I have a server with 2 sites
[a] without SSL site
publish_realtime or currently viewing works
FYI, on the site console, run the following command and it will pop up for the user in the browser
frappe.publish_realtime(event='msgprint', message='Popup Msg As Test', user='user@test.com', doctype='User')
[b] site with SSL
publish_realtime or currently viewing does not work
This means there is no issue with the node version or other requirements.
The only issue, I think, is due to SSL vs publish_realtime, i.e. socket.io
I tried to tinker with frappe-bench/config/nginx.conf
Original
ssl on;
ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
Tried minimal, i.e. the following
ssl on;
ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
ssl_protocols TLSv1.2;
It did not work. Any suggestions or pointers? Please…thanks!
@ashish-greycube
You can edit this in frappe-bench/config/nginx.conf
ssl on;
ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve auto;
ssl_prefer_server_ciphers on;
@SubhajitDey much appreciated detailed answer. I tried it. My logs/node-socketio.log has the following errors
Unable to join chat room. Error: certificate has expired
Unable to join chat room. Error: certificate has expired
Unable to join chat room. Error: certificate has expired
Unable to join chat room. Error: certificate has expired
Unable to join chat room. Error: certificate has expired
Unable to join chat room. Error: certificate has expired
listening on *: 9000
Unable to join chat room. Error: certificate has expired
Unable to join chat room. Error: certificate has expired
and putting
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
does work, but as pointed out…it is not recommended as SSL is bypassed for socketio…so, looking at the log error, do you suggest anything to rectify it? Thanks!
Off the top of my head, you can probably try to update the SSL certificate that is being used by OpenSSL.
updated SSL certificates (that is not the issue)
FYI, another workaround is to put the environment variable in frappe-bench/config/supervisor.conf instead of in frappe/socketio.js
environment=NODE_TLS_REJECT_UNAUTHORIZED='0'
[program:frappe-bench-node-socketio]
command=/usr/bin/node /home/frappe/frappe-bench/apps/frappe/socketio.js
priority=4
autostart=true
autorestart=true
stdout_logfile=/home/frappe/frappe-bench/logs/node-socketio.log
stderr_logfile=/home/frappe/frappe-bench/logs/node-socketio.error.log
user=frappe
directory=/home/frappe/frappe-bench
environment=NODE_TLS_REJECT_UNAUTHORIZED='0'
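An added check, not code from this thread or from Frappe: setting NODE_TLS_REJECT_UNAUTHORIZED to 0 turns off certificate verification for every TLS connection the socketio process makes, so once the real cause is fixed it is worth confirming the override is gone from both places discussed above. The function names, the sample text and the example-worker program below are assumptions made for illustration.

```python
import configparser
import re

VAR = "NODE_TLS_REJECT_UNAUTHORIZED"
# One KEY=value pair from a supervisor "environment=" list; the value may be quoted.
PAIR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^,\s]*))""")
# A JS assignment (single "=") of 0 or '0' to process.env.<VAR>.
JS_ASSIGN = re.compile(r"""process\.env\.%s\s*=\s*(['"]?)0\1(?![\w.])""" % VAR)

def tls_bypass_programs(conf_text):
    """Return the [program:...] sections whose environment disables Node TLS checks."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    flagged = []
    for section in cp.sections():
        if not section.startswith("program:"):
            continue
        pairs = PAIR.findall(cp.get(section, "environment", fallback=""))
        env = {key: dq or sq or bare for key, dq, sq, bare in pairs}
        # Node skips certificate verification only when the value is exactly "0".
        if env.get(VAR) == "0":
            flagged.append(section)
    return flagged

def js_sets_bypass(js_text):
    """True if a non-comment line of JS source assigns 0 / '0' to the variable."""
    return any(JS_ASSIGN.search(line) for line in js_text.splitlines()
               if not line.lstrip().startswith("//"))

# Constructed sample input: the first section mirrors the fragment quoted in the
# thread; the example-worker program is hypothetical.
SAMPLE_CONF = """\
[program:frappe-bench-node-socketio]
command=/usr/bin/node /home/frappe/frappe-bench/apps/frappe/socketio.js
user=frappe
environment=NODE_TLS_REJECT_UNAUTHORIZED='0'

[program:example-worker]
command=/usr/bin/node /opt/example/worker.js
environment=LOG_LEVEL="info",NODE_TLS_REJECT_UNAUTHORIZED=1
"""
SAMPLE_JS = ("// process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'\n"
             "process.env.NODE_TLS_REJECT_UNAUTHORIZED ='0';\n")

if __name__ == "__main__":
    print("supervisor programs with TLS checks off:", tls_bypass_programs(SAMPLE_CONF))
    print("JS source disables TLS checks:", js_sets_bypass(SAMPLE_JS))
```

To audit a real bench, pass the contents of config/supervisor.conf and apps/frappe/socketio.js to the two functions.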
Nice info thanks.
Btw, which ssl certificate did you update?
It is a letsencrypt certificate.
I think the ideal solution would be to solve the cert chain issue as mentioned in
i.e. simply edit the fullchain.pem file and remove the last certificate.
I tried that but it didn’t work for me. So broadly speaking: (a) some solved it by correcting the node version. In my case it is v12.19.0, so that is not the solution; (b) another is to bypass the error, i.e. in supervisor.conf put environment=NODE_TLS_REJECT_UNAUTHORIZED='0'; (c) the ideal is to correct the letsencrypt issue…but I am not able to get hold of it
@aashishvashisht6 @SubhajitDey thanks for all the insights!
@saru2020 this might be helpful to you
I don’t understand from where you’ve linked me here.
Is this for socketio or production issues? asking because I’m seeing 2 kinda solutions and coincidentally, I’m still facing both these issues.
btw: thanks for your input, @ashish-greycube
Other solution:
[1] Remove the last certificate from /etc/letsencrypt/live/site.com/fullchain.pem
i.e. remove the certificate for the expired DST Root CA X3 from the chain
e.g. remove the last part, like
-----BEGIN CERTIFICATE-----
xyz…xyz
-----END CERTIFICATE-----
[2] edit config/nginx.conf and set
ssl_ecdh_curve auto;
[3]
sudo supervisorctl reload
sudo service nginx reload
sol finally worked for me, thanks @karthikeyan5
i.e. wrong node version
$ /usr/bin/node -v
v8.17.0
$ /usr/local/bin/node -v
v12.19.0
So I changed my node in config/supervisor.conf
before
[program:frappe-bench-node-socketio]
command=/usr/local/bin/node /home/frappe/frappe-bench/apps/frappe/socketio.js
after
[program:frappe-bench-node-socketio]
command=/usr/bin/node /home/frappe/frappe-bench/apps/frappe/socketio.js