Topic on Talk:Parsoid

Working with self-signed SSL certificate?

Maiden taiwan

Is there a way to tell VisualEditor/Parsoid to work correctly for a wiki with a self-signed SSL cert? Clicking "Edit" in VisualEditor produces the error "Error contacting the Parsoid/RESTBase server: (curl error: 60) Peer certificate cannot be authenticated with given CA certificates." This is on MediaWiki 1.37.1.

I've tried the "insecure http" workaround at https://phabricator.wikimedia.org/T272680 (setting $wgVirtualRestConfig['modules']['parsoid']['url'] = 'http://mywiki.com/w/rest.php'), but the error message remained.

This is a test wiki on my own network, not a production wiki. I'm hoping for a server-side solution, not client-side, since multiple clients connect to this wiki.

Thank you very much.

Arlolra

If you set the url to http then there's no certificate to verify, so something didn't quite work out in your testing

Scibearspace

Hello all.


I am having the exact same issue with my install of mediawiki. This is a 'private' wiki (only certain users will be able to edit), but the majority of pages will be publicly readable.

Hence the whole site must be working on HTTPS (SSL).


I know however that a large number of the editors will not be impressed if they have to learn mediawiki markup, so the visual editor is a must have.


My set up is as follows.

MediaWiki 1.36.2
PHP 7.4.25 (apache2handler)
MariaDB 10.5.12-MariaDB-0+deb11u1
ICU 67.1
Article path /index.php/$1
Script path /
index.php /index.php
api.php /api.php
rest.php /rest.php


Running on top of the Apache web server, with Debian 11.

I have used the https config as I found it from here : https://askubuntu.com/questions/788658/configuring-apache2-for-mediawiki


I have tried copying the SSL certificates to /etc/ssl/certs on the main part of the server, but I'm sure I have not done this correctly.


I have tried many solutions and have been able to recreate all the errors found in Extension:VisualEditor#Troubleshooting, so much so that I can flip between them almost at will!


The solution in my mind would be for the parsoid to be able to verify the authenticity of the server (in this instance itself), I must be able to do this, but where should I place the public and private certificates ?

I am __very__ reluctant to run the wiki over http only. I notice that all the pages can be edited on the various wikimedia sites (including this one) with the visual editor, and they are working on https.

It leads me to question if I should install parsoid / restbase as if I was in a Dev environment.


Finally, I'm quite surprised that there isn't a sample config for apache / nginx for working over SSL anywhere in the manual page .... once I get my config figured out, and cut down to the bare required minimum on my dev site, I will be very happy to share my config to the manual:install page.


Thanks in advance for your aid in resolving this issue.


David

Arlolra

You don't need to run the wiki over http only. You only need to allow http requests to localhost.

Scibearspace

I understood that, but running parsoid over http causes the error that I posted above. I'm not getting the local communication to work.


Also when running parsoid over local non SSL communication the address bar says http in it (unlike on this site, and other mediawiki sites) that continue to say https.


I'm sure there is an error in my apache config for the site, specific to parsoid, or in the LocalSettings.php file. Having tried all the various options that are set out in the various threads here and across the net (OK, maybe not all, but lots of them! ;) ), I continue to end up with the error above, or one of the others on the VisualEditor troubleshooting page.


You said in your earlier response to Maiden taiwan that something didn't work out in their testing. Do you have any further suggestions for troubleshooting? I'm not sure what other log files I need to debug the situation fully.


I should say here that I really like mediawiki, it's lovely to use, I'm just concerned for my colleagues if they have to edit the source for pages (I know it won't be popular).


Thanks

D

Arlolra
Scibearspace

Hello Arlolra,


Apologies for the slow reply, my dev work is only a part of my main job, and I've been rather 'busy'!


So I can actually use a browser from the local host (headless server). But I can ssh into the server and 'curl' the page you have asked about.


$ curl http://localhost/rest.php/localhost/v3/page/html/Main%20Page
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at localhost Port 80</address>
</body></html>

The same, but this time using https:

curl  https://localhost/rest.php/localhost/v3/page/html/Main%20Page
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

which is consistent with the problems that I have seen other users have. It also is why I wonder if I can get the server to 'self verify' somehow (like I do when I ssh into the server, but done locally). I know that the browser will normally store the SSL certificate, so as to 'verify' the server, but how to enable the same for the php commands within parsoid over localhost?

Again, I can confirm that when I run the site without https everything works just fine.


Should I try with a 'dev' version of parsoid (as outlined in Parsoid#Installation). In fact on that page (Parsoid#Linking a developer checkout of Parsoid) it states that :

    "Parsoid code is bundled in two different ways: first, Parsoid is included from MediaWiki as a composer library, wikimedia/parsoid"

Is this only in the git version? As I don't find this path in the main mediawiki files that I downloaded. The only folder is

/extensions/VisualEditor

and this doesn't have the structure as described in the parsoid development pages, which makes it hard to know what I should be modifying.

Apologies, this became a longer response than I had anticipated!

David

Ciencia Al Poder
Arlolra
Scibearspace

@Arlolra,


I appreciate your suggestions .... but ...


That would be a problem as all the guides say that web sites should now be served over HTTPS (ie SSL and port 403) and not be using port 80 (which makes lots of sense to me).


When I run the site without SSL (so on port 80 / http) everything is fine, but see above, I want SSL.

The site will have registered users, and I can't have them log in over port 80 sending passwords to my server "in the clear".


@Ciencia Al Poder, that looks interesting, I'll test to see if it works.

It's also given me another idea: can I use a config file for CURL that will cause it to always use the 'insecure' flag, or point to the required certificate to authenticate with? ... it's a facetious question ... I'm off to have a look now ...

Scibearspace

So there is a default config file for curl :

see : https://everything.curl.dev/cmdline/configfile


This leads to the question, for curl as used by mediawiki: is there a local mediawiki config file for php / curl?

My reasoning for this is if the server uses curl in other automated jobs / web apps etc, pointing to this "default config" file may tread on the toes of how CURL works in those other instances.


Can we (cough, I) create a config for curl in LocalSettings.php, or somewhere else in the mediawiki file structure, that would be easy to modify as required?


suggested example :

$wgCurlSSLcert = "/path/to/SSL/cert"

Arlolra

My suggestion was to accept connections at port 80 on localhost, not from traffic coming from outside your machine

So, something like <VirtualHost localhost:80> and <VirtualHost mywiki.com:443>

Another option is to use a certificate from https://letsencrypt.org/ instead of self-signing

Scibearspace

Arlolra,


Ah sorry, I misunderstood.


That makes sense ... I'll need to look into how to configure apache for that.

I'm guessing something like

<VirtualHost localhost:80>
    ServerName wiki.example.com
    ServerAdmin admin@wiki.example.com
    ErrorLog ${APACHE_LOG_DIR}/wiki.example.com.error.log
    CustomLog ${APACHE_LOG_DIR}/wiki.example.com.access.log combined
</VirtualHost>


But my current config has <VirtualHost *:80> pushing everything to SSL with Redirect permanent "/" "https://wiki.example.com/"

Do you have any guides on how I can do this? I'm sure it's fairly common, but not something I've had to do before.

Once again, thanks in advance, and I fully intend to create a page to document my config once it is working, which I will happily share.

Scibearspace

Apologies to anyone following this thread.

I've not found time to work on this ... will report back once I have.

212.68.70.3

Tried the <VirtualHost localhost:80> solution, and get:


{"message":"Error: exception of type Wikimedia\\ParamValidator\\ValidationException: Validation of `domain` failed: invalid-domain {\"expected\":\"...
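Editor's added example, not configuration posted by anyone in this thread and not MediaWiki's or Parsoid's own documentation. It puts Arlolra's loopback suggestion (plain HTTP only between MediaWiki and itself on localhost, HTTPS for everyone else) into LocalSettings.php, next to the setting that produces curl error 60 against a self-signed certificate, and shows the one value that has to line up to avoid the "invalid-domain" ValidationException quoted just above. Everything concrete here is an assumption: wiki.example.com is the public HTTPS host, the wiki is installed at the web root, and Apache has a <VirtualHost 127.0.0.1:80> that serves the same DocumentRoot (no redirect to HTTPS on that vhost) alongside the <VirtualHost *:443> one.

```php
<?php
// Added example for the "self-signed SSL certificate" thread. Host names and
// paths are assumptions (wiki.example.com, wiki at the web root, a loopback
// Apache vhost on 127.0.0.1:80 that serves the wiki without redirecting).

// --- The failing shape ----------------------------------------------------
// VisualEditor talks to Parsoid through PHP's curl. Pointing it at the HTTPS
// name while the certificate is self-signed and not in the system CA bundle
// gives exactly the error from the first post:
//   (curl error: 60) Peer certificate cannot be authenticated with given CA certificates
//
// $wgVirtualRestConfig['modules']['parsoid'] = [
//     'url' => 'https://wiki.example.com/rest.php',
// ];

// --- Loopback over plain HTTP, identity pinned ---------------------------
// Set the wiki's own server name explicitly. If $wgServer is left for
// MediaWiki to detect from the request, a request arriving on the loopback
// vhost is seen as coming from "localhost", while the browser-facing request
// that triggered it used "wiki.example.com"; Parsoid's REST handler compares
// the {domain} path segment against the canonical server host and rejects the
// mismatch with "Validation of `domain` failed: invalid-domain".
$wgServer = 'https://wiki.example.com';
$wgCanonicalServer = 'https://wiki.example.com';

$wgVirtualRestConfig['modules']['parsoid'] = [
    // Cleartext, but the request never leaves the machine: it goes to the
    // loopback vhost, which must itself serve the wiki (a vhost that only
    // redirects to HTTPS would not answer rest.php).
    'url' => 'http://127.0.0.1/rest.php',
    // Becomes the {domain} segment of /rest.php/{domain}/v3/page/html/{title}
    // and must equal the host part of $wgCanonicalServer, not "localhost".
    'domain' => 'wiki.example.com',
    // For a private wiki (readable only after login) Parsoid needs the
    // editing user's session to fetch page content.
    'forwardCookies' => true,
];
```

Two things to check after saving this. First, from a shell on the server, `curl http://127.0.0.1/rest.php/wiki.example.com/v3/page/html/Main%20Page` should now return Parsoid HTML rather than the Apache 404 shown earlier in the thread; a 404 from Apache means the 127.0.0.1:80 vhost is not serving the wiki's DocumentRoot. Apache picks the vhost for loopback traffic by address, so a <VirtualHost 127.0.0.1:80> block takes precedence over the existing <VirtualHost *:80> redirect for requests to 127.0.0.1 while external clients still hit the redirect. Second, the loopback vhost must only be reachable on 127.0.0.1; if it also answered on the public interface, the plain-HTTP path would be exposed to the network, which is exactly what the poster wants to avoid.

If you would rather keep HTTPS end to end, the alternative to this whole arrangement is to make the server trust its own certificate instead of weakening verification: on Debian, copy only the public certificate (never the private key, which belongs in the Apache SSLCertificateKeyFile location alone) to /usr/local/share/ca-certificates/ with a .crt extension and run update-ca-certificates, which merges it into /etc/ssl/certs/ca-certificates.crt, the bundle PHP's curl uses by default. The certificate must carry the name you put in 'url' as a Subject Alternative Name, or curl will still refuse the connection on the hostname check.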
