Greenlight: BigBlueButton Endpoint and Secret

Created on 15 Apr 2020  路  26Comments  路  Source: bigbluebutton/greenlight

Hi everybody,

I have BigBlueButton setup using the Greenlight docker image. My setup is in private network. I have a ssl cert for my bbb domain.

I have a problem about GreenLight connecting to bbb. There are similar issues in other issues. I tried solution advice but i haven't solved yet.

- I checked the endpoint and secret.
I checked my ~/greenlight/.env and i sure it matches the output of bbb-conf --secret

-My BigBlueButton server url (https://server/bigbluebutton/api/) in the browser and i checked to see that it returns SUCCESS

- bbb-conf --status
All active

- bbb-conf --check
No problems

- i checked ~/greenlight/log/production.log logs are bellow.

ERROR: [515f7e14-fbf5-4b23-8a6d-b03fa8ed11a8] BigBlueButtonException: Connection error. 
Your URL is probably incorrect: "https://mydomain.com/bigbluebutton/api". 
Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate) 
INFO: [515f7e14-fbf5-4b23-8a6d-b03fa8ed11a8] method=GET path=/b/adm-er2-tcm format=html controller=RoomsController action=show status=200 duration=62.50 view=29.81 db=4.34 host=greenlight 

-I checked bbb url in docker bash but i cannot connect and i receive this message

# curl https://mydomain.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

```
Connecting to myfomain (10.6.7.179:443)
ssl_client: mydomain.com: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer

**docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check**
````
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)

Most helpful comment

IT WORK !!!! Last issue was behind screen and chair...
I haven't modify my docker-compose.yml to run my env...
So now it is much better and working. I test it and i will put a last comment after to congrats both of you :)

All 26 comments

Hi! you need to add your CA certificate inside docker via changing Dockerfile like this:

  1. Place your CA certificate in the dir where you are checkout sources
  2. Change Dockerfile
    Add lines like this after COPY --from=base $RAILS_ROOT $RAILS_ROOT
COPY ./CA.pem /usr/local/share/ca-certificates/CA.crt 
RUN update-ca-certificates 
  1. Build and run Greenlight docker

Thank you @pronichev

Your solution is worked. This problem was solved.

thanks @pronichev , sorry i am less experiment in docker environment . Can you describe a little bit more your solution to achieve it on myself ?

thanks @pronichev , sorry i am less experiment in docker environment . Can you describe a little bit more your solution to achieve it on myself ?

What is your problem? show logs or other stuff please.

in fact it exactly the issue you solved but i don't how to edit "Change DockerFile" and where exactly put the certificate and how re build the package. Sorry it's seems very basics for you but without your help it will be difficult for me.

Hi! you need to add your CA certificate inside docker via changing Dockerfile like this:

  1. Place your CA certificate in the dir where you are checkout sources
  2. Change Dockerfile
    Add lines like this after COPY --from=base $RAILS_ROOT $RAILS_ROOT
COPY ./CA.pem /usr/local/share/ca-certificates/CA.crt 
RUN update-ca-certificates 
  1. Build and run Greenlight docker

Hi @pronichev
I have try your solution. When I try curl from inside docker, i have success message,

bash-4.4# curl https://webconf.my-domain.com/bigbluebutton/api
<response>
<returncode>SUCCESS</returncode>
<version>2.0</version>
</response>

But when sign in to greenligth in browser, i still got error "Invalid BigBlueButton Endpoint and Secret". Then i check on the production.log (# tail -f ~/greenlight/log/production.log), i got message:

INFO: [e52a69e4-2398-4b9b-b2ab-8af069b884a7] method=POST path=/b/u/login format=html controller=SessionsController action=create status=302 duration=200.61 view=0.00 db=1.95 location=https://webconf.my-domain.com/b/mus-gg2-6pd host=greenlight
ERROR: [12752833-2178-4251-85a3-679fe9225ffb] BigBlueButtonException: Connection error. Your URL is probably incorrect: "https://webconf.my-domain.com/bigbluebutton/api". Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)

Can you help about this problem?

  1. Do the checks
    docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check
  2. Compare your CA cert in the docker. Maybe you're running old docker image without cert?
  1. Do the checks
    docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check

I build with new tag greenlightxx, and i run this.

sudo docker run --rm --env-file .env greenlightxx bundle exec rake conf:check

Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)

How i solve this error? Even though when i try curl inside docker, i got success message.

  1. Compare your CA cert in the docker. Maybe you're running old docker image without cert?

i have compare in BBB server and inside docker greenlight, i have same CA cert.

