Enable HTTPS for MiaRec Web portal

Setup free SSL certificate for MiaRec using Let's Encrypt (Ubuntu 14.04)

This tutorial describes how to setup a free TLS/SSL certificate from Let's Encrypt on MiaRec server based on Ubuntu 14.04 server running Apache as a web server.

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

What is Let's Encrypt? Let’s Encrypt is a free, automated, and open certificate authority managed by the non-profit Internet Security Research Group (ISRG). Major sponsors are the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Akamai, Google and Cisco Systems. See this page for more on ISRG sponsors.

Step 1 - Install Certbot on Ubuntu 14.04

What is Certbot? Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt. This client runs on Unix-based operating systems.

To install Certbot, you must first enable the PPA repository maintained by the Certbot team:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot

Afterwards, update the package list to pick up the new repository's package information:

sudo apt-get update

And finally, install Certbot from the new repository with apt-get:

sudo apt-get install python-certbot-apache

Step 2 - Configure Apache to serve .well-known/acme-challenge directory

The Apache web server should be configured properly to allow serving of the files inside the /.well-known/acme-challenge directory. In this tutorial, we will use directory /var/www/html/.well-known as a location for the Certbot's temporary files.

What is a purpose of .well-known directory?

To obtain SSL certificate, the Certbot client creates a temporary file in ${webroot-path}/.well-known/acme-challenge directory. Then the Let’s Encrypt validation server makes HTTP requests to validate that the DNS for each requested domain resolves to the server running certbot. An example request made to your web server would look like:

66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Create file /etc/apache2/sites-available/letsencrypt-well-known.conf:

vim /etc/apache2/sites-available/letsencrypt-well-known.conf

Copy-paste the following content to that file:

For Apache 2.4:

<IfModule mod_proxy.c>
  ProxyPass /.well-known !
</IfModule>

Alias /.well-known/ "/var/www/html/.well-known/"

<Directory "/var/www/html/.well-known">
  Options None
  AllowOverride None
  Require all granted
</Directory>

<Location /.well-known/acme-challenge>
  Options None
  Require all granted
</Location>

Enable this configuration file:

sudo a2ensite letsencrypt-well-known.conf

Reload Apache:

sudo service apache2 reload

Step 4 - Obtain SSL certificates from Let's Encrypt server

Run the following command to obtain the certificate:

sudo certbot certonly --webroot -w /var/www/html/ -d miarec.example.com

Important! Replace miarec.example.com with your MiaRec server DNS name.

If everything goes well, then you should see the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/miarec.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/miarec.example.com/privkey.pem
   Your cert will expire on 2017-12-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Note the location of the generated certificate files. In our example, it is /etc/letsencrypt/live/miarec.example.com/.

Step 4 - Install mod_ssl module for Apache

The mod_ssl module is available in apache2-common package. Execute the following command at a terminal prompt to enable the mod_ssl module:

sudo a2enmod ssl

Enable HTTPS for Apache:

sudo a2ensite default-ssl

Step 5 - Configure Apache to use new SSL certificates

Edit file /etc/apache2/sites-available/default-ssl.conf

vim /etc/apache2/sites-available/default-ssl.conf

Modify the parameters SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. They should point to the public, private and CA certificate files correspondingly.

Example of configuration (replace miarec.example.com with your domain):

#   Server Public Key:
SSLCertificateFile /etc/letsencrypt/live/miarec.example.com/cert.pem

#   Server Private Key:
SSLCertificateKeyFile /etc/letsencrypt/live/miarec.example.com/privkey.pem

#   Server Certificate Chain:
SSLCertificateChainFile /etc/letsencrypt/live/miarec.example.com/chain.pem

Enable this configuration file and load Apache:

sudo a2ensite default-ssl.conf
sudo service apache2 reload

Step 6 - Open port 443 on firewall

If you are using iptables on this machine, then execute the following commands:

iptables -I INPUT 5 -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

Save all rules into iptables configuration file:

service iptables save

Restart iptables service:

service iptables restart

If you are using ufw firewall, then execute the following commands:

sudo ufw allow https

Step 7 - Force HTTPS for all traffic except internal call event notification (recommended)

Create file /etc/apache2/sites-available/miarec-ssl.conf:

vim /etc/apache2/sites-available/miarec-ssl.conf

Copy/paste the following content into this file:

<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTP_HOST}%{REQUEST_URI} !^127.0.0.1/notify
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>

Enable this configuration file and load Apache:

sudo a2ensite miarec-ssl.conf
sudo service apache2 reload

What is "127.0.0.1/notify" in the rewrite rule? MiaRec uses internally the HTTP protocol for sending call event notifications from recorder engine to a web portal. The above rewrite rule will force HTTPS for all web traffic except internal communication between recorder and web portal.

Step 9 - Configure cron to automatically renew the certificate.

