Koozali.org: home of the SME Server

[NEW HOWTO] Rocket.Chat

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #60 on: May 06, 2016, 02:57:48 PM »
@ReetP

I'm not sure what's going on with your setup (or mine, for that matter), but I was able to get an LE cert, using your RPM, after setting up the proxy.

Dan, I just setup a fresh Rocket, then converted to https.

In Firefox it seems fine with a green padlock and seems happy with a cert from reetspetit.info , but Chrome (and the mobile apps which are Chrome based) refuse to connect with an untrusted cert warning. They seem to want chat.reetspetit.info

I then decided to get a new cert for the chat.reetspetit.info domain and that failed :

ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://chat.reetspetit.info/.well-known/acme-challenge/wlq0-2LB6zE4OFjDTsKIv1YyzEucxcv0QhjMr9tD5Cc [212.83.164.73]: 403"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/wspQmnDgEj67loPwElX78KFtSFfUBjhwD5nvBZlMc68/75050731","token":"wlq0-2LB6zE4OFjDTsKIv1YyzEucxcv0QhjMr9tD5Cc","keyAuthorization":"wlq0-2LB6zE4OFjDTsKIv1YyzEucxcv0QhjMr9tD5Cc._IYt1sNfNVNxGFTcIFNdJOP9E8mKxnAdY8DKER_1h1M","validationRecord":[{"url":"http://chat.reetspetit.info/.well-known/acme-challenge/wlq0-2LB6zE4OFjDTsKIv1YyzEucxcv0QhjMr9tD5Cc","hostname":"chat.reetspetit.info","port":"80","addressesResolved":["212.83.164.73"],"addressUsed":"212.83.164.73"}]})

httpd error_log

[error] [client 66.133.109.36] access to /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/wlq0-2LB6zE4OFjDTsKIv1YyzEucxcv0QhjMr9tD5Cc failed, reason: SSL connection required

Clearly there is still something not quite right. I'm not sure how I can get chat.reetspetit.info to access the .well-know directory.

Any bright ideas ?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, la sécurité des réseaux
Re: [NEW HOWTO] Rocket.Chat
« Reply #61 on: May 06, 2016, 03:09:25 PM »
[error] [client 66.133.109.36] access to /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/wlq0-2LB6zE4OFjDTsKIv1YyzEucxcv0QhjMr9tD5Cc failed, reason: SSL connection required

Your Primary ibay is set to require SSL on, without a transparent redirection. So Letsencrypt servers tries to verify your challenge, but can't get it. You should allow plain http access to the Primary ibay (or at least send a 301 redirect to the HTTPS equivalent, but there's no real point in having ACME challenges sent over HTTPS, as your certificate won't be validated by Letsencrypt servers). Why would this only affect chat.reetspetit.info is a mystery.
C'est la fin du monde !!! :lol:

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #62 on: May 06, 2016, 03:32:07 PM »
Your Primary ibay is set to require SSL on, without a transparent redirection. So Letsencrypt servers tries to verify your challenge, but can't get it. You should allow plain http access to the Primary ibay (or at least send a 301 redirect to the HTTPS equivalent, but there's no real point in having ACME challenges sent over HTTPS, as your certificate won't be validated by Letsencrypt servers). Why would this only affect chat.reetspetit.info is a mystery.

Thanks Daniel. I'll do that as it matters not on this particular box, though it may be an issue if someone wants everything https

Just disabled SSL

db accounts setprop Primary SSL disabled
signal-event ibay-modify

Then ran letsencrypt and it worked OK

Just wondering whether we could use say an .htaccess file in there to divert any normal request to https but let requests to .well-known go through as http ?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, la sécurité des réseaux
Re: [NEW HOWTO] Rocket.Chat
« Reply #63 on: May 06, 2016, 03:41:54 PM »
Just wondering whether we could use say an .htaccess file in there to divert any normal request to https but let requests to .well-known go through as http ?

In smeserver-webapps-common when a domain is set to be SSL only, I add this:

Code: [Select]
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
    RewriteRule ^/(.*|$) https://%{HTTP_HOST}/$1 [L,R]

This way, all requests using plain HTTP are redirected to their HTTPS equivalent, except for ACME challenges. To have the same working on the Primary domain would require a small template addition
C'est la fin du monde !!! :lol:

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #64 on: May 06, 2016, 04:24:36 PM »
In smeserver-webapps-common when a domain is set to be SSL only, I add this:

Code: [Select]
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
    RewriteRule ^/(.*|$) https://%{HTTP_HOST}/$1 [L,R]

This way, all requests using plain HTTP are redirected to their HTTPS equivalent, except for ACME challenges. To have the same working on the Primary domain would require a small template addition

Yes for this I am using your contrib. Would be a nice addition :-)

Oddly on my other boxes with SSL set to enabled letsencrypt does not seem to have a problem, so there is something weird going on ! I did wonder if it was that the domain had no default Content set but I tried to add Primary and it still tries to jump to https and rocketchat and then just hangs there.

http://test.reetspetit.info/.well-known/acme-challenge/ - you can see the directory
http://chat.reetspetit.info/.well-known/acme-challenge/ - tries to connect to Rocket and hangs

:confused.com:
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #65 on: May 06, 2016, 04:27:34 PM »
Another issue...

