Securing Storage Made Easy with Let’s Encrypt using Certbot

Storage Made Easy recommends that all traffic be secured with encryption; in fact, by default we enforce the use of HTTPS communication. That said, the software ships with self-signed certificates to get you started, and when you first connect you will be greeted by an Invalid Certificate message in most browsers. Self-signed certificates are fine for pre-production, setup and testing, but real certificates need to be added for production. In this post I will show you how to set up a free of charge, trusted certificate with our product. Let’s Encrypt is the name of the Certificate Authority we will be using; it provides free SSL certificates valid for 90 days.

Before you start, make sure you have already configured your firewall for external web traffic to the appliance, i.e. you can access your SME instance from the public internet on port 443 (https). You must also have configured the external DNS servers for the FQDN of your new appliance.

Let’s get started

First, log in to the CLI of the appliance as the smeconfiguser

Start the configuration server

# smeconfigserver

Connect to your appliance on port 8080 with a common browser

Verify that all settings are correct, and especially the hostnames for SME, webdav and s3 protocol access.
In this example I am using sme.smedev.com, webdav.smedev.com, and s3.smedev.com.

Installing Let’s Encrypt Certbot

After you are happy with the settings, and after a potential reboot if you changed them, log back in to the CLI. This time, elevate your privilege to root by typing the following command and entering the root password when prompted.

# su -

Download and install the Let’s Encrypt package:

# yum install python-certbot-apache

Once the package is installed with dependencies, go ahead and request the certificate. You must change the domain names to your DNS names. If you are not using webdav or s3, just leave off one (or two) “-d fqdn” in the command below.

# certbot --apache -d devoffice.smestorage.com -d s3.devoffice.smestorage.com -d webdavdevoffice.smestorage.com

This command can take a while to complete, since the Let’s Encrypt service will actually connect to your server to verify that the DNS names point to the correct server. It will also ask you a few questions about the setup; the only thing you have to do is enter an email address to receive updates and notices regarding your certificate. After it has completed, you will have a few new symlinks:

/etc/letsencrypt/live/sme.smedev.com/cert.pem

/etc/letsencrypt/live/sme.smedev.com/chain.pem

/etc/letsencrypt/live/sme.smedev.com/fullchain.pem

/etc/letsencrypt/live/sme.smedev.com/privkey.pem

Once again, note that your path will be different from the one above, so make sure to use your own path.

Let’s use the new certificate

Once the new server key, certificate and chain are created, we have to configure SME to use these new files.

# vi /etc/httpd/conf.d/ssl.conf

In this file, remove the following two lines:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

and insert the following four:

SSLCertificateFile /etc/letsencrypt/live/sme.smedev.com/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/sme.smedev.com/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/sme.smedev.com/chain.pem

SSLCACertificateFile /etc/letsencrypt/live/sme.smedev.com/fullchain.pem

It is important to change the path in the ssl.conf file to ensure that the automatic updates of the cert file will work going forward.

Restart Apache to make the changes take effect using the following command:

# systemctl restart httpd

Confirm that Apache has restarted successfully by typing the following command:

# systemctl status httpd

To verify that your new certificate is in place and working, simply browse to https://your.sme.com/ with the browser of your choice. You should see the “green” padlock, and the annoying message should be gone.

Automatically renewing your certificate

A Let’s Encrypt certificate is valid for 90 days, but it can be renewed automatically within 30 days of expiration. To accomplish this, let’s create a cron job that runs once a week, checks the certificate and, if it is within 30 days of expiration, renews it automatically.
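Beyond the browser check above and the 30-day renewal window, here is a small Python check of the certificate the appliance actually serves: it performs a validated TLS handshake, confirms every hostname you passed to certbot is covered, and reports how many days are left before renewal is due. This is an added example, not part of the post or the Storage Made Easy product; it uses the post’s sample hostnames and a constructed certificate dict, and RENEW_WITHIN_DAYS and the function names are my own.

```python
"""Check the certificate an SME appliance actually serves on port 443."""
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # Let's Encrypt renewal window used in the post

# The three hostnames from the post's example; replace with your own.
REQUIRED_HOSTNAMES = ["sme.smedev.com", "webdav.smedev.com", "s3.smedev.com"]

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a 90-day certificate covering all three names (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "sme.smedev.com"),),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "sme.smedev.com"),
                       ("DNS", "webdav.smedev.com"),
                       ("DNS", "s3.smedev.com")),
}


def fetch_peer_cert(host, port=443):
    """Validated TLS handshake (chain + hostname); returns the leaf cert dict.

    Raises ssl.SSLError while the appliance still serves its self-signed cert.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_hostnames(cert):
    """DNS names from subjectAltName; certbot puts every -d name there."""
    return {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}


def days_until_expiry(cert, now_ts=None):
    """Whole days from now_ts (seconds since epoch, default: now) until notAfter."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)


def check_certificate(cert, required=REQUIRED_HOSTNAMES, now_ts=None):
    """Report hostnames the cert does not cover and whether renewal is due."""
    missing = sorted({h.lower() for h in required} - cert_hostnames(cert))
    days = days_until_expiry(cert, now_ts)
    return {"missing_hostnames": missing, "days_left": days,
            "renew_due": days <= RENEW_WITHIN_DAYS}
```

Against a live appliance, call check_certificate(fetch_peer_cert(host), [host]) for each of your hostnames; a non-empty missing_hostnames list means a -d name was left off the certbot command.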

To build a job that runs once a week at 2:30 am, type the following command to open the crontab file:

# crontab -e

In the below example I run the job on Monday mornings, but you can of course adjust this also.

30 2 * * 1 /bin/certbot renew >> /var/log/letsencrypt/le-renew.log

This will create the crontab and also write the output of the job to a log file.

I hope you have enjoyed this tutorial and I hope you will let me know if you use it for your deployment of the Storage Made Easy Enterprise File Sync and Share Fabric Solution.

 
