On Tue, 30 Nov 2021 22:31:11 +0100
Łukasz Moskała <[email protected]> wrote:

> On 30.11.2021 at 16:07, Radek wrote:
> > On Tue, 30 Nov 2021 10:04:30 +0100
> > Łukasz Moskała <[email protected]> wrote:
> > 
> >>
> >>
> >> On 30 November 2021 09:45:15 CET, Radek <[email protected]> wrote:
> >>> On Mon, 29 Nov 2021 11:19:28 +0100
> >>> Łukasz Moskała <[email protected]> wrote:
> >>>
> >>>> On 28.11.2021 at 18:07, Radek wrote:
> >>>>> Hello,
> >>>>> following the official guide [1] and a few other websites I finally 
> >>>>> installed my first Ruby on Rails/Puma web app...  and it passed the 
> >>>>> local test by curl (bundle exec rails server webrick -e production) - 
> >>>>> relayd wasn't configured yet.
> >>>>>
> >>>>> Then, I ran my app with puma server. I can't figure out how to make it 
> >>>>> work with FQDN and LetsEncrypt cert.
> >>>>> My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
> >>>>>
> >>>>> I started with simple httpd configuration to get certs with acme-client 
> >>>>> and then https://redmine.MY.DOMAIN.COM showed my testing index.html 
> >>>>> properly.
> >>>>> Now /etc/httpd.conf has changed but I assume my certs are still OK.
> >>>>>
> >>>>> Remote firefox is giving me a "Redirect Loop" error when trying to 
> >>>>> access https://redmine.MY.DOMAIN.COM
> >>>>>
> >>>>> Could someone please shed some light on this puzzle?
> >>>>>
> >>>>> 1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
> >>>>> 2. https://github.com/basicfeatures/openbsd-rails
> >>>>> 3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
> >>>>>
> >>>>> $ openssl s_client -connect redmine.MY.DOMAIN.COM:443
> >>>>> CONNECTED(00000003)
> >>>>> depth=0 CN = redmine.MY.DOMAIN.COM
> >>>>> verify error:num=20:unable to get local issuer certificate
> >>>>> verify return:1
> >>>>> depth=0 CN = redmine.MY.DOMAIN.COM
> >>>>> verify error:num=21:unable to verify the first certificate
> >>>>> verify return:1
> >>>>> write W BLOCK
> >>>>> ---
> >>>>> Certificate chain
> >>>>>    0 s:/CN=redmine.MY.DOMAIN.COM
> >>>>>      i:/C=US/O=Let's Encrypt/CN=R3
> >>>>> ---
> >>>>> Server certificate
> >>>>> -----BEGIN CERTIFICATE-----
> >>>>> [...]
> >>>>> -----END CERTIFICATE-----
> >>>>> subject=/CN=redmine.MY.DOMAIN.COM
> >>>>> issuer=/C=US/O=Let's Encrypt/CN=R3
> >>>>> ---
> >>>>> No client certificate CA names sent
> >>>>> Server Temp Key: ECDH, X25519, 253 bits
> >>>>> ---
> >>>>> SSL handshake has read 2403 bytes and written 367 bytes
> >>>>> ---
> >>>>> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
> >>>>> Server public key is 4096 bit
> >>>>> Secure Renegotiation IS NOT supported
> >>>>> Compression: NONE
> >>>>> Expansion: NONE
> >>>>> No ALPN negotiated
> >>>>> SSL-Session:
> >>>>>       Protocol  : TLSv1.3
> >>>>>       Cipher    : AEAD-AES256-GCM-SHA384
> >>>>>       Session-ID:
> >>>>>       Session-ID-ctx:
> >>>>>       Master-Key:
> >>>>>       Start Time: 1638116582
> >>>>>       Timeout   : 7200 (sec)
> >>>>>       Verify return code: 21 (unable to verify the first certificate)
> >>>>> ---
> >>>>>
> >>>>>
> >>>>> [redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file config/puma.rb start
> >>>>> Puma starting in single mode...
> >>>>> * Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
> >>>>> *  Min threads: 0
> >>>>> *  Max threads: 5
> >>>>> *  Environment: production
> >>>>> *          PID: 85983
> >>>>> * Listening on ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
> >>>>> * Listening on http://127.0.0.1:3001
> >>>>> Use Ctrl-C to stop
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> # /home/redminepk/redminepk/config/puma.rb
> >>>>> #!/usr/bin/env puma
> >>>>> app = "redminepk"
> >>>>> ssl_bind "127.0.0.1", "3000", {
> >>>>>     key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
> >>>>>     cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
> >>>>> }
> >>>>> bind "tcp://127.0.0.1:3001"
> >>>>> pidfile "/home/#{app}/#{app}/tmp/puma.pid"
> >>>>> state_path "/home/#{app}/#{app}/tmp/puma.state"
> >>>>> stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", "/home/#{app}/#{app}/log/puma_errors.log"
> >>>>> environment "production"
> >>>>>
> >>>>>
> >>>>> # /home/redminepk/redminepk/config/environments/production.rb
> >>>>>      Rails.application.configure do
> >>>>>      config.cache_classes = true
> >>>>>      config.eager_load = true
> >>>>>      config.consider_all_requests_local = false
> >>>>>      config.action_controller.perform_caching = true
> >>>>>      config.action_mailer.raise_delivery_errors = false
> >>>>>      config.action_mailer.logger = nil
> >>>>>      config.active_support.deprecation = :log
> >>>>>      config.force_ssl = true
> >>>>> end
> >>>>>
> >>>>>
> >>>>>
> >>>>> # /etc/httpd.conf
> >>>>> ext_if="vmx0"
> >>>>> types { include "/usr/share/misc/mime.types" }
> >>>>> server "redmine.MY.DOMAIN.COM" {
> >>>>>           listen on $ext_if port 80
> >>>>>           location "/.well-known/acme-challenge/*" {
> >>>>>           root "/acme"
> >>>>>           request strip 2
> >>>>>           }
> >>>>>           location "*" {
> >>>>>           block return 302 "https://$HTTP_HOST$REQUEST_URI";
> >>>>>           }
> >>>>> }
> >>>>>
> >>>>>
> >>>>> # /etc/relayd.conf
> >>>>> egress="A.B.C.D"
> >>>>> table <redminepk> { 127.0.0.1 }
> >>>>> redminepk_port="3001"
> >>>>> table <httpd> { 127.0.0.1 }
> >>>>> httpd_port="80"
> >>>>> http protocol "http" {
> >>>>>     match request header set "Connection" value "close"
> >>>>>     match response header remove "Server"
> >>>>> }
> >>>>> http protocol "https" {
> >>>>>     pass request header "Host" value "redmine.MY.DOMAIN.COM" forward to <redminepk>
> >>>>>     tls keypair "redmine.MY.DOMAIN.COM"
> >>>>>     # Preserve address headers
> >>>>>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> >>>>>     match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
> >>>>>     match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
> >>>>>     match request header set "Connection" value "close"
> >>>>>     match response header remove "Server"
> >>>>> }
> >>>>> relay "http" {
> >>>>>     listen on $egress port http
> >>>>>     protocol "http"
> >>>>>     forward to <httpd> port $httpd_port
> >>>>> }
> >>>>> relay "https" {
> >>>>>     listen on $egress port https tls
> >>>>>     protocol "https"
> >>>>>     forward to <httpd> port $httpd_port
> >>>>>     forward to <redminepk> port $redminepk_port
> >>>>> }
> >>>>>
> >>>>> $ grep relayd /etc/pf.conf
> >>>>> # Allow relayd(8) redirects
> >>>>> anchor "relayd/*"
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Fri, 12 Nov 2021 20:35:45 +0100
> >>>>> Radek <[email protected]> wrote:
> >>>>>
> >>>>>> Hello Werner,
> >>>>>> thank you for your installation details. I'll give it a try in a few 
> >>>>>> days.
> >>>>>>
> >>>>>> On Thu, 11 Nov 2021 23:57:02 +0800
> >>>>>> Werner Boninsegna <[email protected]> wrote:
> >>>>>>
> >>>>>>> Hello Radek,
> >>>>>>>
> >>>>>>> I am running Redmine on OpenBSD 6.8 and I just followed the 
> >>>>>>> installation
> >>>>>>> instructions posted on the Redmine page which are quite complete:
> >>>>>>>
> >>>>>>> https://www.redmine.org/projects/redmine/wiki/Installation_Guide
> >>>>>>>
> >>>>>>> I installed Postgres and Ruby+Dependencies from the OpenBSD packages.
> >>>>>>>
> >>>>>>> Werner
> >>>>>>>
> >>>>>>> On 11/10/21 00:56, Radek wrote:
> >>>>>>>
> >>>>>>>     Hi @misc,
> >>>>>>>     Does anyone successfully run redmine[1] on OpenBSD?
> >>>>>>>     I'd like to install redmine on 7.0/amd64 with httpd and 
> >>>>>>> postgresql. I've never done it before so any advices and hints would 
> >>>>>>> be appreciated.
> >>>>>>>     There isn't much up to date info in google about it[2][3].
> >>>>>>>     
> >>>>>>>     1. https://www.redmine.org/
> >>>>>>>     2. https://www.redmine.org/boards/2/topics/496
> >>>>>>>     3. https://web.archive.org/web/20160406041905/http://www.iwebdev.it/blog/?p=229
> >>>>>>>     Thank you!
> >>>>>>
> >>>>>>
> >>>>>> -- 
> >>>>>> Radek
> >>>>>>
> >>>>>
> >>>>>
> >>>> Hi,
> >>>> I have never used relayd (only haproxy), so some things that I say may
> >>>> be wrong. Sorry about that in advance.
> >>>>
> >>>> First of all, what's the point of passing http via relayd?
> >>>>
> >>>> Now, going back to your issue, why do you have
> >>>>   >forward to <httpd> port $httpd_port
> >>>> in relay "https" ?
> >>>>
> >>>> It looks like relayd may put those requests to httpd, which will
> >>>> redirect them to https.
> >>>>
> >>>> So, I'd start looking at httpd and puma logs, to check which daemon
> >>>> the requests are actually being sent to.
> >>>>
> >>>> And, if I'm wrong, and requests are going to puma (or whatever is
> >>>> listening on 3001), then most likely puma is trying to redirect users to
> >>>> https. Possibly because of this line:
> >>>>   >config.force_ssl = true
> >>>>
> >>>> Also, in this case you may try setting header x-forwarded-proto to
> >>>> https, but I don't know if puma will actually use it.
> >>>>
> >>>>
> >>>> Let us know if that worked.
> >>>>
> >>>> Kind regards,
> >>>> -- 
> >>>> Łukasz Moskała
> >>> Hello Łukasz,
> >>>
> >>>> First of all, what's the point of passing http via relayd?
> >>> I used to think that all http and https traffic has to be passed via 
> >>> relayd if relayd is started.
> >>> I have never used relayd before.
> >>>
> >>>> Now, going back to your issue,why do you have
> >>>>   >forward to <httpd> port $httpd_port
> >>>> in relay "https" ?
> >>> I think it was pasted there by mistake. I removed this line.
> >>>
> >>>> So, I'd start looking at httpd and puma logs, to check which daemon
> >>>> the requests are actually being sent to.
> >>> Unfortunately, there is nothing in httpd and puma logs.
> >>> The only logs I have are from relayd (-dvv):
> >>> relay https, tls session 1 established (1 active)
> >>> relay_tls_transaction: session 2: scheduling on EV_READ
> >>> relay https, tls session 2 established (1 active)
> >>> relay_tls_transaction: session 3: scheduling on EV_READ
> >>> relay https, tls session 3 established (1 active)
> >>> [...]
> >>>
> >>>> And, if i'm wrong, and requests are going to puma (or whatever is
> >>>> listening on 3001), then most likely puma is trying to redirect users to
> >>>> https. Possibly because of this line:
> >>>>   >config.force_ssl = true
> >>> I suppose it should work this way but I don't know what actually is going 
> >>> on there between puma and relayd.
> >>>
> >>>> Also, in this case you may try setting header x-forwarded-proto to
> >>>> https, but I don't know if puma will actually use it.
> >>> If the below syntax is correct this option doesn't make any change.
> >>> match request header set "X-Forwaded-Proto" value "$SERVER_PORT"
> >>>
> >>>
> >>
> >> Now, if I think about it again, you can run tcpdump on lo0, and hopefully 
> >> see what is going on.
> >>
> >> Also, I feel like in your case, relayd is unnecessary here, as you can run 
> >> httpd on port 80, for redirecting to https and acme, and then run puma on 
> >> port 3000, and use pf to NAT traffic coming on vmx0 to EXT_IP port 443 to 
> >> 127.0.0.1 port 3000.
> >>
> >> It would look more or less like this (typing on phone from memory, may not 
> >> be exactly correct):
> >> pass in quick on vmx0 inet proto tcp from any to $EXT_IP rdr-to 127.0.0.1:3000
> >>
> >> This way http requests will still be served by httpd, and https requests 
> >> will go straight to puma.
> >>
> >> I don't think you need to enable ip forwarding for that, but you can try 
> >> it if it doesn't work.
> >>
> >> Also, you can try going to https://EXT_IP:3000 and http://EXT_IP:3001, to 
> >> see what will happen. curl -v will probably show more than browsers.
> >>
> >> --
> >> Łukasz Moskała
> > 
> > I care about configuring it with relayd. It's a good opportunity to learn 
> > this field.
> > If I can't handle it I will try redirecting 443 to puma/localhost with 
> > httpd and PF.
> > 
> > Going back to case with enabled relayd..
> > curl -v https://redmine.MY.DOMAIN.COM shows:
> > * Expire in 0 ms for 6 (transfer 0x5654a296bfb0)
> > * Expire in 1 ms for 1 (transfer 0x5654a296bfb0)
> > [...]
> > * Expire in 15 ms for 1 (transfer 0x5654a296bfb0)
> > * Expire in 50 ms for 1 (transfer 0x5654a296bfb0)
> > *   Trying A.B.C.D...
> > * TCP_NODELAY set
> > * Expire in 200 ms for 4 (transfer 0x5654a296bfb0)
> > * Connected to redmine.MY.DOMAIN.COM (A.B.C.D) port 443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * successfully set certificate verify locations:
> > *   CAfile: none
> >    CApath: /etc/ssl/certs
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> > * TLSv1.3 (IN), TLS handshake, Certificate (11):
> > * TLSv1.3 (OUT), TLS alert, unknown CA (560):
> > * SSL certificate problem: unable to get local issuer certificate
> > * Closing connection 0
> > curl: (60) SSL certificate problem: unable to get local issuer certificate
> > More details here: https://curl.haxx.se/docs/sslcerts.html
> > 
> > tcpdump -i lo0 shows nothing
> > 
> > 
> > relayd -dvv shows:
> > relay_tls_transaction: session 5: scheduling on EV_READ
> > relay_close: sessions inflight decremented, now 0
> > 
> > 
> 
> Curl did connect to relayd, and didn't send any request, because it 
> didn't accept the certificate presented by relayd, so relayd didn't try to 
> pass this any further.
> 
> It looks like relayd didn't send all intermediate certificates, thus 
> curl was not able to find complete trust chain, resulting in this error.
> You can deal with it later, for now you can add option -k or --insecure 
> to curl, to ignore certificate verification.
> 
> Then you could look again in tcpdump, logs, and curl output.
> 
> Again, I think you are really making your life difficult trying to use 
> relayd. Relayd is supposed to be used as a load-balancer running on a 
> router, to split traffic between multiple servers, optionally 
> terminating TLS connection, but in your case there's only one server, so 
> no need to load-balance, and puma can listen on TLS on its own, so no 
> need to terminate TLS connection.
> Also it will add a little bit of overhead, since relayd in layer7 
> has to accept the connection, and then relayd opens another connection 
> to puma.
> 
> -- 
> Łukasz Moskała

Ok, I need to run Redmine ASAP so I'm giving up on the relayd configuration.
Puma seems to work fine with port redirecting [1], but there is also one issue 
with ssl key permissions.
I run the redmine app as a normal user so puma can't read the 
/etc/ssl/private/redmine.MY.DOMAIN.COM.key (default perm 400).

The website doesn't load on Firefox (PR_END_OF_FILE_ERROR)
and Puma shows error:
2021-12-06 04:40:55 +0100 SSL error, peer: A.B.C.D, peer cert: : #<Puma::MiniSSL::SSLError: OpenSSL error: error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate - 168>

$ curl -k https://redmine.MY.DOMAIN.COM
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to redmine.MY.DOMAIN.COM:443

If I change the perm of /etc/ssl/private/redmine.MY.DOMAIN.COM.key to 555 the website 
loads on FF correctly (no errors on puma) but I still get an error on curl:
$ curl https://redmine.MY.DOMAIN.COM
curl: (35) error:1404B418:SSL routines:ST_CONNECT:tlsv1 alert unknown ca

puma also shows an error on the curl request:
2021-12-06 05:04:06 +0100 SSL error, peer: A.B.C.D, peer cert: : #<Puma::MiniSSL::SSLError: OpenSSL error: error:1403F418:SSL routines:ACCEPT_SR_FINISHED:tlsv1 alert unknown ca - 1048>

curl -k loads the page and puma doesn't show any errors.

If I have the ssl key permission set to 555 I also get an error from acme-client:
$ acme-client -v redmine.MY.DOMAIN.COM
acme-client: /etc/ssl/private/redmine.MY.DOMAIN.COM.key: group read/writable or world read/writable

Did I miss any obvious thing?
I'm not sure if running the app as root to solve the ssl key permission problem 
is a good idea...

1.
pass in quick inet proto tcp from any to egress port 80
pass in quick on egress inet proto tcp from any rdr-to 127.0.0.1 port 3000

-- 
Radek
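An added Python check, not code from anyone in this thread, covering the two diagnoses made above: it parses the "Certificate chain" block of openssl s_client output (a constructed sample modelled on the one quoted earlier) to flag a chain whose last issuer the client does not hold locally, the "unable to get local issuer certificate" case, and it applies the owner-only rule acme-client enforces to a private key's file mode. The TRUSTED set standing in for the client's trust store and the temporary-file helper are assumptions made for the demo.

```python
import os
import re
import stat
import tempfile
# Constructed sample modelled on the s_client output quoted in the thread:
# the leaf only, issued by Let's Encrypt R3, with no intermediate sent.
INCOMPLETE = """\
Certificate chain
 0 s:/CN=redmine.MY.DOMAIN.COM
   i:/C=US/O=Let's Encrypt/CN=R3
---
"""
# Constructed sample of a complete chain: the leaf plus the R3 intermediate.
COMPLETE = INCOMPLETE.replace("---\n", " 1 s:/C=US/O=Let's Encrypt/CN=R3\n"
    "   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1\n---\n")
# Assumed stand-in for the client's local trust store (trusted subjects).
TRUSTED = {"/C=US/O=Internet Security Research Group/CN=ISRG Root X1"}
PAIR_RE = re.compile(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", re.M)

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in PAIR_RE.findall(output)]

def chain_problems(output, trusted=TRUSTED):
    """Explain why a client could not build a trust path from this chain."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain in output"]
    # Each certificate must be issued by the next one the server sent.
    problems = [f"cert {n} issuer {chain[n][1]!r} != cert {n+1} subject"
                for n in range(len(chain) - 1) if chain[n][1] != chain[n+1][0]]
    last_issuer = chain[-1][1]
    if last_issuer not in trusted:
        problems.append(f"server did not send {last_issuer!r} and the "
                        "client does not trust it locally")
    return problems

def key_mode_problems(path):
    """The check acme-client applies: a private key must be owner-only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{who}-accessible (mode {mode:o})"
            for who, bits in (("group", 0o070), ("world", 0o007)) if mode & bits]

def key_mode_problems_for(mode):
    """Demo helper (assumption): check a throwaway file created with `mode`."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return key_mode_problems(path)
    finally:
        os.unlink(path)
```

Mode 555 from the thread trips both the group and world checks, while 400 passes; the leaf-only chain is reported as needing an issuer the client lacks.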
