EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09734

< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] Repository Server Upgrade SSL

Hi James,

(Sitting here waiting for an rsync to complete).  If you are saying that the citations are still behaving like you would expect before you altered the workflow/citation files under you archive, it is possible you have made an invalid change.  EPrints will not reload modified workflow/citations files if they have XML syntax issues.  So a good first test is to run:

xmllint FILE.xml > /dev/null

In theory, "epadmin test" would be doing this across all workflow/citations that are loaded, so it should not be necessary but it is good to rule this out.

If you are saying you decided to take a version of a workflow or citation from lib, flavours/pub_lib, site_lib or an ingredient and then make local modifications at an archive level, then that will require an Apache reload. However, I don't think that is what you are saying.

It is possible that there is a permission issue preventing the appropriate files being read by the webserver.  I would expect an error log file for Apache to show this or possibly another error, which explains why these are not loading as expected.

Were you making these workflow citations whilst upgrading EPrints, if so what version of EPrints were you on before?  There should not be anything that has changed in 3.4.5 that would affect the load order or what gets loaded for workflows/citations.

This may be a silly question but are you sure there is nothing that could be obfuscating this.  I have many a time either not realised that my browser is on a different instance of my repository (e.g. test or pre-prod rather than live) as the hostnames are very similar or I have hacked around with my /etc/hosts file so although my browser says I am on one hostname I am technically on different IP address.  Another layer of obfuscation could be your Apache config is pointing at a different directory path than the one you have been editing  or you are symlinking /opt/eprints3 to somewhere different than you thought.  (All things that have caught me out in the past).


David Newman

On 14/06/2024 17:37, James Kerwin wrote:
CAUTION: This e-mail originated outside the University of Southampton.
John and David, thank you both so much for your advice. It turns out we had a few problems. On the old server IT had put the certs in /var/tmp and the new verson of Ubuntu/Apache did not like that. I put them somewhere sensible, then started getting actual useful errors that led me to resolving it (enable headers in Apache in this case).

I do have another problem though; none of my custom workflows or search results citations seem to be working. I've altered them in /opt/eprints3/archives/uolrepo/cfg but they don't seem to be taking. I've also modified them in the flavours and lib directories just to be sure. epadmin test isn't showing any errors, but it just seems to be refusing to take them up.

Any immediate thoughts? (by immediate I mean "on Monday")

The eprints version is 3.4.5


On Fri, Jun 14, 2024 at 8:58 AM David R Newman <drn@ecs.soton.ac.uk> wrote:
Hi James,

SSL config loading is a bit weird in EPrints and does things I would describe as the other way round.  Specifically for eprints.conf you need:

Include /opt/eprints3/cfg/apache.conf
Include /opt/eprints3/archives/*/ssl/securevhost.conf

You need to manually build the latter of these two in all your archives rather than creating this in /opt/eprints3/cfg/apache_ssl/uolrepo.conf.  The files in the directory should be generated by generate_apacheconf a long with the ones in /opt/eprints3/cfg/apache/.  What you do need to do with ssl/securevhost.conf (technically this could be anywhere as long as your sites-enabled/eprints.conf points at it) is similar is make sure it includes the generate file for the appropriate archive from /opt/eprints3/cfg/apache_ssl/ as per the example in:



David Newman
P.S. A file (which can be include in securevhost.conf) will only be created by generate_apacheconf under cfg/apache_ssl/ if the archive has a securehost set in 10_core.pl or at least some archive level cfg/cfg.d/  file.

On 14/06/2024 6:10 am, James Kerwin wrote:
CAUTION: This e-mail originated outside the University of Southampton.
CAUTION: This e-mail originated outside the University of Southampton.
Hi All,

I did the big switchover to my new repository server yesterday.

Had a number of problems with getting SSL to work. I'm now at the point where I can go to the url:


But it loads the default Apache page. This feels like a step forwards as yesterday Apache was telling me my certificate files didn't exist.

Can anybody please advise me?

In /etc/apache2/sites-enabled/eprints.conf I have:

Include /opt/eprints3/cfg/apache.conf
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost

In /opt/eprints3/cfg/apache.conf I have:

# Load the perl modules & repository configurations
PerlSwitches -I/opt/eprints3/perl_lib
Include /opt/eprints3/cfg/perl_module_isolation.conf

# Load the per-repository apache configuration
Include /opt/eprints3/cfg/apache/*.conf
Include /opt/eprints3/cfg/apache_ssl/*.conf

In /opt/eprints3/cfg/apache_ssl/uolrepo.conf I have what looks to be the correct conf based on it being similar in structure to that I use on the Data Catalogue. I think it's safe enough to share the below.

If anyone can help I would be eternally grateful and forever in your debt.

<VirtualHost *:443>
  ServerName livrepository.liverpool.ac.uk

  ServerAdmin jkerwin@liverpool.ac.uk
  SSLEngine On
  #SSLCertificateFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_cert.cer
  #SSLCertificateKeyFile /var/tmp/270324-ssl-certs/liv-repo-live.key
  #SSLCertificateChainFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_interm.cer
  SSLCertificateFile /opt/eprints3/certs/repo-live_liv_ac_uk_cert.cer
  SSLCertificateKeyFile /opt/eprints3/certs/liv-repo-live.key
  SSLCertificateChainFile /opt/eprints3/certs/repo-live_liv_ac_uk_interm.cer
  Header always set Strict-Transport-Security "max-age=15768000"  
  SSLProtocol             all -SSLv3
  SSLHonorCipherOrder     on
  SSLCompression          off
  <Location "">
    PerlSetVar EPrints_ArchiveID uolrepo
    PerlSetVar EPrints_Secure yes

    Options +ExecCGI
    <IfModule mod_authz_core.c>
       Require all granted
    <IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/