Sender | Message | Time |
---|---|---|
5 Mar 2021 | ||
rundg | I'm getting a 404 when trying to use Visual Editor on 1.35 behind an Nginx reverse proxy | 22:12:51 |
rundg | specifically, the debug log says this: [http] GET: http://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Welcome_to_PegaWiki/14066?redirect=false&stash=true [VisualEditor] ApiParsoidTrait::requestRestbase: Received HTTP 404 from RESTBase | 22:13:27 |
rundg | (note the http instead of https) but... that URL is perfectly returned if I request it in the browser (Nginx forwards it to https) | 22:14:26 |
rundg | Immediately after, in the debug log, there is another error about SqlBagOStuff: [MessageCache] MessageCache using store SqlBagOStuff | 22:16:24 |
rundg | FYI, I'm not using RESTBase, so I don't know why that's the error message. Maybe it's just a red herring | 22:17:42 |
rundg | the v1 and v3 REST URLs both work | 22:20:22 |
rundg | https://sandbox1-pcw-wiki.pega.com/rest.php/v1/page/Main_Page | 22:20:27 |
rundg | https://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Main%20Page/2916 | 22:20:46 |
rundg | (just pasting for inspection of URLs, but the wiki is behind a firewall) | 22:21:08 |
rundg | noticed that $wgCanonicalServer was set to use http; changing that to https changes the error to: Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK | 22:30:50 |
rundg | so, I think maybe I'm getting somewhere | 22:31:14 |
rundg | Since it's using curl internally, I guess I need to focus on the proper setup of MediaWiki over SSL behind a reverse proxy | 22:31:56 |
6 Mar 2021 | ||
SeriousFun01 left the room. | 19:18:48 | |
7 Mar 2021 | ||
rundg | I use a GoDaddy certificate, so I'm trying to configure curl on both the host and the container. | 14:58:38 |
rundg | https://curl.se/docs/sslcerts.html | 15:05:17 |
8 Mar 2021 | ||
hexmode | freephile: Interesting. I'm surprised you, being "freephile" and all, don't use EFF's LetsEncrypt | 16:39:41 |
rundg | It's for $work | 17:21:26 |
rundg | I almost involuntarily gave up my breakfast when I had to utter GoDadd... 🤮 | 17:52:22 |
hexmode | Even $CLIENTs like free security :) | 20:14:59 |
9 Mar 2021 | ||
rundg | I finally solved this. While Apache will run fine if you just provide a certificate key and the service certificate, the OpenIDConnect client (and apparently VisualEditor too) run their curl requests as an unprivileged user (www-data). So, you must configure Apache with an intermediate certificate chain file too.
And, those files must be readable by www-data, so although the directory given in my example above says 'private' I had to chmod a+x the directory (which was previously mode 0600). I guess this took me so long to realize because my Apache error logging was so verbose as to render it useless, and I was focussed on the messages coming from Visual Editor instead of the MediaWiki logs. (Had to turn off the job queue because that was filling debug.log faster than you can read.) | 02:12:40 |
rundg | @c | 02:19:49 |
rundg | cicalese: For the curious, there is a pretty good error message from Pluggable Auth | 02:20:26 |
rundg | The tip-off was the CAfile and CApath. I made sure those were readable | 02:20:51 |
rundg | I also changed the configuration of NGINX on the host (which serves as a reverse proxy to point 3 domains at the right docker clusters). For nginx, I concatenated the service certificate and intermediate bundle into a single certificate. | 05:14:24 |
rundg | I'm not sure if the change to nginx was actually a change because I found that I had miscopied a file, and I wasn't running etckeeper which would have told me about any changes in /etc/ | 05:15:34 |
rundg | Anyway, I will document my setup carefully to assist with any documentation for VE on a private wiki | 05:16:18 |
10 Mar 2021 | ||
tgr | News: | 11:03:41 |
bits2won joined the room. | 19:35:41 | |
15 Mar 2021 | ||
rundg | There's also a change to drop MySQL 5.5 support in order to better support lag detection in a DB cluster. https://phabricator.wikimedia.org/T248481 | 12:56:03 |
rundg | (Timo posted on Wikitech-l) | 12:56:44 |