[LON-CAPA-admin] SSL setup

Raeburn, Stuart raeburn at msu.edu
Wed Aug 22 18:25:44 EDT 2018


Lars,

>
> Could we add certbot to the lon-capa distribution so one doesn't have to worry about the 
> epel repository?
>

A number of institutions which currently run LON-CAPA domains may have policies requiring use of SSL certificates signed by institutionally-authorized signers (e.g., InCommon) for public-facing web sites, and therefore would have no use for certbot.

Anyway, I will give some thought to how best to integrate the letsencrypt.org certbot service into LON-CAPA. Participants at recent LON-CAPA conferences, and also those who follow commits to CVS (e.g., source.loncapa.org/cvs/ ), will know that I have recently been working on extending SSL certificate provisioning for "internal" traffic between LON-CAPA nodes. 

You might check the entries you have on your server for:
SSLCertificateFile, SSLCertificateChainFile, and SSLCertificateKeyFile in your Apache config file, e.g., /etc/httpd/conf.d/ssl.conf, and also the permissions/ownership of the files at which those entries point.

If I test your LON-CAPA server using: whatsmychaincert.com it reports your server has a misconfigured certificate chain.

Similarly, for your server, www.ssllabs.com/ssltest/ reports: "This server's certificate chain is incomplete."

From the command line on Linux you can also do:
openssl s_client  -connect <hostname>:443

replacing <hostname> with your server's hostname.


Stuart Raeburn
LON-CAPA Academic Consortium
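Added example (not part of Stuart's message or LON-CAPA's code): a small Python parser for the `openssl s_client` output described above, run over two constructed transcripts, one showing the "chain incomplete" symptom and one after the chain file is in place. Host and CA names are placeholders.

```python
import re

# Constructed transcripts of `openssl s_client -connect <hostname>:443`.
# Host and certificate names are placeholders, not the server from the thread.
# 1) Server sends only its leaf: the "chain incomplete" symptom described above.
INCOMPLETE = """CONNECTED(00000003)
depth=0 CN = lon-capa.example.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = lon-capa.example.edu
   i:C = US, O = Example CA, CN = Example Intermediate
---
    Verify return code: 21 (unable to verify the first certificate)
"""
# 2) Same server once SSLCertificateChainFile points at the intermediate.
COMPLETE = """CONNECTED(00000003)
depth=2 C = US, O = Example CA, CN = Example Root
verify return:1
---
Certificate chain
 0 s:CN = lon-capa.example.edu
   i:C = US, O = Example CA, CN = Example Intermediate
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
---
    Verify return code: 0 (ok)
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return re.findall(r"^ *\d+ s:(.*)\n *i:(.*)$", output, re.MULTILINE)

def chain_report(output):
    """Summarise an s_client transcript: depth, issuers not served, verify code."""
    chain = parse_chain(output)
    m = re.search(r"Verify return code: (\d+)", output)
    code = int(m.group(1)) if m else None
    served = {subject for subject, _ in chain}
    # An issuer that is neither self-signed nor sent as a later certificate was
    # not served. The root is legitimately absent (it lives in the client's trust
    # store), so only flag the chain when openssl also failed to build it
    # (return code 20 or 21), which is what a missing intermediate produces.
    not_served = [iss for subj, iss in chain if iss != subj and iss not in served]
    incomplete = bool(not_served) and code in (20, 21)
    return {"depth": len(chain), "not_served": not_served, "verify_code": code, "incomplete": incomplete}
```

On a live server, feed the output of `openssl s_client -connect <hostname>:443 < /dev/null` to `chain_report`; an `incomplete` result means the intermediate named in `not_served` is what the SSLCertificateChainFile entry should supply.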

________________________________________
From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Lars <ljensen at tmcc.edu>
Sent: Wednesday, August 22, 2018 12:59 AM
To: list about administration and system updating
Subject: Re: [LON-CAPA-admin] SSL setup

Hi Stuart,

Thanks for your reply.

We're on CentOS7, and I added a file to my /etc/httpd/conf.d directory
containing only these 3 lines:
<VirtualHost *:80>
    RewriteOptions Inherit
</VirtualHost>

and now automatic renewal with certbot seems to work.

I have one more question regarding the installation of certbot.
certbot would not install without first adding the epel repository:
yum install epel-release
so I added this repository, and certbot installed. However, when I next
did a yum update, suddenly there were updates available, including
mod-perl, maxima, R, and lots more. (I worried that I broke my system,
but after uninstalling the updates, removing epel, and re-running
.UPDATE the server seems to be fine.) Could we add certbot to the
lon-capa distribution so one doesn't have to worry about the epel
repository?

Lars.
On Tue, Aug 21, 2018 at 8:28 PM Raeburn, Stuart <raeburn at msu.edu> wrote:
>
> Lars,
>
> >
> > Is it OK to leave the VirtualHost sequence above permanently in httpd.conf?
> >
>
> You can leave a <VirtualHost *:80></VirtualHost> block permanently in httpd.conf on CentOS/RedHat/Scientific Linux if you so wish.  (For other Linux distros you would put <VirtualHost *:80> in a different file).
>
> However, if you do, you should also include this line inside the virtualhost block:
> RewriteOptions Inherit
> so that the rewrite rules in /etc/httpd/conf/loncapa_rewrite.conf apply, assuming you have: RewriteEngine on
> within that file (recommended).
>
> My own experience with the Let's Encrypt certbot has been that a <VirtualHost *:443></VirtualHost> block within /etc/httpd/conf.d/ssl.conf means I don't need a <VirtualHost *:80> block in httpd.conf to satisfy certbot's requirements when renewing certs.
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
> ________________________________________
> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Lars <ljensen at tmcc.edu>
> Sent: Sunday, August 19, 2018 11:24:20 PM
> To: list about administration and system updating
> Subject: [LON-CAPA-admin] SSL setup
>
> Hi Everyone,
>
> We just configured our server for https, and things seem to be
> working well, except for some issues related to the generation of the
> certificate. We're using Let's Encrypt's free certificates, generated by
> certbot.
>
> First, we had an issue generating the initial certificate, apparently
> because the loncapa httpd.conf file does not include a VirtualHost
> configuration. So I tricked certbot and included a
> <VirtualHost *:80>
>     ServerAdmin admin@example.com
>     ServerName myserver.tmcc.edu
>     ServerAlias myserver.tmcc.edu
>     DocumentRoot /home/httpd/html
> </VirtualHost>
> sequence in httpd.conf. That worked and certbot generated the
> certificate, and then I removed the VirtualHost entry again from
> httpd.conf.
>
> However, the certificate is only valid for 89 days, and needs to be
> updated at regular intervals because of this, so I created a certbot
> renew entry in my crontab. However, when crontab runs it, we get the
> same error that  httpd.conf doesn't have a virtualhost entry, so no
> new certificate is generated.
>
> How can I fix this? Is it OK to leave the VirtualHost sequence above
> permanently in httpd.conf?
>
> Thanks,
> Lars.
>
> --
>
>
> --
>
> *Public Records Notice:* In accordance with Nevada Revised Statutes
> (NRS) Chapter 239, this email and responses, unless otherwise made
> confidential by law, may be subject to the Nevada Public Records laws and
> may be disclosed to the public upon request.
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> https://urldefense.proofpoint.com/v2/url?u=http-3A__mail.lon-2Dcapa.org_mailman_listinfo_lon-2Dcapa-2Dadmin&d=DwIGaQ&c=nE__W8dFE-shTxStwXtp0A&r=VsGo3jOm8tGLd6f-KlhT-g&m=liYkEpLV4NS53ig_Fql36ORd32ijnf1YJlvEhfTTYqg&s=MQX79tNRTTEFHUinehNhAPzvqEtIQ-BT0bDojjAXrC8&e=
