Cannot connect to Nucleuse in SSL/TLS mode through Omniverse Create, or Drive

markyqj · May 29, 2022, 3:08pm

I am deploying Nucleus in SSL/TLS mode (or, PBR, Path-based Routing) based on the official document.
I could successfully connect to Nucleus (with Nginx as a reverse proxy) by browser, but failed by Omniverse Create or Drive.

Watching the log of Nginx about the 1st HTTP request sent by browser and Omniverse Create/Drive, there are 2 difference:

the trailing slash: by browser is “GET /omni/discovery/”, but by Omniverse Create/Drive is “GET /omni/discovery”.
the Header user-agent: by browser is “Mozilla/5.0 …”, but by Omniverse/Drive is NOTHING.

I wonder there is workable nginx.conf or this is a bug of Omniverse Create/Drive?
How could I simply fix it?

WendyGram · May 31, 2022, 5:25pm

Hello @markyqj! I have notified the dev team about your post. Can you share a copy of your nucleus logs found here: %HOMEPATH%\.nvidia-omniverse\logs It may help us pinpoint where the issue is.

WendyGram · May 31, 2022, 9:09pm

Hi @markyqj! The development team would like to know if you are using the Enterprise Nucleus or the Desktop Nucleus. They wanted to know if you were using the trial license for Enterprise or if you have the paid version.

markyqj · June 1, 2022, 12:38am

Hi @WendyGram ,

It’s Enterprise Nucleus on Ubuntu, and is trial license.

Since the “/omni/discovery” is not properly redirected to Nucleus Discovery, I add below routing rule for reverse proxy (Nginx)

        location = /omni/discovery {
          proxy_pass https://20.78.122.74.nip.io/omni/discovery/;
          proxy_http_version 1.1;
          proxy_read_timeout 60s;
          proxy_set_header Upgrade $http_upgrade;
          add_header Access-Control-Allow-Origin * always;
          add_header Access-Control-Allow-Headers * always;
          add_header Access-Control-Allow-Methods * always;
          proxy_set_header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36";
          proxy_set_header Connection "upgrade";

        }

Below is log of reverse proxy (Nginx)

portal-nginx  | 2022/06/01 00:33:50 [info] 34#34: *946 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 20.125.28.59, server: 0.0.0.0:443
portal-nginx  | 20.125.28.59 - - [01/Jun/2022:00:33:50 +0000] "/omni/discovery" "GET /omni/discovery HTTP/1.1" 101 2481 "-" "-" "-"
portal-nginx  | 20.78.122.74 - - [01/Jun/2022:00:33:50 +0000] "/omni/discovery/" "GET /omni/discovery/ HTTP/1.1" 101 2481 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36" "-"
portal-nginx  | 2022/06/01 00:33:50 [info] 32#32: *949 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 20.125.28.59, server: 0.0.0.0:443

, and below is log of "nucleuse base_stack"

