working ssl certificate but not with moodle

Attila Teiermayer -
Number of replies: 11

Hi, 

I am installing Moodle 3.9 onto an Azure Ubuntu VM using the website: https://docs.moodle.org/39/en/Step-by-step_Installation_Guide_for_Ubuntu

I've set up an SSL certificate to the IP of the virtual machine using certbot and it works well, if I type the domain name it comes up as https://domain name etc. and I see the apache server's default page.

However, if I type https://domain name/moodle, (as I am told in the instruction) it turns to http://IP address/moodle.

In the SSL config files, certbot set a redirection rule, and it looks like it is working, so I suppose the issue is from Moodle, but I don't know where.

Whilst following the documentation, I am at environment check (server check) and I am warned that the site is not secure which is true. I don't want to carry on with the installation until fixing the problem.

Could anyone help me with this please?

In reply to Attila Teiermayer

Re: working ssl certificate but not with moodle

Visvanath Ratnaweera -
Does your config.php have a line $CFG->wwwroot='https://domain/moodle'?
In reply to Attila Teiermayer

Re: working ssl certificate but not with moodle

Attila Teiermayer -
Thank you, I checked the config-dist.php, added the line you recommended but nothing changed unfortunately.
In reply to Attila Teiermayer

Re: working ssl certificate but not with moodle

Howard Miller -
config.php, not config-dist.php (like he said)

....and you don't add it. $CFG->wwwroot (like I said) is already there. 
In reply to Attila Teiermayer

Re: working ssl certificate but not with moodle

Ken Task -

Nowhere in those directions does it specifically address a LetsEncrypt cert bot setup.    So .... dumb questions follow ...

"set up an SSL certificate to the IP of the virtual machine using certbot"

The IP address ... oops ... IP or did you mean the existing in DNS fully qualified domain name of your moodle server?  So 2 things ... is the IP you used a private IP? and is there a fully qualified domain name for your server (internet DNS not LAN/WAN private IP)?

When you set up the letsencrypt up, at the end you should have seen a:

"Congratulations! Your certificate and chain have been saved at:"

   /etc/letsencrypt/live/[yourfqdn]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[yourfqdn]/privkey.pem
   Your cert will expire on 20xx-xx-xx. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

With that working, one uses only https://FQDN/moodle in config.php file.

You can test using curl ...

curl -vvv -I https://yourFQDN/

'SoS', Ken
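
The two checks this post describes (an https:// FQDN as $CFG->wwwroot in config.php, and reading the response headers that curl -I prints), as an added example that is not part of the original thread. The hostnames, the 203.0.113.10 address, the sample config.php and the sample headers are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Hostnames, IPs and file contents are constructed samples.

# Print the active $CFG->wwwroot value from a Moodle config.php
# (commented-out lines are ignored, last assignment wins).
get_wwwroot() {
    sed -n "s/^[[:space:]]*\\\$CFG->wwwroot[[:space:]]*=[[:space:]]*['\"]\\([^'\"]*\\)['\"].*/\\1/p" "$1" | tail -n 1
}

# Classify a wwwroot: the thread's advice is https:// plus the FQDN on the cert.
classify_wwwroot() {
    local host
    case "$1" in
        "")       echo "missing" ;;
        http://*) echo "insecure-scheme" ;;
        https://*)
            host=${1#https://}; host=${host%%/*}; host=${host%%:*}
            if printf '%s' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
                echo "ip-literal"   # cert names the FQDN, so an IP will not validate
            else
                echo "ok"
            fi ;;
        *)        echo "unrecognised" ;;
    esac
}

# Read `curl -I` style headers on stdin; print any Location that downgrades to http.
find_downgrade() {
    tr -d '\r' | awk 'tolower($1) == "location:" && $2 ~ /^http:\/\// { print $2 }'
}

# --- demo on constructed data ---
tmp=$(mktemp -d)
cat > "$tmp/config.php" <<'EOF'
<?php
// $CFG->wwwroot = 'https://old.example/moodle';
$CFG->wwwroot   = 'http://203.0.113.10/moodle';
EOF
root=$(get_wwwroot "$tmp/config.php")
echo "wwwroot: $root -> $(classify_wwwroot "$root")"
printf 'HTTP/1.1 303 See Other\r\nLocation: http://203.0.113.10/moodle/\r\n\r\n' \
    | find_downgrade | sed 's/^/downgrading redirect: /'
rm -rf "$tmp"
```

Against a live server, the output of the curl -I command quoted above can be piped straight into find_downgrade.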

In reply to Ken Task

Re: working ssl certificate but not with moodle

Attila Teiermayer -

Hi Ken,

Thank you for your message. Although it is not the right place to discuss the usage of right terms, I know that an SSL certificate can be issued for a public IP address of a virtual machine as well, however, you were right that my wording was incorrect in my question as I wanted to express that a full DNS name was assigned to the IP address and I can access the web server using a web browser securely. 

My question was about how moodle can be accessed securely, and I amended the config.php file as all of you recommended, so everything works well.

Thank you for your contribution.

In reply to Attila Teiermayer

Re: working ssl certificate but not with moodle

Ken Task -

Me thinks ....

IMHO ... the directions for installing moodle initially, don't emphasize enough that the first 2 steps involve getting apache running ... port 80 or 443 with a 'it works!' page.   The latter would show a broken lock.

Second step ... valid cert ... and port 443 ... LetsEncrypt is the only one that has a bot ... all the other CA's require a process that Moodle docs really can't cover due to differences in how that's done.

Then, once again, testing access ... but this time https://FQDN/ to see if lock is not broken.

Then, and only then, install moodle ... when one gets to the wwwurl config one can use https:// from the get go and then don't have to go forward one only to have to step back, search/replace the DB for all the internal links that Moodle creates.

The other ... about not sharing URL to site is kinda a catch 22 but only if conditions (mis-configurations) are right ...  only time one should not do that is when php is completely broken ... the page renders enough info to sleuth that the config.php file is wget-able and if the installer used the same root creds for the DB as for ssh, then the site mis-configuration has provided a hacker root access via ssh - if ssh not restricted to IP ranges or a specific IP (which many do later anyway).

IMHO, until the site is ready for students, front page shows nothing and requires a login to see/do anything.   Once ready, front page changed.

But ... that's my take. :)

'SoS', Ken


In reply to Ken Task

Re: working ssl certificate but not with moodle

Howard Miller -
Getting https: working, debugging cert chains and all that stuff is *well* outside of the scope of Moodle docs.

It's another one of those "you can get a decently paid job" things. LetsEncrypt makes it reasonably easy but only if it works. You have to fall back on knowing what you are talking about if it doesn't. I've been doing this forever and that would still be a bad day :D
In reply to Howard Miller

Re: working ssl certificate but not with moodle

Ken Task -

Agree ... well outside scope of Moodle docs.  CA's, platform, etc. research will take some time before hand.   Even afterwards there are protocols and ciphers that need tweaking ... usually reducing/limiting. :(

Kinda the nature of the beast these days ... any app ... WordPress, Joomla, Drupals, etc.   Think Moodle is the only one of those that uses a www config item (Joomla had optional).

Suggest anyone interested in such things to test their own site with:

https://www.ssllabs.com/ssltest/

don't share/retain results ... and be prepared for info overload.   Goal would be a grade of A! :)

Am working on a site now that uses Google's ssh in a web browser to guest OS hosted on Google CE and it's eating my lunch ... and dinner! :|  Close ... but no cigar! :|

'SoS', Ken


In reply to Howard Miller

Re: working ssl certificate but not with moodle

Visvanath Ratnaweera -
+1

Moodle Docs should stop at http. The web server combined with all the network jugglery must make the address http://moodledomain/test.html in the browser render an HTML file called test.html in the (planned) Moodle root directory before the Moodle code even arrives.