If your Apache SSL configuration is correct, you can force the NodeJS and 
the starting of the service later to access crdb.dut.ac.za directly using 
the server local IP instead of going through the Public-IP/F5. You can do it 
by adding an entry into /etc/hosts for the server private IP address. The 
other way of overcoming this issue is by skipping the /etc/hosts file entry 
and doing the steps you see below:

A) echo "export NODE_EXTRA_CA_CERTS=/etc/certs/crdb.dut.ac.za/cert.pem" >> /etc/environment
B) source /etc/environment
C) yarn test:rest

Good luck

On Friday, July 8, 2022 at 12:24:41 PM UTC+3 sean....@gmail.com wrote:

> Ah, but wait, I remembered the chain of events that led to me installing 
> the cert, whose chain is broken:
>
> The F5 firewall seems to provide certification through its wildcard 
> certificate. So if you visit our current DSpace-CRIS 5 repository at 
> https://openscholar.dut.ac.za/  and check the connection security for 
> that site, you will see that it is verified by Sectigo Ltd. However, on 
> that server, I'm using a self-signed certificate. (It used to be 
> LetsEncrypt before the F5.)
>
> /etc/apache2/sites-enabled/default-ssl.conf
>                 SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
>                 SSLCertificateKeyFile   /etc/ssl/private/apache-selfsigned.key
>
> That didn't work for DSpace 7 (I forget the exact error, but I suspect it 
> was the verification error). So I requested the certificate from the IT 
> admin, and installed that.
>
> But it seems as though that doesn't even get seen by openssl s_client ...
>
> For comparison, if I run 
> openssl s_client -connect openscholar.dut.ac.za:443
>
> I get a similar error: Verification error: unable to verify the first 
> certificate.
>
> I'm really out of my depth here and not sure who or where to seek help. 
> All I know is that I can get this working unless it's behind the F5. But 
> then, in that case, I'm using LetsEncrypt.
>
> Sean
>
> On Thu, 7 Jul 2022 at 16:11, Sean Carte <sean....@gmail.com> wrote:
>
>> Thanks, Michael. That's useful. I'll follow up with our IT department.
>>
>> Sean
>>
>> On Thu, 7 Jul 2022 at 10:23, Plate, Michael <
>> pl...@bibliothek.uni-kassel.de> wrote:
>>
>>> Hi Sean,
>>>
>>> your certificate chain is broken:
>>>
>>> openssl s_client -connect crdb.dut.ac.za:443
>>>
>>> CONNECTED(00000003)
>>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, 
>>> street = Overport, street = 7 Ritson Road, O = Durban University of 
>>> Technology, OU = ITSS, CN = *.dut.ac.za
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, 
>>> street = Overport, street = 7 Ritson Road, O = Durban University of 
>>> Technology, OU = ITSS, CN = *.dut.ac.za
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, 
>>> street = Overport, street = 7 Ritson Road, O = Durban University of 
>>> Technology, OU = ITSS, CN = *.dut.ac.za
>>> verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street = 
>>> Overport, street = 7 Ritson Road, O = Durban University of Technology, OU = 
>>> ITSS, CN = *.dut.ac.za
>>>    i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, 
>>> CN = Sectigo RSA Organization Validation Secure Server CA
>>> ---
>>> […]
>>>
>>> Browsers accept this, other programs are more picky about chain order.
>>> If you can't get around it, try letsencrypt and install certbot (it's in 
>>> Debian packages, no need for snap)
>>>
>>>
>>> Michael
>>>
>>> ________________________________________
>>> From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf 
>>> of Sean Carte <sean....@gmail.com>
>>> Sent: Thursday, 7 July 2022 07:54
>>> To: Thiago Henrique Carvalho da Costa
>>> Cc: DSpace Technical Support
>>> Subject: Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall 
>>> with wildcard certificate
>>>
>>> […]
>>>
>>> -- 
>>> All messages to this mailing list should adhere to the Code of Conduct: 
>>> https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "DSpace Technical Support" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to dspace-tech...@googlegroups.com.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/dspace-tech/d00aa2e38fde4d2b8d28b164d724ce99%40bibliothek.uni-kassel.de
>>> .
>>>
>>
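
An added example, not part of the thread or of DSpace: a small Node.js check that reads `openssl s_client` text like the output quoted above and reports when the server sent only the leaf certificate, which is what verify errors 20 and 21 together with a one-entry "Certificate chain" section indicate. The names `diagnose`, `SAMPLE`, `LEAF` and `ISSUER` are assumptions of this example; `SAMPLE` is rebuilt from the quoted output with the mail-wrapped lines rejoined.

```javascript
// SAMPLE: the s_client output quoted in this thread, mail-wrapped lines rejoined
// and the third, error-free depth=0 block left out (constructed for this example).
const LEAF = 'C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, ' +
  'street = Overport, street = 7 Ritson Road, ' +
  'O = Durban University of Technology, OU = ITSS, CN = *.dut.ac.za';
const ISSUER = 'C = GB, ST = Greater Manchester, L = Salford, ' +
  'O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA';
const SAMPLE = [
  'CONNECTED(00000003)',
  `depth=0 ${LEAF}`,
  'verify error:num=20:unable to get local issuer certificate',
  'verify return:1',
  `depth=0 ${LEAF}`,
  'verify error:num=21:unable to verify the first certificate',
  'verify return:1',
  '---',
  'Certificate chain',
  ` 0 s:${LEAF}`,
  `   i:${ISSUER}`,
  '---',
].join('\n');

function diagnose(text) {
  // OpenSSL verify error numbers reported during the handshake (20, 21, ...).
  const verifyErrors = [...text.matchAll(/^verify error:num=(\d+):/gm)].map((m) => Number(m[1]));
  // Subject/issuer pairs between "Certificate chain" and the next "---".
  const chain = [];
  let inChain = false;
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith('Certificate chain')) { inChain = true; continue; }
    if (!inChain) continue;
    if (line.startsWith('---')) break;
    const s = line.match(/^\s*\d+\s+s:(.*)$/);
    const i = line.match(/^\s*i:(.*)$/);
    if (s) chain.push({ subject: s[1].trim(), issuer: null });
    else if (i && chain.length) chain[chain.length - 1].issuer = i[1].trim();
  }
  // Each certificate the server sent must be issued by the next one it sent.
  const ordered = chain.every((c, k) => k === chain.length - 1 || c.issuer === chain[k + 1].subject);
  const last = chain[chain.length - 1];
  // A lone, non-self-signed leaf plus error 21: the issuing CA certificate was not sent.
  const leafOnly = chain.length === 1 && last.issuer !== last.subject && verifyErrors.includes(21);
  return { verifyErrors, chainLength: chain.length, ordered, leafOnly,
           missingIssuer: leafOnly ? last.issuer : null };
}

console.log(diagnose(SAMPLE));
```
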
