Forum OpenACS Q&A: Response to An OpenSSL/Aolserver HOWTO

Collapse
Posted by jay he on
Thanks. I guess that's the problem.

I haven't created the clientcert.pem and clientkey.pem. I notice that error. I just copied & pasted the sample configuration, which didn't mention how to create a client cert and key. So I took it for granted that without that client cert and key file, nsopenssl can still work.

But the truth is: it won't. I commented that out. Do a little bit tweak here and there. Finally get it work. Here is the my configuration file I created with the same nsd.tcl of birdnotes. Hope it can help if someone has my problem.

ns_log notice "nsd.tcl: starting to read config file..."

# which database do you want? postgres or oracle
set database              postgres 

if {$database == "oracle"} {
    set db_password        "mysitepassword"
}

set httpport              80
set httpsport             443 

# The hostname and address should be set to actual values.
set hostname              10.10.10.11 (Change to your hostname)
set address                10.10.10.11 (change to your internal IP)

set server              "birdnotes" 
set db_name             $server
set servername          "birdnotes.com Community"

set serverroot          "/web/${server}"

# if debug is false, all debugging will be turned off
set debug true

# you shouldn't need to adjust much below here
# for a standard install

# 
# AOLserver's home and binary directories. Autoconfigurable. 
#
set homedir                 [file dirname [ns_info config]] 
set bindir                  [file dirname [ns_info nsd]] 

#
# Where are your pages going to live ?
#
set pageroot                ${serverroot}/www 
set directoryfile           index.tcl,index.adp,index.html,index.htm

# 
# nsssl: Only loads if keyfile.pem and certfile.pem exist.
# If you are using SSL, make sure you have these dirs and files (refer
# to the AOLserver docs)

#set sslkeyfile ${homedir}/servers/${server}/modules/nsssl/keyfile.pem
#set sslcertfile ${homedir}/servers/${server}/modules/nsssl/certfile.pem 

set sslkeyfile ${homedir}/servers/${server}/modules/nsopenssl/keyfile.pem
set sslcertfile ${homedir}/servers/${server}/modules/nsopenssl/certfile.pem
# 
# Global server parameters 
#

ns_section ns/parameters 
ns_param   serverlog          ${homedir}/log/${server}-error.log 
ns_param   home               $homedir 
ns_param   maxkeepalive       5
ns_param   logroll            on
ns_param   maxbackup          5
ns_param   debug              $debug

# 
# Thread library (nsthread) parameters 
# 
ns_section ns/threads 
ns_param   mutexmeter         true      ;# measure lock contention 
ns_param   stacksize          [expr 2*512*1024]

# 
# MIME types. 
# 
#  Note: AOLserver already has an exhaustive list of MIME types, but in
#  case something is missing you can add it here. 
#

ns_section ns/mimetypes
ns_param   Default            text/plain
ns_param   NoExtension        text/plain
ns_param   .pcd               image/x-photo-cd
ns_param   .prc               application/x-pilot
ns_param   .xls               application/vnd.ms-excel
ns_param   .pdf		      application/pdf
# 
# Tcl Configuration 
# 
ns_section ns/server/${server}/tcl
ns_param   library        ${serverroot}/tcl
ns_param   autoclose      on 
ns_param   debug          $debug
 

############################################################ 
# 
# Server-level configuration 
# 
#  There is only one server in AOLserver, but this is helpful when multiple
#  servers share the same configuration file.  This file assumes that only
#  one server is in use so it is set at the top in the "server" Tcl variable
#  Other host-specific values are set up above as Tcl variables, too.
# 
ns_section ns/servers 
ns_param   $server     $servername 

# 
# Server parameters 
# 
ns_section ns/server/${server} 
ns_param   directoryfile      $directoryfile
ns_param   pageroot           $pageroot
ns_param   maxconnections     5
ns_param   maxdropped         0
ns_param   maxthreads         5
ns_param   minthreads         5
ns_param   threadtimeout      120
ns_param   globalstats        false    ;# Enable built-in statistics 
ns_param   urlstats           false    ;# Enable URL statistics 
ns_param   maxurlstats        1000     ;# Max number of URL's to do stats on
#ns_param   directoryadp    $pageroot/dirlist.adp ;# Choose one or the other
#ns_param   directoryproc    _ns_dirlist          ;#  ...but not both!
#ns_param   directorylisting  fancy               ;# Can be simple or fancy

# 
# ADP (AOLserver Dynamic Page) configuration 
# 
ns_section ns/server/${server}/adp 
ns_param   map           /*.adp    ;# Extensions to parse as ADP's 
#ns_param   map          "/*.html" ;# Any extension can be mapped 
ns_param   enableexpire  false     ;# Set "Expires: now" on all ADP's 
ns_param   enabledebug   $debug    ;# Allow Tclpro debugging with "?debug"
ns_param   defaultparser fancy

ns_section ns/server/${server}/adp/parsers
ns_param   fancy	".adp"
 