Let’s Encrypt CA issues short-lived certificates (90 days). This tutorial shows how to automatically renew the certificates using cron.

Edit file /etc/crontab:

vi /etc/crontab

Insert the following line to the end of file:

27 5,21 * * * root certbot renew --quiet --no-self-upgrade --post-hook "apachectl graceful"

The example above will run the renew sub-command at 05:27 and 21:27 daily. You can change time to other values. If the certificates are updated, then apache is gracefully restarted.

Reload cron service:

service cron reload

Verify if cron service is started:

service cron status

It should return something like:

cron start/running, process 1105

Setup free SSL certificate for MiaRec using Let's Encrypt (Centos 6/7)

This tutorial describes how to setup a free TLS/SSL certificate from Let's Encrypt on MiaRec server based on Centos 7 server running Apache as a web server.

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

What is Let's Encrypt? Let’s Encrypt is a free, automated, and open certificate authority managed by the non-profit Internet Security Research Group (ISRG). Major sponsors are the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Akamai, Google and Cisco Systems. See this page for more on ISRG sponsors.

Step 1 - Enable EPEL repository in Centos 6/7

To use Certbot (described below), you must first enable the EPEL (Extra Packages for Enterprise Linux) repository and enable EPEL optional channel.

yum install epel-release

What is EPEL? Extra Packages for Enterprise Linux (or EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).

Step 2 - Install Certbot

Install Certbot by running:

Centos 6:

cd /root
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Centos 7:

yum install python-certbot-apache

What is Certbot? Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt. This client runs on Unix-based operating systems.

Step 3 - Configure Apache to serve .well-known/acme-challenge directory

The Apache web server should be configured properly to allow serving of the files inside the /.well-known/acme-challenge directory. In this tutorial, we will use directory /var/www/html/.well-known as a location for the Certbot's temporary files.

What is a purpose of .well-known directory?

To obtain SSL certificate, the Certbot client creates a temporary file in ${webroot-path}/.well-known/acme-challenge directory. Then the Let’s Encrypt validation server makes HTTP requests to validate that the DNS for each requested domain resolves to the server running certbot. An example request made to your web server would look like:

66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Create file /etc/httpd/conf.d/letsencrypt-well-known.conf:

vi /etc/httpd/conf.d/letsencrypt-well-known.conf

Copy-paste the following content to that file:

For Apache 2.4 (Centos 7):

<IfModule mod_proxy.c>
  ProxyPass /.well-known !
</IfModule>

Alias /.well-known/ "/var/www/html/.well-known/"

<Directory "/var/www/html/.well-known">
  Options None
  AllowOverride None
  Require all granted
</Directory>

<Location /.well-known/acme-challenge>
  Options None
  Require all granted
</Location>

For Apache 2.2 (Centos 6):

<IfModule mod_proxy.c>
  ProxyPass /.well-known !
</IfModule>

Alias /.well-known/ "/var/www/html/.well-known/"

<Directory "/var/www/html/.well-known">
  Options None
  Order allow,deny
  Allow from all
</Directory>

<Location /.well-known/acme-challenge>
  Options None
  Order allow,deny
  Allow from all
</Location>

Reload Apache:

service httpd reload

Step 4 - Obtain SSL certificates from Let's Encrypt server

Run the following command to obtain the certificate:

Centos 6:

./certbot-auto certonly --webroot -w /var/www/html/ -d miarec.example.com

Centos 7:

certbot certonly --webroot -w /var/www/html/ -d miarec.example.com

Important! Replace miarec.example.com with your MiaRec server DNS name.

If everything goes well, then you should see the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/miarec.example.com/fullchain.pem. Your cert will
   expire on 2017-08-06. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

Note the location of the generated certificate files. In our example, it is /etc/letsencrypt/live/miarec.example.com/.

Step 5 - Install mod_ssl module for Apache

yum install mod_ssl

The module will automatically be enabled during installation, and Apache will be able to start using an SSL certificate after it is restarted. You don't need to take any additional steps for mod_ssl to be ready for use.

Step 6 - Configure Apache to use new SSL certificates

Edit file /etc/httpd/conf.d/ssl.conf

vi /etc/httpd/conf.d/ssl.conf

Modify the parameters SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. They should point to the public, private and CA certificate files correspondingly.

