Hi

I'm trying to set up an SSL connection to Koha (using Let's Encrypt certs) so my users, admin and OPAC can have a secure connection.
I've followed Let's Encrypt & certbot instructions but neither OPAC nor admin pages work.
I've tried directing connections manually and configuring Apache for redirect unsuccessfully.

Any hints on this?

This is mostly to avoid the upcoming Chrome config where it will display an unsafe site warning to any site requiring login that does not use SSL.

Regards,
Alvaro
Excerpts from Alvaro Cornejo's message of 2018-06-04 21:18:57 -0500:
I'm trying to set up an SSL connection to Koha (using Let's Encrypt certs) so my users, admin and OPAC can have a secure connection.
I've followed Let's Encrypt & certbot instructions but neither OPAC nor admin pages work.
I used certbot on Debian 8 to get the OPAC and staff clients to use SSL. If I recall correctly, certbot attempted to modify my Apache config file to add references to the LetsEncrypt certificate files, but I think it chose the wrong file to modify. So I hand-modified the Koha-specific config file to point to the certificates. Below is the resulting /etc/apache2/sites-available/LIB.conf. Replace LIB with the actual Koha instance name, and replace KOHA.MYLIBRARY.COM with the actual hostname. Note also that I chose port 81 for the OPAC and port 82 for the staff client; you will probably need to change those numbers.

# Koha instance LIB Apache config.

# OPAC
<VirtualHost *:81>
   <IfVersion >= 2.4>
   Define instance "LIB"
   </IfVersion>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac-plack.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName KOHA.MYLIBRARY.COM
   SetEnv KOHA_CONF "/etc/koha/sites/LIB/koha-conf.xml"
   SetEnv MEMCACHED_SERVERS "127.0.0.1:11211"
   SetEnv MEMCACHED_NAMESPACE "koha_LIB"
   AssignUserID LIB-koha LIB-koha

   ErrorLog    /var/log/koha/LIB/opac-error.log
#  TransferLog /var/log/koha/LIB/opac-access.log
#  RewriteLog  /var/log/koha/LIB/opac-rewrite.log

   SSLCertificateFile /etc/letsencrypt/live/KOHA.MYLIBRARY.COM/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/KOHA.MYLIBRARY.COM/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# Intranet
<VirtualHost *:82>
   <IfVersion >= 2.4>
   Define instance "LIB"
   </IfVersion>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-intranet-plack.conf
   Include /etc/koha/apache-shared-intranet.conf

   ServerName KOHA.MYLIBRARY.COM
   SetEnv KOHA_CONF "/etc/koha/sites/LIB/koha-conf.xml"
   SetEnv MEMCACHED_SERVERS "127.0.0.1:11211"
   SetEnv MEMCACHED_NAMESPACE "koha_LIB"
   AssignUserID LIB-koha LIB-koha

   ErrorLog    /var/log/koha/LIB/intranet-error.log
#  TransferLog /var/log/koha/LIB/intranet-access.log
#  RewriteLog  /var/log/koha/LIB/intranet-rewrite.log

   SSLCertificateFile /etc/letsencrypt/live/KOHA.MYLIBRARY.COM/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/KOHA.MYLIBRARY.COM/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
On 5/06/18 2:18 pm, Alvaro Cornejo wrote:
Hi

I'm trying to set up an SSL connection to Koha (using Let's Encrypt certs) so my users, admin and OPAC can have a secure connection.
I've followed Let's Encrypt & certbot instructions but neither OPAC nor admin pages work.
I've tried directing connections manually and configuring Apache for redirect unsuccessfully.

Any hints on this?

This is mostly to avoid the upcoming Chrome config where it will display an unsafe site warning to any site requiring login that does not use SSL.

Regards,
Alvaro

_______________________________________________
Koha mailing list  http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha
hi Alvaro

here's an apache config that has worked well for me

it has some extra magic to improve its SSL score
the config now gets an 'A+' on the following site...
https://www.ssllabs.com/ssltest

i'll aim to add this to the Koha wiki

cheers, Mason


root@deb8:/etc/apache2/sites-available# cat demo.conf
# ------------------------------
# OPAC
<VirtualHost *:80>
   <IfVersion >= 2.4>
   Define instance "demo"
   </IfVersion>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName demo.foo.org
   SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
   AssignUserID demo-koha demo-koha

   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

   ErrorLog    /var/log/koha/demo/opac-error.log
#  TransferLog /var/log/koha/demo/opac-access_log
#  RewriteLog  /var/log/koha/demo/opac-rewrite.log
</VirtualHost>

# ------------------------------
<VirtualHost *:443>
   <IfVersion >= 2.4>
   Define instance "demo"
   </IfVersion>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac-plack.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName demo.foo.org
   SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
   AssignUserID demo-koha demo-koha

   ErrorLog    /var/log/koha/demo/opac-error.log
#  TransferLog /var/log/koha/demo/opac-access_log
#  RewriteLog  /var/log/koha/demo/opac-rewrite.log

   # SSL config here!
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/cert.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/fullchain.pem

   SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
   SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder On
   Header always set Strict-Transport-Security "max-age=17280000; preload"
   Header always set Content-Security-Policy "upgrade-insecure-requests"
</VirtualHost>

# ------------------------------
# Intranet / redirect to https
<VirtualHost *:80>
   <IfVersion >= 2.4>
   Define instance "demo"
   </IfVersion>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-intranet.conf

   ServerName demo-admin.foo.org

   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

   ErrorLog    /var/log/koha/demo/intranet-error.log
#  TransferLog /var/log/koha/demo/intranet-access_log
#  RewriteLog  /var/log/koha/demo/intranet-rewrite.log
</VirtualHost>

# ------------------------------
<VirtualHost *:443>
   <IfVersion >= 2.4>
   Define instance "demo"
   </IfVersion>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-intranet-plack.conf
   Include /etc/koha/apache-shared-intranet.conf

   ServerName demo-admin.foo.org
   SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
   AssignUserID demo-koha demo-koha

   ErrorLog    /var/log/koha/demo/intranet-error.log
#  TransferLog /var/log/koha/demo/intranet-access_log
#  RewriteLog  /var/log/koha/demo/intranet-rewrite.log

   # SSL config here!
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/cert.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/fullchain.pem

   Header always set Strict-Transport-Security "max-age=17280000; preload"
   Header always set Content-Security-Policy "upgrade-insecure-requests"
</VirtualHost>
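The thread's working configs all hinge on the same handful of TLS directives: SSLEngine, the certificate/key pair, an SSLProtocol that drops SSLv3, an HSTS header, and a port-80 vhost that only redirects. As an added example (my own code, not Mason's, Mark's or Koha's), here is a small POSIX shell linter that reads a vhost file and reports which of those are missing or weak. It does not follow Include lines, so a directive that certbot's options-ssl-apache.conf supplies (SSLEngine on, as in Mark's config) is reported as missing when only the Include is present. The two sample vhost files it writes are constructed for the demo, modelled on the demo.foo.org config above; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Koha: lint an Apache vhost
# file for the TLS settings the configs above depend on. Include lines are not
# followed, so a directive that certbot's options-ssl-apache.conf supplies
# (SSLEngine on) is reported as missing when only the Include is present.

write_sample() {  # usage: write_sample weak|hardened FILE  (constructed samples)
    case "$1" in
    weak) cat >"$2" <<'EOF'
<VirtualHost *:80>
    ServerName demo.foo.org
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
    ServerName demo.foo.org
    SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem
    SSLProtocol All -SSLv2
    Header always set Strict-Transport-Security "max-age=17280000; preload"
</VirtualHost>
EOF
    ;;
    hardened) cat >"$2" <<'EOF'
<VirtualHost *:80>
    ServerName demo.foo.org
    Redirect permanent / https://demo.foo.org/
</VirtualHost>
<VirtualHost *:443>
    ServerName demo.foo.org
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
EOF
    ;;
    esac
}

# Print the body of every <VirtualHost> on PORT (Includes are not expanded).
vhost_body() {  # usage: vhost_body FILE PORT
    awk -v port="$2" '
        /^[[:space:]]*<VirtualHost/ { inblock = (index($0, ":" port ">") > 0) }
        inblock { print }
        /^[[:space:]]*<\/VirtualHost>/ { inblock = 0 }' "$1"
}
has()     { printf '%s\n' "$1" | grep -qi -- "$2"; }     # does the block contain the pattern?
finding() { echo "$1"; findings=$((findings + 1)); }

lint_tls_vhost() {  # usage: lint_tls_vhost FILE ; one line per finding, exit status = count
    findings=0
    tls=$(vhost_body "$1" 443)
    plain=$(vhost_body "$1" 80)
    if [ -z "$tls" ]; then
        finding "no <VirtualHost *:443>: nothing is served over HTTPS"; return 1
    fi
    has "$tls" '^[[:space:]]*SSLEngine[[:space:]]*on' \
        || finding "443 vhost lacks 'SSLEngine on': Apache would speak plain HTTP on that port"
    { has "$tls" '^[[:space:]]*SSLCertificateFile' && has "$tls" '^[[:space:]]*SSLCertificateKeyFile'; } \
        || finding "443 vhost lacks SSLCertificateFile and/or SSLCertificateKeyFile"
    proto=$(printf '%s\n' "$tls" | grep -i '^[[:space:]]*SSLProtocol' | head -n 1 | sed 's/^[[:space:]]*//')
    case "$proto" in
        "")        finding "SSLProtocol unset: older Apache releases default to 'all', which includes SSLv3" ;;
        *+SSLv3*)  finding "SSLProtocol explicitly enables SSLv3" ;;
        *[Aa]ll*)  case "$proto" in
                       *-SSLv3*|*-[Aa]ll*) ;;
                       *) finding "'$proto' keeps 'All' without '-SSLv3'" ;;
                   esac ;;
    esac
    hsts=$(printf '%s\n' "$tls" | grep -i 'Strict-Transport-Security' | head -n 1)
    case "$hsts" in
        "") finding "no Strict-Transport-Security header: a first plain-http request is still accepted before the redirect" ;;
        *preload*)  # the browser preload list only takes a one-year max-age with includeSubDomains
            age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
            subs=no; case "$hsts" in *includeSubDomains*) subs=yes ;; esac
            { [ "${age:-0}" -ge 31536000 ] && [ "$subs" = yes ]; } \
                || finding "HSTS says 'preload' but the preload list needs max-age >= 31536000 and includeSubDomains" ;;
    esac
    if [ -n "$plain" ] && ! has "$plain" 'https://'; then
        finding "port-80 vhost never redirects to https://, so logins can still go in clear"
    fi
    return $findings
}

# Stand-alone demo: sh lint-tls-vhost.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for kind in weak hardened; do
        f=$(mktemp); write_sample "$kind" "$f"
        echo "== $kind sample =="
        lint_tls_vhost "$f" && echo "-> clean" || echo "-> $? finding(s)"
        rm -f "$f"
    done
fi
```

Run it against a real file with `lint_tls_vhost /etc/apache2/sites-available/demo.conf` after sourcing the script; the exit status is the number of findings, so it drops straight into a deploy check. The weak sample reproduces three things worth knowing about: a 443 vhost with certificates but no SSLEngine (Apache happily serves plain HTTP there), an SSLProtocol line that still admits SSLv3, and an HSTS header asking for preload with a max-age shorter than the preload list accepts.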
On 6/06/18 3:45 pm, Mason James wrote:
On 5/06/18 2:18 pm, Alvaro Cornejo wrote:
Hi

I'm trying to set up an SSL connection to Koha (using Let's Encrypt certs) so my users, admin and OPAC can have a secure connection.
I've followed Let's Encrypt & certbot instructions but neither OPAC nor admin pages work.
I've tried directing connections manually and configuring Apache for redirect unsuccessfully.

Any hints on this?

This is mostly to avoid the upcoming Chrome config where it will display an unsafe site warning to any site requiring login that does not use SSL.

Regards,
Alvaro

hi Alvaro
here's an apache config that has worked well for me
it has some extra magic to improve its SSL score
the config now gets an 'A+' on the following site... https://www.ssllabs.com/ssltest
i'll aim to add this to the Koha wiki
cheers, Mason
...and here's a nice 'cert renew' solution, using LE's cli.ini file

root@deb8:/# cat /etc/letsencrypt/cli.ini
domains = demo.foo.org, demo-admin.foo.org

root@deb8:/# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# -n for non-interactive
0 1 * * * root service apache2 stop ; perl -e 'sleep int(rand(3600))' && /usr/bin/certbot certonly --expand -n --standalone --config /etc/letsencrypt/cli.ini ; service apache2 start
On 6/06/18 4:06 pm, Mason James wrote:
On 6/06/18 3:45 pm, Mason James wrote:
On 5/06/18 2:18 pm, Alvaro Cornejo wrote:
Hi

I'm trying to set up an SSL connection to Koha (using Let's Encrypt certs) so my users, admin and OPAC can have a secure connection.
I've followed Let's Encrypt & certbot instructions but neither OPAC nor admin pages work.
I've tried directing connections manually and configuring Apache for redirect unsuccessfully.

Any hints on this?

This is mostly to avoid the upcoming Chrome config where it will display an unsafe site warning to any site requiring login that does not use SSL.

Regards,
Alvaro

hi Alvaro
here's an apache config that has worked well for me
it has some extra magic to improve its SSL score
the config now gets an 'A+' on the following site... https://www.ssllabs.com/ssltest
i'll aim to add this to the Koha wiki
cheers, Mason
...and here's a nice 'cert renew' solution, using LE's cli.ini file
root@deb8:/# cat /etc/letsencrypt/cli.ini
domains = demo.foo.org, demo-admin.foo.org

root@deb8:/# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# -n for non-interactive
0 1 * * * root service apache2 stop ; perl -e 'sleep int(rand(3600))' && /usr/bin/certbot certonly --expand -n --standalone --config /etc/letsencrypt/cli.ini ; service apache2 start
oops, a bad cut/paste

this looks like a better way, using pre/post hooks...

0 1 * * * root perl -e 'sleep int(rand(3600))' && /usr/bin/certbot certonly --expand -n --standalone --config /etc/letsencrypt/cli.ini --pre-hook 'service apache2 stop' --post-hook 'service apache2 start'
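The renewal cron above only keeps both sites working as long as the `domains =` line in cli.ini lists every hostname Apache answers for; `certonly --expand` issues whatever cli.ini says, and a vhost whose ServerName was added later silently ends up with a certificate that does not match it. As an added example (my own code, not Mason's and not part of certbot), here is a POSIX shell check that compares cli.ini with the ServerName and ServerAlias entries of the Koha vhost files and lists the names the next certificate would not cover. It also handles wildcard entries, which the thread's cli.ini does not use. The cli.ini and demo.conf it writes are constructed samples modelled on Mason's; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot: check that every
# hostname the Koha vhosts answer for appears in certbot's cli.ini 'domains ='
# list, so a renewal run with 'certonly --expand' keeps covering both the OPAC
# and the staff client. Wildcard entries (*.example.org) are understood too.

write_samples() {  # usage: write_samples DIR  (constructed cli.ini and vhost file)
    cat >"$1/cli.ini" <<'EOF'
# constructed after the thread's /etc/letsencrypt/cli.ini
domains = demo.foo.org, demo-admin.foo.org
EOF
    cat >"$1/demo.conf" <<'EOF'
<VirtualHost *:443>
    ServerName demo.foo.org
    ServerAlias opac.foo.org
</VirtualHost>
<VirtualHost *:443>
    ServerName demo-admin.foo.org
</VirtualHost>
<VirtualHost *:443>
    ServerName demo-api.foo.org
</VirtualHost>
EOF
}

# Names certbot will put on the certificate, one per line.
cert_domains() {  # usage: cert_domains CLI_INI
    sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# Names Apache answers for: every ServerName and ServerAlias argument, de-duplicated.
vhost_names() {  # usage: vhost_names CONF...
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print $i }' "$@" | sort -u
}

# Does certificate entry CERT cover NAME? A wildcard covers exactly one extra label,
# so *.foo.org covers opac.foo.org but neither foo.org nor a.b.foo.org.
covered_by() {  # usage: covered_by NAME CERT
    case "$2" in
        \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1%%.*}" != "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Print each vhost name the certificate would not cover; exit status = their count.
uncovered_names() {  # usage: uncovered_names CLI_INI CONF...
    ini=$1; shift
    count=0
    certs=$(cert_domains "$ini")
    for name in $(vhost_names "$@"); do
        ok=no
        for c in $certs; do
            if covered_by "$name" "$c"; then ok=yes; break; fi
        done
        [ "$ok" = yes ] || { echo "$name"; count=$((count + 1)); }
    done
    return $count
}

# Stand-alone demo: sh check-cert-domains.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    echo "certificate will cover:"; cert_domains "$d/cli.ini" | sed 's/^/  /'
    echo "vhost names NOT covered (add them to cli.ini before the renewal cron runs):"
    uncovered_names "$d/cli.ini" "$d/demo.conf" | sed 's/^/  /'
    rm -rf "$d"
fi
```

On a live box the call is `uncovered_names /etc/letsencrypt/cli.ini /etc/apache2/sites-enabled/*.conf`; a non-zero exit status means the next `--expand` run would leave at least one vhost with a mismatched certificate, which is the kind of thing to catch in the pre-hook rather than after the old certificate has expired.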
Hi

I have just done the suggestions and it worked like a charm.

About the renewal cron, I will have to wait until my certs are up for renewal and see what happens.

Thanks!!!

Alvaro

|-------------------------------------------------------------------------|
Send and receive data and text messages (SMS) to and from any mobile phone and Nextel in Peru, Mexico and more than 180 countries. Use two-way applications via SMS and GPRS online. Visit us at www.perusms.com

2018-06-06 0:20 GMT-05:00 Mason James <mtj@kohaaloha.com>:
On 6/06/18 4:06 pm, Mason James wrote:
On 6/06/18 3:45 pm, Mason James wrote:
On 5/06/18 2:18 pm, Alvaro Cornejo wrote:
Hi

I'm trying to set up an SSL connection to Koha (using Let's Encrypt certs) so my users, admin and OPAC can have a secure connection.
I've followed Let's Encrypt & certbot instructions but neither OPAC nor admin pages work.
I've tried directing connections manually and configuring Apache for redirect unsuccessfully.

Any hints on this?

This is mostly to avoid the upcoming Chrome config where it will display an unsafe site warning to any site requiring login that does not use SSL.

Regards,
Alvaro

hi Alvaro
here's an apache config that has worked well for me
it has some extra magic to improve its SSL score
the config now gets an 'A+' on the following site... https://www.ssllabs.com/ssltest
i'll aim to add this to the Koha wiki
cheers, Mason
...and here's a nice 'cert renew' solution, using LE's cli.ini file
root@deb8:/# cat /etc/letsencrypt/cli.ini
domains = demo.foo.org, demo-admin.foo.org

root@deb8:/# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# -n for non-interactive
0 1 * * * root service apache2 stop ; perl -e 'sleep int(rand(3600))' && /usr/bin/certbot certonly --expand -n --standalone --config /etc/letsencrypt/cli.ini ; service apache2 start
oops, a bad cut/paste
this looks like a better way, using pre/post hooks...

0 1 * * * root perl -e 'sleep int(rand(3600))' && /usr/bin/certbot certonly --expand -n --standalone --config /etc/letsencrypt/cli.ini --pre-hook 'service apache2 stop' --post-hook 'service apache2 start'
participants (3)
- Alvaro Cornejo
- Mark Alexander
- Mason James