base_stack-nucleus-discovery-1         | 2022-06-01 00:33:50,336 | > DiscoverySearch.find: {'query': {'service_interface': {'origin': 'OmniAuth.idl.ts', 'name': 'Credentials', 'capabilities': {'auth': 0}}, 'supported_transport': [{'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true', 'supports_path': 'true'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'false'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'false', 'supports_path': 'true'}}, {'name': 'connlib', 'meta': {}}], 'meta': {'deployment': 'external'}}, 'version': 2}
base_stack-nucleus-discovery-1         | 2022-06-01 00:33:50,336 | < DiscoverySearch.find: {'found': True, 'service_interface': {'origin': 'OmniAuth.idl.ts', 'name': 'Credentials', 'capabilities': {'get_settings': 0, 'auth': 1, 'register': 1, 'reset': 0}}, 'transport': {'name': 'sows', 'params': '{"host": "20.78.122.74.nip.io", "port": 443, "path": "/omni/auth"}', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true', 'supports_path': 'true'}}, 'meta': {'deployment': 'external', 'login_url': 'https://20.78.122.74.nip.io:443/omni/auth/login/'}, 'version': 2}
base_stack-nucleus-discovery-1         | 2022-06-01 00:33:50,337 | > DiscoverySearch.find: {'query': {'service_interface': {'origin': 'OmniAuth.idl.ts', 'name': 'Tokens', 'capabilities': {'refresh': 0}}, 'supported_transport': [{'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true', 'supports_path': 'true'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'false'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'false', 'supports_path': 'true'}}, {'name': 'connlib', 'meta': {}}], 'meta': {'deployment': 'external'}}, 'version': 2}
base_stack-nucleus-discovery-1         | 2022-06-01 00:33:50,338 | < DiscoverySearch.find: {'found': True, 'service_interface': {'origin': 'OmniAuth.idl.ts', 'name': 'Tokens', 'capabilities': {'generate': 0, 'refresh': 0, 'subscribe': 0, 'create_api_token': 0, 'delete_api_token': 0, 'get_api_tokens': 0, 'auth_with_api_token': 0}}, 'transport': {'name': 'sows', 'params': '{"host": "20.78.122.74.nip.io", "port": 443, "path": "/omni/auth"}', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true', 'supports_path': 'true'}}, 'meta': {'deployment': 'external', 'login_url': 'https://20.78.122.74.nip.io:443/omni/auth/login/'}, 'version': 2}
base_stack-nucleus-discovery-1         | 2022-06-01 00:33:50,338 | > DiscoverySearch.find: {'query': {'service_interface': {'origin': 'omni1.idl.ts', 'name': 'Connection', 'capabilities': {'auth': 2, 'authorize_token': 1, 'change_acl': 0, 'checkpoint_version': 1, 'copy': 1, 'create': 2, 'create_asset': 0, 'create_directory': 0, 'create_group': 0, 'delete': 0, 'get_acl': 0, 'get_checkpoints': 0, 'get_mount_info': 0, 'list2': 2, 'lock': 2, 'ping': 0, 'read': 0, 'read_asset_version': 0, 'replace_version': 0, 'stat2': 1, 'subscribe_list': 0, 'unlock': 1, 'update': 1}}, 'supported_transport': [{'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'true', 'supports_path': 'true'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'false'}}, {'name': 'sows', 'meta': {'marshaller': 'bs', 'serializer': 'json', 'ssl': 'false', 'supports_path': 'true'}}, {'name': 'connlib', 'meta': {}}], 'meta': {'deployment': 'external'}}, 'version': 2}
base_stack-nucleus-discovery-1         | 2022-06-01 00:33:50,339 | < DiscoverySearch.find: {'found': True, 'service_interface': {'origin': 'omni1.idl.ts', 'name': 'Connection', 'capabilities': {'add_user_to_group': 0, 'auth': 2, 'authorize_token': 1, 'change_acl': 0, 'checkpoint_version': 1, 'copy': 1, 'copy2': 0, 'create': 2, 'create_asset': 0, 'create_asset_with_hash': 0, 'create_directory': 0, 'create_group': 0, 'create_object': 0, 'deep_copy_object_struct': 0, 'delete': 0, 'delete2': 0, 'get_acl': 0, 'get_acl_resolved': 0, 'get_acl_v2': 0, 'get_branches': 0, 'get_checkpoints': 0, 'get_group_users': 0, 'get_groups': 0, 'get_mount_info': 0, 'get_transaction_id': 0, 'get_user_groups': 0, 'get_users': 0, 'list': 4, 'list2': 4, 'lock': 2, 'mount': 0, 'ping': 0, 'read': 0, 'read_asset_resolved': 0, 'read_asset_version': 0, 'read_object_resolved': 0, 'read_object_version': 0, 'remove_group': 0, 'remove_user_from_group': 0, 'rename': 0, 'rename_group': 0, 'replace_version': 0, 'set_acl_v2': 0, 'set_path_options': 1, 'set_path_options2': 0, 'stat2': 1, 'stop': 0, 'subscribe_list': 1, 'subscribe_read_asset': 0, 'subscribe_read_object': 1, 'subscribe_server_notifications': 0, 'unlock': 1, 'unmount': 0, 'update': 1, 'update_asset': 0, 'update_asset_with_hash': 0, 'update_object': 0}}, 'transport': {'name': 'connlib', 'params': '{\n    "url": "wss://20.78.122.74.nip.io:443/omni/api"\n}', 'meta': {}}, 'meta': {'deployment': 'external'}, 'version': 2}

jimit-modi · June 2, 2022, 4:56am

@markyqj - Can you please specify whether you are using the Fullchain SSL certificate or not? As I was also facing the same issue earlier a few months back. And using the Fullchain SSL certificate did wonder for me.

markyqj · June 2, 2022, 8:13am

Hi @jimit-modi I am using certbot+let’s encrypt.

