SSL config on CentOS/Nginx

Martin Williams
Number of replies: 22

I have inherited a Moodle install that I need to enable SSL on.

It is Moodle v2.5x on CentOS 7.6x

I have configured SSL the same way I have for my Wordpress sites that use CentOS/Nginx but when I check the box to use SSL for login I lose access to the site.

Please let me know what files you need to help me get this going.

Average rating: -
In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

First, don't compare what you do in WP to Moodle.   Doesn't sometimes equate.

Second ... does site respond with https://site:443 ok ... port is opened?

Third: **backup database**, then ...

Untick the use https for login.

2 things to do ...

use http://site/admin/tool/replace/

Search for http://site/ replace with https://site/  ... include protocol in front and trailing slash at the end.

This is why you backed up the database first.

Moodle uses the config.php URL variable to build every internal link in Moodle.

So edit config.php change http:// you see there to https://

Might want to purge the caches right after that change ...

https://site/admin/purgecaches.php

'spirit of sharing', Ken



In reply to Ken Task

Re: SSL config on CentOS/Nginx

Martin Williams

I've definitely realized that Moodle and WP are not the same. However, from what I have read the Nginx configuration is the same so I used my WP installs as reference. As for the site itself I had made a snapshot prior to making the change so the site is up and running. What I need is some assistance in getting SSL working.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

What I shared was what one would have to do to Moodle ... not how one gets certs/ssl to work with web service.   However, since you said you had your WP's working, assumed that config of nginx/apache for certs/ssl had been done.

Maybe you need to be more specific with what assistance you need! :)

Test ... create a static 'hello world' page ... hello.html.   It's really a text file with only one word in it ... "Hello!" ... that's it .. no html necessary for the test.

Put it at the root of site + a copy in the  moodle code directory.

Hit site using direct URL's ... https://site/hello.html   https://moodlesite/hello.html

What does the lock in browser tell ya?

'spirit of sharing', Ken


Average rating: Useful (1)
In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Mathew Gancarz
Core developers

I agree that the SSL config between both can be the same, it is for us at least with Apache. Look into your nginx logs and see what errors you are seeing and go from there. I agree with Ken's suggestion of doing just basic html file testing, lets you isolate your ssl config from Moodle itself.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Visvanath Ratnaweera
Particularly helpful Moodlers, Translators
In reply to Visvanath Ratnaweera

Re: SSL config on CentOS/Nginx

Martin Williams

So, the doc got me close. I kind of suspected that I needed to change that value. When I do change it and go to http://.... I get a notice that I need to use https. However, when I use https I am back to my original issue which is: 

This site can’t be reached

I do have https enabled in the firewall.

I have SSL installed

I have the certs installed and configured per nginx.


Please note that my version of Moodle is 2.5.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

The static file test fails?   Then config of nginx/certs - I would think ...

What was the full screen ... did it have something like 'site can be reached via ... blah, blah, blah' or some additional info?

For Moodle ...

https://docs.moodle.org/36/en/Transitioning_to_HTTPS but that's higher version of Moodle than you are running.  Instead, you will have to use a hidden tool for replace ...

http://yoursite/admin/tool/replace/

Why? Moodle uses the wwwurl to build *all internal to moodle links* ... currently they are all http:// and need to be changed to https://

Another way to do this ... make a sql dump of database.

Edit the .sql dump with an editor that has search and replace ... nano has it ...

Search for 'http://yoursite/' ... include the protocol (http://) in front of the FQDN of site and also include the 'trailing slash'.

Replace with https://yoursite/

You want to replace ONLY internal URL's ... not URL's that might have been used as links in courses.

Save the edited sql dump with a slightly different name ... moodle-edited-ssl.sql.

Create a new DB ... (newmoodlessl) import the moodle-edited-ssl.sql dump.

Change config.php file point to the new DB 'newmoodlessl').

Actually  safer to copy the DB name line, then paste it back in ... comment out the original line // in front ... and the new line has 'newmoodlessl'  + the https:// in site url.

Purge the caches.

Can do that manually ... in moodledata ... that's moodledata .. remove the contents of ... that's remove the contents of moodledata/cache/  It will rebuild as site is used.

Server logs ... error and maybe you have ssl_error might give a clue hint.

Plus ... if running something that has added protections ... CentOS 6-7 for example has SELinux in enforcing mode.   Your system ... dunno.

Suggest you PM me the URL this server and let me do some remote poking/probing.

'spirit of sharing', Ken
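
The dump-and-replace route from the post above, as an added shell example that is not part of the original thread: it rewrites only the exact base URL (protocol in front, trailing slash at the end) into a new file and checks that the counts add up. The host name `moodle.example.org` and the sample rows are constructed; `moodle-edited-ssl.sql` is the file name used in the post.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Host names and sample rows are constructed.

# Escape a literal for the pattern side of sed 's|...|...|' (basic regex).
esc_pat() { printf '%s' "$1" | sed -e 's/[][\\.*^$|]/\\&/g'; }
# Escape a literal for the replacement side (only \, & and the delimiter matter).
esc_rep() { printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'; }
# Count occurrences (not lines) of a fixed string in a file.
count_fixed() { grep -oF -- "$1" "$2" | wc -l | tr -d ' '; }

# rewrite_dump OLD NEW SRC DST: write an edited copy of the dump, leave SRC untouched.
# Prints the number of URLs rewritten; non-zero exit if the result does not add up.
rewrite_dump() {
    local old="$1" new="$2" src="$3" dst="$4" before base_new after_old after_new
    case $old in http://*/) ;; *) echo "OLD needs protocol and trailing slash" >&2; return 2 ;; esac
    before=$(count_fixed "$old" "$src")
    base_new=$(count_fixed "$new" "$src")       # https URLs already present in the dump
    sed "s|$(esc_pat "$old")|$(esc_rep "$new")|g" "$src" > "$dst" || return 1
    after_old=$(count_fixed "$old" "$dst")
    after_new=$(count_fixed "$new" "$dst")
    [ "$after_old" -eq 0 ] && [ "$after_new" -eq $((before + base_new)) ] || return 1
    echo "$before"
}

# Constructed rows standing in for a mysqldump of the Moodle database.
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO mdl_label VALUES (1,'<img src="http://moodle.example.org/pluginfile.php/12/a.png">');
INSERT INTO mdl_page VALUES (2,'<a href="http://moodle.example.org/mod/quiz/view.php?id=3">quiz</a> <a href="http://moodle.example.org/course/view.php?id=2">course</a>');
INSERT INTO mdl_url VALUES (3,'http://moodlexexample.org/lookalike');
INSERT INTO mdl_url VALUES (4,'http://moodle.example.org:8080/other-service');
INSERT INTO mdl_url VALUES (5,'http://www.example.com/external-course-link');
EOF
}

demo_rewrite() {
    local dir; dir=$(mktemp -d) || return 1
    make_sample_dump "$dir/moodle.sql"
    rewrite_dump 'http://moodle.example.org/' 'https://moodle.example.org/' \
        "$dir/moodle.sql" "$dir/moodle-edited-ssl.sql"    # URLs rewritten
    grep -c 'http://' "$dir/moodle-edited-ssl.sql"        # rows left on plain http
    rm -rf "$dir"
}
demo_rewrite
```

Rows 3 to 5 stay as they are: the escaped dots keep the look-alike host from matching, and the trailing slash keeps the `:8080` service and the external link out of the replacement.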


In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Martin Williams

All, thanks for the tips so far. Let me add some more info that will hopefully help.

First, my comparison to WP was only for the purpose of comparison in terms of the general server setup. I realize that Moodle and WP are much different apps. Also, I didn't mean to imply that both Moodle and WP are running on the same server (VM) only that they are similarly setup at the base level i.e. CentOS 7.6, Nginx 1.12, PHP 5.4, MariaDB 5.5. Lastly, I am very familiar with the noted LEMP setup as I manage about a dozen servers (VMs). However, my familiarity with Moodle is low as we always had a consultant configure and manage it. Management now falls to me so I am trying to come up to speed.

I have requested, installed and configured the SSL cert per the instructions for Nginx. However, when I change the protocol to https in the browser I get a "This site can’t be reached" error. 

  • I have tried a standalone html file as suggested and I still get the same error. 
  • I have changed the config.php file as noted and I still get the same error. 
  • I have checked the box for Use HTTPS for logins and got locked out of the site until I did a restore.

My current thought is that Moodle is not seeing the Nginx config and therefore not seeing the SSL settings. My reasoning behind this is that I have renamed ALL of the Nginx files, restarted Nginx and the site still runs. This tells me that while Nginx is the web engine all of the running parameters are in Moodle or ???

I hope this helps explain where I am on this.


Average rating: Useful (1)
In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Visvanath Ratnaweera
Particularly helpful Moodlers, Translators
In reply to Visvanath Ratnaweera

Re: SSL config on CentOS/Nginx

Martin Williams

No. But, that is how I have it configured.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

Maybe this will help?

http://nginx.org/en/docs/http/configuring_https_servers.html

'spirit of sharing', Ken

In reply to Ken Task

Re: SSL config on CentOS/Nginx

Martin Williams

That is exactly how I have set it up. I am using SSL on several other Nginx servers and it works fine. But, all of them are either Wordpress or straight html servers.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

Going back to first posting ...

This ... "when I check the box to use SSL for login I lose access to the site"

2.5.x is very old.  That version did have an option to use https on login.
Newer versions of Moodle do not.  Most folks in these forums probably
don't run a 2.5.x any more.

Did you un-do this:
"when I check the box to use SSL for login ... "

Since site will be full time https don't need moodle to do anything special on logins.

If you didn't undo and now can't login to the site one way or another, might try this in config.php

$CFG->httpsonlogin='0';

To be honest, that's a guess ... most variables in a moodle can be set via config.php file ... don't recall what the shortname of that config item was it's been so long ago.

You might be able to do same by changing that setting in mdl_config or mdl_config_setting tables ... IF a 2.5.x has those tables.   Try mdl_config first.

And ... just to check ... you did replace all internal URL's to the site in the DB from http:// to https:// right?

Have sent you a PM question here on Moodle.org ... please respond.

'spirit of sharing', Ken

In reply to Ken Task

Re: SSL config on CentOS/Nginx

Martin Williams

I wish this wasn't v2.5. I have asked the etcportal group to consider an upgrade and they have declined for now.

After checking that fateful box I actually restored from a snapshot that I made just prior to implementing it.

My goal would be to have full time https and not just at the login.

I will know more once I get a new SSL cert.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

This goes deeper than what appears ...

Think you have more work than just https and upgrading the 2.5.x

CentOS 7 release date: 7 July 2014
Came with PHP ver 5.4?  MySQL 5.5 or 5.6? if I recall - 5 years ago.

moodle 2.5. released May 2013 - 6 years ago

What specific version of code do you have?
fgrep '$release' /path/to/moodlecode/version.php

https://docs.moodle.org/dev/Moodle_2.5_release_notes
min version for PHP was 5.3.3

With a brand new CentOS you might need to install a minimal OS ... so you can get older PHP from 3rd party repos. Moodle 2.5.x -> 3.0 can do up to PHP 5.6 but not PHP 7.0+ and your skills with yum and 3rd party repos to get lower versions of PHP (assuming they are still in repos) will be tested. :|

So this is really like a migration ... have to plan up'ing PHP/MySQL + Moodle at the same time
in a "march".  Once you do get the 2.5.x up, take stock of addons and plugins.

Predict 2.5 will get some strange errors - may not launch at all with PHP 7-> and who knows with MySQL/MariaDB.

So what do we currently have for:

php -v

php -m

mysql -V

yum repolist

Not sure I'd stick a 2.5.x of Moodle out on public_internet .... no one should be surprised about pokes and probes these days - given that within 1 minute of server getting on the net will have its first poke/probe.

'spirit of sharing', Ken


In reply to Ken Task

Re: SSL config on CentOS/Nginx

Martin Williams

I am so with you on the upgrade but it is out of my hands. When I first got my hands on this I said they need to upgrade because of how old and possibly insecure this version is. However, they balked for multiple reasons. I at least talked them into getting an SSL which I am still hoping to get working. If I am unable to because of the version then I will push harder for an upgrade or outright retirement which is an actual possibility.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Martin Williams

So, I just had a minor success. 

After getting a new SSL cert and installing it I was able to get a plain html file to answer to https. This confirms my suspicion that I had an error in my SSL CSR. However, I was not able to get the Moodle install to answer to https in fact I couldn't even get it to answer to http for several panicked minutes after removing the changes.

At this point I know the server itself works with SSL as configured. However, Moodle still won't work with SSL.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

Progress ... good!  

But again ... Did you un-do this:
"when I check the box to use SSL for login ... "

That was a setting (check box un-ticked) by default.

I can see the site also ... but have  to use site/login/index.php ... a /login/ goes back to nginx welcome page ... which still displays a Fedora icon ... even though we know it's CentOS.   So is index.php in the list of default pages to serve and is it first in the order?

I cannot access anything using https:// ... should at least see broken lock (meaning mix).

Humor me ... setup/allow port 443 - or don't ... mox nix to me! :)

curl -I https://yoursite begets

curl: (7) Failed to connect to your site port 443: Connection refused

'spirit of sharing', Ken

In reply to Ken Task

Re: SSL config on CentOS/Nginx

Martin Williams

Yes. In fact I undid everything.

In reply to Martin Williams

Re: SSL config on CentOS/Nginx

Ken Task
Particularly helpful Moodlers

don't run nginx but OS 7 I do.  Googling found a person having similar issue ...  wasn't redirecting for https.

the default site configuration from /etc/nginx/sites-enabled/  still present deleting that symbolic link fixes the problem

i can get to http://site/ but only if include index.php which wouldn't be doing site redirect to https.  otherwise https begets FF error unable 2 connect.

'spirit of sharing' Ken
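
The questions raised in the last few posts (is anything listening on port 443, is a default site still enabled, where does index.php sit in the index list) can be read off the nginx configuration. An added shell example, not part of the thread, that audits each server block in a config file; the sample config and the host name `moodle.example.org` are constructed.

```bash
# Added example (not from the thread); sample config is constructed. Output per server block
# in FILE (e.g. saved `nginx -T` output): <server_name> listen443= default= index_php=
audit_nginx() {
    awk '
    { sub(/#.*/, "") }                                   # drop comments
    /^[ \t]*server[ \t]*[{]/ && !in_srv {
        in_srv = 1; start = depth; name = "(none)"; tls = "no"; dflt = "no"; idx = "none"
    }
    in_srv && /^[ \t]*listen[ \t]/ {
        if ($0 ~ /(^|[^0-9])443([^0-9]|$)/) tls = "yes"
        if ($0 ~ /default_server/) dflt = "yes"
    }
    in_srv && /^[ \t]*server_name[ \t]/ { name = $2; sub(/;$/, "", name) }
    in_srv && /^[ \t]*index[ \t]/ {
        for (i = 2; i <= NF; i++) {
            f = $i; sub(/;$/, "", f)
            if (f == "index.php") idx = (i == 2) ? "first" : "later"
        }
    }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (in_srv && depth == start) {                  # closing brace of this server block
            printf "%s listen443=%s default=%s index_php=%s\n", name, tls, dflt, idx
            in_srv = 0
        }
    }' "$1"
}

make_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80 default_server;
    server_name _;
}
server {
    listen 80;
    server_name moodle.example.org;
    index index.html index.php;
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
server {
    listen 443 ssl;
    server_name moodle.example.org;
    index index.php index.html;
}
EOF
}

f=$(mktemp) && make_sample_conf "$f" && audit_nginx "$f"; rm -f "$f"
```

If no block reports `listen443=yes`, a "Connection refused" on port 443 is what a client should expect. The parser assumes `server {` is written on one line.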