Calibre Companion and Basic Authentication

[bossanova808]

I have calibre content server running as a reverse proxy behind Apache, and am using basic authentication on this server.

Generally I can get apps to connect to my server via something like:

Code:

https://user:password@servername.com:port/CA/

This works for all the usual suspects (sabnzbd, sickbeard, etc) - and works fine for Calibre too in general.

I have tried the 'full url' option and entering the above, but Calibre Companion won't connect.

I believe reverse proxies are in general ok - but what about those using basic auth? Any ideas on this one?

I thought I would post here first so that future searchers could benefit from the discussion as this is quite a common setup these days.

[chaley]

Quote:

Originally Posted by bossanova808

I have calibre content server running as a reverse proxy behind Apache, and am using basic authentication on this server.

Generally I can get apps to connect to my server via something like:

Code:

https://user:password@servername.com:port/CA/

This works for all the usual suspects (sabnzbd, sickbeard, etc) - and works fine for Calibre too in general.

I have tried the 'full url' option and entering the above, but Calibre Companion won't connect.

I believe reverse proxies are in general ok - but what about those using basic auth? Any ideas on this one?

I thought I would post here first so that future searchers could benefit from the discussion as this is quite a common setup these days.

Basic auth works fine. What doesn't work is putting the credentials into the URL. Instead, connect using a URL without credentials and wait for CC to ask you for a username and password.

Or are you using a double-password scheme, where the proxy demands credential set one and calibre demands credential set two? This kind of scheme will be a problem. The solution: turn off authentication on calibre and trust the reverse proxy. Or vice versa.

[bossanova808]

No, just the basic authentication. I tried it without the user/pass previously and it won't connect - it's not very informative as to why though. Is there a debugging mode maybe?

[bossanova808]

(same url - copy and pasted - works fine in Firefox) - maybe an issue with self signed certificates? I am using https....

[chaley]

At the moment there is no debugging output in CC. That should change with the next release.

I run a reverse proxy scheme using apache 2. I just reconfigured it to use basic auth, and CC connects without trouble. Are you sure you entered the right credentials into CC?

[bossanova808]

It's now all good over http. But not https - I presume because of my self signed certificate maybe. I appear to have installed it (it says it installs) - but still not working yet...I still get the red X in chrome, and CC won't connect (instant fail). I try and only leave https open, but I can live with some things over http I guess. I will persist and report back - but some sort of error reporting would be v. handy!

[chaley]

Quote:

Originally Posted by bossanova808

It's now all good over http. But not https - I presume because of my self signed certificate maybe. I appear to have installed it (it says it installs) - but still not working yet...I still get the red X in chrome, and CC won't connect (instant fail). I try and only leave https open, but I can live with some things over http I guess. I will persist and report back - but some sort of error reporting would be v. handy!

CC will never work with a self-signed cert because we don't support invalid signature exceptions. CC (and all other browsers) really want the cert to be signed by a known issuing authority. If this isn't the case (as with all self-signed certs), most browsers will permit you to add an exception for that cert, and then continue. This sort of thing is far beyond what we are prepared to deal with in CC.

FWIW: I went ahead and bought a real cert from cheapssl. Cost me $6/year, which is a deal compared to the hassle of managing exceptions.

FWIW**2: I don't recommend you run basic auth over http. Your credentials are visible on the 'net for anyone to sniff. Use digest.

[bossanova808]

All good points. Hell I think I even have an unused certificate option in an account somewhere...indeed, time to sort that out.

Thanks for your help, much appreciated.

[bossanova808]

(set up my proper certificate and all is indeed well now) - nice app!

[bossanova808]

Hey

Are you aware of any change in Calibre and/or Calibre Companinion that would break this?

I've had it working for ages and not changed anything other than normal updated to C an CC, but it has stopped working.

Did that logging ever get added so one can see what is going on? I can get to the content server fine in a browser from my Nexus7, and from other devices both within and from outside my network. So no general issue, just with CC.

Any ideas?

[chaley]

Quote:

Originally Posted by bossanova808

Hey

Are you aware of any change in Calibre and/or Calibre Companinion that would break this?

I've had it working for ages and not changed anything other than normal updated to C an CC, but it has stopped working.

Did that logging ever get added so one can see what is going on? I can get to the content server fine in a browser from my Nexus7, and from other devices both within and from outside my network. So no general issue, just with CC.

Any ideas?

To my knowledge there haven't been any changes in either calibre of CC that could affect this. Has the cert expired?

There is extensive logging in CC. The log is in Android/data/com.multipie.calibreandroid/files (I think). You can email it to yourself in CC's Settings / Send a debug log to multipie. Change the To: addresses to your own. Do remember that if you use Gmail to send yourself a message then that message won't appear in your inbox. Check in Sent Items.

[gbm]

Quote:

Originally Posted by chaley

To my knowledge there haven't been any changes in either calibre of CC that could affect this. Has the cert expired?

There is extensive logging in CC. The log is in Android/data/com.multipie.calibreandroid/files (I think). You can email it to yourself in CC's Settings / Send a debug log to multipie. Change the To: addresses to your own. Do remember that if you use Gmail to send yourself a message then that message won't appear in your inbox. Check in Sent Items.

