Problems with installing SSL on kolibri-server

We need support with installing SSL on a kolibri-server.

We have installed kolibri-server on Ubuntu 22.04
URL: http://class.ytfacademy.org

This is what we’ve done so far:

INSTALL KOLIBRI-SERVER
sudo add-apt-repository ppa:learningequality/kolibri
sudo apt-get update
sudo apt-get install kolibri-server

Selected ports 80 and 81

Verified that Kolibri works without SSL on http://class.ytfacademy.org
Verified that it loads SCORM ZIPPED content that we have imported from a channel that we own at Studio

Copied the SSL certificate bundle and key files on /etc/ssl
Copied the file “class.ytfacademy.org.conf” on /etc/nginx/sites-enabled
Restarted nginx with sudo service nginx restart
Checked that the site loads the SSL certificate and that it allows access to the Kolibri facility at:
http://class.ytfacademy.org

Tested to load SCORM content with a negative result

This is the URL that we get by inspecting the SCORM element not charging:
https://class.ytfacademy.org:81/content/static/hashi/hashi-cea3be36e609aeba234a13b27afd33b8.html

This is the content of the class.ytfacademy.org.conf file that we placed at /etc/nginx/sites-enabled/:


server {
    listen 80;
    server_name class.ytfacademy.org;
}

map $server_port $upstream_port {
    443     80;
    8443    81;
}

server {
    listen 443 ssl;
    listen 8443 ssl;

    ssl_certificate     /etc/ssl/class-ytfacademy-ssl-bundle.crt; # REPLACE HERE
    ssl_certificate_key /etc/ssl/class-ytfacademy-private.key; # REPLACE HERE

    location / {
        proxy_pass http://167.71.83.17:80;
    }
}

Have we done something wrong, or are we missing something?

Hello @Antonio_Herrera
Yes, you’re missing several things. One of the reasons for kolibri-server to exist is to help users with a tested configuration. If you’re going to do your own configuration, installing kolibri-server does not make sense; just install kolibri and do your own setup, because now you’re mixing two different configuration files.

If you want to reuse the kolibri-server setup, you can take a look at your kolibri folder, where you will see an nginx.conf with all the needed parts (kolibri uses a second port for security reasons when running html5 apps in a sandbox, and the uwsgi configuration). That file will be overwritten every time you start kolibri-server. To add your custom setup you can do it at /etc/kolibri/nginx.d/. There you can also replace the use of the mentioned nginx.conf by your own setup if you prefer it.

Anyway, for a very customized installation, as the one @blaine has suggested, the recommendation is doing your own setup using only the kolibri package, not using kolibri-server because your changes and its configs will conflict whenever it starts.

Hope this helps
José

Hi José Luis, we really appreciate your quick reply and willingness to help.

Our intention is to follow the recommendations from Learning Equality and take advantage of the pre-set conditions of kolibri-server.

The configurations we’ve done until now were not intended to apply our criteria. It has been the result of our “best guess” about how to configure SSL for our domain class.ytfacademy.org

By reading your message and checking on the folder and file structure, we come to the conclusion that the way to install SSL so that it works with html5 packages is to place a .conf file at this folder:

/etc/kolibri/nginx.d/

If that’s correct, is there a .conf file template that we can use and only change our domain, IP address and location of the SSL certificate files?


> Our intention is to follow the recommendations from Learning Equality and take advantage of the pre-set conditions of kolibri-server.

Oh, sure, you can take those configs as a template and adapt them to your needs, or improve them (please let us know if you do that, so we can apply any improvement for all the users).

> If that’s correct, is there a .conf file template that we can use and only change our domain, IP address and location of the SSL certificate files?

The best template would be the one in the nginx.conf file present in the directory where the kolibri database is located (see Troubleshooting in the Kolibri User Guide); that file, together with the ones you see in /etc/kolibri/nginx.d/, does it all. But please be aware that the kolibri-server starting scripts rewrite that nginx.conf file when it starts, so you’ll have to disable it if you add your own config.

However, these files don’t have an SSL configuration; for that part, the suggestions @blaine gave before in this thread are the way to go.

If it’s helpful to clarify, the approach I previously suggested with the above map expression between ports works well for a reverse HTTP proxy where you could avoid duplicating the same location block. The kolibri-server package uses separate location blocks because it uses a uwsgi proxy. So you may copy that nginx.conf, add your SSL configuration to those blocks, and adjust ports as necessary. The kolibri-server package should automatically configure ZIP_CONTENT_ORIGIN in Kolibri’s options.ini. So if you change the port that nginx listens on for HTML5 / “hashi” serving, please be aware you may need to change that in the options.ini.
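Added example, not part of any post in this thread and not Kolibri or kolibri-server code: a small Python check run over the configuration and the failing URL quoted in the question. It flags a `map` variable that no `proxy_pass` references and a content URL requested over https on a port that has no `listen ... ssl`. The sample config is condensed from the question; the function name `audit` and the finding codes are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: directives condensed from the config quoted in the question.
SAMPLE_CONF = """
server { listen 80; server_name class.ytfacademy.org; }
map $server_port $upstream_port { 443 80; 8443 81; }
server {
    listen 443 ssl;
    listen 8443 ssl;
    location / { proxy_pass http://167.71.83.17:80; }
}
"""
# URL of the HTML5 frame that failed to load, as reported in the question.
CONTENT_URL = ("https://class.ytfacademy.org:81/content/static/hashi/"
               "hashi-cea3be36e609aeba234a13b27afd33b8.html")


def audit(conf, content_url):
    """Return (code, message) findings for a map-based TLS reverse proxy."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    tls_ports = {int(p) for p in
                 re.findall(r"\blisten\s+(\d+)\b[^;]*\bssl\b", conf)}
    targets = re.findall(r"\bproxy_pass\s+([^;\s]+)\s*;", conf)
    m = re.search(r"\bmap\s+\$server_port\s+(\$\w+)\s*\{([^}]*)\}", conf)
    var, body = (m.group(1), m.group(2)) if m else (None, "")
    port_map = {int(a): int(b)
                for a, b in re.findall(r"(\d+)\s+(\d+)\s*;", body)}
    findings = []

    # 1. A map variable that no proxy_pass references has no effect on routing.
    if var and not any(var in t for t in targets):
        findings.append(("unused-map", f"{var} is defined but every TLS port "
                         f"is proxied to {', '.join(targets)}"))

    # 2. An https content URL must land on a port that terminates TLS.
    url = urlsplit(content_url)
    port = url.port or (443 if url.scheme == "https" else 80)
    if url.scheme == "https" and port not in tls_ports:
        public = sorted(p for p, up in port_map.items()
                        if up == port and p in tls_ports)
        hint = f"; TLS port mapped to it: {public[0]}" if public else ""
        findings.append(("plain-port-over-https",
                         f"{url.hostname}:{port} has no 'listen ... ssl'{hint}"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF, CONTENT_URL):
        print(f"{code}: {message}")
```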

Thanks again for your continued help !

Actually, we chose kolibri-server ports 80 and 81 during installation because those are the ports where nginx is listening.

Therefore, maybe we would not need the ports mapping?

Another approach could be, is there any way to get a paid service either directly from Learning Equality or a pool of experts who could do the installation for us?

We would provide the certificate files in such scenario.