Kallithea issues archive

Issue #69: https doesn't work out of the box

Reported by: Teo Tei
State: new
Created on: 2015-01-02 19:40
Updated on: 2015-08-17 02:26

Description

I've installed kallithea following the instructions.

I had edited production.ini to set force_https=true

However, if I point the browser to https://mysite.com:5000 nothing happens. The browser gets stuck at "establishing secure connection" forever. Via http it does work. And it shouldn't, it should redirect to https.

Something may be wrong or missing in my installation, but if that is the case then installation instructions are incomplete because I just followed them.

Btw, consider making force_https the default.

Attachments

Comments

Comment by Mads Kiilerich, on 2015-01-02 22:08

"The instructions" describe several different ways of installing Kallithea. Exactly what did you do?

Especially: what part of the documentation suggested incorrectly that just setting force_https would give https support?

Setting force_https by default would mean that it wouldn't be possible to get anything working locally before you have bought a certificate or created your own CA and certificate and convinced your browser and VCS to accept it. I doubt that is a good idea.

Comment by Teo Tei, on 2015-01-03 01:38

> "The instructions" describe several different ways of installing Kallithea. Exactly what did you do?

pip install kallithea

> Especially: what part of the documentation suggested incorrectly that just setting force_https would give https support?

You're right, none. But there's no explanation of how to set up https either, anywhere that I could find. That's why I naively thought that it was just prepared to work out of the box, and force_https was the only https-related option in the ini file; so it seemed even more legitimate to think that https was supported seamlessly and the only decision was whether to force it. Then (after reporting the bug) I realized that the fact that there is no mention whatsoever of certificates should have given me a hint that https wasn't meant to work. (but on the other hand, I wasn't sure whether kallithea was running its own server, as now I know it is, or if it would use existing apache server, which I had already properly set up to support https)

> Setting force_https by default would mean that it wouldn't be possible to get anything working locally before you have bought a certificate or created your own CA and certificate and convinced your browser and VCS to accept it. I doubt that is a good idea.

Yeah, well, of course setting force_https without having https working wouldn't be a good idea. But what about including in the setup instructions a detailed guide on how to get https support properly, and making it easier? That's something that should be encouraged. Setting up a centralized repository on some server and then accessing it insecurely over plain http seems quite crazy to me.

"Convincing" a browser to accept a self-signed certificate is not that hard either. I have phpmyadmin set up to force https, and I just have to tell my browser that I "understand the risk" or to "proceed anyway" or whatever it is called, when I connect.

Comment by Mads Kiilerich, on 2015-01-03 11:22

The documentation mentions many different options for which web server to use. You haven't mentioned which one you use.

Kallithea is just a WSGI application - thorough documentation of the full stack is not feasible ... but the documentation could be better at getting people started and pointing at other resources for details.

Kallithea and https will Just Work if it is run by a WSGI compliant web server. I use apache+mod_wsgi.

'paster serve' is a simple lightweight web server. I don't think it has ssl support. It will require a separate "SSL proxy" and tricks like force_https to trick Kallithea into referring to itself as https even though it is running plain http.

(44.html might mean that you will need the workaround of also setting force_ssl.)

Comment by Modulus255, on 2015-02-24 05:48

I was able to get https working on my windows install with some effort (the documentation does not make it at all clear how the .ini file works). You'll need pyOpenSSL installed (pip install pyopenssl). Then you'll need to edit your .ini file. Comment out the following lines

#use = egg:waitress#main
#threads = 5
#max_request_body_size = 107374182400

Uncomment the line about use Paste

use = egg:Paste#http

Add the following line somewhere under the [server:main] section

ssl_pem = *

This will set the server to use https with a new self-signed cert every time the server is started. If you want, you can generate your own self-signed cert to use instead, using openssl; follow the directions under the "ssl_pem" section here: http://pythonpaste.org/modules/httpserver.html I stuck the cert I made in the \Bin folder and then just changed the line to

ssl_pem = my_cert.pem

Make sure you use https after you restart the server; http will not respond afterwards.
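The steps above, collected into a single production.ini excerpt. This is an added example for this archive, not configuration taken from the issue or from Kallithea's own shipped ini; the host, port and the kallithea.pem filename are assumptions (5000 matches the URL in the report), and the waitress and Paste lines are the ones quoted in the comment.

```ini
# production.ini excerpt (added example, not from the issue thread)

[server:main]
# Default waitress server: plain HTTP only, so comment it out
#use = egg:waitress#main
#threads = 5
#max_request_body_size = 107374182400

# Paste HTTP server, which can terminate TLS itself (needs pyOpenSSL)
use = egg:Paste#http
# host/port are assumptions; 5000 matches https://mysite.com:5000 above
host = 0.0.0.0
port = 5000
# "*" = fresh self-signed certificate on every start (testing only).
# A path = one PEM file holding the private key followed by the certificate.
ssl_pem = kallithea.pem

[app:main]
# Leave false here: Paste already speaks https to the client. This is
# only set to true when plain-http Kallithea sits behind a TLS proxy and
# must generate https:// links and redirect http requests itself.
force_https = false
```

To produce the file instead of relying on ssl_pem = *, generate key and certificate with openssl (for example openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout key.pem -out cert.pem) and concatenate them (cat key.pem cert.pem > kallithea.pem), since Paste expects both in one PEM. The ssl_pem = * shortcut issues a different certificate on each restart, so browser exceptions and any hg/git trust settings stop matching after every restart; a fixed file avoids that. With force_https = false here, the proxy scenario from the earlier comment is the only case where it should be switched to true.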

Comment by Jason Harris, on 2015-08-16 13:51

I have had the same issue. Unfortunately Modulus255's instructions didn't help either.

Comment by Mads Kiilerich, on 2015-08-17 02:26

The primary issue here seems to be that the documentation didn't set the right expectations and/or gave insufficient or incorrect descriptions. Kallithea is just a web application and we can't teach or document the sysadmin skills it takes to manage a whole server, but we can give hints. There might of course also be bugs in Kallithea that prevent a "correctly" installed system from working correctly.

@jfh if you had that issue too, please point out where the problem is. The best way to "debug" it will probably be to use the mailing list or IRC. The best way to describe exactly what you did might be to provide a "one-line-install" that doesn't work so we can analyze and improve that.

It would also be nice to have defaults & documentation that make it easy to have the paste development server serve https, but I don't think it would be very useful for actual use in production.