These are chat archives for fanout/pushpin

5th Jun 2018
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 14:48
@jkarneges could you tell me where I should put SSL certificates, because maybe I’m too noob yet
this guide is what I’m following https://pushpin.org/docs/configuration/#ssl but it says just runner/ folder
using find I get two possibilities:
/etc/pushpin/runner
/usr/lib/pushpin/runner
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:12
@jkarneges I’m working to add SSL to pushpin on Dockerfile, but could not get it working.
Tue, 05 Jun 2018 16:11:10 GMT [ERROR] (src/server.c:212: errno: No such file or directory) Failed to load cert from /etc/pushpin/runner/certs/default_4430.crt
Tue, 05 Jun 2018 16:11:10 GMT [ERROR] (src/server.c:305: errno: None) Failed to initialize ssl for server default_4430
Tue, 05 Jun 2018 16:11:10 GMT [ERROR] (src/config/config.c:359: errno: None) Failed to create server default_4430
Tue, 05 Jun 2018 16:11:10 GMT [ERROR] (src/mongrel2.c:147: errno: None) Failed to load server default_4430 from /var/run/pushpin/mongrel2.sqlite
Tue, 05 Jun 2018 16:11:10 GMT [ERROR] (src/mongrel2.c:413: errno: None) Aborting since can't load server.
Tue, 05 Jun 2018 16:11:10 GMT [ERROR] (src/mongrel2.c:451: errno: None) Exiting due to error.
That error is under mongrel2_4430.log

I have pushpin.conf with this line added:

# list of HTTPS ports that mongrel2 should listen on (you must have certs set)

https_ports=4430

also I added certs to the right path (I think)
ls -la /etc/pushpin/runner/certs
sem-pushpin | total 20
sem-pushpin | drwxr-xr-x 1 root root 4096 Jun 5 16:09 .
sem-pushpin | drwxr-xr-x 1 root root 4096 Jan 26 01:19 ..
sem-pushpin | -rw-r--r-- 1 root root 17 Jan 25 22:00 README
sem-pushpin | -rw-r--r-- 1 root root 590 Jun 5 15:37 default_4430.crt
sem-pushpin | -rw-r--r-- 1 root root 891 Jun 5 15:36 default_4430.key
could you give some idea why it can’t read it?
Justin Karneges
@jkarneges
Jun 05 2018 16:43
@jorgecuesta hmm, path looks right and logs look like it is trying to read the file. can you try again with an unimportant/self-signed cert and if it still doesn't work give me that cert and I'll test here
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:44
yes that was with a self-signed
Justin Karneges
@jkarneges
Jun 05 2018 16:44
okay you can paste the contents as a private message
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:46
@jkarneges I sent entire set of files through private message
Justin Karneges
@jkarneges
Jun 05 2018 16:46
alright I see one issue at least. the .crt file is a cert request rather than a cert
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:47
that is what I wanna share
openssl genrsa -out server.key 1024
my self-signed commands
openssl req -new -key server.key -out server.csr
of course with different names
Justin Karneges
@jkarneges
Jun 05 2018 16:52
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
that should make a crt out of a csr. note that I'm not an openssl cli expert, I just googled :)
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:53
yes me neither but here I’m fighting with it :smile:
Justin Karneges
@jkarneges
Jun 05 2018 16:55
what's nice about most of these crypto formats is they are text with "-----BEGIN ..." as the first line so you can always double check that to see if you have the correct types
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:56
let me try with the new cert and key
@jkarneges you are my hero
[INFO] 2018-06-05 16:57:30.989 starting...
sem-pushpin | [INFO] 2018-06-05 16:57:30.989 using config: /etc/pushpin/pushpin.conf
sem-pushpin | [INFO] 2018-06-05 16:57:31.007 starting m2 http:7999
sem-pushpin | [INFO] 2018-06-05 16:57:31.008 starting m2 https:4430
sem-pushpin | [INFO] 2018-06-05 16:57:31.014 [m2a] starting...
it's working
Justin Karneges
@jkarneges
Jun 05 2018 16:58
wonderful :D
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:58
So now with this route --route=\"*,ssl=yes ${target},ssl,over_http
I could handle wss:// to forward it through https?
Justin Karneges
@jkarneges
Jun 05 2018 16:59
yes
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 16:59
I need to add ,insecure to the route, right?
Justin Karneges
@jkarneges
Jun 05 2018 17:00
does the target server use a valid cert?
if so you can use host instead
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 17:01
No, it's self-signed too (we are under development) but trying to be as close as possible to deploy state
to prevent any kind of weird security issues
Justin Karneges
@jkarneges
Jun 05 2018 17:01
then insecure yes
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 17:04
@jkarneges about my last comment, I do this in the entry point of the Dockerfile to keep it from staying in a restarting loop
if [ -f /var/run/pushpin/mongrel2_7999.pid ]; then
rm -f /var/run/pushpin/mongrel2_7999.pid
fi
I think now I need to add the ssl port too, right?
because it could have the same trouble
Justin Karneges
@jkarneges
Jun 05 2018 17:05
indeed, each mongrel2 instance will have its own pid file
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 17:06
nice, so if I just wanna use the ssl port, comment out http_port=7999 in pushpin.conf and everything should work properly, right?
Justin Karneges
@jkarneges
Jun 05 2018 17:07
yes
or, hmm, I'm not sure about that
it seems the runner always runs a plain http instance. if unset, it'll default to 7999 anyway
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 17:16
I’m trying just out of curiosity
yes it makes both
so last question, hero!

what about using ssl on this

# addr/port to listen on for receiving publish commands via HTTP

push_in_http_addr=0.0.0.0
push_in_http_port=5561

to send http commands or messages to dispatch on a channel
Justin Karneges
@jkarneges
Jun 05 2018 17:23
ssl is not supported on the control port
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 17:23
0 security there so ...
Justin Karneges
@jkarneges
Jun 05 2018 17:23
the assumption is pushpin usually lives on the same internal network as the publisher
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 17:24
yes that is right, but I think that all should be protected under ssl
maybe I'm wrong
Justin Karneges
@jkarneges
Jun 05 2018 17:27
in very strict security environments I suppose it could be useful. in any case it would need to be handled outside of pushpin somehow, e.g. with stunnel or some other proxy
for fanout cloud, we bind to localhost and don't expose port 5561 to the outside world. published messages must arrive through our public API (with https), which are then relayed to pushpin
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 17:31
I see, we maybe do something similar, using an internal network and a public api through kong to the external one
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 21:16
@jkarneges have you some idea about this "Client not allowed to send WebSocket events directly.\n"
Jorge S. Cuesta
@jorgecuesta
Jun 05 2018 21:41
@jkarneges I found a problem with ssl, maybe it's just an issue on my side, when I try to access wss://foo.domain.loc:4430 it logs this:
Tue, 05 Jun 2018 21:40:41 GMT [ERROR] (src/connection.c:995: errno: No such file or directory) Failed to find cert for foo.domain.loc
when I make the certificate, for Common Name I use *.domain.loc
have you some idea why that is happening?
Justin Karneges
@jkarneges
Jun 05 2018 22:39
it's a good idea to also create certs for each domain. e.g. foo.domain.loc.[crt,key]
Justin Karneges
@jkarneges
Jun 05 2018 22:50
basically a domain-specific cert is looked up first, else default is used
"client not allowed to send websocket events directly" sounds like an HTTP request containing application/websocket-events content was made to Pushpin