Just trying to figure out how to get over this error

WebSocket connection to 'wss://chat.reetspetit.info/sockjs/929/yy5rc90p/websocket' failed: Error during WebSocket handshake: Unexpected response code: 400

I then added the wss2 line and that seemed to clear the error - I could add a template fragment for this in the RocketChat contrib

    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass /wss2/ wss://localhost:3000/
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/

Issue reported all over the place - here is a solution using nginx

https://forums.meteor.com/t/how-do-you-fix-websocket-error/2827/7

Video/Audio still not working properly - sometimes it does, and sometimes not, sometimes a call will go one way but not another. All a bit hit and miss !
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, la sécurité des réseaux
Re: [NEW HOWTO] Rocket.Chat
« Reply #66 on: May 06, 2016, 04:31:33 PM »
Apache on SME9 has no support for WebSocket proxypass, so:

Code: [Select]
ProxyPass /wss2/ wss://

Won't work. I guess the JS client lib has some fallback mechanism when WS isn't available (using HTTP and tricks like polling). At least, Socket.IO has this. Don't know what Rocket is using.
C'est la fin du monde !!! :lol:

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #67 on: May 06, 2016, 05:07:41 PM »
W
Apache on SME9 has no support for WebSocket proxypass, so:

Code: [Select]
ProxyPass /wss2/ wss://

Won't work. I guess the JS client lib has some fallback mechanism when WS isn't available (using HTTP and tricks like polling). At least, Socket.IO has this. Don't know what Rocket is using.

Odd as the only way I could get rid of the error was as above..... I read that apache 2.4 on CentOS 6 seems to handle this ?

e.g. https://www.softwareab.net/wordpress/websockets-centos-6-apache-2-4/
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, la sécurité des réseaux
Re: [NEW HOWTO] Rocket.Chat
« Reply #68 on: May 06, 2016, 05:20:08 PM »
Apache 2.4 from SCL should support it, but stock apache on SME9 is 2.2
C'est la fin du monde !!! :lol:

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #69 on: May 06, 2016, 05:30:41 PM »
Apache 2.4 from SCL should support it, but stock apache on SME9 is 2.2

Not sure if I have an SCL upgrade on this v9 box but I get

[root@test conf]# rpm -qa |grep apache
e-smith-apache-2.4.0-15.el6.sme.noarch

root@test conf]# rpm -qi e-smith-apache-2.4.0-15.el6.sme.noarch
Name        : e-smith-apache               Relocations: (not relocatable)
Version     : 2.4.0                             Vendor: Contribs.org <http://contribs.org>
Release     : 15.el6.sme                    Build Date: Sat 23 Jan 2016 06:23:56 PM CET
Install Date: Tue 15 Mar 2016 10:51:54 AM CET      Build Host: builder.koozali.org
Group       : Networking/Daemons            Source RPM: e-smith-apache-2.4.0-15.el6.sme.src.rpm
Size        : 49944                            License: GPL
Signature   : DSA/SHA1, Sat 23 Jan 2016 06:45:04 PM CET, Key ID 3d7205081e9c9308
Packager    : Contribs.org <http://contribs.org>
Summary     : e-smith server and gateway - apache module
Description :
e-smith server and gateway software - apache module.

So I think it is 2.4 ?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, la sécurité des réseaux
Re: [NEW HOWTO] Rocket.Chat
« Reply #70 on: May 06, 2016, 05:48:21 PM »
Nop. This is the version for the smeserver integration package. To get the engine version, use rpm -q httpd
C'est la fin du monde !!! :lol:

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #71 on: May 06, 2016, 05:58:20 PM »
Nop. This is the version for the smeserver integration package. To get the engine version, use rpm -q httpd

[root@test ~]# rpm -q httpd
httpd-2.2.15-47.el6.centos.4.x86_64

Odd as the errors stopped after I added it. Hmmmm... maybe this is part of the issue with the video/audio then
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #72 on: May 06, 2016, 06:35:50 PM »
Actually tried it again and sometimes you see them on login but not thereafter. Hmmmmm
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,323
  • +5/-0
Re: [NEW HOWTO] Rocket.Chat
« Reply #73 on: May 07, 2016, 10:20:11 AM »
Apache on SME9 has no support for WebSocket proxypass, so:

Code: [Select]
ProxyPass /wss2/ wss://

Won't work. I guess the JS client lib has some fallback mechanism when WS isn't available (using HTTP and tricks like polling). At least, Socket.IO has this. Don't know what Rocket is using.

Just for ref when looking at this I saw

https://github.com/socketio/socket.io/issues/1696

Comment from Toub that he got it running for socket.io on 2.22 so a possible solution there but way beyong my skillset
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,699
  • +0/-0
    • Firewall Services, la sécurité des réseaux
Re: [NEW HOWTO] Rocket.Chat
« Reply #74 on: May 07, 2016, 10:30:55 AM »
I have a compiled mod_proxy_wstunnel for el6 in my repo, but I haven't tested it at all (yet)
C'est la fin du monde !!! :lol: