New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

connecting to kernel on ipad #1421

Closed
theobarnhart opened this Issue May 3, 2016 · 33 comments

Comments

Projects
None yet
@theobarnhart

theobarnhart commented May 3, 2016

Are there any tricks for connecting to a jupyter notebook on an ipad being served from a computer on the local network? I can bring up the tree, but cannon connect to the kernel when I click a notebook. I've tried becoming a certificate signing authority to generate a non self signed certificate for SSL, but this has not helped (and adding the CA certificate as a trusted profile on the ipad). The notebook says its connecting and then it hangs and says "not connected." ipad pro 9.7 running safari and chrome iOS 9.3.1. Jupyter version 4.1.0

image
image

@willingc

This comment has been minimized.

Show comment
Hide comment
@willingc

willingc May 3, 2016

Member

@theobarnhart You may wish to try using Let's Encrypt for SSL since you seem to have admin access on the local network server. Here are instructions.

I'm not an iPad user. If others have a better solution, please post it here. Thanks!

Member

willingc commented May 3, 2016

@theobarnhart You may wish to try using Let's Encrypt for SSL since you seem to have admin access on the local network server. Here are instructions.

I'm not an iPad user. If others have a better solution, please post it here. Thanks!

@theobarnhart

This comment has been minimized.

Show comment
Hide comment
@theobarnhart

theobarnhart May 3, 2016

Thanks Carol, I tried that, but I'm on an internal server within a
institutional network so its not visible outside of colorado.edu. Lets
Encrypt cannot see the server so they will not issue a certificate for it.

Theodore Barnhart
PhD Candidate
INSTAAR / Geography
University of Colorado
theodore.barnhart@colorado.edu
http://theobarnhart.host-ed.me/

On Tue, May 3, 2016 at 11:59 AM, Carol Willing notifications@github.com
wrote:

@theobarnhart https://github.com/theobarnhart You may wish to try using
Let's Encrypt for SSL since you seem to have admin access on the local
network server. Here are instructions
https://jupyter-notebook.readthedocs.io/en/latest/public_server.html#using-let-s-encrypt
.

I'm not an iPad user. If others have a better solution, please post it
here. Thanks!


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#1421 (comment)

theobarnhart commented May 3, 2016

Thanks Carol, I tried that, but I'm on an internal server within a
institutional network so its not visible outside of colorado.edu. Lets
Encrypt cannot see the server so they will not issue a certificate for it.

Theodore Barnhart
PhD Candidate
INSTAAR / Geography
University of Colorado
theodore.barnhart@colorado.edu
http://theobarnhart.host-ed.me/

On Tue, May 3, 2016 at 11:59 AM, Carol Willing notifications@github.com
wrote:

@theobarnhart https://github.com/theobarnhart You may wish to try using
Let's Encrypt for SSL since you seem to have admin access on the local
network server. Here are instructions
https://jupyter-notebook.readthedocs.io/en/latest/public_server.html#using-let-s-encrypt
.

I'm not an iPad user. If others have a better solution, please post it
here. Thanks!


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#1421 (comment)

@willingc

This comment has been minimized.

Show comment
Hide comment
@willingc

willingc May 3, 2016

Member

@theobarnhart Good point. @ellisonbg @fperez I believe that you both use iPads. Any suggestions?

Member

willingc commented May 3, 2016

@theobarnhart Good point. @ellisonbg @fperez I believe that you both use iPads. Any suggestions?

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift May 3, 2016

You basically need a self-signed cert, but that self-signed cert needs to be signed by your own certificate authority; you can then add the certificate for your certificate authority as a profile(?) on iOS. I wrote up my notes for doing this stuff (when I figured it out) here: https://github.com/Unidata/Unidata-Dockerfiles/blob/master/jupyterhub/ssl/ssl_notes.txt

dopplershift commented May 3, 2016

You basically need a self-signed cert, but that self-signed cert needs to be signed by your own certificate authority; you can then add the certificate for your certificate authority as a profile(?) on iOS. I wrote up my notes for doing this stuff (when I figured it out) here: https://github.com/Unidata/Unidata-Dockerfiles/blob/master/jupyterhub/ssl/ssl_notes.txt

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift May 3, 2016

I should add--the root cause is that it seems that iOS refuses to use an untrusted cert for secure web sockets (WSS).

dopplershift commented May 3, 2016

I should add--the root cause is that it seems that iOS refuses to use an untrusted cert for secure web sockets (WSS).

@willingc

This comment has been minimized.

Show comment
Hide comment
@willingc

willingc May 3, 2016

Member

@dopplershift Thanks for sharing 👍

Member

willingc commented May 3, 2016

@dopplershift Thanks for sharing 👍

@theobarnhart

This comment has been minimized.

Show comment
Hide comment
@theobarnhart

theobarnhart May 3, 2016

Thank you @dopplershift! I tried a similar tutorial to become a signing authority, but yours is a little different so I'll give it a try and report back.

theobarnhart commented May 3, 2016

Thank you @dopplershift! I tried a similar tutorial to become a signing authority, but yours is a little different so I'll give it a try and report back.

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift May 3, 2016

Since it's not in the repo, here's the openssl.cnf:

prompt = no
dir = .

[ca]
default_ca = my_ca

[my_ca]
serial = $dir/CA/serial
database = $dir/CA/certindex.txt
new_certs_dir = $dir/CA/certs
certificate = $dir/CA/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha1
default_days = 365
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = match
emailAddress = optional

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
default_bits = 2048

[req_distinguished_name]
countryName = US
stateOrProvinceName = Colorado
localityName = Boulder
organizationalUnitName = 
commonName = 
0.organizationName = 
emailAddress = 

[ v3_ca ]
basicConstraints = CA:TRUE

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 
DNS.1 = 

I think the alt-names stuff allowed it to work on a server where I only had an IP address.

dopplershift commented May 3, 2016

Since it's not in the repo, here's the openssl.cnf:

prompt = no
dir = .

[ca]
default_ca = my_ca

[my_ca]
serial = $dir/CA/serial
database = $dir/CA/certindex.txt
new_certs_dir = $dir/CA/certs
certificate = $dir/CA/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha1
default_days = 365
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = match
emailAddress = optional

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
default_bits = 2048

[req_distinguished_name]
countryName = US
stateOrProvinceName = Colorado
localityName = Boulder
organizationalUnitName = 
commonName = 
0.organizationName = 
emailAddress = 

[ v3_ca ]
basicConstraints = CA:TRUE

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 
DNS.1 = 

I think the alt-names stuff allowed it to work on a server where I only had an IP address.

@fperez

This comment has been minimized.

Show comment
Hide comment
@fperez

fperez May 3, 2016

Member

I don't think there's a way to override the restriction on refusing connections to secure web sockets with self-signed certificates on iOS, even Safari on OSX imposes, I think, the same constraint. @minrk is quite the expert on these details, as always, so he can correct me if I'm wrong here.

Member

fperez commented May 3, 2016

I don't think there's a way to override the restriction on refusing connections to secure web sockets with self-signed certificates on iOS, even Safari on OSX imposes, I think, the same constraint. @minrk is quite the expert on these details, as always, so he can correct me if I'm wrong here.

@theobarnhart

This comment has been minimized.

Show comment
Hide comment
@theobarnhart

theobarnhart May 3, 2016

Thanks all, @dopplershift's solution and tutorial worked great!

theobarnhart commented May 3, 2016

Thanks all, @dopplershift's solution and tutorial worked great!

@willingc

This comment has been minimized.

Show comment
Hide comment
@willingc

willingc May 3, 2016

Member

I don't think there's a way to override the restriction on refusing connections to secure web sockets with self-signed certificates on iOS, even Safari on OSX imposes, I think, the same constraint.

@fperez You are correct on self-signed certs. This solution takes it a bit further, and it creates a certificate authority first and then uses it to sign the cert.

Thanks Team Colorado, @theobarnhart and @dopplershift, for the good work here 😄

Member

willingc commented May 3, 2016

I don't think there's a way to override the restriction on refusing connections to secure web sockets with self-signed certificates on iOS, even Safari on OSX imposes, I think, the same constraint.

@fperez You are correct on self-signed certs. This solution takes it a bit further, and it creates a certificate authority first and then uses it to sign the cert.

Thanks Team Colorado, @theobarnhart and @dopplershift, for the good work here 😄

@theobarnhart

This comment has been minimized.

Show comment
Hide comment
@theobarnhart

theobarnhart May 3, 2016

I should note that I emailed my cacert.pem to myself and added it as a profile on my ipad, I'm not sure if thats necessary (or a good idea), but I read about it on a different tutorial.

theobarnhart commented May 3, 2016

I should note that I emailed my cacert.pem to myself and added it as a profile on my ipad, I'm not sure if thats necessary (or a good idea), but I read about it on a different tutorial.

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift May 3, 2016

@theobarnhart IIRC, I emailed to myself as well. It's necessary so that your regular self-signed cert will be trusted by safari; unless someone else gets their hands on your CA private key, shouldn't be risky.

dopplershift commented May 3, 2016

@theobarnhart IIRC, I emailed to myself as well. It's necessary so that your regular self-signed cert will be trusted by safari; unless someone else gets their hands on your CA private key, shouldn't be risky.

@minrk minrk added this to the no action milestone May 30, 2016

@algorithmx

This comment has been minimized.

Show comment
Hide comment
@algorithmx

algorithmx Nov 27, 2016

@dopplershift
Hi Ryan,
I met the same problem (kernel not connected) with the latest version of Safari browser. According to the replies people refer to your tutorial which works well. But when I click the link, it is already dead. Could you please provide the tutorial again? Thanks!
Best,
Yunlong

algorithmx commented Nov 27, 2016

@dopplershift
Hi Ryan,
I met the same problem (kernel not connected) with the latest version of Safari browser. According to the replies people refer to your tutorial which works well. But when I click the link, it is already dead. Could you please provide the tutorial again? Thanks!
Best,
Yunlong

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift Nov 28, 2016

Sorry, that repository has been repurposed. I don't have the instructions up anywhere, so I'll just put them here:

To create CA:

  1. Generate new key and cert with password:
    openssl req -new -x509 -keyout private/cakey.pem -out CA/cacert.pem -days 365 -config ./openssl.cnf
  2. Initialize serial number:
    echo '100001' > CA/serial
  3. Init cert db:
    touch CA/certindex.txt
  4. Open CA/cacert.pem on OSX and trust it in the keychain.

To issue new certificate:

  1. Generate new RSA private key:
    openssl genrsa -out private/ssl.key 4096
  2. Make a new certificate request:
    openssl req -new -out ./ssl.req -key private/ssl.key -config ./openssl.cnf
  3. (optional) Check request for Subject Alternative Name info (SAN)
    openssl req -text -noout -in ./ssl.req
  4. Issue new cert from CA:
    openssl ca -in ssl.req -out ssl.cert -config openssl.cnf -extensions v3_req
  5. (optional) Verify SAN in output cert:
    openssl x509 -in ssl.cert -noout -text
  6. (optional) Verify trust: openssl verify -CAfile CA/cacert.pem ssl.cert
    To revoke (e.g. need to update IP address):
    openssl ca -revoke ./CA/certs/100001.pem -config openssl.cnf

dopplershift commented Nov 28, 2016

Sorry, that repository has been repurposed. I don't have the instructions up anywhere, so I'll just put them here:

To create CA:

  1. Generate new key and cert with password:
    openssl req -new -x509 -keyout private/cakey.pem -out CA/cacert.pem -days 365 -config ./openssl.cnf
  2. Initialize serial number:
    echo '100001' > CA/serial
  3. Init cert db:
    touch CA/certindex.txt
  4. Open CA/cacert.pem on OSX and trust it in the keychain.

To issue new certificate:

  1. Generate new RSA private key:
    openssl genrsa -out private/ssl.key 4096
  2. Make a new certificate request:
    openssl req -new -out ./ssl.req -key private/ssl.key -config ./openssl.cnf
  3. (optional) Check request for Subject Alternative Name info (SAN)
    openssl req -text -noout -in ./ssl.req
  4. Issue new cert from CA:
    openssl ca -in ssl.req -out ssl.cert -config openssl.cnf -extensions v3_req
  5. (optional) Verify SAN in output cert:
    openssl x509 -in ssl.cert -noout -text
  6. (optional) Verify trust: openssl verify -CAfile CA/cacert.pem ssl.cert
    To revoke (e.g. need to update IP address):
    openssl ca -revoke ./CA/certs/100001.pem -config openssl.cnf
@ioancw

This comment has been minimized.

Show comment
Hide comment
@ioancw

ioancw Jun 26, 2017

Hello, thanks for the solution.
I've followed your steps above, which (at the end of step 4 creates a new CA in CA/certs called 100001.pem.

Question. Which file do I move to my server (as c.NotebookApp.certfile)? Is it cacert.pem, or 100001.pem? Also which do I open/use on my iPad?

Thanks

ioancw commented Jun 26, 2017

Hello, thanks for the solution.
I've followed your steps above, which (at the end of step 4 creates a new CA in CA/certs called 100001.pem.

Question. Which file do I move to my server (as c.NotebookApp.certfile)? Is it cacert.pem, or 100001.pem? Also which do I open/use on my iPad?

Thanks

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift Jun 26, 2017

@ioancw ssl.cert should be on the server

cacert.pem is what you need to open and trust on your iPad.

dopplershift commented Jun 26, 2017

@ioancw ssl.cert should be on the server

cacert.pem is what you need to open and trust on your iPad.

@ioancw

This comment has been minimized.

Show comment
Hide comment
@ioancw

ioancw Jun 26, 2017

Thanks for the info.
So I copied ssl.cert and ssl.key to the server, and set:
c.NotebookApp.certfile = ssl.cert and
c.NotebookApp.keyfile = ssl.key

Everything seems to be ok when I run from my Mac, i.e. I can get a kernel and perform a calc in Jupyter. But after sending cacert.pem to my iPad and installing it, I still get a 'connecting to kernel' message.

Thanks

ioancw commented Jun 26, 2017

Thanks for the info.
So I copied ssl.cert and ssl.key to the server, and set:
c.NotebookApp.certfile = ssl.cert and
c.NotebookApp.keyfile = ssl.key

Everything seems to be ok when I run from my Mac, i.e. I can get a kernel and perform a calc in Jupyter. But after sending cacert.pem to my iPad and installing it, I still get a 'connecting to kernel' message.

Thanks

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift Jun 27, 2017

All I can offer is to open up settings > General > profiles and make sure the CA cert is there and that all of the information in the fields looks good (and trusted). My setup still seems to work fine.

If your server doesn't have a DNS name you may need to set up the alternative name stuff listed in openssl.cnf above.

dopplershift commented Jun 27, 2017

All I can offer is to open up settings > General > profiles and make sure the CA cert is there and that all of the information in the fields looks good (and trusted). My setup still seems to work fine.

If your server doesn't have a DNS name you may need to set up the alternative name stuff listed in openssl.cnf above.

@ioancw

This comment has been minimized.

Show comment
Hide comment
@ioancw

ioancw Jun 27, 2017

@dopplershift thanks for your reply. I will check it out tonight.

ioancw commented Jun 27, 2017

@dopplershift thanks for your reply. I will check it out tonight.

@ioancw

This comment has been minimized.

Show comment
Hide comment
@ioancw

ioancw Jun 27, 2017

@dopplershift thanks. that did the trick (adding the ip address of my server).
All works now on my iPad.

ioancw commented Jun 27, 2017

@dopplershift thanks. that did the trick (adding the ip address of my server).
All works now on my iPad.

@ioancw

This comment has been minimized.

Show comment
Hide comment
@ioancw

ioancw Jun 27, 2017

Another minor point. I've noticed that tab auto-completion doesn't work when using my iPad keyboard (it's a 10.5 iPad Pro). Incidentally it also doesn't work with azure Jupyter notebooks. So may well be my set up. Is this configurable within Jupyter?

ioancw commented Jun 27, 2017

Another minor point. I've noticed that tab auto-completion doesn't work when using my iPad keyboard (it's a 10.5 iPad Pro). Incidentally it also doesn't work with azure Jupyter notebooks. So may well be my set up. Is this configurable within Jupyter?

@kimolas

This comment has been minimized.

Show comment
Hide comment
@kimolas

kimolas Jul 4, 2017

I was able to run all of your instructions, @dopplershift. However, when I run jupyter notebook on my server and try to access the webpage from my iPad, I keep getting a prompt to "Enter PEM pass phrase" which prevents me from actually accessing my notebook. I can provide it the pass phrase several times and I can log in on my iPad, but then I cannot connect to the kernel since no matter how many times I provide the pass phrase it will eventually time out and say that the kernel could not be connected to.

I guess the pass phrase needs to be stored in the system keychain, but I am not sure how to do that. @ioancw did you have this problem as well?

Running macOS Sierra on my server and iOS 11 on my iPad Pro 10.5", although I have the same problem with iOS 10 on my iPad Air 2. Notebook works perfectly fine without SSL.

kimolas commented Jul 4, 2017

I was able to run all of your instructions, @dopplershift. However, when I run jupyter notebook on my server and try to access the webpage from my iPad, I keep getting a prompt to "Enter PEM pass phrase" which prevents me from actually accessing my notebook. I can provide it the pass phrase several times and I can log in on my iPad, but then I cannot connect to the kernel since no matter how many times I provide the pass phrase it will eventually time out and say that the kernel could not be connected to.

I guess the pass phrase needs to be stored in the system keychain, but I am not sure how to do that. @ioancw did you have this problem as well?

Running macOS Sierra on my server and iOS 11 on my iPad Pro 10.5", although I have the same problem with iOS 10 on my iPad Air 2. Notebook works perfectly fine without SSL.

@ioancw

This comment has been minimized.

Show comment
Hide comment
@ioancw

ioancw Jul 4, 2017

No I didn't have the same problem.
I set up my server following the instructions here:
https://github.com/yhilpisch/cloud-python

The only difference is the way we create the key - and I followed the steps detailed in this step.

ioancw commented Jul 4, 2017

No I didn't have the same problem.
I set up my server following the instructions here:
https://github.com/yhilpisch/cloud-python

The only difference is the way we create the key - and I followed the steps detailed in this step.

@kimolas

This comment has been minimized.

Show comment
Hide comment
@kimolas

kimolas Jul 4, 2017

I see, thanks! I'll give it a shot. By the way, tab completion works for me, although it only really works if there is a unique completion.

kimolas commented Jul 4, 2017

I see, thanks! I'll give it a shot. By the way, tab completion works for me, although it only really works if there is a unique completion.

@kimolas

This comment has been minimized.

Show comment
Hide comment
@kimolas

kimolas Jul 4, 2017

@ioancw It looks like the instructions you linked to create a certificate without a passcode, so it circumvents the PEM key input issue. That's fine with me, although I am now running into the following error:

img_0034

The Jupyter instance shows this:

img_0035

I might be missing something obvious/simple. Any ideas?

kimolas commented Jul 4, 2017

@ioancw It looks like the instructions you linked to create a certificate without a passcode, so it circumvents the PEM key input issue. That's fine with me, although I am now running into the following error:

img_0034

The Jupyter instance shows this:

img_0035

I might be missing something obvious/simple. Any ideas?