For Nginx config, I set

        ssl_certificate      /letsencrypt/live/20.78.122.74.nip.io/fullchain.pem;
        ssl_certificate_key  /letsencrypt/live/20.78.122.74.nip.io/privkey.pem;

Looks like it’s Fullchain SSL cert.

jimit-modi · June 2, 2022, 8:51am

@markyqj - I have a few questions:

Which Create App version you are using currently?
Were you able to add the connection to any of the App/ App versions?
On which OS you are running the OV Client Apps?
Can you share your Nginx config file?

markyqj · June 2, 2022, 9:19am

Hi @jimit-modi

it’s 2022.1.2
besides to browser, I could use Omniverse Navigator (3.0.0) connect to Nucleus successfully.
windows 10
sure,
default.conf (8.6 KB)

jimit-modi · June 2, 2022, 9:26am

@markyqj - Can you try it in 2021.3.7 version of Create App and tell me whether you are able to connect to not?
And I wanted to view the Nginx config file, the onw which you are using for Reverse-proxy configuration file which may be under the SSL directory of the base-stack.

markyqj · June 2, 2022, 9:32am

@jimit-modi
I update the file again, please have a look.
I will install and feedback, soon.

markyqj · June 2, 2022, 11:08am

@jimit-modi trying with the Create 2021.3.7, the browser (login form) shows.
After input the id/password, the browser says “You have successfully logged in. You can continue to work in your application.”, but Omnniverse Create says “ERROR_CONNECTION”.

jimit-modi · June 2, 2022, 11:40am

@markyqj - Okay, so I guess the SSL configuration you are currently using is not compatible with the SSL standard maintained in the Client Apps. Also, I am not sure whether self-signed SSL certificates are compatible with the Client Apps. We can try connecting to the Nucleus server by disabling the SSL standard for a particular Client App. To do so, follow this steps:

Close the Create App, if it’s running.
Open CMD [Command Prompt] on your system.
Change directory to where the Create App is installed. For me it’s C:\Users\jimit_modi\AppData\Local\ov\pkg\create-2022.1.2
If you don’t know the path, you can get to know it from the following images:

image2896×1584 370 KB

image2896×1584 374 KB

image2896×1648 228 KB
And run the following two commands on CMD:
set OMNI_TRUSTED_CERTIFICATE=ALL
omni.create.bat

This will launch the Create App and disable the SSL checks for your Nucleus server SSL configurations. Let me know whether this worked for you or not?

markyqj · June 2, 2022, 12:18pm

@jimit-modi unfortunatelly, it doesn’t work (Create 2022.1.2).
The browser is even now brought by Create.

By the way, the cert is issued by certbot+let’s encrypt; is it “self-signed”?

jimit-modi · June 2, 2022, 12:50pm

@markyqj - can you create a user id for me. so that I can test it out?
I am not sure of the fact whether it’s a self-signed certificate or not.

markyqj · June 8, 2022, 4:19am

The problem is solved, thanks to @jimit-modi and @mirice .

Share the experience here.

I applied the domain name with nip.io, and get the cert by certbot+let’s encrypt.
If failed; or, it only works for “OMNI_TRUSTED_CERTIFICATE=ALL”

I apply the domain name with no-ip, and get the cert by certbot+let’s encrypt again.
It works like a charm.

Why nip.io doesn’t work? No clue.

jimit-modi · June 8, 2022, 5:07am

So, Summing up the points which can be considered to check if you face issues while adding connection of OV Nucleus Enterprise to the Client Apps:

To check whether the domain on which the Nucleus server is hosted is a secured connection. You can check it by visiting the login page of the Nucleus Enterprise server on the browser which should have a lock symbol ahead of the URL.
To check whether the SSL certificate used by you is considered Trusted or Untrusted. This can be checked by setting the environment variable OMNI_TRUSTED_CERTIFICATE=ALL, which marks all the certificates as Trusted. Follow the following steps to do this:
- Open the installation directory. (For me it is C:\Users\jimit_modi\AppData\Local\ov\pkg\create-2022.1.2) You can find yours as follows:
  
  image2896×1584 370 KB
  
  image2896×1584 374 KB
  
  image2896×1648 228 KB
- Then open the batch file omni.create.bat in a text-editable form.
- Replace it with the following content:
  
  image794×120 3.64 KB
- Now try to launch from the OV Launcher and try adding a connection to the Nucleus server.
Confirm whether you are using a full chain certificate file rather than just the certificate file for your SSL configuration.
Confirm whether there is any discrepancy in the reverse-proxy configuration. If using Nginx, confirm whether the configuration file is configured properly.

markyqj · June 9, 2022, 3:05am

Update the result.

I change the domain name, from
20.78.122.74.nip.io
to
markyqj-20-78-122-74.nip.io,

it works!

The format of domain name matters.

system · June 23, 2022, 3:05am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.