[LON-CAPA-admin] SSL setup

Lars ljensen at tmcc.edu
Wed Aug 22 19:11:39 EDT 2018


Hi Stuart,

Thanks for pointing this out - I hadn't configured
SSLCertificateKeyFile in ssl.conf; after doing that, the setup checks
out correctly. I didn't think I had to, because I have some other
servers, all running Debian, and didn't configure
SSLCertificateKeyFile on these, and they check out "correct" on
http://whatsmychaincert.com/ ... so I didn't think I needed to
configure SSLCertificateKeyFile on CentOS either.

Lars.
On Wed, Aug 22, 2018 at 3:27 PM Raeburn, Stuart <raeburn at msu.edu> wrote:
>
> Lars,
>
> >
> > Could we add certbot to the lon-capa distribution so one doesn't have to worry about the
> > epel repository?
> >
>
> A number of institutions which currently run LON-CAPA domains may have policies requiring use of SSL certificates signed by institutionally-authorized signers (e.g., InCommon) for public-facing web sites, and therefore would have no use for certbot.
>
> Anyway, I will give some thought to how best to integrate the letsencrypt.org certbot service into LON-CAPA. Participants at recent LON-CAPA conferences, and also those who follow commits to CVS (e.g., source.loncapa.org/cvs/ ), will know that I have recently been working on extending SSL certificate provisioning for "internal" traffic between LON-CAPA nodes.
>
> You might check the entries you have on your server for:
> SSLCertificateFile, SSLCertificateChainFile, and SSLCertificateKeyFile in your Apache config file, e.g., /etc/httpd/conf.d/ssl.conf, and also the permissions/ownership of the files at which those entries point.
>
> If I test your LON-CAPA server using: whatsmychaincert.com it reports your server has a misconfigured certificate chain.
>
> Similarly, for your server, www.ssllabs.com/ssltest/
> reports: "This server's certificate chain is incomplete."
>
> From the command line on Linux you can also do:
> openssl s_client  -connect <hostname>:443
>
> replacing <hostname> with your server's hostname.
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
> ________________________________________
> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Lars <ljensen at tmcc.edu>
> Sent: Wednesday, August 22, 2018 12:59 AM
> To: list about administration and system updating
> Subject: Re: [LON-CAPA-admin] SSL setup
>
> Hi Stuart,
>
> Thanks for your reply.
>
> We're on CentOS7, and I added a file to my /etc/httpd/conf.d directory
> containing only these 3 lines:
> <VirtualHost *:80>
>     RewriteOptions Inherit
> </VirtualHost>
>
> and now automatic renewal with certbot seems to work.
>
> I have one more question regarding the installation of certbot.
> certbot would not install without first adding the epel repository:
> yum install epel-release
> so I added this repository, and certbot installed. However, when I next
> did a yum update, suddenly there were updates available, including
> mod-perl, maxima, R, and lots more. (I worried that I broke my system,
> but after uninstalling the updates, removing epel, and re-running
> .UPDATE the server seems to be fine.) Could we add certbot to the
> lon-capa distribution so one doesn't have to worry about the epel
> repository?
>
> Lars.
> On Tue, Aug 21, 2018 at 8:28 PM Raeburn, Stuart <raeburn at msu.edu> wrote:
> >
> > Lars,
> >
> > >
> > > Is it OK to leave the VirtualHost sequence above permanently in httpd.conf?
> > >
> >
> > You can leave a <VirtualHost *:80></VirtualHost> block permanently in httpd.conf on CentOS/RedHat/Scientific Linux if you so wish.  (For other Linux distros you would put <VirtualHost *:80> in a different file).
> >
> > However, if you do, you should also include this line inside the virtualhost block:
> > RewriteOptions Inherit
> > so that the rewrite rules in /etc/httpd/conf/loncapa_rewrite.conf apply, assuming you have: RewriteEngine on
> > within that file (recommended).
> >
> > My own experience with the Let's Encrypt certbot has been that a <VirtualHost *:443></VirtualHost> block within /etc/httpd/conf.d/ssl.conf means I don't need a <VirtualHost *:80> block in httpd.conf to satisfy certbot's requirements when renewing certs.
> >
> > Stuart Raeburn
> > LON-CAPA Academic Consortium
> >
> > ________________________________________
> > From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Lars <ljensen at tmcc.edu>
> > Sent: Sunday, August 19, 2018 11:24:20 PM
> > To: list about administration and system updating
> > Subject: [LON-CAPA-admin] SSL setup
> >
> > Hi Everyone,
> >
> > We just configured our server for https, and things seem to be
> > working well, except for some issues related to the generation of the
> > certificate. We're using Let's Encrypt's free certificates, generated by
> > certbot.
> >
> > First, we had an issue generating the initial certificate, apparently
> > because the loncapa httpd.conf file does not include a VirtualHost
> > configuration. So I tricked certbot and included a
> > <VirtualHost *:80>
> >     ServerAdmin admin at example.com
> >     ServerName myserver.tmcc.edu
> >     ServerAlias myserver.tmcc.edu
> >     DocumentRoot /home/httpd/html
> > </VirtualHost>
> > sequence in httpd.conf. That worked and certbot generated the
> > certificate, and then I removed the VirtualHost entry again from
> > httpd.conf.
> >
> > However, the certificate is only valid for 89 days, and needs to be
> > updated at regular intervals because of this, so I created a certbot
> > renew entry in my crontab. However, when crontab runs it, we get the
> > same error that httpd.conf doesn't have a virtualhost entry, so no
> > new certificate is generated.
> >
> > How can I fix this? Is it OK to leave the VirtualHost sequence above
> > permanently in httpd.conf?
> >
> > Thanks,
> > Lars.
> >
> > --
> >
> >
> > --
> >
> > *Public Records Notice:* In accordance with Nevada Revised Statutes
> > (NRS) Chapter 239, this email and responses, unless otherwise made
> > confidential by law, may be subject to the Nevada Public Records laws and
> > may be disclosed to the public upon request.
> > _______________________________________________
> > LON-CAPA-admin mailing list
> > LON-CAPA-admin at mail.lon-capa.org
> > http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>

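Added example (the editor's, not code from LON-CAPA or from anyone in this thread): a POSIX shell script that performs offline the checks Stuart suggests for SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile, and builds a constructed root / intermediate / server chain so you can see what a missing chain file or a mismatched private key looks like before SSL Labs or whatsmychaincert.com tells you. It assumes only that openssl(1) is installed; the hostnames, file names and the demo PKI are made up.

```shell
#!/bin/sh
# Added example, not part of LON-CAPA or of the thread above: offline checks for the
# three mod_ssl directives discussed (SSLCertificateFile, SSLCertificateChainFile,
# SSLCertificateKeyFile). Needs only openssl(1). All file names are assumptions.
set -u

# cert_key_match CERT KEY: 0 if the public half of KEY equals the key inside CERT.
# A wrong or stale SSLCertificateKeyFile is exactly this mismatch.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# chain_verifies ROOTS CHAIN LEAF: 0 if LEAF chains up to a root in ROOTS using the
# intermediates in CHAIN. An empty CHAIN reproduces the "certificate chain is
# incomplete" finding: a client that only trusts ROOTS cannot build a path to LEAF.
chain_verifies() {
    if [ -s "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# key_perms_ok KEY: 0 if the private key has no group or other permission bits
# (columns 5-10 of ls -l are the group and other rwx fields).
key_perms_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_apache_ssl CERT CHAIN KEY ROOTS: run the three checks, print a verdict for
# each, and return 1 if any of them failed.
check_apache_ssl() {
    rc=0
    if cert_key_match "$1" "$3"; then echo "ok   SSLCertificateKeyFile matches SSLCertificateFile"
    else echo "FAIL private key does not match the certificate"; rc=1; fi
    if chain_verifies "$4" "$2" "$1"; then echo "ok   chain verifies up to a trusted root"
    else echo "FAIL certificate chain incomplete or untrusted"; rc=1; fi
    if key_perms_ok "$3"; then echo "ok   private key is not group/world readable"
    else echo "FAIL private key is readable by group or others"; rc=1; fi
    return $rc
}

# make_demo_pki DIR: constructed test data, a root -> intermediate -> server chain
# with throwaway EC keys, so the checks can be exercised without a real server.
make_demo_pki() {
    d=$1; mkdir -p "$d"
    ec='ec -pkeyopt ec_paramgen_curve:prime256v1'   # word-split on purpose below
    openssl req -x509 -newkey $ec -nodes -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:loncapa.example.edu\n' >"$d/leaf.ext"
    openssl req -new -newkey $ec -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl req -new -newkey $ec -nodes -subj '/CN=loncapa.example.edu' \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 2 -extfile "$d/leaf.ext" -out "$d/server.pem" >/dev/null 2>&1
    : >"$d/empty.pem"            # stands in for a missing SSLCertificateChainFile
    chmod 600 "$d/server.key"
    chmod 644 "$d/int.key"       # deliberately loose, so key_perms_ok has something to catch
}

if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d); make_demo_pki "$d"
    echo "--- correct configuration"
    check_apache_ssl "$d/server.pem" "$d/int.pem" "$d/server.key" "$d/root.pem"
    echo "--- chain file missing, wrong (and world-readable) key"
    check_apache_ssl "$d/server.pem" "$d/empty.pem" "$d/int.key" "$d/root.pem"
    rm -rf "$d"
elif [ $# -eq 4 ]; then
    check_apache_ssl "$@"; exit $?
elif [ $# -ne 0 ]; then
    echo "usage: $0 --demo | CERT CHAIN KEY ROOTS" >&2; exit 2
fi
```

Run `sh check_ssl.sh --demo` to see both the passing and the failing report, or point it at the files your ssl.conf names, for example `sh check_ssl.sh /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/chain.pem /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/ca-bundle.crt` (paths are assumptions; use whatever the three directives actually point at). The live equivalent of the chain check is Stuart's `openssl s_client -connect <hostname>:443`, with `-showcerts` added to print every certificate the server sends; if the intermediate is not in that output, clients that do not cache it will see an incomplete chain. Two caveats: CentOS 7's httpd 2.4.6 still uses SSLCertificateChainFile, whereas Apache 2.4.8 and later deprecate it in favour of appending the intermediates to the SSLCertificateFile; and according to the mod_ssl documentation, omitting SSLCertificateKeyFile makes mod_ssl look for the private key inside the SSLCertificateFile, which is why a distribution whose default ssl config sets the directive can appear not to need it.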

