Tech support for your technologically-challenged admin

[Amlux]

Hi there. I'm going to use this thread as a dumping ground for running into issues with this forum and my site and associated domains. The good news is that this forum is pretty easy to manage as phpBB makes it simple for n00bs. But when I run into brick walls with adding features to my site, I will add my notes here for troubleshooting if anyone wants to do some charity work as a member of the community and give me pointers or advice. But very little here will be an emergency, so expect the pace of this problem- solving to be relaxed.

Right now, I'm having some trouble getting a script to work on my site that says when I'm live via my Owncast software or not. I believe it has to do with some certification issues which also are likely the result of an error that netdoll got when I went live a while back. satoridepon suggested removing need for a CORS proxy that I was using for an AI-scripted tool I generated talking to ChatGPT, but the tool was ultimately very inconsistent and buggy, so I ditched it. For ideological reasons, it feels right to do it as well. I'm instead using this .php script written for me graciously by drummyfish.

Code: Select all

<!DOCTYPE html>
<html>

<head>
  <link rel="stylesheet" type="text/css" href="https://pantsuprophet.xyz/index/pantsuprophet.css">
</head>

<body>
<?php

  if (strpos("abc","a")) 
    echo "AAA";
  else
    echo "BBB";

  if (strpos("abc","d"))
    echo "CCC";
  else
    echo "DDD";

  //echo strpos("abc","d") ? "CCC" : "DDD";
  //print_r(file_get_contents("https://live.pantsuprophet.xyz/api/status"));
/*
  echo
  str_contains(file_get_contents("https://live.pantsuprophet.xyz/api/status"),"\"online\":true") ?
    "<span class=\"status_on\">online</span>" :
    "<span class=\"status_off\">offline</span>";
 */
?>
</body>
</html>

I'd like to continue with this because it's good to try to get .php files like this set up on my site because it opens up the possibility of a lot of interesting stuff to potentially add to the site (a more dynamic calendar, rotating quotes/images, etc.). This works with other Owncast streams but not my own, and it almost certainly has to do with the certification issue. When I perform a "curl https://live.pantsuprophet.xyz/api/status" I get this error:

Code: Select all

curl: (60) SSL: no alternative certificate subject name matches target host name 'live.pantsuprophet.xyz'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

So there's some issue with my certification but not with others, which explains why the .php file has trouble picking up any info from it. When I look at my /etc/nginx/sites-available/owncast file, it looks like this:

Code: Select all

server {
    server_name live.pantsuprophet.xyz;  # Replace

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/live.pantsuprophet.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/live.pantsuprophet.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = live.pantsuprophet.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name live.pantsuprophet.xyz;
    return 404; # managed by Certbot


}

If anyone knows more about this than me, please let me know what I could do to help.

Until then, I'll be posting here manually when I go live or possibly look for some third-party software/script that does it for me. I think I tend to get more viewers when I do manually post about it anyway, and it takes me like 2 seconds. So we'll do it old-fashioned for now.

[drummyfish]

To summarize the issue as I understand it:

PHP on Amluxe's server is unable to retrive the stream status with

Code: Select all

file_get_contents("https://live.pantsuprophet.xyz/api/status");

due to an error that states "insecure" connection. The same function WORKS with other Owncast streams (we tried). Amlux is also unable to just curl the API from shell with

Code: Select all

curl https://live.pantsuprophet.xyz/api/status

Curl gives same kind of "insecure connection" error shown in OP.

Weird thing is that both of these (PHP's file_get_contents and curl) WORK on all my computers, it's just the Amlux server that can't do it. Besides this people are obviously able to watch his streams without their browsers complaining about insecure connections.

So the issue therefore seems to be in Amlux server's PHP (and curl) certificate authority database (which they seem to share), i.e. my computers see Amluxe's stream URL as safe because his certificate is signed by an authority that my computers know, but Amluxe's server doesn't seem to have the same CA database or something. Now this is completely outside my field and area of interest, so I have no idea what's actually going on, which is why this thread has been made. Maybe the solution is something trivial like updating some database with a single command, I don't know.

I.e. we need to solve: make Amluxe's server accept his certificate as valid.

---------------------------------

By the way Amlux now I am wondering if this is only affecting the "live.pantsuprophet.xyz" subdomain. Are you able to do this from your server?

Code: Select all

curl https://pantsuprophet.xyz/index.html

[Amlux]

Not sure if this is related but I was looking around and noticed something. I did a bit of poking at my /etc/nginx/sites-available file for live.pantsuprophet.xyz and noticed that it reads as follows:

Code: Select all

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/live.pantsuprophet.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/live.pantsuprophet.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    

While my files in the same directory for pantsuprophet.xyz and forums.pantsuprophet.xyz look like this, respectively:

Code: Select all

    listten [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/forums.pantsuprophet.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forums.pantsuprophet.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    

Code: Select all

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/forums.pantsuprophet.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forums.pantsuprophet.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    

That is, both of them contain a line which says something like listen [::]:443 ssl, unlike the live.pantsuprophet.xyz file, which only has listen 443 ssl.

Also, I noticed that both of these use an ssl certificate which reads as forums.pantsuprophet.xyz while this one uses live.pantsuprophet.xyz. I might have messed something up trying to set up Certbot certifications? It's confusing! Anyway, I'll have a look at Certbot settings the next time I have the freedom to do this. I'm going to be busy with friends for a good chunk of today, hosting the CyTube party tomorrow (please join!), and then I'll be busy with IRL duties from June 7th-11th (still checking in on the site and forum every day of course, just without as much time as usual).

Thanks to drummy for his help and anyone else reading this for advice and support ^^

[satoridepon]

Try curling http://localhost:8080/api/status on the server, there shouldn't be no need to use the domain.