Asset Server Configuration Issue with Containerized SP-7 Using Domain Name and SSL Certificate

Hi @markp,

Thanks for the very helpful information! I have Apache acting as a reverse proxy to direct http & https traffic to my rootless Podman setup, which hosts all my containerized Specify-7 components. My SSL certificate is configured in Apache.

After reading your post, I attempted to override the web_asset_store.xml with the correct https and port settings, as suggested here: Python Error SSL: CERTIFICATE_VERIFY_FAILED] with SSL requests - #2 by wphillip

<?xml version="1.0" encoding="UTF-8"?>
<urls>
    <url type="read"><![CDATA[https://mycology.devsp.cfs.nrcan.gc.ca/fileget]]></url>
    <url type="write"><![CDATA[https://mycology.devsp.cfs.nrcan.gc.ca/fileupload]]></url>
    <url type="delete"><![CDATA[https://mycology.devsp.cfs.nrcan.gc.ca/filedelete]]></url>
    <url type="getmetadata"><![CDATA[https://mycology.devsp.cfs.nrcan.gc.ca/getmetadata]]></url>
    <url type="testkey">https://mycology.devsp.cfs.nrcan.gc.ca/testkey</url>
</urls>

I managed to implement the override, but it led to additional SSL issues, as shown in my pod logs:

b913c6b5504f File "/opt/specify7/ve/lib/python3.8/site-packages/requests/adapters.py", line 620, in send
b913c6b5504f raise SSLError(e, request=request)
b913c6b5504f requests.exceptions.SSLError: HTTPSConnectionPool(host='mycology.devsp.cfs.nrcan.gc.ca', port=443): Max retries exceeded with url: /web_asseED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))

Thanks for any further guidance you can provide!

Héryk

PS. This is my Apache configuration file…

<VirtualHost *:80>
    ServerName mycology.devsp.cfs.nrcan.gc.ca
    Redirect permanent / https://mycology.devsp.cfs.nrcan.gc.ca/
</VirtualHost>

<VirtualHost *:80>
    ServerName mycologie.devsp.scf.rncan.gc.ca
    Redirect permanent / https://mycologie.devsp.scf.rncan.gc.ca/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin lfc.imit-cfl.giti@rncan-nrcan.gc.ca
    ServerName mycology.devsp.cfs.nrcan.gc.ca
    ServerAlias mycologie.devsp.scf.rncan.gc.ca

    ProxyPass / http://localhost:5003/
    ProxyPassReverse / http://localhost:5003/

    # Set X-Original-Host, Host, and X-Forwarded-Proto headers
    RequestHeader set X-Forwarded-Proto "https"
    #ProxyAddHeaders On
    ProxyPreserveHost On

    ErrorLog "logs/lfc/mycology_devsp_error_log"
    CustomLog "logs/lfc/mycology_devsp_access_log" combined

    SSLCertificateFile "/mnt/opt/httpd/conf/extra/custom/lfc/devsp_cfs_nrcan_gc_ca.crt"
    SSLCertificateKeyFile "/mnt/opt/httpd/conf/extra/custom/lfc/devsp_cfs_nrcan_gc_ca.key"
</VirtualHost>

Here is my NGINX file used inside the POD NGINX container. There is no listening section for port 443 in my NGINX file since all https traffic is captured by Apache, decrypted and then reverse proxied to NGINX:

server {
    listen 80; # ssl;
    #ssl_certificate /etc/letsencrypt/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/privkey.pem;
    server_name www.demo-assets.specifycloud.org;

    root /usr/share/nginx;
    #client_max_body_size 128M;
    client_max_body_size 500M;

    # serve static files directly
    location /static/ {
        client_max_body_size 0;
        root /volumes;
        rewrite ^/static/config/(.*)$ /specify6/config/$1 break;
        rewrite ^/static/depository/(.*)$ /static-files/depository/$1 break;
        rewrite ^/static/(.*)$ /static-files/frontend-static/$1 break;
    }

    # proxy these urls to the asset server
    location ~ ^/(fileget|fileupload|filedelete|getmetadata|testkey|web_asset_store.xml) {
        client_max_body_size 0;
        resolver 127.0.0.11 valid=30s;
        set $backend "http://0.0.0.0:5050";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # proxy everything else to specify 7
    location / {
        client_max_body_size 400M;
        client_body_buffer_size 400M;
        client_body_timeout 120;
        resolver 127.0.0.11 valid=30s;
        set $backend "http://0.0.0.0:8000";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
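Added example (not code from the post or from Specify 7): a small diagnostic that separates the two usual causes of the pod-log error above, a container image with no CA bundle versus Apache serving the leaf certificate without its intermediate. Run it with the container's own Python so it sees the same trust store that requests uses. HOST is the hostname from the post; cafile is an assumed optional bundle to try instead of the default store.

```python
import os
import socket
import ssl

HOST = "mycology.devsp.cfs.nrcan.gc.ca"  # hostname from the post
PORT = 443


def trust_store_summary(cafile=None):
    """Count the CA certs the client context can verify against, and where they come from."""
    ctx = ssl.create_default_context(cafile=cafile)
    paths = ssl.get_default_verify_paths()
    return {
        "x509_ca": ctx.cert_store_stats()["x509_ca"],  # 0 means nothing can ever verify
        "cafile": cafile or paths.cafile,
        "capath": paths.capath,
        "requests_ca_bundle": os.environ.get("REQUESTS_CA_BUNDLE"),  # honoured by requests
    }


def verify_handshake(host, port, cafile=None, timeout=5.0):
    """Do a verified TLS handshake; return (ok, detail), detail being the OpenSSL verify message."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert()["subject"]
    except ssl.SSLCertVerificationError as e:  # verify_code 20 is the error in the pod logs
        return False, f"verify_code={e.verify_code}: {e.verify_message}"
    except OSError as e:  # refused, timed out, or a plaintext listener
        return False, f"connection error: {e}"


def interpret(store, ok, detail):
    """Map the two checks to the next thing to fix."""
    if ok:
        return "chain verifies from here; if the container still fails, compare its trust store"
    if store["x509_ca"] == 0:
        return "client trust store is empty: the image has no CA bundle"
    if "local issuer" in str(detail):
        return ("CAs are loaded but the issuer is missing: either Apache sends the leaf without "
                "its intermediate, or the issuing CA is private and must be passed to requests "
                "via REQUESTS_CA_BUNDLE")
    return str(detail)


if __name__ == "__main__":
    store = trust_store_summary()
    ok, detail = verify_handshake(HOST, PORT)
    print(store, detail, interpret(store, ok, detail), sep="\n")
```

Since Apache 2.4.8 the intermediate certificate can be appended to the file named by SSLCertificateFile, which is the fix when the second branch of interpret() fires for a publicly issued certificate.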