Securing the Enterprise File Fabric with Free Let’s Encrypt Certificates

Storage Made Easy recommends that all traffic be secured with encryption. This post will help new customers obtain a trusted certificate from the Let’s Encrypt Certificate Authority using Certbot.

Prerequisites

Before trying to obtain a certificate, make sure the following tasks are complete.

  1. The Enterprise File Fabric must be accessible from a public IP address on TCP ports 80 (HTTP) and 443 (HTTPS).
  2. External DNS records must be mapped to that public IP address.

Setting FQDNs

When first setting up the Enterprise File Fabric, the FQDNs that will be publicly registered in DNS must be set up. If this was not done during setup, follow these instructions:

Log into the Enterprise File Fabric as the smeconfiguser and run the following command:

smeconfigserver

This will start the configuration server. Using HTTP, browse to port 8080 of the IP address or hostname of the Enterprise File Fabric, for example:
http://fqdn.example.com:8080

Once the page loads, navigate to “Configuration -> SME Server Hostname Settings” as detailed in this video.

Set the values for:
Domain Name
WebDav Domain Name
S3 Domain Name

This article will use the following values as an example:

Domain Name          learn.storagemadeeasy.com
WebDav Domain Name   learn-webdav.storagemadeeasy.com
S3 Domain Name       learn-s3.storagemadeeasy.com

Verify that the public DNS records are set up correctly by pinging each FQDN.
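A pre-flight check for the three FQDNs set above, added here as an example and not part of the File Fabric's own tooling: it confirms each name resolves only to the appliance's public IP and that TCP 80 and 443 are reachable, which ping alone does not prove (Certbot's standalone HTTP-01 validation connects to port 80). PUBLIC_IP is a constructed placeholder; the hostnames are the article's examples.

```shell
# Added pre-flight check (not the File Fabric's own tooling) for the three FQDNs set above:
# each must resolve only to the appliance's public IP and answer on TCP 80 and 443, since
# Certbot's standalone HTTP-01 validation connects to port 80. Goes beyond ping, which does
# not prove the ports are reachable. PUBLIC_IP is a constructed placeholder value.
PUBLIC_IP="203.0.113.10"
FQDNS="learn.storagemadeeasy.com learn-webdav.storagemadeeasy.com learn-s3.storagemadeeasy.com"

# IPv4 addresses a name resolves to, one per line (empty if it does not resolve).
resolve_v4() { getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u; }

# Succeed only if the resolver output in $2 is non-empty and every address equals $1;
# a stale extra A record is a common reason validation reaches the wrong host.
resolves_only_to() {
    [ -n "$2" ] || return 1
    for a in $2; do [ "$a" = "$1" ] || return 1; done
}

# TCP connect to host $1 port $2 within 5 seconds (bash /dev/tcp, no extra tools needed).
port_open() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Run every check for every FQDN and return non-zero if any failed.
preflight() {
    rc=0
    for h in $FQDNS; do
        addrs=$(resolve_v4 "$h")
        if resolves_only_to "$PUBLIC_IP" "$addrs"; then echo "ok   $h -> $PUBLIC_IP"
        else echo "FAIL $h resolves to '$(printf '%s' "$addrs" | tr '\n' ' ')', not only $PUBLIC_IP"; rc=1; fi
        for p in 80 443; do
            if port_open "$h" "$p"; then echo "ok   $h:$p reachable"
            else echo "FAIL $h:$p unreachable"; rc=1; fi
        done
    done
    return $rc
}

# Only touches the network when asked: PREFLIGHT=1 sh preflight.sh
if [ "${PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

Run it from a machine outside the appliance's network so the checks reflect what Let's Encrypt's validation servers will see.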

Obtaining a Certificate for a New Deployment

Installing Let’s Encrypt Certbot

Log into the Enterprise File Fabric as smeconfiguser, then elevate to the root user by typing the following command and entering the root password when prompted.

su -

Download and install the Let’s Encrypt package:

yum install certbot-apache -y

Once the package is installed with dependencies, proceed with the certificate request.

Requesting a certificate with Certbot

Please Note: The File Fabric will be inaccessible to end users during the request. The downtime associated with a request may be up to a minute.

While still logged in as root run the following command:

certbot --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"

This command will prompt for an email address.  It’s important to give this information so that an admin can be notified in the future if there are issues automatically renewing the certificate.

Please also agree to the Terms of Service. It is not necessary to share the provided email with the Electronic Frontier Foundation.

Certbot will automatically detect which FQDNs are set up for the Enterprise File Fabric and prompt for which should be included in the certificate. If all of the FQDNs are registered in DNS, feel free to get a certificate for all of them. If you only want to use the website and CloudDav (WebDAV), then select just those. In the example below, if I only wanted a certificate for the main site and WebDAV, I would enter 1,3.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: learn.storagemadeeasy.com
2: learn-s3.storagemadeeasy.com
3: learn-webdav.storagemadeeasy.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3

Lastly, Certbot will prompt to disable all HTTP access.  Please select option 1 as the File Fabric already has HTTP to HTTPS redirection options configured.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

After successful completion, the Enterprise File Fabric will automatically start using the new certificate. The certificate is valid for 90 days, so the final step is to set up automated renewal.

Automatically renewing the certificate

A Let’s Encrypt certificate is valid for 90 days, and can be automatically renewed within 30 days of expiration.  A simple cron job will run daily and handle renewals.

Please Note:  The File Fabric will be inaccessible during the renewal.  Please ensure that the renewal time is during off hours.  Downtime will only occur every 60 days when a renewal is required and may last up to one minute.

While still logged in as root run the following command to add a cron job.

crontab -e

In the below example the renewal attempt will process at 2:30AM in the timezone of the Enterprise File Fabric.  The Enterprise File Fabric ships by default with the timezone set to UTC time.  Please adjust this timezone as necessary.

30 2 * * * /bin/certbot renew >> /var/log/letsencrypt/le-renew.log 2>&1

This crontab entry runs the renewal attempt daily and writes its output, including any errors, to the log file. Certbot only replaces the certificate when it is within the renewal window, so most daily runs change nothing.

Optional: Increasing Certificate Cipher strength

Certbot automatically inserts the proper directives into the Apache configuration for the new certificate. However, Certbot adds the 3DES cipher to the list of approved TLS ciphers. To restore the Enterprise File Fabric to its original cipher strength, perform the following:

As the root user edit the following file with the vi or nano editors:
/etc/letsencrypt/options-ssl-apache.conf

vi /etc/letsencrypt/options-ssl-apache.conf

Find and replace the following line (note that it may line-wrap and appear to be several lines):

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

With:

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Additionally, if PCI DSS certification is required, it is important to disable TLSv1.0. The replacement line below disables TLSv1.1 as well.

Replace the line:

SSLProtocol all -SSLv2 -SSLv3

With:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

After saving the file, restart Apache:

systemctl restart httpd

Once complete, run an analysis of the Enterprise File Fabric with SSL Labs. Your SME site should receive an A+ rating.
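Before reaching for SSL Labs, the edited file can be checked locally. The script below is an added example, not the File Fabric's or certbot's own code: it flags 3DES and any other enabled cipher that lacks forward secrecy or AEAD in SSLCipherSuite, and checks that SSLProtocol no longer enables TLSv1 or TLSv1.1. The hardened cipher list above passes; certbot's default list does not. The sample config it writes is constructed.

```shell
# Added audit helper (not the File Fabric's or certbot's own code): checks an Apache SSL
# fragment such as /etc/letsencrypt/options-ssl-apache.conf for the two issues described above.
# Print each enabled cipher that is 3DES (DES-CBC3), lacks forward secrecy (no ECDHE/DHE key
# exchange) or is not AEAD (no GCM/CHACHA20). Returns 0 if nothing is flagged, 1 otherwise.
weak_ciphers() {
    found=0
    for c in $(printf '%s' "$1" | tr ':' ' '); do
        case "$c" in
            "!"*) continue ;;                               # an exclusion, not an enabled cipher
            *DES-CBC3*|*3DES*) echo "$c (3DES)"; found=1; continue ;;
        esac
        case "$c" in
            *ECDHE-*|*DHE-*|kEDH*) ;;
            *) echo "$c (no forward secrecy)"; found=1; continue ;;
        esac
        case "$c" in
            *GCM*|*CHACHA20*) ;;
            *) echo "$c (not AEAD)"; found=1 ;;
        esac
    done
    return $found
}
# Return 0 when an SSLProtocol value enables neither TLSv1 nor TLSv1.1, whether written
# as "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" or as an explicit list such as "TLSv1.2".
protocol_ok() {
    allow_all= no_v10= no_v11=
    for t in $1; do
        case "$t" in
            all|+all)                        allow_all=1 ;;
            -TLSv1)                          no_v10=1 ;;
            -TLSv1.1)                        no_v11=1 ;;
            TLSv1|+TLSv1|TLSv1.1|+TLSv1.1)   return 1 ;;   # explicitly enabled
        esac
    done
    [ -z "$allow_all" ] || { [ -n "$no_v10" ] && [ -n "$no_v11" ]; }
}
# Extract both directives from a file and check them; returns 0 only when both pass.
audit_file() {
    ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]\{1,\}//p' "$1" | head -n 1)
    proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}//p' "$1" | head -n 1)
    rc=0; weak_ciphers "$ciphers" || rc=1
    protocol_ok "$proto" || { echo "SSLProtocol leaves TLSv1/TLSv1.1 enabled: $proto"; rc=1; }
    return $rc
}

# Constructed sample: certbot's default protocol line and a shortened default cipher list.
sample=$(mktemp)
printf 'SSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL\n' > "$sample"
audit_file "$sample" || echo "weaknesses found; apply the edits described above"; rm -f "$sample"
```

To check the live file, run `audit_file /etc/letsencrypt/options-ssl-apache.conf` as root after editing it.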

Douglas Soltesz

Director Product Solutions at Storage Made Easy
Doug's focus is in Object and Cloud Storage APIs, Data Governance, Virtualization, and Containerization.