Example of configuration (replace miarec.example.com with your domain):

#   Server Public Key:
SSLCertificateFile /etc/letsencrypt/live/miarec.example.com/cert.pem

#   Server Private Key:
SSLCertificateKeyFile /etc/letsencrypt/live/miarec.example.com/privkey.pem

#   Server Certificate Chain:
SSLCertificateChainFile /etc/letsencrypt/live/miarec.example.com/chain.pem

Step 7 - Open port 443 on firewall

Add exclusion rule to firewall:

iptables -I INPUT 5 -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

Save all rules into iptables configuration file:

service iptables save

Restart iptables service:

service iptables restart

Step 8 - Force HTTPS for all traffic except internal call event notification (recommended)

Create file /etc/httpd/conf.d/miarec-ssl.conf:

vi /etc/httpd/conf.d/miarec-ssl.conf

Copy/paste the following content into this file:

NameVirtualHost *:80
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTP_HOST}%{REQUEST_URI} !^127.0.0.1/notify
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>

Reload Apache:

service httpd reload

What is "127.0.0.1/notify" in the rewrite rule? MiaRec uses internally the HTTP protocol for sending call event notifications from recorder engine to a web portal. The above rewrite rule will force HTTPS for all web traffic except internal communication between recorder and web portal.

Step 9 - Configure cron to automatically renew the certificate.

Let’s Encrypt CA issues short-lived certificates (90 days). This tutorial shows how to automatically renew the certificates using cron.

Edit file /etc/crontab:

vi /etc/crontab

Insert the following line to the end of file:

Centos 6:

27 5,21 * * * root /root/certbot-auto renew --quiet --no-self-upgrade --post-hook "apachectl graceful"

Centos 7:

27 5,21 * * * root certbot renew --quiet --no-self-upgrade --post-hook "apachectl graceful"

The example above will run the renew sub-command at 05:27 and 21:27 daily. You can change time to other values. If the certificates are updated, then apache is gracefully restarted.

Reload crond service:

Centos 6:

/etc/init.d/crond reload

Centos 7:

service crond restart

Setup SSL certificate for MiaRec Web portal on Centos

In order to enable HTTPS (SSL) in MiaRec Web server, it is necessary to install SSL certificate. The certificate should be issued from a trusted Certificate Authority (like Verisign/Symantec, Comodo, GlobalSign, Digicert, GoDaddy etc).

The certificate is issued per domain name and can be used only with particular name. For example, if you install MiaRec on server and access it with address https://rec.my-company.com, then the SSL certificate should be issued to “rec.my-company.com” domain name.

Alternatively, the certificate can be self-signed. This means that instead of signing the certificate by Trusted Authority, you will sign it by your own certificate. In this case you will see in browser warning message that certificate is not trusted (means that it is not signed by trusted Certificate Authority), although the connection between client’s web-browser and MiaRec server will be secure and encrypted:

You can generate the self-signed certificate using the following command line:

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout server.key -out server.crt

This command will generate key/certificate pair and then sign it.

1. Install mod_ssl module for Apache

yum install mod_ssl

The module will automatically be enabled during installation, and Apache will be able to start using an SSL certificate after it is restarted. You don't need to take any additional steps for mod_ssl to be ready for use.

2. Install SSL private key and certificate

Copy your SSL private key to directory:

/etc/pki/tls/private/

Copy your SSL certificate to directory:

/etc/pki/tls/certs/

In some case you may need to copy also intermediary certificate of the company, which signed your certificate. Check their official instructions for Apache server.

3. Edit Apache configuration file (ssl.conf)

Edit file /etc/httpd/conf.d/ssl.conf and make sure that:

  • SSLCertificateFile points to your certificate
  • SSLCertificateKeyFile points to your private certificate
  • SSLCertificateChainFile points to your certificate authority intermediary certificate (check your authority instructions)
#   Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/miarec.example.com.crt

#   Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/miarec.example.com.key

#   Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/CA.crt

4. Disable SSL protocol, allow TLS v1.2 only

It is recommended to disable SSL version 3.0 protocol, and force clients to use more secure TLS v1.2

Edit file /etc/httpd/conf.d/ssl.conf, locate the SSLProtocol line, if its commented out with a #, remove the hash (#) symbol and change it to the following:

SSLProtocol TLSv1.2

Now to increase the security strength we can also disable the weaker ciphers, located the SSLCipherSuite line, uncomment it and make it:

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA:!RC4:!3DES

5. Open port 443 on firewall

Add exclusion rule to firewall:

iptables -I INPUT 5 -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

Save all rules into iptables configuration file:

service iptables save

Restart iptables service:

service iptables restart

6. [Optional] Force HTTPS for all traffic except internal call events

Create file /etc/httpd/conf.d/miarec-ssl.conf:

vi /etc/httpd/conf.d/miarec-ssl.conf

Copy/paste the following content into this file:

NameVirtualHost *:80
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTP_HOST}%{REQUEST_URI} !^127.0.0.1/notify
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>

Reload Apache:

service httpd reload

What is "127.0.0.1/notify" in the rewrite rule? MiaRec uses internally the HTTP protocol for sending call event notifications from recorder engine to a web portal. The above rewrite rule will force HTTPS for all web traffic except internal communication between recorder and web portal.

7. Restart Apache

service httpd restart