LTI 1.3 OpenSSL Error in Windows

by Reed Sorensen -

We are trying to add an LTI 1.3 tool from an external provider and they have given us instructions and a custom URL to set up on the Plugins -> Activity Modules -> External Tools -> Manage Tools page.  When we try to add the tool we receive an error saying "Exception - OpenSSL unable to sign data".  When looking at the PHP log, we see the lines below:


PHP Warning:  openssl_sign(): supplied key param cannot be coerced into a private key in C:\inetpub\wwwroot\moodle\lib\php-jwt\src\JWT.php on line 209

Default exception handler: Exception - OpenSSL unable to sign data Debug:

Error code: generalexceptionmessage

* line 211 of \lib\php-jwt\src\JWT.php: DomainException thrown

* line 180 of \lib\php-jwt\src\JWT.php: call to Firebase\JWT\JWT::sign()

* line 74 of \mod\lti\startltiadvregistration.php: call to Firebase\JWT\JWT::encode()


For some background, we're running Moodle on:

OS: Windows Server 2012 R2

Web server: IIS 8

Moodle Version: 3.11.4

PHP Version: 7.4.27


I've added $CFG->opensslcnf = 'C:/PHP/extras/ssl/openssl.cnf'; to the config.php file, but I'm not 100% sure what the correct syntax is for the path since I've seen it a few different ways.  I've also set an Environment Variable in Windows for OPENSSL_CONF to C:\PHP\extras\ssl\openssl.cnf, and made sure the openssl.dll PHP extension is enabled.  Beyond that, I'm not sure what else to try.


Any help or suggestions would be much appreciated.  Thanks.

In reply to Reed Sorensen

Re: LTI 1.3 OpenSSL Error in Windows

by Jake Dallimore -
Hi Reed,

I'm no expert on Windows Server setup steps for OpenSSL/Moodle, so I can't comment on that. What I do know and can comment about is how the External Tool module works.

First things first: Are you sure the tool supports Dynamic Registration? That field on manage tools is exclusively for use with that specification. If the tool gave you a registration URL, then we're ok. If not, and they gave you instructions on how to set it up manually, then you need to be using the "Configure a tool manually" link. So that's the first thing to check and be sure about.

Next, we need the openssl conf to be correctly configured in order to generate a private key for use with LTI signing. Currently, this happens in two places:
  1. During install/upgrade of a Moodle site (a notice will be thrown if the key couldn't be generated using openssl)
  2. When manually configuring a tool
As far as I know, we don't try to generate a key when using dynamic registration, and that could be what's tripping you up (and perhaps also needs a fix).

Can you please check (but don't post here!) that you have a private key in the mdl_config_plugins table? You can check by running this SQL:

SELECT * FROM mdl_config_plugins WHERE plugin = 'mod_lti' AND name = 'privatekey'; 

Substituting mdl_ with your DB prefix of course. If you see no records, then that's likely the issue here.

Let me know how you go.

Cheers,
Jake

In reply to Jake Dallimore

Re: LTI 1.3 OpenSSL Error in Windows

by Reed Sorensen -
Thanks for the tips, Jake. The instructions they provided to set up the tool only say to enter the URL they provided and click the Add LTI Advantage button, so I'm thinking it is set up for dynamic registration.

Running that SQL query did indeed return no results, so I hope that means we're onto something.

A couple questions:
1. Do I need to configure openssl.cnf in any way?
2. How would I go about creating a private key? Would upgrading from 3.11.4 to 3.11.5 for instance cause one to be generated?
3. Is there a way to confirm that Moodle can find openssl.cnf to make sure I have the syntax to the file path correct in config.php? I've seen the syntax of the file path a few different ways, but no way to verify which one is correct. I've seen different slashes used: C:\PHP\extras\ssl\openssl.cnf, C:/PHP/extras/ssl/openssl.cnf, C:\PHP\extras\ssl/openssl.cnf, and C:\\PHP\\extras\\ssl\\openssl.cnf.

Once again, thanks for your help.
In reply to Reed Sorensen

Re: LTI 1.3 OpenSSL Error in Windows

by Jake Dallimore -
Hi Reed,

I'm not 100% sure on the config file requirements for windows.

You won't hit that code as part of the upgrade, since that was a step run way back in 3.6.x (IIRC). There is a workaround for your case though. Given Moodle can't generate a key for us during dynamic registration (yet), we'll just hit the manual registration code with a dummy entry, triggering the key generation. Try the following:
  1. Go to the manage tools page
  2. Click the "Configure a tool manually" link
  3. Enter a tool name "Dummy"
  4. Enter a tool URL "http://google.com"
  5. Change the "LTI version" to "LTI 1.3"
  6. Save
  7. This part can go one of 2 ways:
    1. If the form saved without any errors, you should be ok. Run your SQL again to check the existence of the key. It should be there.
    2. If you see a validation message like "LTI 1.3 requires a valid openssl.cnf to be configured and available to your web server. Please contact the site administrator to configure and enable openssl for this site." it means your openssl config is not quite right yet and you'll need to fix that and re-run the process again.
  8. Once you're done, delete the dummy tool entry from the manage tools page. You now have a stored private key and can use the dynamic registration URL without issue.
The above process will confirm the openssl.cnf is configured properly and available to the webserver. If it's not, you'll keep seeing the validation error.

I'm going to create an issue in tracker to deal with automatically detecting + fixing this in the dynamic registration workflow, just as we do here for manual. See MDL-74604 which deals with adding this necessary check.

Hope that helps!

Cheers
Jake
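An added diagnostic, not code from this thread and not Moodle's own code, that answers the earlier question about confirming PHP can find openssl.cnf and exercises the same two steps the dummy-tool workaround above depends on: generating an RSA key with the openssl config, then signing with it the way Firebase\JWT\JWT::sign() does via openssl_sign(). It assumes the path C:\PHP\extras\ssl\openssl.cnf, and it assumes (my reading of the validation message quoted above, not a verified detail of Moodle internals) that Moodle passes $CFG->opensslcnf as the 'config' option to openssl_pkey_new(). One fact worth knowing about the path syntax: in a PHP single-quoted string, backslashes are literal except before another backslash or a quote, so 'C:\PHP\extras\ssl\openssl.cnf' and 'C:/PHP/extras/ssl/openssl.cnf' both name the same file on Windows. Run it from the command line with the same php.exe that IIS uses, so the extension and environment match the web server.

```php
<?php
// check_openssl.php  (added example; not Moodle code)
// Usage:  C:\PHP\php.exe check_openssl.php
// Mimics the key generation Moodle does for LTI 1.3 and the RS256 signature
// that JWT::sign() performs, so a failure surfaces here instead of in the
// dynamic registration page.

// Assumed location of the config file shipped with the PHP build.
$cnf = 'C:\PHP\extras\ssl\openssl.cnf';   // single quotes: backslashes stay literal

function drain_openssl_errors(): array {
    // openssl_error_string() is a queue; empty it so each stage's errors are distinct.
    $errs = [];
    while (($e = openssl_error_string()) !== false) {
        $errs[] = $e;
    }
    return $errs;
}

function check_openssl_config(string $cnf): array {
    $report = [
        'extension_loaded' => extension_loaded('openssl'),
        'cnf_readable'     => is_readable($cnf),
        'env_OPENSSL_CONF' => getenv('OPENSSL_CONF') ?: '(not set)',
    ];

    // Assumed to match the option shape Moodle uses when it creates the LTI key.
    $opts = [
        'digest_alg'       => 'sha256',
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'config'           => $cnf,
    ];
    $key = openssl_pkey_new($opts);
    $report['pkey_new'] = ($key !== false);
    if ($key === false) {
        // Typical Windows failure: the compiled-in default openssl.cnf path does
        // not exist, so the 'config' option (or OPENSSL_CONF) is required.
        $report['errors'] = drain_openssl_errors();
        return $report;
    }

    // Export must also receive the config, or PHP falls back to the default path.
    $pem = '';
    $report['pkey_export'] = openssl_pkey_export($key, $pem, null, ['config' => $cnf]);
    if (!$report['pkey_export']) {
        $report['errors'] = drain_openssl_errors();
        return $report;
    }

    // Sign from the PEM string, which is how the stored 'privatekey' config value
    // reaches openssl_sign() inside JWT::sign().
    $sig = '';
    $report['sign_with_pem'] = openssl_sign('check', $sig, $pem, OPENSSL_ALGO_SHA256);

    // Reproduce the symptom from the log above: an empty key (no 'privatekey' row
    // in mdl_config_plugins) makes openssl_sign() warn "supplied key param cannot
    // be coerced into a private key" and return false. The @ suppresses the warning.
    $sig = '';
    $report['sign_with_empty_key'] = @openssl_sign('check', $sig, '', OPENSSL_ALGO_SHA256);

    $report['errors'] = drain_openssl_errors();
    return $report;
}

foreach (check_openssl_config($cnf) as $name => $value) {
    printf("%-20s %s\n", $name,
        is_array($value) ? implode('; ', $value) : var_export($value, true));
}
```

A healthy server prints true for extension_loaded, cnf_readable, pkey_new, pkey_export and sign_with_pem, and false for sign_with_empty_key; if pkey_new is false the errors line usually names the config file OpenSSL tried to open, which tells you whether the path you put in config.php is the one PHP is actually using.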
In reply to Jake Dallimore

Re: LTI 1.3 OpenSSL Error in Windows

by Reed Sorensen -
Thank you so much for the assistance and for creating the issue in tracker! Your instructions worked like a charm.

Creating the dummy manual external tool did create a private key as confirmed by running the SQL query. I then deleted the dummy external tool and was able to add the real tool by entering the URL and clicking Add LTI Advantage.

In case someone else stumbles across this, I did not need to make any edits to openssl.cnf. In config.php I used the syntax $CFG->opensslcnf = 'C:\PHP\extras\ssl\openssl.cnf';.