I'm using BBB 2.2.11 and Greenlight 2.5.6 in a lan environment with our own CA to issue certificates. This works well with BBB although the official documentation doesn't cover this kind of deployment (e.g. you have to tell Tomcat to deliver your CA root cert).
So, at the moment I've BBB working fine but I can't get Greenlight to work with BBB because it's complaining about an uncertified cert. This is ok because our root cert isn't in its cert stores.
It seems possible to skip the verification of the cert for Ruby by setting http.verify_mode = OpenSSL::SSL::VERIFY_NONE but frankly I don't know how to do this. In my environment this would be ok from the security point of view. Maybe you can add a config option for this?
The other, much better way would be to add the possibility to have the root CA be added to the docker file permenantly by using docker volumes!?!?
root@server:~/greenlight# docker run --rm --env-file .env bigbluebutton/greenlight:v2 bundle exec rake conf:check
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (unable to get local issuer certificate)
It's the same like here https://groups.google.com/forum/#!searchin/bigbluebutton-setup/certificate$20verify$20failed|sort:date/bigbluebutton-setup/t4EIijzbKik/TN5Z4BrfAwAJ
But how do I do that in Docker?
Hi @Klepptor,
I did it this way. You might know german, so there you go. There is a workaround. it would be far nicer to have it "the right way".
https://wiki.linuxmuster.net/community/anwenderwiki:webapps:bigbluebutton
Thx a Lot @jolly-jump !!
Just a few hours ago I got it to work (had some other issues with BBB itself either, blank presentation, no breakout rooms), but now both BBB and GL work well in our LAN with our own CA certs.
Thanks to your link I will have a deeper look into GL and LDAP/Active Directory tomorrow!
@klepptor, Thank you for opening this issue concerning bbb and greenlight. I want to ask you to elaborate on exactly how you make greenlight accept your self-signed certificate, if you can in step-by-step level. Please, I'm on it for the last two weeks straight and I couldn't do it. I would appreciate your help on this. Thanks in advance.
Hi @yoni-it ,
you've to build the greenlight docker image yourself and add your certificate in the build process. This is what I did:
cd /home/myuser
git clone https://github.com/klepptor/greenlight
git fetch upstream
git checkout -b custom-changes upstream/v2
git status
mkdir /home/myuser/greenlight/mycerts
copy <allmycerts> /home/myuser/greenlight/mycerts
chmod 0600 /home/myuser/greenlight/mycerts/*
nano /home/adminuser/greenlight/DockerfileRUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./mycerts/servercert.crt /usr/local/share/ca-certificates/servercert.crt
COPY ./mycerts/intermediatecert.crt /usr/local/share/ca-certificates/intermediatecert.crt
COPY ./mycerts/ownRootCA.crt /usr/local/share/ca-certificates/ownRootCA.crt.crt
RUN update-ca-certificates
nano /home/adminuser/greenlight/scripts/image_build.shif [ -z $CD_DOCKER_REPO ]; then
export CD_DOCKER_REPO=$CD_REF_SLUG
fi
echo "#### Docker image $CD_DOCKER_REPO:$CD_REF_NAME is being built"
docker build --build-arg http_proxy=myproxy.lan.local:8080 --build-arg version_code="${CD_VERSION_CODE}" -t $CD_DOCKER_REPO:$CD_REF_NAME .
build the image
./scripts/image_build.sh gl-test release-v2
change docker-compose.yml
version: '3'
services:
app:
entrypoint: [bin/start]
image: gl-test:release-v2
container_name: greenlight-v2(...)
volumes:
- ./log:/usr/src/app/log
- ./mycerts:/usr/local/share/ca-certificates
@klepptor, Thank you for the detailed description that you've provided as per my request. But I have to confess that I'm a newbie in the docker world and Linux administration. I have to ask you again to elaborate, when you issue a command to copy
My second question is I have already installed greenlight after I setup docker and docker-compose, I pulled a wiget from github to install greenlight. My question is do I need to do it just as you mentioned above by cloning the "https://github.com/klepptor/greenlight" URL or resume from the greenlight install that I've already done. By the way, the greenlight page is throwing a Invalid BigBlueButton Endpoint and Secret error. I suspect its because of a cert issue
Thank again.
@yoni-it please read https://docs.bigbluebutton.org/greenlight/gl-customize.html. This way you can make changes to the Dockerfile and build it with your own certs. The normal installation from https://docs.bigbluebutton.org/greenlight/gl-install.html is not the right way for your problem!
@klepptor , @yoni-it , or with stupid "workaround" (for "default" greenlight install, from repository/by bbb-install.sh) - set up bbb back to http/ws, change to http in ~/greenlight/.env file, run check, restart all with bbb-conf --restart (and restart greenlight with docker-compose [with down/up -d]), then roll back again configs to https/wss, but not change ~/greenlight/.env (still with http), and restart all again with bbb-conf --restart - now all works =D
(The main "thing" - change ~/greenlight/.env to http and restart greenlight docker container, because nginx for bbb works both on 80 and 443 port with "default" config [from docs])
@farhatahmad , Is it possible somehow implement this "feuture" - some kind of config/import custom CA certs - for dev branch of Greenlight and BBB 2.3 branch? I upvoted for this "feuture" (feuture request =)
Most helpful comment
Hi @Klepptor,
I did it this way. You might know german, so there you go. There is a workaround. it would be far nicer to have it "the right way".
https://wiki.linuxmuster.net/community/anwenderwiki:webapps:bigbluebutton