FYI : if i use BBB with demo just running normal.

i have exactly the same thing , the goal is to install the CA certificate in the docker environment. I have import the certificate but update-ca-certificates isn't working.
I still have an error with wget https://bbb.mydomain.com
ssl_client: bbb.mydomain.com: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer

i have try to import the rootCA chain in the docker but can't achieve it.
The certificate is well import but running update-ca-certificates provide me some warning :
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
And it didn't import anything in fact.
I hope i have provide more details :)

how did you update the certificate inside docker environment ? in detail because i didn't understand.
Please :)

  1. create new directory. example custom-project-greenlight, and enter the directory.
  2. create file with name Dockerfile in the directory and insert this:

FROM bigbluebutton/greenlight:v2

COPY files/*crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

  1. create directory named files and copy your certificate files suffixed with *.crt in directory files.
  2. build it with docker build -t mygreenlight .
  3. Now you can use this new docker image in your docker-compose.yml.

this method i got from https://github.com/bigbluebutton/bigbluebutton/issues/6139 that is relevant to @pronichev method above

@mmustak Can you look at issuer of our bbb server cert? Is it the same CA? May be you use intermediate CA cert? Intermediate CA must be in docker.

in bbb i have specify the certificate in the configuration files and it work perfectly , presenting bbb webpage with the appropriate certificate.
I can resolve localy wget https://mydomain without any issue.
I am trying mmustak solution . Blocking yet with building my new project.

ok ; done it but when i build i still have :
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

last news :)
i still have an error but it seems better now.
/greenlight2# docker run --rm --env-file .env mygreenlight bundle exec rake conf:check

Checking environment: Passed
Checking Connection: Passed
Checking Secret: Passed

with my new env with my certificate inside with @mmustak solution
My environment is up. but when it try to reach my bbb i have presented in the web page :
Invalid bigbluebutton target and secret.
I am available in live in any way to discuss with you in chat or whatever.

IT WORK !!!! Last issue was behind screen and chair...
I haven't modify my docker-compose.yml to run my env...
So now it is much better and working. I test it and i will put a last comment after to congrats both of you :)

@mmustak Can you look at issuer of our bbb server cert? Is it the same CA? May be you use intermediate CA cert? Intermediate CA must be in docker.

when i check with openssl

openssl s_client -connect webconf.my-domain.com:443

output

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.my-domain.com

verify return:1

Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.my-domain.com

i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

when i check in mozilla, i export the COMODO RSA Domain Validation Secure Server CA. This intermediate certificate is the same as my ca-bundle which I have imported into the docker. Any suggestion @pronichev ?

@mmustak The last attempt is to place your *.my-domain.com cert inside docker ca-certs store.
Do the checks after.

ca-certs store

where is ca-certs store inside docker? /etc/ssl/certs/?
Can you explain more detils method?

if i check at '/etc/ssl/certs/ca-certificate.crt' inside docker, my cert is already in there.

Method the same. Save your cert in pem format. Add to docker file:
COPY ./your_cert.pem /usr/local/share/ca-certificates/your_cert.crt
RUN update-ca-certificates
Build docker.

Method the same. Save your cert in pem format. Add to docker file:
COPY ./your_cert.pem /usr/local/share/ca-certificates/your_cert.crt
RUN update-ca-certificates
Build docker.

done.
the result is same as before.

when i run docker run --rm --env-file .env addcert-greenlight bundle exec rake conf:check
output:
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)

when i run docker run --rm --env-file .env addcert-greenlight curl https://webconf.my-domain.com/bigbluebutton/api
output:
<response>
<returncode>SUCCESS</returncode>
<version>2.0</version>
</response>

any suggestion?

I surrender!

I surrender!

thanks for your reply @pronichev

For those who have the same problem (cURL is able to validate the certificate but not the Greenlight app), I successfully make it work by make a symbolic link betwteen /etc/ssl/cert.pem (which seems to be the default location in Alpine Linux) and /etc/ssl/ca-certificates.crt.

Here is my Dockerfile

FROM bigbluebutton/greenlight:v2
COPY ./company-ca.crt /root/
RUN cp /root/company-ca.crt /usr/local/share/ca-certificates/ \
        && /usr/sbin/update-ca-certificates
RUN rm /etc/ssl/cert.pem && ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem

And the docker-compose.yml file

services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    entrypoint: [bin/start]
    # image: bigbluebutton/greenlight:v2
    container_name: greenlight-v2
    env_file: .env
    restart: unless-stopped
    ports:
      - 127.0.0.1:5000:80

However it would be a great thing if the usage of a company signed CA was properly documented and supported by Greenfish and BBB.

@pronichev Hello Mr pronichev , i hope you are doing well , i have the same problem with the checking but when i run

*docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check
*
, it shows this , i don't where the problem i have been 2 days stuck at it

Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - Failed to open TCP connection to gigobaum.spdns.org:443 (Connection refused - connect(2) for "gigobaum.spdns.org" port 443)

if you could help me , i would be grateful , Thanks in advance

cp /root/company-ca.crt /usr/local/share/ca-certificates/
&& /usr/sbin/update-ca-certificates

@adaigre please can you explain where is that file exactly cause i copy the command , and no such file or directory

cp /root/company-ca.crt /usr/local/share/ca-certificates/
&& /usr/sbin/update-ca-certificates

@adaigre please can you explain where is that file exactly cause i copy the command , and no such file or directory

This is my company CA certificate. The COPY command is for copying that CA inside the container.
I suppose I could have copied that file directly to the /usr/local/share/ca-certificates/ folder.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

notaus557 picture notaus557  路  4Comments

bixmatech picture bixmatech  路  3Comments

trs80 picture trs80  路  3Comments

iangilmour picture iangilmour  路  5Comments

ffdixon picture ffdixon  路  4Comments