@86magic

This comment has been minimized.

Show comment
Hide comment
@86magic

86magic Jul 18, 2017

I spent a lot of time trying to solve this. And finally it works thanks to instructions from @dopplershift. Thank you!

86magic commented Jul 18, 2017

I spent a lot of time trying to solve this. And finally it works thanks to instructions from @dopplershift. Thank you!

@pretesh100

This comment has been minimized.

Show comment
Hide comment
@pretesh100

pretesh100 Aug 23, 2017

@ioancw @dopplershift
I have the same issue where from a regular pc/browser my jupyterhub works fine, but when I try to run from iphone/ipad (both safari and chrome), i get the "kernel not connecting" error.

I have tried adding the following line to my conf (I dont have anything for DNS):

[alt_names]
IP.1 = 173.232.XXX.XX (my ip address)

When I check the configuration settings of the installed certificate on my iphone I dont see my IP address anywhere (should I be able to see it there?)

Any other ideas/troubleshooting I can try??

pretesh100 commented Aug 23, 2017

@ioancw @dopplershift
I have the same issue where from a regular pc/browser my jupyterhub works fine, but when I try to run from iphone/ipad (both safari and chrome), i get the "kernel not connecting" error.

I have tried adding the following line to my conf (I dont have anything for DNS):

[alt_names]
IP.1 = 173.232.XXX.XX (my ip address)

When I check the configuration settings of the installed certificate on my iphone I dont see my IP address anywhere (should I be able to see it there?)

Any other ideas/troubleshooting I can try??

@dopplershift

This comment has been minimized.

Show comment
Hide comment
@dopplershift

dopplershift Aug 24, 2017

@pretesh100 Sorry, nothing springs to mind here. I can say that I don't see the alt_names listed on my iPad either, and everything seems to work.

dopplershift commented Aug 24, 2017

@pretesh100 Sorry, nothing springs to mind here. I can say that I don't see the alt_names listed on my iPad either, and everything seems to work.

@pretesh100

This comment has been minimized.

Show comment
Hide comment
@pretesh100

pretesh100 Aug 24, 2017

@dopplershift I manged to get it working. I found this dummies guide with all the steps which seems to have done the trick.

For anyone else stuck - here is the link:

https://kernels.io/ssl-self-signed-cert/

pretesh100 commented Aug 24, 2017

@dopplershift I manged to get it working. I found this dummies guide with all the steps which seems to have done the trick.

For anyone else stuck - here is the link:

https://kernels.io/ssl-self-signed-cert/

@navoshta

This comment has been minimized.

Show comment
Hide comment
@navoshta

navoshta Nov 4, 2017

Here's an updated link of the article above on how to configure valid SSL certificate in order to connect to your Jupyter server from iPad:

https://juno.sh/ssl-self-signed-cert/

navoshta commented Nov 4, 2017

Here's an updated link of the article above on how to configure valid SSL certificate in order to connect to your Jupyter server from iPad:

https://juno.sh/ssl-self-signed-cert/

@garyzhalo

This comment has been minimized.

Show comment
Hide comment
@garyzhalo

garyzhalo Jan 21, 2018

What IP should I put in the alt_names? The public IP for the router or the static local ip assigned to the server?

garyzhalo commented Jan 21, 2018

What IP should I put in the alt_names? The public IP for the router or the static local ip assigned to the server?

@navoshta

This comment has been minimized.

Show comment
Hide comment
@navoshta

navoshta Jan 25, 2018

@garyzhalo Should be server's public address that iPad will try to open in Safari.

navoshta commented Jan 25, 2018

@garyzhalo Should be server's public address that iPad will try to open in Safari.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment