TLS/SSL Certificates

Last Updated: March 27, 2023

This document walks through configuring a server (TLS/SSL) certificate for Access Anywhere Server. The certificate authenticates the identity of the appliance to your users and is used to encrypt traffic between client applications and the server.

For information on certificate verification with storage services see Storage Provider Certificates.

The appliance ships with a self-signed certificate. Browsers and client applications do not trust it, so they show warnings or refuse to connect. Replace it with a certificate issued for the domain name(s) you have given the appliance.

You can create a valid certificate from Let's Encrypt from within the appliance or add a certificate you have generated through a third party.

Let's Encrypt

This section creates and configures SSL certificates from Let's Encrypt. If you are using your own certificates (or a different service) see the section below Your Own Certificates.

First SSH into the appliance as smeconfiguser.

Elevate to the root user, entering the root password if prompted.

For example,

 sudo bash

or

 su -

Note: Let's Encrypt validates the request by connecting to the appliance on TCP port 80 at each host name you select, so port 80 must be reachable from the internet. The appliance will be inaccessible during the request, which may take up to a minute.

Run the following command:

certbot --authenticator standalone --installer apache --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"

The standalone authenticator answers the Let's Encrypt HTTP-01 challenge on port 80 itself, which is why httpd is stopped before the request and started again afterwards. Certbot saves these hooks in the renewal configuration, so every later renewal stops and restarts httpd the same way.

This command will prompt for an email address. It’s important to give this information so that an admin can be notified in the future if there are issues automatically renewing the certificate.

Please also agree to the Terms of Service. It is not necessary to share the provided email with the Electronic Frontier Foundation.

Certbot will automatically detect the FQDNs that are set up for the Nasuni Access Anywhere Server and prompt for which should be included in the certificate. Skip activation of the s3 endpoint, which is no longer used.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: files.example.com
2: s3.files.example.com
3: files-webdav.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input 
blank to select all options shown (Enter 'c' to cancel): 1,3
   

You can skip creating SSL certificates for the services (S3, WebDAV) you won't be using.

Lastly, Certbot will ask whether to redirect all HTTP traffic to HTTPS. Select option 1 (No redirect): the server already has HTTP-to-HTTPS redirection configured, so Certbot does not need to modify the web server configuration for it.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

After successful completion, the server will automatically start using the new certificate. Let's Encrypt certificates are valid for 90 days, so the final step is to set up automated renewal.

Caution: running smeconfigserver after Let's Encrypt has been set up overwrites the SSL configuration, and the server stops using the Let's Encrypt certificate. This happens even if you do not touch the SSL certificate settings in smeconfigserver. To avoid this, complete all smeconfigserver configuration first and then set up Let's Encrypt as described in this section. If you later have to change the configuration with smeconfigserver, repeat the steps in this section to resume using the Let's Encrypt certificate.

Automatically renewing the certificate

A Let's Encrypt certificate is valid for 90 days. certbot renew does nothing until the certificate is within 30 days of expiry and then renews it, so a simple cron job that runs daily is enough to handle renewals.

Please Note: The server will be inaccessible during the renewal. Please ensure that the renewal time is during off hours. Downtime will only occur every 60 days when a renewal is required and may last up to one minute.

While still logged in as root run the following command to add a cron job.

 crontab -e

In the example below the renewal attempt will run at 2:30 AM in the timezone of the server. The server ships with the timezone set to UTC by default, so adjust the time in the crontab as necessary.

30 2 * * * /bin/certbot renew >> /var/log/letsencrypt/le-renew.log 2>&1

This crontab entry runs the renewal check daily and appends its output, including errors, to the log file (without 2>&1, errors would go to cron's mail rather than the log). Before relying on it, run certbot renew --dry-run once as root to confirm that renewal and the saved pre/post hooks work; the hooks run during the dry run, so expect the same brief outage.

Use the SSL Labs Server Test at https://www.ssllabs.com/ to check the installation from the outside: it confirms that the certificate chain is complete and trusted and that no weak protocols or ciphers are enabled.

Your Own Certificates

Start NAA Config Server

Leave root privilege:

[root@ip-10-0-0-192 smeconfiguser]# exit

As the smeconfiguser start the configuration server by typing smeconfigserver. You should see a confirmation that the config server is running:

[smeconfiguser@ip-10-0-0-192 ~]$ smeconfigserver
Please contact me with a browser on port 8080
Hit Ctrl+C when work is done

Now open your browser to:

http://<your_ip>:8080

SSL Certificate Settings

The File Server uses HTTPS to communicate with clients. For HTTPS to work correctly you need a certificate that covers every host name you have configured for the appliance: either a wildcard certificate for the domain, or one whose Subject Alternative Names list each host name. Apply the certificate, the key and the chain (intermediate) files in Apache PEM format. Ensure that the key file is not encrypted or password protected, since httpd cannot start unattended with a passphrase-protected key.

This will require a reboot.

To generate a CSR if you are applying for certificates please see http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#realcert
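The following script is an added example, not part of the Access Anywhere Server documentation or product. It generates a key and CSR whose Subject Alternative Names cover every appliance host name (the Apache FAQ linked above covers the single-name case), and runs the checks worth doing on any certificate bundle before applying it through smeconfigserver: the key is not passphrase protected, the key matches the certificate, the chain file actually issued the certificate, every host name is covered, and the certificate is not about to expire. The same checks apply to the files certbot leaves under /etc/letsencrypt/live/<name>/ (cert.pem, privkey.pem, chain.pem). The host names (files.example.com, files-webdav.example.com) and file paths are placeholders; it needs only openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example, not part of the Access Anywhere Server product or docs.
# Preflight checks for a certificate bundle (server cert, private key, chain)
# before it is applied to the appliance, plus a CSR generator that lists every
# appliance host name as a Subject Alternative Name. Needs only openssl.
# All paths and host names are placeholders.

# make_csr KEYFILE CSRFILE HOST [HOST...]
# Writes an unencrypted 2048-bit RSA key (the appliance cannot unlock a
# passphrase-protected key when httpd starts) and a CSR whose SAN extension
# names every host given. The first host also becomes the CN.
make_csr() {
  local key csr cn san h cfg rc
  key=$1; csr=$2; shift 2
  cn=$1; san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  cfg=$(mktemp)
  printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = %s\n' "$san" > "$cfg"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$key" -out "$csr" \
    -subj "/CN=$cn" -config "$cfg" -reqexts san >/dev/null 2>&1
  rc=$?; rm -f "$cfg"; return $rc
}

# key_is_encrypted KEYFILE
# True if the PEM key is passphrase protected: PKCS#8 keys carry an
# "ENCRYPTED PRIVATE KEY" header, legacy keys a "Proc-Type: 4,ENCRYPTED" line.
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# key_matches_cert KEYFILE CERTFILE
# True if the key's public half is the one embedded in the certificate.
# Compares the PEM SubjectPublicKeyInfo, so RSA and EC keys are both handled.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# chain_matches CERTFILE CHAINFILE
# True if the server certificate was issued by a certificate in CHAINFILE.
# -partial_chain lets the intermediate act as the trust anchor, so the check
# does not depend on the system root store.
chain_matches() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_covers CERTFILE HOST [HOST...]
# True if every host is in the certificate's SAN list, either literally or via
# a wildcard entry for its parent domain (*.example.com covers
# files.example.com but not files.sub.example.com).
cert_covers() {
  local cert sans h h_re dom_re
  cert=$1; shift
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name') || return 1
  for h in "$@"; do
    h_re=$(printf '%s' "$h" | sed 's/\./\\./g')
    dom_re=$(printf '%s' "${h#*.}" | sed 's/\./\\./g')
    printf '%s\n' "$sans" | grep -qE "DNS:($h_re|\\*\\.$dom_re)(,|\$)" || return 1
  done
}

# cert_expires_within CERTFILE DAYS
# True if the certificate is unreadable, already expired, or expires within
# DAYS days (certbot renews once a certificate is inside its last 30 days).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERTFILE KEYFILE CHAINFILE HOST [HOST...]
# Runs every check, prints one line per problem, and succeeds only if all pass.
preflight() {
  local cert key chain rc
  cert=$1; key=$2; chain=$3; rc=0; shift 3
  key_is_encrypted "$key"         && { echo "key is passphrase protected"; rc=1; }
  key_matches_cert "$key" "$cert" || { echo "key does not match certificate"; rc=1; }
  chain_matches "$cert" "$chain"  || { echo "chain does not issue certificate"; rc=1; }
  cert_covers "$cert" "$@"        || { echo "certificate does not cover: $*"; rc=1; }
  cert_expires_within "$cert" 30  && { echo "certificate expires within 30 days"; rc=1; }
  return $rc
}

# Usage, e.g. against the files certbot leaves under /etc/letsencrypt/live/<name>/:
# preflight /etc/letsencrypt/live/files.example.com/cert.pem \
#           /etc/letsencrypt/live/files.example.com/privkey.pem \
#           /etc/letsencrypt/live/files.example.com/chain.pem \
#           files.example.com files-webdav.example.com
```

Run preflight before uploading the three files in smeconfigserver; a non-zero exit with "key is passphrase protected" or "key does not match certificate" is exactly the condition that would otherwise leave httpd unable to start after the reboot.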

To find the currently applied private key, SSH into the server as smeconfiguser and go to

cd /etc/pki/tls/private