Reeder (iOS) integration with TT-RSS (via Fever API)


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby ZeGuigui » 25 May 2013, 03:16

From CaCert.org http://wiki.cacert.org/SimpleApacheCert

If using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the attachments.
Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.
Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:

Code:

SSLCertificateFile <Path to your certificate file>/example_cert.pem
SSLCertificateKeyFile <Path to your key file>/example_key.pem
SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby morsedl » 25 May 2013, 03:48

(Odd, I posted this already, but it didn't show up, so trying again...)

@ZeGuigui:

My tt-rss installation is at https://xxxxx.xxxxxxx.com/reader/

I didn't have SSLCertificateChainFile configured in Apache 2, but I downloaded CAcert_chain.pem from cacert.org and added:

SSLCertificateChainFile /etc/ssl/certs/CAcert_chain.pem

to the right place in my Apache mod_ssl config (i.e., /etc/apache2/sites-enabled/ikrg-ssl), but still no joy (same login failed error).

Thanks again so much for your assistance! And thank you VERY much for confirming that this CAN work.

I'm wondering what I'm doing wrong or what I am missing?

Doug
Last edited by morsedl on 25 May 2013, 07:06, edited 1 time in total.


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby LifeWOutMilk » 25 May 2013, 04:24

Considering the guys at cacert.org can't even get it right, I'm not surprised.

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.cacert.org%2F

Edit: Why not go to StartSSL.com and get a cert that will actually work in current browsers instead of this broken cacert.org nonsense?


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby morsedl » 25 May 2013, 07:05

@LifeWOutMilk:

Thanks so much, that did the trick! The ssllabs.com test suite is quite useful -- I'm most grateful for you making it known to me!

@ALL:

OK, I'm good to go -- thanks to EVERYONE for your prompt, kind, courteous, and, most of all -- useful -- assistance!

My solution was simply to take everyone's advice and switch my certificates to Startcom SSL. This did the trick and I'm now using tt-rss + fever over HTTPS / SSL just fine.

Happy Weekend Everyone!

Doug


POST-MORTEM FOLLOWS:

I'm not sure why I could not seem to get cacert.org's certificates to work -- it's really not clear to me where the problem might have resided. I doubt the problem is with their certificate chain, but perhaps.

I did check that my procedure exactly matched what they suggest (http://wiki.cacert.org/SimpleApacheCert) and it did, but with one exception. I did not have the SSLCertificateChainFile file (i.e., CAcert_chain.pem) installed and properly referenced in /etc/apache2/sites-enabled/ikrg-ssl (i.e., my config file modified from Apache 2's default-ssl file). Fixing this did not fix the problem with tt-rss+fever over https, however, as already noted.

I should note that I never installed or set SSLCACertificateFile when working with my cacert.org cert, as their instructions do not mention this config option at all (but the StartCom SSL instructions do). So, perhaps that was the problem. I would think that the needed cacert.org root cert would be embedded in the CAcert_chain.pem file -- indeed I'm pretty sure I checked and it is -- but perhaps SSLCACertificateFile must also be set, regardless of their instructions. If I were to keep trying with cacert.org, this is what I would have tried next. If that did not work, I would have then presumed the issue was more client-side, and kept trying to figure out how to get the right certs / cert-chains set up within my iPhone.

Given, however, that ZeGuigui and LifeWOutMilk both reported working rss+fever over https, and that LifeWOutMilk specifically mentioned that it worked with StartCom SSL, I opted to take their advice, as it seemed more of a "sure thing" than continuing to tool around with cacert.org (despite having a lot of success with them in the past).

Apologies for the somewhat lengthy post-mortem. However, I dislike it when folks post in forums (of all sorts), and, after changing directions in their efforts to resolve a problem, fail to really explain why they changed directions, and what they would have done next if they had stayed on that path. So, I make a point of trying to always provide such information when I can.


LifeWOutMilk wrote:Considering the guys at cacert.org can't even get it right, I'm not surprised.

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.cacert.org%2F

Edit: Why not go to StartSSL.com and get a cert that will actually work in current browsers instead of this broken cacert.org nonsense?


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby whatiris » 26 May 2013, 18:09

Hullo! I have figured out the problem with the fever plugin and postgresql, I think. The PHP postgres handler returns "t" and "f" instead of 1 and 0 for boolean fields.

This means getUnreadItemIds() needs to be edited to handle the case of "t" instead of 1

if ($line["unread"] == "t")
$unreadItemIdsCSV .= $line["ref_id"] . ",";

and getItems() needs to handle the case of "f" when checking unread status

"is_read" => ($line["unread"] == "f" ? 1 : 0),

I am not much of a developer so I don't know how to submit a patch but as far as I can see those two changes are the only thing required to support postgres. The setItem type functions specify the boolean true in the query so they should work I think. I haven't tested this much beyond basic sanity checking.


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby fox » 26 May 2013, 18:19

functions.php, sql_bool_to_bool()


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby whatiris » 26 May 2013, 18:30

Ah cool, can wrap in that function instead.

And yes, obviously I'm talking about the functions in fever_api.php; I forgot to mention that.

Anyway, hope this helps, DigitalDJ.


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby IvanRaide » 26 May 2013, 23:34

Seeing the above working for morsedl I decided to try it as well (but am much less qualified I believe to actually accomplish it).

I got an express cert from StartSSL, which was a p12 file. I noticed that all the apache2 ssl settings required pem files in the examples above, so I ran the following...
openssl pkcs12 -in StartSSL.p12 -out StartSSL.pem -nodes

I then ran:

a2enmod ssl
a2ensite default-ssl
service apache2 restart


Now when I go to the tt-rss website it came up with untrusted cert (which makes sense, I believe it's using that snake-oil cert).
I copied over the StartSSL.pem file to /etc/ssl/certs and changed the following 3 lines in default-ssl to:

SSLCertificateFile /etc/ssl/cert/StartSSL.pem
SSLCertificateKeyFile/etc/ssl/cert/StartSSL.pem
SSLCertificateChainFile /etc/ssl/cert/StartSSL.pem

but when trying to restart apache it fails. My assumption was that pem are a concatenation of all the info required, but honestly, I don't know very much about openssl, ssl, etc., so I'm sure that assumption is wrong.
If that assumption is wrong, how do you get the necessary files from StartSSL? I guess, "am I close, or am I so far off the mark that I should just give up"


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby fox » 26 May 2013, 23:35

Last I checked you were posting on a tt-rss forum, not "plz halp I can't apache".


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby morsedl » 27 May 2013, 00:34

@IvanRaide:

You need four different files referenced in your default-ssl file for your StartSSL certificate to work.

[Note: I reference both StartSSL and StartCom in what follows -- obviously, they are the same entity.]


Some Background

First, StartSSL seems to install a private key into your browser during the initial setup, and encourages you to back up this file, which Firefox (and likely other browsers) will store as a .p12 file. However, this file IS NOT your private key for your certificates -- rather, it is YOUR PERSONAL PRIVATE KEY FOR SECURE EMAIL (such as S/MIME). Thus, it is NOT the private key you want to install in Apache, and, at least in my case, I did NOT have to convert any .p12 files to .pem files.

So, you're probably using the wrong key file. I'll get to that in a moment.

Second, a little more background: The "standards" for file extensions for SSL-related files are rather "loose". A lot of folks use .pem for everything. I prefer and recommend using the following extensions: .csr, .pem, and .key. .csr is for certificate signing requests, and .key is for private keys (technically, just a .pem file with only one, private key). .pem files are generally for certificates, but technically they are a container format, meaning they can hold multiple items, typically public keys and certificates (including entire certificate chains). (For more about this, see http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file.)

Some Ideas on How to Fix Your Problem

First, here are the four relevant lines from my default-ssl file (with myhost.myserver.com replacing my actual server):

SSLCertificateFile /etc/ssl/certs/myhost.myserver.com.pem
SSLCertificateKeyFile /etc/ssl/private/myhost.myserver.com.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/startcom-ca.pem

The latter two files you download from StartCom's website (links are provided here: http://www.startssl.com/?app=21).

The second file, that is, SSLCertificateKeyFile, is the key file that was generated when you created your certificate signing request that you pasted into StartCom's website. You probably ran a command like the following to generate the .csr file:

openssl req -nodes -newkey rsa:2048 -keyout myhost.myserver.com.key -out myhost.myserver.csr

It is this .key file -- the option to the -keyout parameter -- that is the private key for the server certificate you obtained from StartCom. Thus, and in other words, STARTCOM NEVER GETS THE PRIVATE KEY FOR YOUR CERTIFICATE, ONLY YOU HAVE IT (which is sort of the point, no? :) ).

If for some reason or somehow you didn't run a command like the one above, or deleted the .key file, can't find it, or whatever, you can simply revoke your existing server certificate and create a new one, this time being sure to hang on to the private key.

Lastly, the first file, SSLCertificateFile, is simply the server certificate issued to you by StartCom, which you obtain with the "Retrieve Certificate" option in their Toolbox (or whatnot). IIRC, you have to cut and paste the certificate. Simply copy the certificate to your clipboard. Then, paste into a new text document in your text editor of choice, and save it as a plain text file called myhost.myserver.com.pem.

I believe that if you get these four files setup correctly, and your default-ssl file adjusted accordingly, you should be good to go. As it stands now, it looks like you're trying to use just the .pem certificate for three of the four required configuration options, and, as you observed, that won't work. Apache cannot decrypt the certificate without the private key file (myhost.myserver.com.key), and without the certificate of authority file (startcom-ca.pem) and the certificate chain file (sub.class1.server.ca.pem), Apache cannot send the public keys embedded within these files to the web/mobile clients for them to be able to validate the authenticity of both StartCom itself and the entire certificate chain. Thus, at the moment, the only Apache configuration you appear to have correct is your server certificate itself (what I'm calling myhost.myserver.com.pem here, what you called StartSSL.pem).

Hope this helps.

Given fox's comment, it might be best to continue this via email. Feel free to email me at (dm at-sign dougmorse period org) and I'll try to help as best I can.

Cheers,
Doug


IvanRaide wrote:Seeing the above working for morsedl I decided to try it as well (but am much less qualified I believe to actually accomplish it).

I got an express cert from StartSSL, which was a p12 file. I noticed that all the apache2 ssl settings required pem files in the examples above, so I ran the following...
openssl pkcs12 -in StartSSL.p12 -out StartSSL.pem -nodes

...
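The file roles discussed in the two posts above can be checked mechanically. This is an added example, not code from the thread or from tt-rss: a stdlib-only Python audit that compares the SSL* directive lines with the PEM block labels found in each referenced file. The file contents are constructed placeholders, and treating a private key inside any certificate file as a finding is this example's own policy (Apache itself accepts a key inside SSLCertificateFile).

```python
import re

# True = the file must hold a private key; False = certificates only.
DIRECTIVES = {"SSLCertificateFile": False, "SSLCertificateKeyFile": True,
              "SSLCertificateChainFile": False, "SSLCACertificateFile": False}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)


def pem_labels(text):
    """Labels of the PEM blocks in a file, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return PEM_BEGIN.findall(text)


def audit(config, files):
    """Check mod_ssl directive lines against file contents (dict: path -> text)."""
    findings = []
    for line in map(str.strip, config.splitlines()):
        name = next((d for d in DIRECTIVES if line.startswith(d)), None)
        if name is None:
            continue
        rest = line[len(name):]
        if not rest[:1].isspace():
            # Apache reads the whole token as one unknown directive name.
            findings.append((name, "no space before path"))
            continue
        path = rest.strip()
        if path not in files:
            findings.append((name, "file not found"))
            continue
        labels = pem_labels(files[path])
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        if DIRECTIVES[name] and not has_key:
            findings.append((name, "no private key block"))
        if not DIRECTIVES[name] and "CERTIFICATE" not in labels:
            findings.append((name, "no certificate block"))
        if not DIRECTIVES[name] and has_key:
            findings.append((name, "private key in certificate file"))
    return findings


def pem(label):  # constructed placeholder block, not real key material
    return "-----BEGIN {0}-----\nAAAA\n-----END {0}-----\n".format(label)


# Constructed stand-in for a `pkcs12 -nodes` export: key and certificate together.
BUNDLE = {"/etc/ssl/certs/StartSSL.pem": pem("PRIVATE KEY") + pem("CERTIFICATE")}
# The three directive lines as they appear in IvanRaide's post.
POSTED = """SSLCertificateFile /etc/ssl/cert/StartSSL.pem
SSLCertificateKeyFile/etc/ssl/cert/StartSSL.pem
SSLCertificateChainFile /etc/ssl/cert/StartSSL.pem"""
REPAIRED = POSTED.replace("File/", "File /").replace("/cert/", "/certs/")  # spacing and path fixed

if __name__ == "__main__":
    print(audit(POSTED, BUNDLE), audit(REPAIRED, BUNDLE))
```

Label checks only show what kind of block each file holds; whether the key actually belongs to the certificate still needs a cryptographic comparison.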


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby DigitalDJ » 27 May 2013, 03:04

whatiris wrote:Ah cool, can wrap in that function instead.

And yes, obviously I'm talking about the functions in fever_api.php I forgot to mention that.

Anyway, hope this helps, DigitalDJ.


Thanks for that.

Have you tried using the function on the lines you specified? Does it fix all the problems? If so, I'll update the plugin.

Your best bet would be to keep track of your PHP error log and try to use Reeder with the Fever plugin, to detect any errors.

EDIT: I have updated the plugin to what I think will fix the issue. Give v1.2 a shot (from the first post)


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby whatiris » 27 May 2013, 05:19

Yep, I did make the changes myself and have been using it in Reeder successfully since yesterday. I'll give your 1.2 a go later today.

Edit: I have updated to 1.2 now and was able to successfully refresh in Reeder, and mark an item read which updated correctly in the web interface.

Looking at the changes you've made, they're pretty much exactly what I did which has been fine so should be all good.


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby vasechka » 02 Jun 2013, 06:34

Absolutely great plugin.
I tried to get it working with ReadKit on OS X. And didn't go - ReadKit will crash after requesting groups list. Just FYI.
Oh, btw, got it working on https - had to install my own CA certificate onto iOS device.


Re: Reeder (iOS) integration with TT-RSS (via Fever API)

Postby morsedl » 02 Jun 2013, 09:10

@vasechka: Do you mind saying a little more about what CA certificate you installed and how you did so? I just went through all that and did not have any luck (and ended up switching to StartSSL from CAcert.org). In particular, what steps did you have to go through to get your device to allow you to login with your own cert over https? Thanks!

vasechka wrote: .... Oh, btw, got it working on https - had to install my own CA certificate onto iOS device.


Chill Pill support?

Postby pendor » 18 Jun 2013, 19:44

Greetings all! Just joining in trying to get Fever support to replace my beloved NetNewsWire on Mac OS.

I've tried ReadKit 2 with this very useful Fever plugin, and it works pretty well, but it frequently pegs the CPU on my Mac and stays that way. Hopefully an update is forthcoming, but in the meantime I decided to give Chill Pill for Mac a try. At first it refused to acknowledge that the plugin was a valid Fever server, looking for a file at [ttrsshome]/plugins/fever/firewall/receipt.txt that contains the string "Fever". Having fixed that, now all Chill Pill shows is a blank screen with a bit of JSON in it:

Code:

{"api_version":3,"auth":0}


I'm curious if anyone else has tried to get Chill Pill working and had any success? Haven't had any chance to try debugging yet, but will do unless maybe someone has an easy answer on tap. Here's hoping anyways... =)

Thanks again for the plugin & in advance for any help!

-Zac

