Updated: Securing the Enterprise File Fabric with Let’s Encrypt Certificates

While the current technology news cycle is dominated by Meltdown and Spectre, a security flaw in TLS-SNI validation has invalidated a simple way of obtaining free certificates from Let’s Encrypt.

Storage Made Easy recommends that all traffic be secured with encryption. This post will help new customers obtain a trusted certificate from the Let’s Encrypt Certificate Authority and show existing customers how to switch the verification method from TLS-SNI to HTTP based validation.

Prerequisites

Before trying to obtain a certificate it is important that the following tasks are completed.

1. The Enterprise File Fabric must be accessible from a public IP address on TCP ports 80 (HTTP) and 443 (HTTPS).
2. External DNS records must be mapped to the public IP address. If unsure of the FQDNs, follow the steps in the section below.

Verifying the DNS Records

Log into the Enterprise File Fabric as the smeconfiguser and run the following command:

smeconfigserver

This will start the configuration server. Navigate with HTTP to port 8080 of the IP address or URL of the Enterprise File Fabric. Example:
http://fqdn.example.com:8080

Once the page loads, navigate to “Configuration -> SME Server Hostname Settings” as shown in the accompanying video.

Record the values for:
Domain Name
WebDav Domain Name
S3 Domain Name

This article will use the following values as an example:
Domain Name:          learn.storagemadeeasy.com
WebDav Domain Name:   webdav.learn.storagemadeeasy.com
S3 Domain Name:       s3.learn.storagemadeeasy.com

Verify that the public DNS records are set up correctly by pinging each FQDN and confirming that it resolves to the public IP address.
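The check above can be automated. The following POSIX shell script is an added example and is not part of the original post or the Storage Made Easy product: it resolves each FQDN through the system resolver (getent hosts) and compares the answer with the public IP address the Fabric is reachable on. The address 203.0.113.10 in the usage comment is a constructed placeholder; the hostnames are the example FQDNs recorded above.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm each File Fabric FQDN
# resolves to the expected public IP before requesting a certificate.
# Usage: sh check_dns.sh <public-ip> <fqdn> [<fqdn> ...]
#   sh check_dns.sh 203.0.113.10 learn.storagemadeeasy.com \
#        webdav.learn.storagemadeeasy.com s3.learn.storagemadeeasy.com
# (203.0.113.10 is a constructed placeholder address.)

# Print the address column of "getent hosts"-style output ("ADDRESS NAME [ALIAS...]").
# Returns 1 without printing anything when the resolver returned nothing.
first_address() {
    addr=$(printf '%s\n' "$1" | awk 'NF { print $1; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Return 0 when the resolver output names the expected public IP, 1 otherwise
# (including the "did not resolve" case, which is the most common DNS mistake).
address_matches() {
    got=$(first_address "$2") || return 1
    [ "$got" = "$1" ]
}

# Resolve every FQDN through the system resolver and report each one;
# returns non-zero if any FQDN is missing or points elsewhere.
verify_fqdns() {
    expected=$1
    shift
    status=0
    for fqdn in "$@"; do
        resolved=$(getent hosts "$fqdn" 2>/dev/null)
        if address_matches "$expected" "$resolved"; then
            echo "OK        $fqdn -> $expected"
        else
            got=$(first_address "$resolved" || echo "no record")
            echo "MISMATCH  $fqdn -> $got (expected $expected)"
            status=1
        fi
    done
    return $status
}

# Only query DNS when a public IP and at least one FQDN were given on the command line.
if [ $# -ge 2 ]; then
    verify_fqdns "$@"
fi
```

Run it from a host outside the Fabric's network so that the answer comes from public DNS rather than an internal zone. On dual-stack hosts getent hosts prefers an AAAA record when one exists, so compare against the IPv6 address in that case (or use getent ahostsv4 to force IPv4). A matching record only proves name resolution; ports 80 and 443 still have to be reachable from the Internet for the HTTP validation to succeed.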

Obtaining a Certificate for a New Deployment

If the Enterprise File Fabric already has a certificate from Let’s Encrypt, please jump ahead to the next section to convert from TLS-SNI to HTTP verification.

Installing Let’s Encrypt Certbot

Log into the Enterprise File Fabric as smeconfiguser, then elevate to the root user by running the following command and entering the root password when prompted.

su -

Download and install the Let’s Encrypt package:

yum install certbot-apache -y

Once the package is installed with dependencies, proceed with the certificate request.

Please note: the File Fabric will be inaccessible to end users during the request. The downtime associated with a request may be up to a minute.
Also, the FQDNs below are an example; please use the FQDNs recorded in the previous step. If the File Fabric is not a WebDAV or S3 gateway, leave off the corresponding “-d FQDN” argument (or both) in the command below.

certbot --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd" -d learn.storagemadeeasy.com -d s3.learn.storagemadeeasy.com -d webdav.learn.storagemadeeasy.com

This command will prompt for an email address. It is important to provide this so that an administrator can be notified in the future if there are issues automatically renewing the certificate.

Please also agree to the Terms of Service. It is not necessary to share the provided email with the Electronic Frontier Foundation.

Lastly, Certbot will prompt whether to disable all HTTP access. Please select option 1, as the File Fabric already has its own HTTP to HTTPS redirection configured.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

After successful completion, the Enterprise File Fabric will automatically start using the new certificates. These certificates are valid for 90 days, so the final step is to set up automated renewal.

Automatically renewing the certificate

A Let’s Encrypt certificate is valid for 90 days and can be automatically renewed within 30 days of expiration. A simple cron job that runs daily will handle renewals.

Please note: the File Fabric will be inaccessible during the renewal, so ensure that the renewal time falls during off hours. Downtime will only occur every 60 days, when a renewal is actually required, and may last up to one minute.

While still logged in as root, run the following command to add a cron job.

crontab -e

In the example below the renewal attempt will run at 2:30 AM in the timezone of the Enterprise File Fabric. The Enterprise File Fabric ships by default with the timezone set to UTC; adjust the schedule as necessary.

30 2 * * * /bin/certbot renew >> /var/log/letsencrypt/le-renew.log

This will create a crontab entry for a cron job that will handle the renewals and write its output to a log file.

Updating Existing Certbot Installations

If the Enterprise File Fabric has already been secured with Let’s Encrypt it will continue to function as expected. However, Let’s Encrypt will eventually force all TLS-SNI renewals over to DNS or HTTP based validation. To proactively change the renewal from TLS-SNI to HTTP validation, perform the following steps.

Log into the Enterprise File Fabric as smeconfiguser, then elevate to the root user by running the following command and entering the root password when prompted.

su -

Update the Let’s Encrypt package:

yum update certbot-apache -y

Using the same FQDNs as originally used to obtain the certificate, run the command below, substituting the proper FQDNs for the examples. If the current FQDNs are unknown, follow the instructions above under “Prerequisites” to locate the proper hostnames.

certbot --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd" -d learn.storagemadeeasy.com -d s3.learn.storagemadeeasy.com -d webdav.learn.storagemadeeasy.com

Please note: the File Fabric will be inaccessible to end users during the request. The downtime associated with a request may be up to a minute.

After running the command, the message below should appear. Select option 2 to force a new renewal.

You have an existing certificate that has exactly the same domains or certificate name 
you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/learn.storagemadeeasy.com.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Certbot will then prompt whether to disable all HTTP access. Please select option 1, as the File Fabric already has its own HTTP to HTTPS redirection configured.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

No further action is required after a successful renewal. The existing cron job will continue to renew the certificate in advance of expiration.

Optional: Increasing Certificate Cipher strength

Certbot automatically inserts the proper directives into the Apache configuration for the new certificates. However, Certbot also adds the 3DES cipher to the list of approved TLS ciphers. To restore the Enterprise File Fabric to its original cipher strength, perform the following:

As the root user, edit the following file with the vi or nano editor:
/etc/letsencrypt/options-ssl-apache.conf

vi /etc/letsencrypt/options-ssl-apache.conf

Find and replace the following line (note: it is a single line, but it may wrap and appear to be several lines in the editor):

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

With:

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA

Additionally, if PCI DSS certification is required, it is important to disable TLSv1.0 before the June 30th, 2018 deadline.

Replace the line:

SSLProtocol all -SSLv2 -SSLv3

With:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

After saving the file, restart Apache:

systemctl restart httpd
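Before restarting Apache it is worth confirming that both edits actually landed. The following POSIX shell script is an added example, not part of the original post or the product: it audits an Apache TLS options file such as /etc/letsencrypt/options-ssl-apache.conf for the two changes in this section, checking whether the SSLCipherSuite string still positively selects 3DES (DES-CBC3-SHA) or CAMELLIA, and whether SSLProtocol carries the -TLSv1 exclusion. The two sample files it writes to temporary paths are constructed to mirror the before and after state above (the "before" cipher list is abbreviated).

```shell
#!/bin/sh
# Added example, not part of the original post: audit an Apache TLS options file
# (e.g. /etc/letsencrypt/options-ssl-apache.conf) for the two hardening changes
# described above. The sample files below are constructed for demonstration.

# Print the value of the first occurrence of a directive, without the directive name.
directive_value() {
    # $1: config file, $2: directive name (e.g. SSLCipherSuite)
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# List cipher tokens that positively select 3DES or CAMELLIA. Tokens prefixed
# with "!" are exclusions (e.g. !EDH-RSA-DES-CBC3-SHA) and are ignored.
weak_cipher_tokens() {
    directive_value "$1" SSLCipherSuite | tr ':' '\n' \
        | grep -v '^!' | grep -E 'DES-CBC3|3DES|CAMELLIA' || true
}

has_weak_ciphers() {
    [ -n "$(weak_cipher_tokens "$1")" ]
}

# Looks for the explicit "-TLSv1" token used above; "-TLSv1.1" alone does not
# satisfy it, and an allow-list such as "SSLProtocol TLSv1.2" would need a
# different test.
tls10_disabled() {
    case " $(directive_value "$1" SSLProtocol) " in
        *" -TLSv1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report both checks; returns non-zero if either still needs attention.
audit_ssl_options() {
    rc=0
    if has_weak_ciphers "$1"; then
        echo "WEAK  SSLCipherSuite still selects: $(weak_cipher_tokens "$1" | tr '\n' ' ')"
        rc=1
    else
        echo "OK    SSLCipherSuite selects no 3DES/CAMELLIA suites"
    fi
    if tls10_disabled "$1"; then
        echo "OK    SSLProtocol disables TLSv1.0"
    else
        echo "WEAK  SSLProtocol still allows TLSv1.0"
        rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the before/after state (cipher list abbreviated).
BEFORE=$(mktemp)
AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!EDH-RSA-DES-CBC3-SHA
SSLProtocol all -SSLv2 -SSLv3
EOF
cat > "$AFTER" <<'EOF'
SSLEngine on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
EOF

for f in "$BEFORE" "$AFTER"; do
    echo "== $f =="
    audit_ssl_options "$f" || echo "   -> action required"
done
```

On a live system, call audit_ssl_options /etc/letsencrypt/options-ssl-apache.conf as root and only restart httpd once both lines report OK. The script inspects the configuration text only; whether Apache actually negotiates the intended suites is what the SSL Labs scan in the next step confirms.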

Once complete, run an analysis of the Enterprise File Fabric against SSL Labs. Your SME site should receive an A+ rating!

Douglas Soltesz

Director Product Solutions at Storage Made Easy
Doug's focus is in Object and Cloud Storage APIs, Data Governance, Virtualization, and Containerization.