Securing Storage Made Easy with Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

Read more at About Let’s Encrypt

Storage Made Easy recommends that all traffic be secured with encryption; in fact, by default we enforce the use of HTTPS. That said, the software ships with self-signed certificates to get you started, so when you first connect most browsers will greet you with an Invalid Certificate message. Self-signed certificates are fine for pre-production, setup and testing, but real certificates need to be added for production. In this post I will show you how to set up a free of charge, trusted certificate with our product.

Before you start, make sure you have already configured your firewall for external web traffic to the appliance, i.e. you can reach your SME instance from the public internet on port 443 (HTTPS). You must also have configured the external DNS records for the FQDN of your new appliance.

Let’s get started

First, log in to the CLI of the appliance as the smeconfiguser.

Start the configuration server:

# smeconfigserver

Connect to your appliance on port 8080 with a common browser.

Verify that all settings are correct, especially the hostnames for SME, WebDAV and S3 protocol access.
In this example I am using sme.smedev.com, webdav.smedev.com, and s3.smedev.com.

Installing Let’s Encrypt

After you are happy with the settings (and after a reboot, if changing them required one), log back in to the CLI. This time, elevate your privileges to root:

su -

Download and install the Let’s Encrypt package:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Once the package is installed with its dependencies, go ahead and request the certificate. You must change the domain names to your own DNS names. If you are not using WebDAV or S3, just leave off one (or two) of the “-d fqdn” arguments in the command below.

# cd /opt/letsencrypt
# ./letsencrypt-auto --apache -d sme.smedev.com -d webdav.smedev.com  -d s3.smedev.com

This command can take a while to complete, since the Let’s Encrypt service will actually connect to your server to verify that the DNS names point to it. It will also ask you a few questions about the setup; the only input required is an email address to receive updates and notices regarding your certificate. After it has completed, you will have a few new symlinks:

/etc/letsencrypt/live/sme.smedev.com/cert.pem
/etc/letsencrypt/live/sme.smedev.com/chain.pem
/etc/letsencrypt/live/sme.smedev.com/fullchain.pem
/etc/letsencrypt/live/sme.smedev.com/privkey.pem

Once again, note that your path will differ from the above, so be sure to use your own path.

Let’s use the new certificate

Once the new server key, certificate and chain have been created, we have to configure SME to use these new files:

vi /etc/httpd/conf.d/ssl.conf

In this file, remove the following two lines:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

and insert the following four:

SSLCertificateFile /etc/letsencrypt/live/sme.smedev.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sme.smedev.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sme.smedev.com/chain.pem
SSLCACertificateFile /etc/letsencrypt/live/sme.smedev.com/fullchain.pem

It is important to point ssl.conf at the paths under /etc/letsencrypt/live (rather than copying the files elsewhere) so that automatically renewed certificates are picked up going forward.

Restart Apache to make the changes take effect:

systemctl restart httpd

To verify that your new certificate is in place and working, simply browse to https://your.sme.com/ with the browser of your choice. You should see the “green” padlock, and the annoying Invalid Certificate message should be gone.

Automatically renewing your certificate

A Let’s Encrypt certificate is valid for 90 days, but it can be automatically renewed within 30 days of expiration. To accomplish this, let’s create a cron job that runs once a week, checks the certificate, and renews it automatically if it is within 30 days of expiration.

To build a job that runs once a week at 2:30 am, add the following line to “/etc/crontab” on the appliance:

# vi /etc/crontab

In the example below the job runs on Monday mornings, but you can of course adjust this as well.
30 2 * * 1 root /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt/le-renew.log
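Between the browser check above and the weekly cron job, it helps to have a scripted way to confirm the same three things on the appliance itself: that ssl.conf points at a certificate and key that belong together, that the certificate actually covers every hostname SME serves (sme, webdav, s3), and whether the certificate is inside the 30-day renewal window the cron job relies on. The script below is an added example, not Storage Made Easy's or Let's Encrypt's code; it assumes only the openssl command-line tool. The make_test_cert helper builds a constructed self-signed stand-in for the live cert.pem/privkey.pem pair so the checks can be tried offline; on a real appliance you would point check_ssl_conf at /etc/httpd/conf.d/ssl.conf instead.

```shell
#!/bin/sh
# Added example (not SME's or Let's Encrypt's code). Requires the openssl CLI.
# Hostnames and paths follow the post; generated certificates are constructed.

# Make a self-signed cert + key with the given DNS SANs, as a stand-in for
# /etc/letsencrypt/live/<host>/{cert,privkey}.pem (constructed test data).
# Usage: make_test_cert DIR DAYS HOST [HOST...]
make_test_cert() {
  dir=$1; days=$2; shift 2
  primary=$1
  san=""
  for h in "$@"; do
    san="${san:+$san,}DNS:$h"
  done
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $primary
[v3_req]
subjectAltName = $san
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# Exit 0 when CERT expires within DAYS days, i.e. it is inside the renewal
# window (the post's cron job renews at 30 days). Uses openssl's -checkend,
# which exits 0 only if the cert is still valid after the given seconds.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Exit 0 when CERT lists HOST as a DNS subjectAltName (exact match, so
# sme.smedev.com does not accept a cert issued only for s3.smedev.com).
cert_covers_host() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:${pat}(,|\$)"
}

# Exit 0 when the public key inside CERT equals the one derived from KEY.
# Apache would refuse to start (or serve the wrong identity) otherwise.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Read the paths Apache will load from an ssl.conf and confirm the files
# exist and belong together. Usage: check_ssl_conf CONF
check_ssl_conf() {
  cert=$(awk '$1=="SSLCertificateFile"{print $2}' "$1" | tail -n 1)
  key=$(awk '$1=="SSLCertificateKeyFile"{print $2}' "$1" | tail -n 1)
  [ -r "$cert" ] || { echo "missing certificate file: $cert"; return 1; }
  [ -r "$key" ]  || { echo "missing key file: $key"; return 1; }
  key_matches_cert "$cert" "$key" || { echo "key does not match certificate"; return 1; }
  echo "ssl.conf ok: $cert"
}

# Full check for one appliance: ssl.conf sanity, SAN coverage for every
# hostname SME serves, and whether the weekly renew job would act now.
# Usage: run_checks CONF HOST [HOST...]
run_checks() {
  conf=$1; shift
  check_ssl_conf "$conf" || return 1
  cert=$(awk '$1=="SSLCertificateFile"{print $2}' "$conf" | tail -n 1)
  for h in "$@"; do
    cert_covers_host "$cert" "$h" || { echo "certificate does not cover $h"; return 1; }
  done
  if needs_renewal "$cert" 30; then
    echo "within 30 days of expiry: renew now"
  else
    echo "more than 30 days left: renewal job will wait"
  fi
}
```

On the appliance, `run_checks /etc/httpd/conf.d/ssl.conf sme.smedev.com webdav.smedev.com s3.smedev.com` (with your own hostnames) is the manual equivalent of what the cron entry above decides automatically every Monday, and is worth running once after editing ssl.conf and before restarting httpd.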

I hope you have enjoyed this tutorial and I hope you will let me know if you use it for your deployment of the Storage Made Easy Enterprise File Sync and Share Fabric Solution.
