Hi everybody,
I have BigBlueButton setup using the Greenlight docker image. My setup is in private network. I have a ssl cert for my bbb domain.
I have a problem about GreenLight connecting to bbb. There are similar issues in other issues. I tried solution advice but i haven't solved yet.
- I checked the endpoint and secret.
I checked my ~/greenlight/.env and i sure it matches the output of bbb-conf --secret
-My BigBlueButton server url (https://server/bigbluebutton/api/) in the browser and i checked to see that it returns SUCCESS
- bbb-conf --status
All active
- bbb-conf --check
No problems
- i checked ~/greenlight/log/production.log logs are bellow.
ERROR: [515f7e14-fbf5-4b23-8a6d-b03fa8ed11a8] BigBlueButtonException: Connection error.
Your URL is probably incorrect: "https://mydomain.com/bigbluebutton/api".
Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)
INFO: [515f7e14-fbf5-4b23-8a6d-b03fa8ed11a8] method=GET path=/b/adm-er2-tcm format=html controller=RoomsController action=show status=200 duration=62.50 view=29.81 db=4.34 host=greenlight
-I checked bbb url in docker bash but i cannot connect and i receive this message
# curl https://mydomain.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
```
Connecting to myfomain (10.6.7.179:443)
ssl_client: mydomain.com: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer
**docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check**
````
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)
Hi! you need to add your CA certificate inside docker via changing Dockerfile like this:
COPY --from=base $RAILS_ROOT $RAILS_ROOTCOPY ./CA.pem /usr/local/share/ca-certificates/CA.crt
RUN update-ca-certificates
Thank you @pronichev
Your solution is worked. This problem was solved.
thanks @pronichev , sorry i am less experiment in docker environment . Can you describe a little bit more your solution to achieve it on myself ?
thanks @pronichev , sorry i am less experiment in docker environment . Can you describe a little bit more your solution to achieve it on myself ?
What is your problem? show logs or other stuff please.
in fact it exactly the issue you solved but i don't how to edit "Change DockerFile" and where exactly put the certificate and how re build the package. Sorry it's seems very basics for you but without your help it will be difficult for me.
Hi! you need to add your CA certificate inside docker via changing Dockerfile like this:
- Place your CA certificate in the dir where you are checkout sources
- Change Dockerfile
Add lines like this afterCOPY --from=base $RAILS_ROOT $RAILS_ROOTCOPY ./CA.pem /usr/local/share/ca-certificates/CA.crt RUN update-ca-certificates
- Build and run Greenlight docker
Hi @pronichev
I have try your solution. When I try curl from inside docker, i have success message,
bash-4.4# curl https://webconf.my-domain.com/bigbluebutton/api
<response>
<returncode>SUCCESS</returncode>
<version>2.0</version>
</response>
But when sign in to greenligth in browser, i still got error "Invalid BigBlueButton Endpoint and Secret". Then i check on the production.log (# tail -f ~/greenlight/log/production.log), i got message:
INFO: [e52a69e4-2398-4b9b-b2ab-8af069b884a7] method=POST path=/b/u/login format=html controller=SessionsController action=create status=302 duration=200.61 view=0.00 db=1.95 location=https://webconf.my-domain.com/b/mus-gg2-6pd host=greenlight
ERROR: [12752833-2178-4251-85a3-679fe9225ffb] BigBlueButtonException: Connection error. Your URL is probably incorrect: "https://webconf.my-domain.com/bigbluebutton/api". Error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)
Can you help about this problem?
docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check
- Do the checks
docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check
I build with new tag greenlightxx, and i run this.
sudo docker run --rm --env-file .env greenlightxx bundle exec rake conf:check
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)
How i solve this error? Even though when i try curl inside docker, i got success message.
- Compare your CA cert in the docker. Maybe you're running old docker image without cert?
i have compare in BBB server and inside docker greenlight, i have same CA cert.
FYI : if i use BBB with demo just running normal.
i have exactly the same thing , the goal is to install the CA certificate in the docker environment. I have import the certificate but update-ca-certificates isn't working.
I still have an error with wget https://bbb.mydomain.com
ssl_client: bbb.mydomain.com: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer
i have try to import the rootCA chain in the docker but can't achieve it.
The certificate is well import but running update-ca-certificates provide me some warning :
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
And it didn't import anything in fact.
I hope i have provide more details :)
how did you update the certificate inside docker environment ? in detail because i didn't understand.
Please :)
custom-project-greenlight, and enter the directory.Dockerfile in the directory and insert this:FROM bigbluebutton/greenlight:v2
COPY files/*crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
files and copy your certificate files suffixed with *.crt in directory files.docker build -t mygreenlight .docker-compose.yml.this method i got from https://github.com/bigbluebutton/bigbluebutton/issues/6139 that is relevant to @pronichev method above
@mmustak Can you look at issuer of our bbb server cert? Is it the same CA? May be you use intermediate CA cert? Intermediate CA must be in docker.
in bbb i have specify the certificate in the configuration files and it work perfectly , presenting bbb webpage with the appropriate certificate.