# 
# Socket driver module (HTTP)  -- nssock 
# 
ns_section ns/server/${server}/module/nssock
ns_param   timeout            120
ns_param   address            $address
ns_param   hostname           $hostname
ns_param   port               $httpport

# 
# Socket driver module (HTTPS) -- nsssl 
# 
#  nsssl does not load unless sslkeyfile/sslcertfile exist (above).
# 
#ns_section ns/server/${server}/module/nsssl 
#ns_param   port        $httpsport 
#ns_param   hostname    $hostname 
#ns_param   address     $address 
#ns_param   keyfile     $sslkeyfile 
#ns_param   certfile    $sslcertfile

# 
# Database drivers 
# The database driver is specified here. PostgreSQL driver being loaded.
# Make sure you have the driver compiled and put it in {aolserverdir}/bin
#
ns_section "ns/db/drivers" 
if { $database == "oracle" } {
	ns_param   ora8            ${bindir}/ora8.so
} else {
	ns_param   postgres        ${bindir}/postgres.so  ;# Load PostgreSQL driver
}

# 
# Database Pools: This is how AOLserver  ``talks'' to the RDBMS. You need 
# three for OpenACS: main, log, subquery. Make sure to replace ``yourdb'' 
# and ``yourpassword'' with the actual values for your db name and the 
# password for it.

# AOLserver can have different pools connecting to different databases 
# and even different different database servers.
# 
ns_section ns/db/pools 
ns_param   pool1	   "Pool 1"
ns_param   pool2	   "Pool 2"
ns_param   pool3	   "Pool 3"

ns_section ns/db/pool/pool1
ns_param   maxidle            1000000000
ns_param   maxopen            1000000000
ns_param   connections        5
ns_param   verbose            $debug
ns_param   extendedtableinfo  true
ns_param   logsqlerrors       $debug
if { $database == "oracle" } {
    ns_param   driver             ora8
    ns_param   datasource         {}
    ns_param   user               $db_name
    ns_param   password           $db_password
} else {
    ns_param   driver             postgres 
    ns_param   datasource         localhost::${db_name}
    ns_param   user               nsadmin
    ns_param   password           ""
} 

ns_section ns/db/pool/pool2
ns_param   maxidle            1000000000
ns_param   maxopen            1000000000
ns_param   connections        5
ns_param   verbose            $debug
ns_param   extendedtableinfo  true
ns_param   logsqlerrors       $debug
if { $database == "oracle" } {
    ns_param   driver             ora8
    ns_param   datasource         {}
    ns_param   user               $db_name
    ns_param   password           $db_password
} else {
    ns_param   driver             postgres 
    ns_param   datasource         localhost::${db_name}
    ns_param   user               nsadmin
    ns_param   password           ""
} 

ns_section ns/db/pool/pool3
ns_param   maxidle            1000000000
ns_param   maxopen            1000000000
ns_param   connections        5
ns_param   verbose            $debug
ns_param   extendedtableinfo  true
ns_param   logsqlerrors       $debug
if { $database == "oracle" } {
    ns_param   driver             ora8
    ns_param   datasource         {}
    ns_param   user               $db_name
    ns_param   password           $db_password
} else {
    ns_param   driver             postgres 
    ns_param   datasource         localhost::${db_name}
    ns_param   user               nsadmin
    ns_param   password           ""
} 

ns_section ns/server/${server}/db
ns_param   pools              "*" 
ns_param   defaultpool        pool1

ns_section ns/server/${server}/redirects
ns_param   404                "global/file-not-found.html"
ns_param   403                "global/forbidden.html"

# 
# Access log -- nslog 
# 
ns_section ns/server/${server}/module/nslog 
ns_param   file                 ${homedir}/log/${server}.log
ns_param   enablehostnamelookup false
ns_param   logcombined          true
#ns_param   logrefer             false
#ns_param   loguseragent         false
ns_param   maxbackup            5
ns_param   rollday              *
ns_param   rollfmt              %Y-%m-%d-%H:%M
ns_param   rollhour             0
ns_param   rollonsignal         true
ns_param   rolllog              true

#
# nsjava - aolserver module that embeds a java virtual machine.  Needed to 
#          support webmail.  See http://nsjava.sourceforge.net for further 
#          details. This may need to be updated for OpenACS4 webmail
#

ns_section ns/server/${server}/module/nsjava
ns_param   enablejava         off  ;# Set to on to enable nsjava.
ns_param   verbosejvm         off  ;# Same as command line -debug.
ns_param   loglevel           Notice
ns_param   destroyjvm         off  ;# Destroy jvm on shutdown.
ns_param   disablejitcompiler off  
ns_param   classpath          /usr/local/jdk/jdk118_v1/lib/classes.zip:${bindir}/nsjava.jar:${pageroot}/webmail/java/activation.jar:${pageroot}/webmail/java/mail.jar:${pageroot}/webmail/java 

