Please let me know if I'm asking this question badly, but here is my situation. I'm trying to set up a phabricator server on AWS EC2 for my organization. The main phabricator server is fine, but I'm struggling to get the notification (aphlict) server working.
phabricator/.bin/aphlict start
(or at least phabricator/.bin/aphlict status gives Aphlict (1461) is running.)
phabricator/.bin/aphlict debug gives Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
and an uncaught exception of Error: EACCES: permission denied, open '/var/log/aphlict.log'
Firefox can’t establish a connection to the server at wss://phabricator.<redacted>.com:22280/.
[cURL/7] (https://phabricator.<redacted>.com:22280/) <CURLE_COULDNT_CONNECT>
The cURL library raised an error while making a request. You may be able to find more information about this error (error code: 7) on the cURL site: http://curl.haxx.se/libcurl/c/libcurl-errors.html#CURLECOULDNTCONNECT
I am desperately trying to follow the instructions from https://phabricator.tbmh.org/book/phabricator/article/notifications/ but I really don't understand web sockets, HTTPS, TCP, or SSL well enough. I am serving my phabricator site over HTTPS, and am pretty sure I need to do some version of this:
If you serve Phabricator over HTTPS, you must also serve websockets over HTTPS. Browsers will refuse to connect to ws:// websockets from HTTPS pages.
If a client connects to Phabricator over HTTPS, Phabricator will automatically select an appropriate HTTPS service from notification.servers and instruct the browser to open a websocket connection with wss://.
The simplest way to do this is configure Aphlict with an SSL key and certificate and let it terminate SSL directly.
But unfortunately I can't figure out exactly what I should change to make it all work.
Here is my sudo ./bin/config get notification.servers:
{
"config": [
{
"key": "notification.servers",
"source": "local",
"value": [
{
"type": "client",
"host": "phabricator.<redacted>.com",
"port": 22280,
"protocol": "https"
},
{
"type": "admin",
"host": "127.0.0.1",
"port": 22281,
"protocol": "http"
}
],
"status": "set",
"errorInfo": null
},
{
"key": "notification.servers",
"source": "database",
"value": null,
"status": "unset",
"errorInfo": null
}
]
}
and here is my phabricator/conf/aphlict/aphlict.default.json:
{
"servers": [
{
"type": "client",
"port": 22280,
"listen": "0.0.0.0",
"ssl.key": "/etc/letsencrypt/live/phabricator.<redacted>.com/fullchain.pem",
"ssl.cert": "/etc/letsencrypt/live/phabricator.<redacted>.com/privkey.pem",
"ssl.chain": "/etc/letsencrypt/live/phabricator.<redacted>.com/chain.pem"
},
{
"type": "admin",
"port": 22281,
"listen": "127.0.0.1",
"ssl.key": "/etc/letsencrypt/live/phabricator.<redacted>.com/fullchain.pem",
"ssl.cert": "/etc/letsencrypt/live/phabricator.<redacted>.com/privkey.pem",
"ssl.chain": "/etc/letsencrypt/live/phabricator.<redacted>.com/chain.pem"
}
],
"logs": [
{
"path": "/var/log/aphlict.log"
}
],
"pidfile": "/var/tmp/aphlict/pid/aphlict.pid"
}
I've also added TCP inbound 0.0.0.0/0 and ::/0 rules on ports 22281 and 22280 in AWS.
I did finally get the solution. In the end I was just using the wrong permutation of .pem files... it needed to be this:
"ssl.key": "/etc/letsencrypt/live/phabricator.<redacted>.com/privkey.pem",
"ssl.cert": "/etc/letsencrypt/live/phabricator.<redacted>.com/cert.pem",
"ssl.chain": "/etc/letsencrypt/live/phabricator.<redacted>.com/fullchain.pem"
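The mix-up fixed above (a certificate file in ssl.key) is exactly what OpenSSL reports as "PEM_read_bio:no start line": it looked for a "-----BEGIN PRIVATE KEY-----" style header and found a certificate instead. The script below is an added example, not Phabricator's own code, that checks the PEM headers of every ssl.key / ssl.cert / ssl.chain path in an Aphlict JSON config, plus the log-path permission that produced the EACCES. The directory /etc/letsencrypt/live/phabricator.example/, the PEM bodies, and the function names are constructed for the example; the wrong and corrected mappings mirror the ones in the question and answer.

```python
#!/usr/bin/env python3
"""Header-level check of the ssl.key / ssl.cert / ssl.chain mapping in an Aphlict config.

Added example, not part of Phabricator. No crypto is needed to catch a swapped key and
certificate file, so this runs with the standard library alone.
"""
import json
import os
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def pem_blocks(text):
    """Return [(label, base64 body without whitespace), ...] in file order."""
    return [(m.group("label"), re.sub(r"\s+", "", m.group("body")))
            for m in PEM_BLOCK.finditer(text)]


def _load(path, files):
    """Read a PEM file from disk, or from `files` (path -> text) for offline use."""
    if files is not None:
        return files.get(path)
    try:
        with open(path, "r", encoding="ascii") as fh:
            return fh.read()
    except OSError as exc:          # ENOENT, or EACCES on a root-only privkey.pem
        return exc


def check_servers(config, files=None):
    """Return problem strings for the "servers" array; an empty list means clean."""
    problems = []
    for srv in config.get("servers", []):
        tag = "%s:%s" % (srv.get("type", "?"), srv.get("port", "?"))
        if srv.get("type") == "admin" and srv.get("listen") not in LOOPBACK:
            problems.append("%s: admin listener bound to %r, keep it on loopback"
                            % (tag, srv.get("listen")))
        paths = {k: srv[k] for k in ("ssl.key", "ssl.cert", "ssl.chain") if k in srv}
        if not paths:
            continue                # plain-http listener, nothing to check
        for opt in ("ssl.key", "ssl.cert"):
            if opt not in paths:
                problems.append("%s: %s not set although TLS is configured" % (tag, opt))
        blocks = {}
        for opt, path in paths.items():
            text = _load(path, files)
            if text is None or isinstance(text, OSError):
                problems.append("%s: %s %s: cannot read (%s)" % (tag, opt, path, text or "missing"))
            elif not pem_blocks(text):
                problems.append("%s: %s %s: no PEM block found" % (tag, opt, path))
            else:
                blocks[opt] = pem_blocks(text)
        key, cert, chain = (blocks.get(k) for k in ("ssl.key", "ssl.cert", "ssl.chain"))
        if key and key[0][0] == "ENCRYPTED PRIVATE KEY":
            problems.append("%s: ssl.key is passphrase-protected; Aphlict cannot prompt for it" % tag)
        elif key and key[0][0] not in PRIVATE_KEY_LABELS:
            problems.append("%s: ssl.key %s: first PEM block is %r, expected a private key "
                            "(this is what raises 'no start line')" % (tag, paths["ssl.key"], key[0][0]))
        if cert and cert[0][0] != "CERTIFICATE":
            problems.append("%s: ssl.cert %s: first PEM block is %r, expected CERTIFICATE"
                            % (tag, paths["ssl.cert"], cert[0][0]))
        if chain and any(label != "CERTIFICATE" for label, _ in chain):
            problems.append("%s: ssl.chain %s: contains non-certificate blocks" % (tag, paths["ssl.chain"]))
    return problems


def check_logs(config):
    """Return problems for "logs" paths the current user cannot write (the EACCES case)."""
    problems = []
    for entry in config.get("logs", []):
        path = entry.get("path", "")
        target = path if os.path.exists(path) else (os.path.dirname(path) or ".")
        if not os.access(target, os.W_OK):
            problems.append("log %s: not writable by this user (EACCES at start-up)" % path)
    return problems


# Constructed sample data: placeholder PEM bodies, not real keys or certificates.
LE_DIR = "/etc/letsencrypt/live/phabricator.example/"      # hypothetical live/ directory
_LEAF = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgTEVBRg==\n-----END CERTIFICATE-----\n"
_INTER = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgSU5URVI=\n-----END CERTIFICATE-----\n"
_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END PRIVATE KEY-----\n"
SAMPLE_FILES = {LE_DIR + "privkey.pem": _KEY, LE_DIR + "cert.pem": _LEAF,
                LE_DIR + "chain.pem": _INTER, LE_DIR + "fullchain.pem": _LEAF + _INTER}


def _server(kind, port, listen, key, cert, chain):
    return {"type": kind, "port": port, "listen": listen, "ssl.key": LE_DIR + key,
            "ssl.cert": LE_DIR + cert, "ssl.chain": LE_DIR + chain}


# The mapping from the question (fullchain.pem in ssl.key) and the corrected one.
WRONG_CONFIG = {"servers": [_server("client", 22280, "0.0.0.0", "fullchain.pem", "privkey.pem", "chain.pem"),
                            _server("admin", 22281, "127.0.0.1", "fullchain.pem", "privkey.pem", "chain.pem")]}
FIXED_CONFIG = {"servers": [_server("client", 22280, "0.0.0.0", "privkey.pem", "cert.pem", "fullchain.pem"),
                            _server("admin", 22281, "127.0.0.1", "privkey.pem", "cert.pem", "fullchain.pem")]}


if __name__ == "__main__":
    if len(sys.argv) > 1:           # real run: python3 aphlict_pem_check.py /path/to/aphlict.json
        with open(sys.argv[1]) as fh:
            cfg = json.load(fh)
        found = check_servers(cfg) + check_logs(cfg)
    else:                           # demo run against the constructed configs
        found = check_servers(WRONG_CONFIG, SAMPLE_FILES)
        print("corrected mapping:", check_servers(FIXED_CONFIG, SAMPLE_FILES) or "clean")
    print("\n".join(found) or "clean")
    sys.exit(1 if found else 0)
```

Run it as the account that will run aphlict: privkey.pem under /etc/letsencrypt is normally readable by root only, so a key the daemon cannot open shows up here as a read failure just as it would at start-up. Note also that the admin listener on 127.0.0.1:22281 is reachable only from the instance itself, so the inbound security-group rule on 22281 is not needed; only 22280 has to be open to clients.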