How do I fix this? How do I install security measures in VPL?
Error in SSL accept SSL_ERROR_SSL error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
(ip address):Http GET: Url path not found '/'
I will try to help you:
If you use a custom certificate you need to put your public key and private key certificates in pem format in files
Files must be owned by root, with rw permission for the owner only ("chmod 600").
Notice that cert.pem may also contain the certificates of intermediate CAs if needed.
If you want to change (install/uninstall/replace) your certificates, you must change the content of these files and restart the service vpl-jail-system.
You don't need to install or uninstall the vpl-jail-service to update the certificates.
To better spot the problem, please detail the information the browser gives you about why the connection is marked as untrusted (by clicking on the lock).
P.S. See this thread if you want to try the Let's Encrypt option
This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
cat myIntermediateCACertificate.pem >> /etc/vpl/cert.pem
Notice that pem format is a textual format.
Here is the error I keep getting:
Broadcast message from systemd-journald@ (Fri 2020-06-12 18:11:14 UTC):
vpl-jail-system: SSL_CTX_use_certificate_chain_file() fail: error:0909006C:PEM routines:get_name:no start line
Job for vpl-jail-system.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status vpl-jail-system.service" and "journalctl -xe" for details.
The auto-signed certificates generated by the installer are saved in the key.pem and cert.pem files in the /etc/vpl directory.
Please, consider using Let's Encrypt (Free certificates for https).
See the post https://moodle.org/mod/forum/discuss.php?d=403090#p1650116.
If you need other help, please give all the details about what you are trying to do and the problem you found.
At this moment, those who configure whether to use HTTP or HTTPS are the Moodle administrator, by setting the plugin configuration and using HTTP or HTTPS in the "Execution servers list", and the teachers with privileges, by setting the local server list. Also, the execution server administrator can control access to the server by configuring the vpl-jail-service. Notice also that by default, if your Moodle server uses an HTTP connection, the browser will use non-encrypted WebSocket connections with the execution server.
Parameters at /etc/vpl/vpl-jail-system.conf you can use to control the access to your execution server:
- PORT: Sets the server port number for HTTP and WS. Default 80. If you change this port, only users who know the port number can access your server using HTTP. In a future version, this access can be removed. e.g. http://servername:34377
- URLPATH: Represents the PATH expected in execution requests. It acts as a password: if the URL path in the execution request does not match, the request is rejected. By default "/". If you set it, only Moodle servers that use this URLPATH can use the service. e.g. http(s)://servername/PASS
- TASK_ONLY_FROM: IPs or networks (type A, B or C) from which execution requests are accepted. You can set multiple values separated by spaces. This parameter only affects Moodle servers; access from clients (browsers) is done using frugal tickets. If this property is not set, the server will accept requests from any machine that sets the correct URLPATH. Default not set.
I have the same message. How did you use your certificates? Did you replace key.pem and cert.pem?
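An added example, not part of the thread and not VPL's own code: a pre-restart check for the two files discussed above, covering the root ownership and "chmod 600" requirement and the missing PEM start line behind the "no start line" error. The function names and the `owner_uid` parameter are assumptions made for this sketch; the paths are the ones named in the thread.

```python
import base64, os, re, stat

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(path):
    """Return the labels of all well-formed PEM blocks in the file, in order."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # body is not valid base64: not a usable block
        labels.append(label)
    return labels

def check_file(path, want, owner_uid=0):
    """List problems for a certificate ("CERTIFICATE") or "PRIVATE KEY" file."""
    problems = []
    st = os.stat(path)
    if st.st_uid != owner_uid:  # uid 0 is root
        problems.append("owner uid is %d, expected %d" % (st.st_uid, owner_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append("mode is %o, expected 600" % mode)
    labels = pem_labels(path)
    if not labels:
        # The condition OpenSSL reports as "PEM routines:get_name:no start line".
        problems.append("no PEM block found (empty, DER/binary, or truncated)")
    elif want == "CERTIFICATE" and labels[0] != "CERTIFICATE":
        problems.append("first block is %r, expected a certificate" % labels[0])
    elif want == "PRIVATE KEY" and not any(
            l.endswith("PRIVATE KEY") for l in labels):
        problems.append("no private key block found")
    return problems

if __name__ == "__main__":
    for path, want in (("/etc/vpl/cert.pem", "CERTIFICATE"),
                       ("/etc/vpl/key.pem", "PRIVATE KEY")):
        try:
            issues = check_file(path, want)
        except OSError as exc:
            issues = [str(exc)]
        print(path, "OK" if not issues else "; ".join(issues))
```

Run it as root before restarting vpl-jail-system; it checks only file form and permissions, not whether the certificate is trusted or matches the key.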