Attention ! Airtime upgrade is broken! (Not Exactly...)
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    Attention!

    Don't upgrade from 2.5.1-1 to 2.5.1-2 from the deb packages
    - you lose access and rights to your Airtime
    - the system wants to use https without certificates having been created
    Post edited by Albert FR at 2014-07-17 17:32:22
  • Andy
    Posts: 42 | Member
    Hello all

    I have run apt-get update, and I see Airtime has an upgrade. Can I make this update without problems?

    Thx
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Albert, your installation should not be broken. The new 2.5.1-2 package has a dependency on the ssl-cert package which should have been automatically installed for you, if you used apt-get to perform the upgrade. Did you install the new package with dpkg perhaps?

    When the ssl-cert package is installed, it creates a certificate at
    /etc/ssl/certs/ssl-cert-snakeoil.pem
    Do you have this file on your system?

    The method that the new package uses is the same as shown in http://sourcefabric.booktype.pro/airtime-25-for-broadcasters/secure-login-with-ssl/

    Please let me know how you get on!

    Cheers!

    Daniel
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    I would be more specific ;-)
    The Airtime package doesn't have ssl-cert dependencies, and can't modify the Apache vhost either,
    and the new package doesn't give the same rights to the files in .../public
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Albert, this is very strange. If you open up the .deb package you have downloaded, and look at the file DEBIAN/control, you should see the following lines at the top:

    Package: airtime
    Version: 2.5.1-2
    Architecture: all
    Maintainer: Daniel James <daniel@64studio.com>
    Installed-Size: 24182
    Pre-Depends: postgresql, python-virtualenv (>= 1.4.9)
    Depends: apache2, coreutils (>= 7.5) | timeout, curl, ecasound, flac, gzip (>= 1.3.12), libapache2-mod-php5, liquidsoap (>= 1.1.1~), liquidsoap-plugin-alsa, liquidsoap-plugin-ao, liquidsoap-plugin-faad, liquidsoap-plugin-flac, liquidsoap-plugin-icecast, liquidsoap-plugin-lame, liquidsoap-plugin-mad, liquidsoap-plugin-ogg, liquidsoap-plugin-opus, liquidsoap-plugin-portaudio, liquidsoap-plugin-pulseaudio, liquidsoap-plugin-taglib, liquidsoap-plugin-voaacenc, liquidsoap-plugin-vorbis, locales, lsof, monit, mp3gain, multitail, php5-cli, php5-curl, php5-gd, php5-json, php5-pgsql, php-apc, php-pear, pwgen, python, rabbitmq-server, silan (>= 0.3.1~), ssl-cert, sudo, sysv-rc, tar (>= 1.22), unzip, vorbisgain, vorbis-tools, zendframework | libzend-framework-php, debconf (>= 0.5) | debconf-2.0, perl

    I'm now wondering if your download is corrupted. Please try a checksum:

    md5sum airtime_2.5.1-2_all.deb
    89a7b46a3e8d0b2d77b986ec00f1b8b0  airtime_2.5.1-2_all.deb

    Cheers!

    Daniel
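
The dependency check described in the post above can be scripted instead of read off by eye. This is an added example, not code from the thread or from the Airtime project: `control_depends_on` and `sample_control` are hypothetical names, and the stanza is a constructed, shortened sample.

```shell
#!/bin/sh
# Added example (not from the thread): does a Debian control stanza, read on
# stdin, list package $1 in Depends or Pre-Depends? Version constraints such
# as "(>= 1.3.12)" are ignored and "a | b" alternatives both count.
control_depends_on() {
    awk -v want="$1" '
        # Field line: strip the field name and start collecting.
        /^(Pre-)?Depends:/ { infield = 1; sub(/^[^:]*:/, ""); deps = deps "," $0; next }
        # Folded continuation line (leading whitespace) of the same field.
        infield && /^[ \t]/ { deps = deps "," $0; next }
        { infield = 0 }
        END {
            n = split(deps, items, /[,|]/)
            for (i = 1; i <= n; i++) {
                name = items[i]
                sub(/\(.*/, "", name)     # drop "(>= version)"
                gsub(/[ \t]/, "", name)   # drop padding
                if (name == want) found = 1
            }
            exit(found ? 0 : 1)
        }'
}

# Constructed, shortened control stanza modelled on the one quoted above.
sample_control() {
    cat <<'EOF'
Package: airtime
Version: 2.5.1-2
Pre-Depends: postgresql, python-virtualenv (>= 1.4.9)
Depends: apache2, coreutils (>= 7.5) | timeout, curl, gzip (>= 1.3.12),
 pwgen, python, ssl-cert, sudo, tar (>= 1.22)
EOF
}

if sample_control | control_depends_on ssl-cert; then
    echo "ssl-cert is a declared dependency"
else
    echo "ssl-cert is NOT declared"
fi
```

With no field name given, `dpkg-deb -f airtime_2.5.1-2_all.deb` prints the whole control file of the downloaded package, and `dpkg -s airtime` prints the stanza of the installed one; either can be piped into `control_depends_on ssl-cert`.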

  • Andy
    Posts: 42 | Member
    So,

    I have run apt-get update and apt-get upgrade, fuck, shit of the finest kind,

     WHY DO YOU OFFER AN UPDATE IF IT THEN NO LONGER WORKS?

    AIRTIME_SERVER_RESPONDING      = OK
    KERNEL_VERSION                 = UNKNOWN
    MACHINE_ARCHITECTURE           = UNKNOWN
    TOTAL_MEMORY_MBYTES            = UNKNOWN
    TOTAL_SWAP_MBYTES              = UNKNOWN
    AIRTIME_VERSION                = UNKNOWN
    OS                             = Ubuntu 12.04.4 LTS i686
    CPU                            = AMD Opteron(tm) Processor 4180
    WEB_SERVER                     = Apache/2.2.22 (Ubuntu)
    PLAYOUT_ENGINE_PROCESS_ID      = FAILED
    PLAYOUT_ENGINE_RUNNING_SECONDS = 0
    PLAYOUT_ENGINE_MEM_PERC        = 0%
    PLAYOUT_ENGINE_CPU_PERC        = 0%
    -- Displaying log file /var/log/airtime/pypo/pypo.log
    -- 2014-07-17 11:52:28,099 INFO - [api_client.py : is_server_compatible() : line 220] - Unable to get Airtime version number.
    -- 
    -- 2014-07-17 11:52:33,104 DEBUG - [api_client.py : __call__() : line 134] - http://airtime.radio-wolke7.de:80/api/version/api_key/0MYIX9VGIMUUPGBKAKVU
    -- 2014-07-17 11:52:33,108 INFO - [api_client.py : is_server_compatible() : line 220] - Unable to get Airtime version number.
    -- 
    -- 
    -- 
    LIQUIDSOAP_PROCESS_ID          = FAILED
    LIQUIDSOAP_RUNNING_SECONDS     = 0
    LIQUIDSOAP_MEM_PERC            = 0%
    LIQUIDSOAP_CPU_PERC            = 0%
    -- Displaying log file /var/log/airtime/pypo-liquidsoap/ls_script.log
    -- 2014/07/17 11:51:15 [threads:3] Thread "wallclock_main" terminated (1 remaining).
    -- 2014/07/17 11:51:17 [threads:3] Thread "http polling" terminated (0 remaining).
    -- 2014/07/17 11:51:17 [main:3] Cleaning downloaded files...
    -- 2014/07/17 11:51:17 [main:3] Freeing memory...
    -- 2014/07/17 11:51:17 >>> LOG END
    -- 
    -- 
    MEDIA_MONITOR_PROCESS_ID       = FAILED
    MEDIA_MONITOR_RUNNING_SECONDS  = 0
    MEDIA_MONITOR_MEM_PERC         = 0%
    MEDIA_MONITOR_CPU_PERC         = 0%
    -- Displaying log file /var/log/airtime/media-monitor/media-monitor.log
    -- 2014-07-17 11:52:24,212 INFO - [Thread-1] [watchersyncer.py : __init__()] : LINE 19 - Created timeout thread...
    -- 2014-07-17 11:52:24,212 INFO - [Thread-1] [airtime.py : init_rabbit_mq()] : LINE 36 - Initializing RabbitMQ message consumer...
    -- 2014-07-17 11:52:24,217 INFO - [Thread-1] [airtime.py : init_rabbit_mq()] : LINE 48 - Initialized RabbitMQ consumer.
    -- 2014-07-17 11:52:24,217 DEBUG - [Thread-1] [api_client.py : __call__()] : LINE 134 - http://airtime.radio-wolke7.de:80/api/media-monitor-setup/format/json/api_key/0MYIX9VGIMUUPGBKAKVU
    -- 2014-07-17 11:52:24,223 INFO - [Thread-1] [syncdb.py : reload_directories()] : LINE 49 - HTTP Error 403: Forbidden
    -- 
    -- 
    -- There appears to be a problem with your Airtime installation.

    Forbidden

    You don't have permission to access / on this server.


    Apache/2.2.22 (Ubuntu) Server at airtime.radio-wolke7.de Port 80

    Why an update if nothing works afterwards and I have to change everything by hand?
  • Andy
    Posts: 42 | Member
    Vhost edit,
    #comment out ssl, 
    the original Airtime vhost, all is ok

    thx

  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    Don't you have rights problems in /usr/share/airtime/public?
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Andy, the login page http://airtime.radio-wolke7.de/login is accessible from here. I'm guessing you have changed something since the above forum post, maybe gone back to the previous version of your virtualhost definition.

    I did not experience this issue on my own upgrade test so I wonder if you and Albert are accessing the admin interface in a different way. If you could provide me with further clues, I will investigate.

    Cheers!

    Daniel
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Albert, are you running Apache 2.2 or 2.4? Please also post a copy of your /etc/apache2/sites-available/airtime-vhost.conf file

    Cheers!

    Daniel
    Post edited by Daniel James at 2014-07-17 08:23:26
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Andy, the 'forbidden' message is normal when attempting to access port 80 from a remote machine if the virtualhost definition contains:

                  Order deny,allow
                  Deny from all
                  Allow from localhost

    What I would suggest is that you uncomment the port 443 section of your virtualhost definition, but leave port 80 accessible for the time being. Reload the Apache config then test that you can login via https://airtime.radio-wolke7.de/

    Cheers!

    Daniel

  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    2.2
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Albert, if you are running 2.2 then the 'Deny from all' syntax is correct. When the package upgrade was happening, did you see a prompt about keeping the locally modified copy of a configuration file? Cheers! Daniel
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    nope :/
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    OK, in that case, please send me your /etc/apache2/sites-available/airtime-vhost.conf file and I'll try to figure it out.
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    I've found why...

    the RSA server certificate CommonName (CN) does NOT match with the server name... and in this case, the airtime website is unavailable.


    Post edited by Albert FR at 2014-07-17 17:00:33
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    I'll give a little trick to all people who risk having this problem:

    you need to edit /usr/share/ssl-cert/ssleay.cnf

    and change

    commonName                      = @HostName@

    to

    commonName                      = your-domain.com

    and after this:

    make-ssl-cert generate-default-snakeoil --force-overwrite 
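
The CN mismatch described in the two posts above can be checked before and after regenerating the certificate. This is an added example, not code from the thread or from the ssl-cert package: it compares a certificate's CN with the Apache ServerName, the function names are hypothetical, and the only external call is `openssl x509 -noout -subject`.

```shell
#!/bin/sh
# Added example (not from the thread). Compares the CN of a certificate with
# the name users type into the browser. Note: current browsers match the
# subjectAltName extension; this mirrors the CN check discussed in the thread.

# Extract the CN from an "openssl x509 -noout -subject" line. Handles both
# "subject= /C=XX/CN=host" (older OpenSSL) and "subject=C = XX, CN = host".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/^.*CN *= *\([^,/]*\).*$/\1/p'
}

# Case-insensitive comparison; a "*." CN covers exactly one extra label.
cn_matches_host() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $cn in
        \*.*) [ "${host#*.}" = "${cn#\*.}" ] && [ "$host" != "${host#*.}" ] ;;
        *)    [ "$cn" = "$host" ] ;;
    esac
}

# check_cert <cert.pem> <server-name>: 0 = match, 1 = mismatch, 2 = unreadable
check_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject) || return 2
    cn=$(cn_from_subject "$subject")
    if cn_matches_host "$cn" "$2"; then
        echo "OK: CN '$cn' matches '$2'"
    else
        echo "MISMATCH: CN '$cn' does not match '$2'"
        return 1
    fi
}

# Example: sh check_cn.sh /etc/ssl/certs/ssl-cert-snakeoil.pem your-domain.com
if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
fi
```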

  • Daniel -- so this update takes care of cert generation and automatically drops it into the right place?
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Roger, it is the ssl-cert package which generates the certificate, then the updated Airtime package points to that certificate in the virtualhost definition.

    I did not have to perform the extra step that Albert suggests, but I think this is because my server hostname and Airtime server name are under the same domain (64studio.com in my case). I will release a new version of the package which keeps port 80 (http) available so that people have the time to resolve any SSL issues before tightening up security.

    Cheers!

    Daniel
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    Hi Daniel,

    That's exactly why I had proposed this solution ;-)
    I think (but it's only a suggestion) this information would be available in the doc (in case of...) here:

    http://sourcefabric.booktype.pro/airtime-25-for-broadcasters/secure-login-with-ssl/
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Albert, thanks for your insights :-) I have now released an update 2.5.1-3 to the apt server.

    The main issue was that because access to port 80 was blocked for remote sites, the redirect I had put in place for the port 80 virtualhost:

    Redirect permanent /login https://www.example.com/login

    could not be accessed, which I believe was the cause of the blank screen and Forbidden errors described in the posts above. With the update, port 80 is open but because all requests for the root directory get forwarded to the login page, the redirect rule now has a chance to function.

    Your tip to change the commonName and regenerate the certificate works for me to remove the 'The certificate is only valid for (hostname)' error from the browser, I will add this to the manual. However I expect you will still see the warning 'The certificate is not trusted because it is self-signed' unless you have already imported the certificate.

    Cheers!

    Daniel
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    Yep !

    certificate not trusted is our millstone :D
  • Daniel James
    Posts: 844 | Member, Sourcefabric Team
    Hi Albert,

    If you have a known group of users it is possible to import the certificate directly into their browsers from a trusted local file, for example on a USB key. This creates a very simple web of trust, which to my way of thinking is more secure than relying on a third-party certificate authority.

    I have updated http://sourcefabric.booktype.pro/airtime-25-for-broadcasters/secure-login-with-ssl/ to mention this possibility.

    Thanks for the help!

    Daniel
  • Albert FR
    Posts: 1,978 | Member, Airtime Moderator
    Yes, that's true, but at the same time, accepting a known untrusted certificate is simpler for a lot of users...
    But you're right :D
  • Giga
    Posts: 80 | Member
    Hi, I have the same problem apparently, the upgrade broke my login section, isn't the new apache configuration compatible with custom port, I use port 8222 for airtime admin , all was working fine till the last upgrade, all airtime files are set to work on 8222 but the login site is not replying anything, would appreciate if someone can help with that
  • please bro,

    how can I preview media by just copying & pasting the URL to another website, without logging in to view it

    many thanks :)