12
edits
Changes
From Amahi Wiki
m
{{NeedsUpdate}}{{MessageBox|backgroundcolor = #faa|image =Warning.png|heading =WARNING|message = This is recommended only for advanced users, proceed with caution.}}Here I will discuss accessing your Amahi HDA over SSL. This means that you will go to your home page ''<nowiki>http://hda </nowiki>'' and it will automatically convert to ''<nowiki>https://hda</nowiki>''.
Fedora:''mod_ssl '' for Apache2 is required for this functionality. Luckily Fedora makes it easy.<pre><nowiki>yum dnf -y install mod_ssl</nowiki></pre>
Ubuntu== Generate your own certificates =='''NOTE:Not needed, should already be installed''' Leaving defaults will not make your server less secure. If notyou don't understand what I mean then you should read about [http:<pre><nowiki>sudo a2enmod ssl</nowiki></pre>en.wikipedia.org/wiki/Public-key_cryptography public-key cryptography] which is essentially what SSL uses.
== Generate your own As of Chrome version 58, the Chrome browser requires SSL certificates ==NOTE: Leaving defaults will not make your server less secure. Make sure that you change "asecretpassword" in the commands below to something else. Otherwise any commands which don't have "asecretpassword" in it can be copied use SAN (Subject Alternative Name) and pastedhas removed Common Name (CN). This has to do with Using a CN will produce an error within the Security Overview section of the certificate, telling the challenge password for user that the private keySAN is missing. If you don't understand what I mean then you should read about [http://en.wikipedia.org/wiki/Public-key_cryptography public-key cryptography] which A new method of creating the certificate is essentially what SSL uses.<pre><nowiki>mkdir /etc/httpd/sslrequired.crt
openssl genrsa -des3 -passout pass:asecretpassword -out 1. Change directory to /etc/httpd/, and switch users <pre><nowiki>cd /etc/httpd/ssl.crtsudo -s</nowiki></server.key.org 1024pre>
openssl req -2. Create a new -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -out /etc/httpd/sslfile createRootCA.crt/serversh using vi, nano, or your favorite text editor.csr -days 3650
openssl rsa -passin pass:asecretpassword -in /etc/httpd/ssl3.crt/serverNow create another file createselfsignedcertificate.key.org -out /etc/httpd/ssl.crt/server.keysh:
mv /etc/httpd/ssl4.crt/Create the configuration file server.key /etc/httpd/sslcsr.key/servercnf.key
service systemctl restart httpd == Bonus ==Fedora 27/Amahi 11 provides [http://www.amahi.org/apps/cockpit Cockpit], a powerful browser-based server administration portal. To eliminate the SSL warning on this page, you need to create a .cert file using files previously created in this walkthrough. The .cert file consists of the contents of the server.crt and server.key. To create the file, run the following commands. This will automatically place the file in the correct directory. <pre><nowiki>cat /etc/httpd/ssl.crt/server.crt > /etc/cockpit/ws-certs.d/01-self-signed.certcat /etc/httpd restart/ssl.crt/server.key >> /etc/cockpit/ws-certs.d/01-self-signed.cert</nowiki></pre>
<pre><nowiki> service httpd configtest</nowiki></pre> If all goes well and you get "'''Syntax OK'''" then you can start your Apache server again. systemctl restart httpd
If all goes well {{META_BOX_Green||AH00548: NameVirtualHost has no effect and you get "Syntax OK" then you can start your Apache server againwill be removed in the next release /etc/httpd/conf.<pre><nowiki>service httpd start<d/nowiki>00-init.conf:1</prebr>Syntax OK}}is acceptable and will work.
→Generate your own certificates
'''NOTE:''' This has not been tested with Amahi 7. Following this guidance is at your own risk and could break your HDA. This has been tested with Amahi 10, Fedora 25.
= Why is this recommended? =
Currently you access your Amahi HDA control panel unsecured. This means that anyone sniffing your network can get the password to your HDA. If your password is compromised then this means they can log in to possibly modify your shares or even access SSH (if you have it enabled). So I recommend anyone using SSH to at least have SSL access to their Amahi HDA.
[[User:Sag47|Sag47]] 00:38, 15 June 2011 (PDT). Updates and clarifications [[User:Spaceman|spaceman]] 15:23, 27 March 2017 (BST).[[User:Tamorgen|Tamorgen]] 09:15, 31 Oct 2018 (EST). Made changes for Subject Alternative Name.
'''NOTE:''' This may interfere with [[Hosting_a_website|Hosting a Website]] tutorial.
= Prerequisites =
I assume you already have Fedora 14 25 installed with Amahi up and running.
= Instructions =
All commands must be run as ''root'' user.
== Back up apache configurations ==
Before doing anything be sure to back up your apache configurations!
