[LON-CAPA-admin] Unable to see resources from uiuc domain
raeburn at msu.edu
Thu Feb 2 09:48:06 EST 2017
Bob,

The problem here appears to be the SSL certificate installed on the
UIUC library server. If I run the command:

    openssl s_client -connect library1.lon-capa.uiuc.edu:443

The response includes:

    verify error:num=20:unable to get local issuer certificate
    verify error:num=27:certificate not trusted
    verify error:num=21:unable to verify the first certificate

Because of this certificate problem you will be unable to view
previously unreplicated resources in the uiuc domain on a LON-CAPA
server running a Linux distro/version which includes perl-libwww-perl
version 6.

That includes the binghamton LON-CAPA servers, but not the MSU
LON-CAPA servers.

On a server with perl-libwww-perl version 6, you could implement a
temporary workaround by modifying the repcopy() routine in
/home/httpd/lib/perl/Apache/lonnet.pm to include this line:

    $ua->ssl_opts( verify_hostname => 0 );

and then reload Apache.

>
> Is it somehow related to the ssl request on port 443? I am not running ssl
> in the binghamton domain. However, I can see resources on other domains
> (e.g. msu) that are running ssl.
>
Yes, it is related to the fact that the uiuc LON-CAPA library server
is using https.
Other LON-CAPA servers also use https (including educog.com and
s10.lite.msu.edu), and for those servers the openssl s_client command
above does not report any errors, so this issue looks to be specific
to the certificate on the uiuc LON-CAPA library server.
The fact that you do not use Apache/SSL for the binghamton LON-CAPA
domain servers is not relevant here. Although I would encourage you
in the longer term to consider using Apache/SSL in the binghamton
domain for security reasons.
letsencrypt.org has an automated process for obtaining SSL
certificates to use with the Apache web server, at no cost.
Stuart Raeburn
LON-CAPA Academic Consortium
> Hi All,
>
> I've got a situation where none of my servers can view the actual resources
> from the uiuc domain. They can all browse to any subdirectory and can look
> at the metadata for any resource. But they can't see the contents of a
> resource file. The window that shows the rendered resource does open but
> just has the one line "Unable to find SomeFileName.problem" for problems
> and "Sorry! Resource not available." for images in it.
>
> For each resource that can't be viewed there is a line in lonnet.log like
> this:
>
> LWP get: 500 Can't connect to library1.lon-capa.uiuc.edu:443:
> /home/httpd/html/res/uiuc/cyerkes/Chem_102_/problems/Homework_4_QDB_8051158
> /LandingFieldArrival.jpg
>
> I had the network IT guy for the university look at the edge firewall logs
> and he could see my requests going out but he didn't see any answers coming
> back from the uiuc server. He wasn't 100% sure that he logs everything
> coming in though so it's not definitive that they aren't coming back.
> Though the message above would lead one to think that uiuc is not replying
> or not getting my request.
>
> I can browse to and see resources in other domains. I also logged into my
> course using a msu access server and was successful viewing uiuc
> resources.
>
> Entries in lonc.log and lond.log show that connections are being made and
> the fact that I can browse the subdirectories says some things are OK.
>
> Is it somehow related to the ssl request on port 443? I am not running ssl
> in the binghamton domain. However, I can see resources on other domains
> (e.g. msu) that are running ssl.
>
> Using nmap against library1.lon-capa.uiuc.edu shows port 443 open.
>
> Thanks,
> Bob Gonzales
> Binghamton University
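
An added example, not part of the original message or of LON-CAPA: a small Python parser for the "verify error" lines that openssl s_client prints, which groups codes 20, 21 and 27 quoted above into a single issuer-not-found finding and separates them from expiry or self-signed failures. The sample output, its hostname and the category labels are constructed for illustration.

```python
import re

# Constructed sample (not captured from a real host): the three verify errors
# quoted in the message, framed the way s_client prints them.
SAMPLE = """\
depth=0 CN = library1.example.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = library1.example.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = library1.example.edu
verify error:num=21:unable to verify the first certificate
verify return:1
"""

# OpenSSL verify codes -> (category, what to check). Labels are this example's own.
CODES = {
    10: ("expired", "renew the server certificate"),
    18: ("self-signed-leaf", "replace with a CA-issued certificate"),
    19: ("untrusted-root", "root CA is not in the client's trust store"),
    **dict.fromkeys((20, 21, 27), ("issuer-not-found",
        "server may not send its intermediate CA, or the client lacks the issuing CA")),
}

def parse_verify_errors(output):
    """Return [(depth, num, text)] for each 'verify error' line, in order."""
    errors, depth = [], None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"depth=(\d+)\b", line)
        if m:
            depth = int(m.group(1))  # chain position the next error refers to
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m:
            errors.append((depth, int(m.group(1)), m.group(2).strip()))
    return errors

def diagnose(output):
    """Collapse the errors into {category: (set_of_depths, advice)}."""
    report = {}
    for depth, num, _ in parse_verify_errors(output):
        category, advice = CODES.get(num, ("other-%d" % num, "see openssl verify docs"))
        report.setdefault(category, (set(), advice))[0].add(depth)
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

An issuer-not-found result at depth 0 points at the chain the server presents or the CA bundle on the client, which is where a lasting fix belongs.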