I can resolve localy wget https://mydomain without any issue.
I am trying mmustak solution . Blocking yet with building my new project.
ok ; done it but when i build i still have :
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
last news :)
i still have an error but it seems better now.
/greenlight2# docker run --rm --env-file .env mygreenlight bundle exec rake conf:check
Checking environment: Passed
Checking Connection: Passed
Checking Secret: Passed
with my new env with my certificate inside with @mmustak solution
My environment is up. but when it try to reach my bbb i have presented in the web page :
Invalid bigbluebutton target and secret.
I am available in live in any way to discuss with you in chat or whatever.
IT WORK !!!! Last issue was behind screen and chair...
I haven't modify my docker-compose.yml to run my env...
So now it is much better and working. I test it and i will put a last comment after to congrats both of you :)
@mmustak Can you look at issuer of our bbb server cert? Is it the same CA? May be you use intermediate CA cert? Intermediate CA must be in docker.
when i check with openssl
openssl s_client -connect webconf.my-domain.com:443
output
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.my-domain.comverify return:1
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.my-domain.comi:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
when i check in mozilla, i export the COMODO RSA Domain Validation Secure Server CA. This intermediate certificate is the same as my ca-bundle which I have imported into the docker. Any suggestion @pronichev ?
@mmustak The last attempt is to place your *.my-domain.com cert inside docker ca-certs store.
Do the checks after.
ca-certs store
where is ca-certs store inside docker? /etc/ssl/certs/?
Can you explain more detils method?
if i check at '/etc/ssl/certs/ca-certificate.crt' inside docker, my cert is already in there.
Method the same. Save your cert in pem format. Add to docker file:
COPY ./your_cert.pem /usr/local/share/ca-certificates/your_cert.crt
RUN update-ca-certificates
Build docker.
Method the same. Save your cert in pem format. Add to docker file:
COPY ./your_cert.pem /usr/local/share/ca-certificates/your_cert.crt
RUN update-ca-certificates
Build docker.
done.
the result is same as before.
when i run docker run --rm --env-file .env addcert-greenlight bundle exec rake conf:check
output:
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)
when i run docker run --rm --env-file .env addcert-greenlight curl https://webconf.my-domain.com/bigbluebutton/api
output:
<response>
<returncode>SUCCESS</returncode>
<version>2.0</version>
</response>
any suggestion?
I surrender!
I surrender!
thanks for your reply @pronichev
For those who have the same problem (cURL is able to validate the certificate but not the Greenlight app), I successfully make it work by make a symbolic link betwteen /etc/ssl/cert.pem (which seems to be the default location in Alpine Linux) and /etc/ssl/ca-certificates.crt.
Here is my Dockerfile
FROM bigbluebutton/greenlight:v2
COPY ./company-ca.crt /root/
RUN cp /root/company-ca.crt /usr/local/share/ca-certificates/ \
&& /usr/sbin/update-ca-certificates
RUN rm /etc/ssl/cert.pem && ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
And the docker-compose.yml file
services:
app:
build:
context: .
dockerfile: Dockerfile
entrypoint: [bin/start]
# image: bigbluebutton/greenlight:v2
container_name: greenlight-v2
env_file: .env
restart: unless-stopped
ports:
- 127.0.0.1:5000:80
However it would be a great thing if the usage of a company signed CA was properly documented and supported by Greenfish and BBB.
@pronichev Hello Mr pronichev , i hope you are doing well , i have the same problem with the checking but when i run
*docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check
* , it shows this , i don't where the problem i have been 2 days stuck at it
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - Failed to open TCP connection to gigobaum.spdns.org:443 (Connection refused - connect(2) for "gigobaum.spdns.org" port 443)
if you could help me , i would be grateful , Thanks in advance
cp /root/company-ca.crt /usr/local/share/ca-certificates/
&& /usr/sbin/update-ca-certificates
@adaigre please can you explain where is that file exactly cause i copy the command , and no such file or directory
cp /root/company-ca.crt /usr/local/share/ca-certificates/
&& /usr/sbin/update-ca-certificates@adaigre please can you explain where is that file exactly cause i copy the command , and no such file or directory
This is my company CA certificate. The COPY command is for copying that CA inside the container.
I suppose I could have copied that file directly to the /usr/local/share/ca-certificates/ folder.
Most helpful comment
IT WORK !!!! Last issue was behind screen and chair...
I haven't modify my docker-compose.yml to run my env...
So now it is much better and working. I test it and i will put a last comment after to congrats both of you :)