as a parameter and also correct referer & origin headers if available -->
         <rule>
            <request>
               <method>POST</method>
               <header name="Content-Type">^multipart/.*</header>
               <session>
                  <attribute name="_alf_USER_ID">.*</attribute>
               </session>
            </request>
            <action name="assertToken">
               <param name="session">Alfresco-CSRFToken</param>
               <param name="parameter">Alfresco-CSRFToken</param>
            </action>
            <action name="assertReferer">
               <param name="always">false</param>
               <param name="referer">https://FQDN/.*</param>
            </action>
            <action name="assertOrigin">
               <param name="always">false</param>
               <param name="origin">https://FQDN</param>
            </action>
         </rule>

         <!--
            Verify there is a token in the header for remaining state changing requests and also correct
            referer & origin headers if available. We "catch" all content types, since restricting this rule to
            "application/json.*" would let a webscript that doesn't require a json request body be executed
            successfully with e.g. "text/plain".
         -->
         <rule>
            <request>
               <method>POST|PUT|DELETE</method>
               <session>
                  <attribute name="_alf_USER_ID">.*</attribute>
               </session>
            </request>
            <action name="assertToken">
               <param name="session">Alfresco-CSRFToken</param>
               <param name="header">Alfresco-CSRFToken</param>
            </action>
            <action name="assertReferer">
               <param name="always">false</param>
               <param name="referer">FQDN/.*</param>
            </action>
            <action name="assertOrigin">
               <param name="always">false</param>
               <param name="origin">https://FQDN.ca</param>
            </action>

         </rule>
      </filter>
   </config>
  
</alfresco-config>
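As an added example (not from the post above and not Alfresco's own code), here is the check logic those rules describe, written in Python so it can be run against constructed requests: assertReferer and assertOrigin with always=false pass when the header is absent and otherwise require a match; assertToken compares the token the client presents with the one held in the session; generateToken mints a token into both session and cookie; and the final catch-all rule runs assertToken, assertReferer and assertOrigin in that order for a logged-in user's POST/PUT/DELETE. The hostname collab2.example stands in for FQDN, and treating the origin value as a literal comparison (the referer value is clearly a regex) is an assumption.

```python
import re
import secrets

# Constructed stand-in for the FQDN placeholder in the XML above.
FQDN = "collab2.example"

# The referer/origin parameters as they appear in the posted config, with FQDN substituted.
REFERER_PATTERN = rf"https://{re.escape(FQDN)}/.*"   # the <referer> value is a regex
EXPECTED_ORIGIN = f"https://{FQDN}"                   # the <origin> value, modelled as a literal (assumption)
TOKEN_NAME = "Alfresco-CSRFToken"
USER_KEY = "_alf_USER_ID"


def assert_referer(headers, always=False, pattern=REFERER_PATTERN):
    """assertReferer: with always=false a missing Referer passes; a present one must match the regex."""
    ref = headers.get("Referer")
    if ref is None:
        return not always
    return re.fullmatch(pattern, ref) is not None


def assert_origin(headers, always=False, expected=EXPECTED_ORIGIN):
    """assertOrigin: same shape as assertReferer, but the Origin header is compared whole."""
    origin = headers.get("Origin")
    if origin is None:
        return not always
    return origin == expected


def generate_token(session, cookies):
    """generateToken: mint a fresh token and store it in both the session and the cookie."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_NAME] = token
    cookies[TOKEN_NAME] = token
    return token


def assert_token(session, presented):
    """assertToken: the token the client presents (header or multipart parameter) must equal the session's."""
    expected = session.get(TOKEN_NAME)
    return expected is not None and presented is not None and secrets.compare_digest(expected, presented)


def check_login_post(headers, always=False):
    """The /page/dologin rule: no token yet, but referer and origin are still checked when present."""
    if not assert_referer(headers, always):
        return "assertReferer"
    if not assert_origin(headers, always):
        return "assertOrigin"
    return None


def evaluate_state_change(session, headers, presented_token, always=False):
    """The final catch-all rule: POST/PUT/DELETE by a logged-in user needs token, referer and origin checks.
    Returns the name of the first failing action, or None when the request is accepted."""
    if USER_KEY not in session:
        return None  # the rule's <session> condition does not match an anonymous session
    if not assert_token(session, presented_token):
        return "assertToken"
    if not assert_referer(headers, always):
        return "assertReferer"
    if not assert_origin(headers, always):
        return "assertOrigin"
    return None


if __name__ == "__main__":
    session, cookies = {USER_KEY: "admin"}, {}
    token = generate_token(session, cookies)
    via_proxy = {"Referer": f"https://{FQDN}/share/page/", "Origin": f"https://{FQDN}"}
    direct = {"Referer": f"http://{FQDN}:8080/share/page/", "Origin": f"http://{FQDN}:8080"}
    print("via proxy:", evaluate_state_change(session, via_proxy, token))
    print("direct to tomcat:", evaluate_state_change(session, direct, token))
```

The two sample requests show why the referer and origin values in the file have to name the address users actually type: a request that reached the backend on http://FQDN:8080 is rejected by assertReferer, while one that came through the https proxy passes, and a wrong or missing token is caught before either header check.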
