Topic on Extension talk:VisualEditor

(Curl error: 60) SSL peer certificate or SSH remote key was not OK (MediaWiki 1.35 + VisualEditor + Windows/IIS)

Configmaster (talk | contribs)
Product Version
Mediawiki 1.35.0
PHP 7.3.24
MariaDB 10.5.8
IIS 10
OS Windows Server 2019

Symptoms:

New installation of private MediaWiki 1.35 with Visual Editor. IIS configured to use Windows Authentication (to enable authentication with Windows AD). MW works as expected, launching VE causes Curl error 60.

VisualEditor documentation states that with MediaWiki 1.35, you should not need to download anything to get VE working, private wiki may need some configuration but otherwise VE should work out of the box.

Many hours (days) and lots of research later I can say that getting VE to work with MediaWiki 1.35 in a Windows environment wasn’t such an easy task. I found lots of suggestions on how to get VE to work after “Error contacting the Parsoid/RESTBase server: (Curl error: 60) SSL peer certificate or SSH remote key was not OK”, but none of them worked for me.


Workaround:

This is my solution (quite simple, actually), hope this helps someone to get things working without days of work and banging head to the wall.

1. Install MediaWiki 1.35 with extensions of your choice.

2. Make sure that everything is working like you want (except that stubborn VisualEditor that gives you Curl error 60)

3. Export CA-certificate and add reference to it in php.ini -conf (*

4. Modify authentication settings of rest.php -file in IIS (**

5. Add following lines to LocalSettings.php

    if($_SERVER['REMOTE_ADDR'] == 'your_server_ip_address'){
        $wgGroupPermissions['*']['edit'] = true;
        $wgGroupPermissions['*']['read'] = true;
    }

6. Make iisreset


(* If I get it right, the Curl 60 is generated when you click on modify in MediaWiki, which leads to connection attempt to VE through PHP that can't verify the server certificate in use. To fix this error you need to export the CA-certificate and tell the PHP where it is found:

1. Open mmc → Add/Remove Snap-in → Certificates → Computer account

2. In certificates -console navigate to Trusted Root Certification Authorities → Certificates

3. Select your Root CA → Export → Base-64 encoded X.509 (.CER) (this is equivalent to .pem -certificate format) → Save to the wiki root -folder (the same place as your LocalSettings.php) with name “cacert.cer”

4. Go to your PHP install folder and find php.ini → find line ;curl.cainfo =

5. Remove ; and add absolute path to your exported cacert.cer -file, example: curl.cainfo = "c:\WIKI\cacert.cer"


Now the curl 60 should disappear, you can verify that by changing the IIS authentication settings to Anonymous Authentication and authenticating with log in form.


(** SSO won't work if you have Anonymous Authentication enabled in IIS and VE won't work if it is disabled. This is a problem if you use something else than username/password to authenticate users (you know what I mean if you have smart cards in use).

You can tackle the authentication problem by setting the Anonymous Authentication only to the rest.php -file (found in your wiki root) and everywhere else you can use Windows Authentication and keep the Anonymous Authentication disabled:

1. Navigate to your %windir%\system32\inetsrv\config directory and modify applicationHost.config

2. Search <location path="your_wiki_site"> … </location> section and add a new section below it:

    <location path="your_wiki_site/rest.php">
        <system.webServer>
            <security>
                <authentication>
                    <anonymousAuthentication enabled="true" />
                </authentication>
            </security>
        </system.webServer>
    </location>

3. Save your changes to the config file and make an iisreset.


Now you should have working MediaWiki with Visual Editor.

89.166.216.113 (talk | contribs)

I could not import my certificate in the cert store, so I added the ignore option for curl to get it running:

edit includes/libs/http/MultiHttpClient.php

                $ch = curl_init();

+                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

+                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

                curl_setopt( $ch, CURLOPT_PROXY, $req['proxy'] ?? $this->proxy );
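
Review bot: the two added curl_setopt() calls sit directly after curl_init() with no condition, so CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set to 0 for every request that MultiHttpClient makes, not only the VisualEditor call that raised error 60; any host on the network path can then present any certificate and be accepted. I would drop both lines and leave verification on, supplying the issuing CA instead, either through curl.cainfo in php.ini as in the first post or with CURLOPT_CAINFO on this handle. The change also patches a file under includes/, so it will be overwritten by the next MediaWiki upgrade and the error will return.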


Now curl does not check my certificate, but it works.

81.220.61.63 (talk | contribs)

Did that fix and it worked like a charm. Thanks for sharing !


NB: It's a private Wiki too, not open on public internet

217.110.33.34 (talk | contribs)

THANK YOU !!!!!!!!!!

88.130.78.70 (talk | contribs)

After hours of search & try I finally found a solution for my private wiki.


Here are my steps and solution. Maybe they will help someone.

- See what is the problem:

curl --trace-ascii trace.txt wiki-adress/api.php

My curl.cainfo in the php.config was not used. In the trace.txt I found the path.


- Then I added my SSL cert at the end of ca-certificates.crt

sudo nano /etc/ssl/certs/ca-certificates.crt

   -> add private cert at the end


- I use NGINX with htaccess protection. But now I got a 401 error. That's why I disabled the auth*

-> remove auth_* in NGINX config

   server {
       auth_basic "Restricted";
       auth_basic_user_file /etc/nginx/.htpasswd;
   }


- Now I got a 400 error. I added following line in NGINX config:

   location /rest.php/ {
       try_files $uri $uri/ /rest.php?$query_string;
   }

sudo nginx -t

sudo systemctl reload nginx


This finally worked for me.

Unfortunately I have no more htaccess protection.
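
A diagnostic for the CA-trust problem discussed in the first post and in the post above, as an added example that is not part of the thread or of MediaWiki: it prints which php.ini and CA bundle PHP's curl actually uses, lists the certificates in that bundle, and repeats the request with verification left on. The URL is a placeholder, and the script assumes the curl and openssl PHP extensions are loaded.

```php
<?php
// Added diagnostic (not from the thread). Assumption: $url is a placeholder
// for your wiki's REST endpoint; pass the real one as the first argument.
$url = $argv[1] ?? 'https://wiki.example.internal/rest.php/';

// 1. Which php.ini is loaded, and which CA settings are in effect?
//    The CLI and the web server SAPI can load different php.ini files, so
//    run this through the web server too if the values look right here.
printf("php.ini loaded : %s\n", php_ini_loaded_file() ?: '(none)');
$cainfo = ini_get('curl.cainfo');
printf("curl.cainfo    : %s\n", $cainfo ?: '(unset, libcurl default is used)');
printf("openssl.cafile : %s\n", ini_get('openssl.cafile') ?: '(unset)');

// 2. If a bundle is configured, confirm it is readable PEM and list each CA.
if ($cainfo) {
    if (!is_readable($cainfo)) {
        exit("CA file is not readable by this PHP process: $cainfo\n");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        file_get_contents($cainfo), $m);
    printf("certificates in bundle: %d\n", count($m[0]));
    foreach ($m[0] as $pem) {
        $c = openssl_x509_parse($pem);
        if ($c === false) { echo "  unparsable PEM block\n"; continue; }
        printf("  %s (expires %s)\n", $c['name'], date('Y-m-d', $c['validTo_time_t']));
    }
}

// 3. Repeat the HTTPS request with certificate and hostname checks ON.
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_NOBODY         => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_TIMEOUT        => 10,
]);
curl_exec($ch);
$errno = curl_errno($ch);
if ($errno === 60) {            // the error number from the thread title
    echo "curl error 60: issuing CA is not trusted via the settings above\n";
} elseif ($errno !== 0) {
    printf("curl error %d: %s\n", $errno, curl_error($ch));
} else {
    printf("TLS verified, HTTP %d\n", curl_getinfo($ch, CURLINFO_HTTP_CODE));
}
curl_close($ch);
```

A result of "TLS verified, HTTP 401" means the certificate problem is solved and what remains is the web-server authentication issue the posts describe for rest.php.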

KarelMike (talk | contribs)

I have the same error (Curl error: 60) with MW 1.35.2 working on the virtual server (Ubuntu 20.04, Apache2, PHP 7.4.3, MySQL 8.0.25). I have an assumption that the error arises from the NGINX - Apache bundle, where Apache works through 127.0.0.1 localhost.

I don't know how to fix this. None of the methods presented here work for me.

Lokeshwarans (talk | contribs)

Thanks this is good! Do you face any issues with image uploads? I get a Could not open lock file for "mwstore://local-backend/local-public/ while uploading

Fokebox (talk | contribs)

I have some wiki websites on different hosts and yesterday when using VE I faced the same error: (Curl error: 60) SSL peer certificate or SSH remote key was not OK

What steps should be made to resolve this problem I really don't know. Can someone help me?

95.57.117.162 (talk | contribs)

   location /rest.php/ {
       try_files $uri $uri/ /rest.php?$query_string;
   }


This worked for me, thanks!

2001:9E8:303B:7900:412F:8C5C:22AC:71D3 (talk | contribs)

How do I "Export CA-certificate"?

Thanks in advance!

Christian
