EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #10072



RE: [EP-tech] HTTPS-only


CAUTION: This e-mail originated outside the University of Southampton.

David

 

OK, after lots of adventures I finally got the https-only to work at the Cloudflare end of things and now have overcome the various confusions in the *.conf files that were tripping up the https-only and HSTS configuration settings. The SSL/TLS stuff all works correctly now, I believe, with no error messages. So, the server-side errors are all resolved and I am getting https-only requests to the site. But there are still problems in that active pages are just not being served but static ones are. It seems as though cgi requests are not being properly routed. Here is what happens when I test a process request:

root@ubuntu-s-1vcpu-1gb-lon1-01:/# curl -v https://arcomabstracts.com/cgi/process_request

* Host arcomabstracts.com:443 was resolved.

* IPv6: 2606:4700:3035::ac43:cefc, 2606:4700:3035::6815:4563

* IPv4: 104.21.69.99, 172.67.206.252

*   Trying 104.21.69.99:443...

* Connected to arcomabstracts.com (104.21.69.99) port 443

* ALPN: curl offers h2,http/1.1

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

*  CAfile: /etc/ssl/certs/ca-certificates.crt

*  CApath: /etc/ssl/certs

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):

* TLSv1.3 (IN), TLS handshake, Certificate (11):

* TLSv1.3 (IN), TLS handshake, CERT verify (15):

* TLSv1.3 (IN), TLS handshake, Finished (20):

* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.3 (OUT), TLS handshake, Finished (20):

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey

* ALPN: server accepted h2

* Server certificate:

*  subject: CN=arcomabstracts.com

*  start date: Mar 22 19:35:18 2025 GMT

*  expire date: Jun 20 20:33:37 2025 GMT

*  subjectAltName: host "arcomabstracts.com" matched cert's "arcomabstracts.com"

*  issuer: C=US; O=Google Trust Services; CN=WE1

*  SSL certificate verify ok.

*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256

*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384

*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384

* using HTTP/2

* [HTTP/2] [1] OPENED stream for https://arcomabstracts.com/cgi/process_request

* [HTTP/2] [1] [:method: GET]

* [HTTP/2] [1] [:scheme: https]

* [HTTP/2] [1] [:authority: arcomabstracts.com]

* [HTTP/2] [1] [:path: /cgi/process_request]

* [HTTP/2] [1] [user-agent: curl/8.9.1]

* [HTTP/2] [1] [accept: */*]

> GET /cgi/process_request HTTP/2

> Host: arcomabstracts.com

> User-Agent: curl/8.9.1

> Accept: */*

>

* Request completely sent off

* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

< HTTP/2 404

< date: Fri, 04 Apr 2025 15:28:23 GMT

< content-type: text/html; charset=iso-8859-1

< cf-cache-status: DYNAMIC

< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6GRYupr0EBzCx4eSvkmHNxfn6vlGcueglmOp7Bv0ojyy0HwuHoIhZYsbgVVB7WcAqziaHNaYB%2BMviK82Sj7nQJGWxaFL4QuF7uVSeNOYJNbaYOdLMV8XkZSJQZvOa1ruBxphZY4%3D"}],"group":"cf-nel","max_age":604800}

< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}

< strict-transport-security: max-age=31536000; includeSubDomains; preload

< server: cloudflare

< cf-ray: 92b1d5d2bcbf888f-LHR

< alt-svc: h3=":443"; ma=86400

< server-timing: cfL4;desc="?proto=TCP&rtt=2783&min_rtt=2180&rtt_var=1012&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3429&recv_bytes=792&delivery_rate=1328440&cwnd=252&unsent_bytes=0&cid=77c7920a62c5ea69&ts=47&x=0"

<

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>404 Not Found</title>

</head><body>

<h1>Not Found</h1>

<p>The requested URL was not found on this server.</p>

<hr>

<address>Apache/2.4.62 (Ubuntu) Server at arcomabstracts.com Port 443</address>

</body></html>

* Connection #0 to host arcomabstracts.com left intact

 

 

/var/log/apache2/error.log

[Fri Apr 04 15:27:56.373230 2025] [mpm_prefork:notice] [pid 1680742:tid 1680742] AH00170: caught SIGWINCH, shutting do>

[Fri Apr 04 15:27:57.502275 2025] [mpm_prefork:notice] [pid 1681079:tid 1681079] AH00163: Apache/2.4.62 (Ubuntu) OpenS>

[Fri Apr 04 15:27:57.502353 2025] [core:notice] [pid 1681079:tid 1681079] AH00094: Command line: '/usr/sbin/apache2'

 

 

Is there anything obvious here? I am working somewhat in the dark and learning as I go. It may be that fixing the https-only config at the Cloudflare end is filtering out any incorrect http requests, and the site is then declaring those pages as non-existent? I am worried that something in my Eprints3 configuration is still wrong and perhaps there is a chance you might be able to point me in the right direction?

Thanks again

 

Best wishes

 

Will
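An added example (not part of the original message and not EPrints code): a small Python parser run over an abridged copy of the curl -v output above. It separates what the transcript says about the Cloudflare edge (certificate verification, HSTS header, cache status) from which server generated the 404 body. The function names are illustrative.

```python
import re

# Abridged from the curl -v transcript in the message above.
TRANSCRIPT = """\
*  SSL certificate verify ok.
> GET /cgi/process_request HTTP/2
< HTTP/2 404
< cf-cache-status: DYNAMIC
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< server: cloudflare
< cf-ray: 92b1d5d2bcbf888f-LHR
<
<title>404 Not Found</title>
<address>Apache/2.4.62 (Ubuntu) Server at arcomabstracts.com Port 443</address>
"""

def parse_response(transcript):
    """Split curl -v output into status code, response headers and body text."""
    status, headers, body = None, {}, []
    for line in transcript.splitlines():
        if line.startswith(("*", ">")) or line.strip() in ("", "<"):
            continue  # curl info lines, request lines, end-of-headers marker
        m = re.match(r"< HTTP/\S+ (\d{3})", line)
        if m:
            status = int(m.group(1))
        elif line.startswith("< "):
            name, _, value = line[2:].partition(":")
            headers[name.strip().lower()] = value.strip()
        else:
            body.append(line)  # anything else is the response body
    return status, headers, "\n".join(body)

def diagnose(transcript):
    """Report which hop the evidence in the transcript points at."""
    status, headers, body = parse_response(transcript)
    banner = re.search(r"<address>(\S+) .*? Port (\d+)</address>", body)
    hsts = [p.strip().lower() for p in
            headers.get("strict-transport-security", "").split(";") if p.strip()]
    return {
        "status": status,
        "client_tls_verified": "SSL certificate verify ok" in transcript,
        "via_cloudflare": headers.get("server") == "cloudflare" and "cf-ray" in headers,
        "served_from_cache": headers.get("cf-cache-status") == "HIT",
        "error_generated_by": banner.group(1) if banner else None,
        "banner_port": int(banner.group(2)) if banner else None,
        "hsts_max_age": next((int(p.split("=")[1]) for p in hsts
                              if p.startswith("max-age=")), None),
    }

if __name__ == "__main__":
    for key, value in diagnose(TRANSCRIPT).items():
        print(f"{key}: {value}")
```

In this transcript the 404 body carries the Apache banner, so the request passed through Cloudflare, reached the origin web server, and the Not Found was produced there rather than at the edge.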

 

 

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of Will Hughes
Sent: 04 April 2025 12:40
To: David R Newman <drn@ecs.soton.ac.uk>; eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] HTTPS-only

 


David

 

Thank you for these suggestions. I shall try these and also check the configuration of SSL Certificates with my website host.

 

Best wishes 

 

Will

____


From: David R Newman <drn@ecs.soton.ac.uk>
Sent: Thursday, April 3, 2025 2:08:49 PM
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>; Will Hughes <w.p.hughes@reading.ac.uk>
Subject: Re: [EP-tech] HTTPS-only

 

Hi Will,

You probably want to run:

journalctl -xeu apache2.service

as the root user or using sudo.  That may give you a useful error message.  Otherwise, try checking the error log for the webserver (typically /var/log/apache2/error.log on Ubuntu).  Running the following command (as root or with sudo):

apache2ctl configtest

may also give you a clue to where the issue is.  This error message you do have does not look like it has anything to do with EPrints from a core codebase perspective.  It may be that the Apache configuration that EPrints has generated is somehow invalid.  One further thing to try is regenerating this by running (as the eprints user):

EPRINTS_PATH/bin/generate_apacheconf --system --replace

Then try restarting Apache again (possibly trying apache2ctl configtest again before restarting).  It may be your changes to try to set up HTTPS mean the generated Apache config from EPrints needs updating.

Regards

David Newman

On 03/04/2025 13:50, Will Hughes wrote:


Hi

 

I wonder whether anyone has experience of switching their site to HTTPS-only. I have followed the steps in the manual and double-checked everything, but my site is not working properly, generating an error: SSL handshake failed Error code 525

 

I have checked through all the documentation I can find, and when I run: /etc/init.d/apache2 restart I get an error message:

 

Restarting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code.

See "systemctl status apache2.service" and "journalctl -xeu apache2.service" for details.

 

Unfortunately, I do not understand what is happening here and I am not sure what aspect of the suggested commands to copy here. Can anyone help, please?

 

Best wishes

 

Will   

 

Will Hughes

Emeritus Professor of Construction Management and Economics

School of the Built Environment     

University of Reading, PO Box 219, Whiteknights

Reading, RG6 6DF, UK

 



*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/