# 
# CGI interface -- nscgi, if you have legacy stuff. Tcl or ADP files inside 
# AOLserver are vastly superior to CGIs. I haven't tested these params but they
# should be right.
# 
#ns_section "ns/server/${server}/module/nscgi" 
#       ns_param   map "GET  /cgi-bin/ /web/$server/cgi-bin"
#       ns_param   map "POST /cgi-bin/ /web/$server/cgi-bin" 
#       ns_param   Interps CGIinterps

#ns_section "ns/interps/CGIinterps" 
#       ns_param .pl "/usr/bin/perl"

# 
# Modules to load 
# 
ns_section ns/server/${server}/modules 
ns_param   nssock          ${bindir}/nssock.so 
ns_param   nslog           ${bindir}/nslog.so 
ns_param   nssha1          ${bindir}/nssha1.so 
ns_param   nscache         ${bindir}/nscache.so 
ns_param   nsrewrite       ${bindir}/nsrewrite.so 
ns_param   nsxml           ${bindir}/nsxml.so
#ns_param   nsopenssl	    ${bindir}/nsopenssl.so 
#ns_param   nsfts           ${bindir}/nsfts.so
#ns_param   nsperm          ${bindir}/nsperm.so 
#ns_param   nscgi           ${bindir}/nscgi.so 
#ns_param   nsjava          ${bindir}/libnsjava.so

#
## nsssl: loads only if requisite files already exist (see top of this
# file). 

#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } { 
# ns_param nsssl ${bindir}/nsssle.so 
#	ns_param nsssl ${bindir}/nsopenssl.so
#} else { 
#    ns_log warning "nsd.tcl: nsssl not loaded because key/cert files do not exist."
#}

ns_section "ns/server/${server}/module/nsopenssl"

# NSD-driven connections:
ns_param ServerPort                      $httpsport
ns_param ServerHostname                  $hostname
ns_param ServerAddress                   $address
ns_param ServerCertFile                  certfile.pem
ns_param ServerKeyFile                   keyfile.pem
ns_param ServerProtocols                 "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite               "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache              false
ns_param ServerSessionCacheID            1
ns_param ServerSessionCacheSize          512
ns_param ServerSessionCacheTimeout       300
ns_param ServerPeerVerify                true
ns_param ServerPeerVerifyDepth           3
ns_param ServerCADir                     ca
ns_param ServerCAFile                    ca.pem
ns_param ServerTrace                     false

# For listening and accepting SSL connections via Tcl/C API:
ns_param SockServerCertFile              certfile.pem
ns_param SockServerKeyFile               keyfile.pem
ns_param SockServerProtocols             "SSLv2, SSLv3, TLSv1"
ns_param SockServerCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockServerSessionCache          false
ns_param SockServerSessionCacheID        2
ns_param SockServerSessionCacheSize      512
ns_param SockServerSessionCacheTimeout   300
ns_param SockServerPeerVerify            true
ns_param SockServerPeerVerifyDepth       3
ns_param SockServerCADir                 internal_ca
ns_param SockServerCAFile                internal_ca.pem
ns_param SockServerTrace                 false

# Outgoing SSL connections
#ns_param SockClientCertFile              clientcertfile.pem
#ns_param SockClientKeyFile               clientkeyfile.pem
#ns_param SockClientProtocols             "SSLv2, SSLv3, TLSv1"
#ns_param SockClientCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#ns_param SockClientSessionCache          false
#ns_param SockClientSessionCacheID        3
#ns_param SockClientSessionCacheSize      512
#ns_param SockClientSessionCacheTimeout   300
#ns_param SockClientPeerVerify            true
#ns_param SockServerPeerVerifyDepth       3
#ns_param SockClientCADir                 ca
#ns_param SockClientCAFile                ca.pem
#ns_param SockClientTrace                 false

# OpenSSL library support:
ns_param RandomFile                      /some/file
ns_param SeedBytes                       1024

ns_section "ns/server/${server}/modules"
ns_param nsopenssl    ${bindir}/nsopenssl.so

#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } { 
#    ns_param nsopenssl ${bindir}/nsopenssl.so 
#} else { 
#    ns_log warning "nsd.tcl: nsopenssl not loaded because key/cert files do not exist."
#}

ns_log notice "nsd.tcl: finished reading config file."

My default web folder is /web/birdnotes/ and aolserver directory is /usr/local/aolserver.I follow the instruction in ReadMe.txt and copy the test-cert.pem and test-key.pem to /user/local/aolserver/servers/birdnotes/modules/nsopenssl.

Thank you for your help.

Jay