Migrating install to different server


#1

Hi,
We’ve got a working globaleaks install, but now I need to move it to another server for production. The original server was exposed over https in addition to tor. I made a backup of the existing install, installed globaleaks from scratch on the new server, and restored the backup.

The problem is on the new server the globaleaks page isn’t accessible. In the logs the server seems to start without issues, and netstat shows it listening on the right ports. When you try to reach it in the browser though it times out (from localhost or remote).

In the logs there are 301 replies when you try to reach the http page, but then it looks like it times out trying to reach the https page after the redirect. Curl -I http://ip-of-server returns a 301 (as expected if redirecting to https, right?) but curl -I https://ip-of-server times out with no reply. The onion site is also not reachable, and was working on the original box.

I’m thinking the issue is the https configuration, but I can’t get to the admin panel. Is there another way I could replace the cert? Or is the problem something else?
Thanks!


#2

With regard to the Onion Site, did you shut down the previous server (including Tor)?
As they may be loading the very same Onion RSA key, conflicting with each other.

With regard to the curl -l https://ip-of-server in HTTPS, does it connect(), opening the TCP connection and then stalling without negotiating the TLS, or does it not even connect at all?


#3

Thanks for the quick reply! The original server is disconnected from the network, but I didn’t stop the tor service separately from globaleaks before disconnecting. Here’s the output of curl -v (address info removed), looks like it stalls on the TLS handshake:

* Rebuilt URL to: https://globaleaks.server.com/
*   Trying xxx.xxx.xxx.xxx...
* TCP_NODELAY set
* Connected to globaleaks.server.com (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Operation timed out after 300961 milliseconds with 0 out of 0 bytes received
* stopped the pause stream!
* Closing connection 0
curl: (28) Operation timed out after 300961 milliseconds with 0 out of 0 bytes received

This just occurred to me - if I disable https on the original, I should be able to reach it at localhost over http, right? Then I could just restore a new backup with https disabled, get into the admin via localhost on the new box and reconfigure tor & https?


#4

mmmmm does it also work in localhost by doing curl -v -H globaleaks.server.com https://localhost to see if there’s any network issue or if it’s an application level issue?

Fabio


#5

Same result using curl to localhost. I was able to get to the admin panel via http by restoring a backup of the old server without https configured, but the problem recurred after adding the cert back and enabling https.

I believe I’ve found a clue, could it be apparmor configuration? System logs are spammed with apparmor denial messages for globaleaks:

Oct 12 13:15:20 laph-tipline01 audit[9738]: AVC apparmor="DENIED" operation="exec" profile="usr.bin.globaleaks" name="/usr/bin/python3.6" pid=9738 comm="globaleaks" requested_mask="x" denied_mask="x" fsuid=112 ouid=0
Oct 12 13:15:21 laph-tipline01 audit[9739]: AVC apparmor="DENIED" operation="exec" profile="usr.bin.globaleaks" name="/usr/bin/python3.6" pid=9739 comm="globaleaks" requested_mask="x" denied_mask="x" fsuid=112 ouid=0
Oct 12 13:15:21 laph-tipline01 audit[9740]: AVC apparmor="DENIED" operation="exec" profile="usr.bin.globaleaks" name="/usr/bin/python3.6" pid=9740 comm="globaleaks" requested_mask="x" denied_mask="x" fsuid=112 ouid=0
Oct 12 13:15:21 laph-tipline01 audit[9741]: AVC apparmor="DENIED" operation="exec" profile="usr.bin.globaleaks" name="/usr/bin/python3.6" pid=9741 comm="globaleaks" requested_mask="x" denied_mask="x" fsuid=112 ouid=0

And with loglevel set to debug the globaleaks log is filled with failed attempts to launch an https subprocess:

2018-10-12 13:15:59-0700 [-] [I] Launched: <HTTPSProcProtocol: 140217291972000:<Process pid=17946 status=-1>>
2018-10-12 13:15:59-0700 [-] [D] Subprocess: <HTTPSProcProtocol: 140217291623448:<Process pid=None status=256>> exited with: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ProcessTerminated'>: A process has ended with a probable error condition: process ended with exit code 1.\n]
(etc...)

Edit: After putting apparmor in complain mode I can reach https on localhost. Is there an edit I need to make to the apparmor profile?
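
As an added example (not part of the original posts and not GlobaLeaks code), this script collapses the repeated AVC lines quoted in post #5 into one entry per distinct event, showing that a single rule is involved: profile usr.bin.globaleaks refused exec of /usr/bin/python3.6. The first two sample lines are copied from the post; the ALLOWED line (the form AppArmor logs in complain mode) and the sshd line are constructed, and all function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: lines 1-2 are from the post; lines 3-4 are constructed.
SAMPLE_LOG = """\
Oct 12 13:15:20 laph-tipline01 audit[9738]: AVC apparmor="DENIED" operation="exec" profile="usr.bin.globaleaks" name="/usr/bin/python3.6" pid=9738 comm="globaleaks" requested_mask="x" denied_mask="x" fsuid=112 ouid=0
Oct 12 13:15:21 laph-tipline01 audit[9739]: AVC apparmor="DENIED" operation="exec" profile="usr.bin.globaleaks" name="/usr/bin/python3.6" pid=9739 comm="globaleaks" requested_mask="x" denied_mask="x" fsuid=112 ouid=0
Oct 12 13:40:02 laph-tipline01 audit[9901]: AVC apparmor="ALLOWED" operation="exec" profile="usr.bin.globaleaks" name="/usr/bin/python3.6" pid=9901 comm="globaleaks" requested_mask="x" denied_mask="x" fsuid=112 ouid=0
Oct 12 13:40:05 laph-tipline01 sshd[812]: Accepted publickey for admin
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    start = line.find("apparmor=")
    if start == -1:
        return None  # not an AppArmor record
    return {k: (q if q else u) for k, q, u in KV.findall(line[start:])}


def summarize(log_text):
    """Count events per (verdict, profile, operation, path, mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        counts[(f.get("apparmor"), f.get("profile"), f.get("operation"),
                f.get("name"), f.get("denied_mask"))] += 1
    return counts


def blocked_execs(counts):
    """(profile, executable) pairs that were refused in enforce mode."""
    return sorted({(profile, path)
                   for (verdict, profile, op, path, _mask) in counts
                   if verdict == "DENIED" and op == "exec"})


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
    print("blocked exec:", blocked_execs(summarize(SAMPLE_LOG)))
```

ALLOWED entries are accesses that complain mode let through but enforce mode would refuse, so they point at the same profile gap as the DENIED entries.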


#6

ahhhh, that’s a very interesting analysis, it may be a bug related to the new Python 3 support along with Apparmor, @evilaliv3 what do you think?

Which version of Ubuntu are you using?

Which kernel version?

Is it possible to get access to the server for diagnostics? In case, we’re on chat at https://slack.hermescenter.org.

Or otherwise if we can play editing:
/etc/apparmor.d/usr.bin.globaleaks

In order to make a rule that fixes this specific kind of problem:

Then reload apparmor:
sudo service apparmor reload

Then try again to see if that’s the kind of problem.

It may be an unpredicted bug that we must fix