No need to use email, ES file manger can open or send that file to your computer using wireless.

bernie

[bossanova808]

Hmm, ok, it seems it is using verifypeer with ssl? I changed from GoDaddy to RapidSSL certificate a while back...but it's still a full certificate.

Most stuff turns verifypeer off in general, for compatibility with self signed etc.

2015-04-08 20:27:59.989: ContentServer: my ip address is: 192.168.1.2
2015-04-08 20:27:59.991: Networking: checking if connect possible to iport https://XXXX.net:202/CA/:0
2015-04-08 20:28:00.059: Networking: Can connect to XXXX.net:202
2015-04-08 20:28:00.060: ContentServer: returning fixed values: ipaddress=https://XXXX.net:202/CA/, port=0
2015-04-08 20:28:00.243: ContentServer: creating connection to https://XXXX.net:202/CA/
2015-04-08 20:28:00.382: Error decrypting. Probably using wrong key.
2015-04-08 20:28:00.383: ContentServer: checking authentication
2015-04-08 20:28:00.476: Exception in OnContentServerFound: probably connection failed because CS not running
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
at com.android.org.conscrypt.SSLNullSession.getPeerCe rtificates(SSLNullSession.java:104)
at a.a.a.e.d.a.a(Source:128)
at a.a.a.e.d.e.a(Source:572)
at a.a.a.h.c.e.a(Source:180)
at a.a.a.h.c.m.a(Source:294)
at a.a.a.h.b.m.a(Source:640)
at a.a.a.h.b.m.a(Source:479)
at a.a.a.h.b.a.a(Source:902)
at a.a.a.h.b.a.a(Source:801)
at com.multipie.cclibrary.Opds.r.b(Source:209)
at com.multipie.cclibrary.Opds.r.d(Source:221)
at com.multipie.cclibrary.Opds.ap.a(Source:400)
at com.multipie.cclibrary.Opds.ap.doInBackground(Sour ce:1)
at android.os.AsyncTask$2.call(AsyncTask.java:288)
at java.util.concurrent.FutureTask.run(FutureTask.jav a:237)
at android.os.AsyncTask$SerialExecutor$1.run(AsyncTas k.java:231)
at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1112)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:587)
at java.lang.Thread.run(Thread.java:818)
2015-04-08 20:28:00.492: Log flush
2015-04-08 20:28:00.519: ContentServer: shutting down connection
2015-04-08 20:28:00.520: OPDS: onPostExecute: status NO_CS
2015-04-08 20:28:00.911: onSaveInstanceState
2015-04-08 20:28:00.915: BaseActivity onStop
2015-04-08 21:55:15.931: OPDS reconnect
2015-04-08 21:55:15.950: ContentServer: creating connection to https://XXXX.net:202/CA/
2015-04-08 21:55:16.060: Error decrypting. Probably using wrong key.
2015-04-08 21:55:16.061: ContentServer: checking authentication
2015-04-08 21:55:18.398: onActivityResult req=1, res=-1
2015-04-08 21:55:18.410: BaseActivity onStart
2015-04-08 21:55:18.411: onResume
2015-04-08 21:55:18.414: setupScrollThumb onLeft=false, inGrid=true, inList=true, inDrawer=true, always=false
2015-04-08 21:55:18.583: setGroupingEnabled isEnabled=true
2015-04-08 21:55:18.968: ContentServer: shutting down connection
2015-04-08 21:55:19.924: onPrepareOptionsMenu
2015-04-08 21:55:19.941: setGroupingEnabled isEnabled=true
2015-04-08 21:55:22.827: onPause
2015-04-08 21:55:23.583: onSaveInstanceState
2015-04-08 21:55:23.585: BaseActivity onStop

[chaley]

Quote:

Originally Posted by bossanova808

Hmm, ok, it seems it is using verifypeer with ssl? I changed from GoDaddy to RapidSSL certificate a while back...but it's still a full certificate.

Did you add the certificate chain to your server? I have a cheap comodo "positiveSSL" cert and peer verification didn't work until I added both the intermediate and the root cert to the server's SSL chain bundle. For apache, this involves adding something like the following to ssl-sites.conf:

Code:

    SSLCertificateFile /etc/ssl/tho.new/tho.crt
    SSLCertificateKeyFile /etc/ssl/tho.new/tho.key
    SSLCertificateChainFile /etc/ssl/tho.new/bundle.crt

Quote:

Most stuff turns verifypeer off in general, for compatibility with self signed etc.

Browsers and the like have dialogs to accept certs that are not verifiable, expired, or have the wrong site name. My guess is that you had to do that the first time you connected from your device using chrome or whatever.

I am not willing either to add those dialogs or to turn off peer verification.

[bossanova808]

I thought I had but apparently not when I renewed it. All good again. Although honestly why you preclude the use of self signed seems overkill to me....after all plenty of home servers would be run that way?


Man in the middle arracks using cc seems highly unlikely....but I am sure you know much more about it then me.. Thanks for your help again.