!mduWVRtKzYinVAelXP:matrix.org

MWStake General

MediaWiki Stakeholders' Group general discussion https://commonmark.org/help/

Sender: Message [Time]
5 Mar 2021
@freephile:matrix.org rundg: I'm getting a 404 when trying to use Visual Editor on 1.35 behind an Nginx reverse proxy [22:12:51]
@freephile:matrix.org rundg: specifically, the debug log says this: [http] GET: http://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Welcome_to_PegaWiki/14066?redirect=false&stash=true [VisualEditor] ApiParsoidTrait::requestRestbase: Received HTTP 404 from RESTBase [22:13:27]
@freephile:matrix.org rundg: (note the http instead of https) but... that URL is perfectly returned if I request it in the browser (Nginx forwards it to https) [22:14:26]
@freephile:matrix.org rundg:

Immediately after, in the debug log, there is another error about SqlBagOStuff

[MessageCache] MessageCache using store SqlBagOStuff
[DBQuery] SqlBagOStuff::fetchBlobMulti [0s] db: SELECT keyname,value,exptime FROM objectcache WHERE keyname = 'pega:messages:en'
[DBQuery] SqlBagOStuff::fetchBlobMulti [0s] db: SELECT keyname,value,exptime FROM objectcache WHERE keyname = 'pega:messages:en:status'
[DBQuery] SqlBagOStuff::lock [0s] db: SELECT GET_LOCK('pega:messages:en', 0) AS lockstatus
[SQLBagOStuff] SqlBagOStuff::lock failed due to timeout for pega:messages:en.

[22:16:24]
@freephile:matrix.org rundg: FYI, I'm not using RESTBase, so I don't know why that's the error message. Maybe it's just a red herring [22:17:42]
@freephile:matrix.org rundg: the v1 and v3 REST URLs both work [22:20:22]
@freephile:matrix.org rundg: https://sandbox1-pcw-wiki.pega.com/rest.php/v1/page/Main_Page [22:20:27]
@freephile:matrix.org rundg: https://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Main%20Page/2916 [22:20:46]
@freephile:matrix.org rundg: (just pasting for inspection of URLs, but the wiki is behind a firewall) [22:21:08]
@freephile:matrix.org rundg: noticed that $wgCanonicalServer was set to use http; changing that to https changes the error to: Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK [22:30:50]
@freephile:matrix.org rundg: so, I think maybe I'm getting somewhere [22:31:14]
@freephile:matrix.org rundg: Since it's using curl internally, I guess I need to focus on the proper setup of MediaWiki over SSL behind a reverse proxy [22:31:56]
6 Mar 2021
@serious_fun:matrix.org SeriousFun01 left the room. [19:18:48]
7 Mar 2021
@freephile:matrix.org rundg: I use a GoDaddy certificate, so I'm trying to configure curl on both the host and the container. [14:58:38]
@freephile:matrix.org rundg: https://curl.se/docs/sslcerts.html [15:05:17]
8 Mar 2021
@hexmode:matrix.org hexmode: freephile: Interesting. I'm surprised you, being "freephile" and all, don't use EFF's LetsEncrypt [16:39:41]
@freephile:matrix.org rundg: It's for $work [17:21:26]
@freephile:matrix.org rundg: I almost involuntarily gave up my breakfast when I had to utter GoDadd... 🤮 [17:52:22]
@hexmode:matrix.org hexmode: Even $CLIENTs like free security :) [20:14:59]
9 Mar 2021
@freephile:matrix.org rundg:

I finally solved this. While Apache will run fine if you just provide a certificate key and the service certificate, the OpenIDConnect client (and apparently VisualEditor too) run their curl requests as an unprivileged user (www-data). So, you must configure Apache with an intermediate certificate chain file too.

		SSLCertificateFile	/etc/ssl/private/gd-ucc-wiki.pega.com.crt
		SSLCertificateChainFile /etc/ssl/private/gd-ucc-bundle-wiki.pega.com.crt
		SSLCertificateKeyFile /etc/ssl/private/gd-ucc-wiki.pega.com.key

And, those files must be readable by www-data, so although the directory given in my example above says 'private' I had to chmod a+x the directory (which was previously mode 0600)

I guess this took me so long to realize because my Apache error logging was so verbose so as to render it useless, and I was focussed on the messages coming from Visual Editor instead of the MediaWiki logs. (Had to turn off the job queue because that was filling debug.log faster than you can read.)

[02:12:40]
@freephile:matrix.org rundg: @c [02:19:49]
@freephile:matrix.org rundg:

cicalese: For the curious, there is a pretty good error message from Pluggable Auth

[PluggableAuth] Class name: OpenIDConnect
Jumbojett\OpenIDConnectClientException: Curl error: error setting certificate verify locations:
  CAfile: /etc/ssl/private/gd-ucc-wiki.pega.com.crt
  CApath: /etc/ssl/certs in /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1052
[02:20:26]
@freephile:matrix.org rundg: The tip-off was the CAfile and CApath. I made sure those were readable [02:20:51]
@freephile:matrix.org rundg: I also changed the configuration of NGINX on the host (which serves as a reverse proxy to point 3 domains at the right docker clusters). For nginx, I concatenated the service certificate and intermediate bundle into a single certificate. [05:14:24]
@freephile:matrix.org rundg: I'm not sure if the change to nginx was actually a change because I found that I had miscopied a file, and I wasn't running etckeeper which would have told me about any changes in /etc/ [05:15:34]
@freephile:matrix.org rundg: Anyway, I will document my setup carefully to assist with any documentation for VE on a private wiki [05:16:18]
10 Mar 2021
@tgr:matrix.org tgr:

News:

  • The annual survey about the usability of Wikimedia developer tools (Phabricator, Gerrit, etc) is out: https://lists.wikimedia.org/pipermail/wikitech-l/2021-March/094317.html Due in two weeks.
  • MediaWiki core and Wikimedia-maintained extensions dropping IE 11 support: https://lists.wikimedia.org/pipermail/wikitech-l/2021-March/094319.html
  • Planning to drop support for old browsers not compatible with TLS 1.2: https://lists.wikimedia.org/pipermail/wikitech-l/2021-March/094318.html Feedback period is about a week.
[11:03:41]
@bits2won:matrix.org bits2won joined the room. [19:35:41]
15 Mar 2021
@freephile:matrix.org rundg: There's also a change to drop MySQL 5.5 support in order to better support lag detection in a DB cluster. https://phabricator.wikimedia.org/T248481 [12:56:03]
@freephile:matrix.org rundg: (Timo posted on Wikitech-l) [12:56:44]