== Install mod_ssl ==
<pre><nowiki>#!/usr/bin/env bashmkdir ~/ssl/openssl genrsa -des3 -out ~/ssl/rootCA.key 2048openssl req -x509 -passin pass:asecretpassword new -passout pass:asecretpassword nodes -key /etc/httpd~/ssl.crt/serverrootCA.key.org -in /etc/httpdsha256 -days 1024 -out ~/ssl.crt/serverrootCA.csr -out /etc/httpdpem</ssl.crtnowiki></server.crt -days 3650pre>
<pre><nowiki>
#!/usr/bin/env bash
mkdir /etc/httpd/ssl.crt
mkdir /etc/httpd/ssl.key
openssl req -new -sha256 -nodes -out /etc/httpd/ssl.crt/server.csr -newkey rsa:2048 -keyout /etc/httpd/ssl.crt/server.key -config <( cat /etc/httpd/server.csr.cnf )
openssl x509 -req -in /etc/httpd/ssl.crt/server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out /etc/httpd/ssl.crt/server.crt -days 3650 -sha256 -extfile v3.ext
</nowiki></pre>
<pre><nowiki>
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=Maryland
L=Annapolis
O=Home Administrator
OU=HDA Domain
emailAddress=your-address@your-domain.com
CN = localhost
</nowiki></pre>
5. Now, create a file called v3.ext for the x509 v3 certificate
<pre><nowiki>
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = ''hostname.yourdomain''
DNS.2 = hda
DNS.3 = hda.''yourdomain''
DNS.4 = cockpit.''yourdomain''
</nowiki></pre>
6. Now it's time to create your certificates. Run createRootCA.sh. Follow the prompts
<pre><nowiki>
bash ./createRootCA.sh
</nowiki></pre>
Then createselfsignedcertificate.sh
<pre><nowiki>
bash ./createselfsignedcertificate.sh
</nowiki></pre>
7. Copy your newly created server.key to the ssl.key directory.
<pre><nowiki>
cp /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key
chmod 400 /etc/httpd/ssl.key/server.key</nowiki></pre>
8. Copy your rootCA.pem certificate to a network share, so you may import it to your favorite browser, to eliminate the untrusted certificate warning.
<pre><nowiki>
cd ~/ssl/
cp rootCA.pem /var/hda/files/docs/.
</nowiki></pre>
9. Import rootCA into your browser. For Chrome, Settings --> Advanced --> Manage Certificates --> Authorities --> Import. Select your root certificate from a locally accessible resource, either directly from, or after copying it from your share.
== Modify apache initialization ==
Modify the apache initialization for allowing SSL virtual hosts. Just in case you decide you want more than one virtual host to be capable of SSL. ('''NOTE''': NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/00-init.conf:1; this section can be ommited).
<pre><nowiki>(cd /etc/httpd/conf.d/ && echo 'NameVirtualHost *:443' >> ./00-init.conf)</nowiki></pre>
<pre><nowiki>cd /etc/httpd/conf.d/
cp 01-platform.conf 01-platform-ssl.conf</nowiki></pre>
You need to modify 01-platform-ssl.conf and <pre><nowiki>nano 01-platfrom-ssl.conf</pre>...replace the line with "<VirtualHost *:80>" to with the following lines...
<pre><nowiki><VirtualHost *:443>
SSLEngine on
== Create a redirect from HDA to secured HDA ==
Modify /etc/httpd/conf.d/'''01-platform.conf''' and go down to the rewrite rules<pre><nowiki>nano 01-platform. conf</nowiki></pre>Below the last rewrite rule , just before the line "# this was only for FCGI" put above the following code.<location /> section, add:
<pre><nowiki>RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]</nowiki></pre>
This will automatically redirect requests from <nowiki>http://hda ((http://192.168.1.10</nowiki>) to <nowiki>https://hda (https://192.168.1.10</nowiki>)...
== Restart the Apache2 server ==
Restart your server to apply the changes you've made. If you did everything right you shouldn't receive any warnings when restarting the server.
= Finished =
Now that you're done go ahead and visit '''<nowiki>http://hda</nowiki> ''' and watch it turn into '''<nowiki>https://hda</nowiki>'''! Understand that the certificates you generated have not been verified by a certificate authority so you'll need to confirm a security exception.
= Troubleshooting =
A way to solve this is to delete and retype the first an last character of each line which Apache is complaining about. You can then test your configuration again.
If all things end badly and you can't figure it out then it is possible to restart this tutorial from scratch. Just start it over.
== How do I start over? ==
Run the following command sequence.
<pre><nowiki>yum dnf -y remove mod_sslerase mod_ssl
rm -rf /etc/httpd/ssl.crt
rm -rf /etc/httpd/ssl.key
(cd /etc/httpd/conf.d/ && rm -f *-ssl.conf)
(cd /etc/httpd/ && tar -xzf apache-backup.tar.gz)systemctl restart httpd</nowiki></pre>
Then you can start the instructions again from step one.
