Review configuration inputs for SSL in ood-portal.conf

I’m conducting an annual update of ssl certs. We generate the new certs using certbot, which has proven useful. This discussion references the implementation in RHEL 8, with apache conf in /etc/httpd.

Before implementing the new certificates, I was reviewing the ood docs, trying to recall the partnership between /etc/ood/config/ood-portal.yml and the apache ssl.conf. I believe that when generating a new /etc/httpd/conf.d/ood-portal.conf via the script
/opt/ood/ood-portal-generator/sbin/update_ood_portal, information is taken from the two source files mentioned above:
  - /etc/ood/config/ood-portal.yml
  - /etc/httpd/conf.d/ssl.conf

So, two questions for clarification:

  1. Priority
     Is configuration in the ood-portal.yml taking priority over ssl.conf when constructing ood-portal.conf?
  2. SSL config and OOD
     Are these settings associated with certbot in ssl.conf overly restrictive, or at all detrimental for operating OOD? The SSLCipherSuite is very different from what is mentioned in the ood docs, and yet those materials look to me unchanged from my early implementation of ood here with v1.4 or so.

     # Certbot handling
     #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
     #SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
     #SSLHonorCipherOrder off
     #SSLOptions +StrictRequire
     #SSLCertificateFile /etc/pki/tls/acme/config/live/ondemand-pioneer.case.edu/cert.pem
     #SSLCertificateKeyFile /etc/pki/tls/acme/config/live/ondemand-pioneer.case.edu/privkey.pem

We use certbot on our ood servers. Our ssl.conf is untouched (according to rpm -qV); our generated ood-portal.conf contains the path /etc/letsencrypt/live/… which is where certbot likes to put things.

We have an additional /etc/httpd/ssl/nessus.conf that sets a bunch of stuff (including a restricted SSL Cipher Suite) to keep our ISO group happy.

None of that affects certbot. certbot connects to your provider, and, if needed, plops a file in /etc/letsencrypt/… and runs an httpd reload command.

My memory on how apache handles configs is they are processed in alphabetical order.

Cheers,

Ric

Thanks @azric.

Hi @emily.dragowsky

Does this help you?

-gerald

Hi, Ric, Gerald – Ric, perhaps you could be a little more explicit. I infer that ood-portal.yml is edited at your site to point to /etc/letsencrypt/… That would be consistent with our procedure, although our certbot configuration uses the path /etc/pki/tls/acme/config/ as the base for certbot.

So, my two questions stand for clarification: priority, and certainly the advisability of using the code-block shared previously in either ssl.conf or in ood-portal.yml.

Cheers

We have this snippet:

    List of SSL Apache directives
    Example:
        ssl:
          - 'SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"'
          - 'SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"'
    Default: null (no SSL support)
    #ssl: null
    ssl:
      - 'SSLCertificateFile "/etc/letsencrypt/live/DVcert/cert.pem"'
      - 'SSLCertificateKeyFile "/etc/letsencrypt/live/DVcert/privkey.pem"'
      - 'SSLCertificateChainFile "/etc/letsencrypt/live/DVcert/chain.pem"'

in /etc/ood/config/ood_portal.yml.

/etc/httpd/conf.d/ssl.conf is as released by the vendor.

The only other local change we have is an additional file /etc/httpd/conf.d/sslnessus.conf which contains changes to keep nessus happy. In a separate file here so we don’t have to alter RPM owned files (e.g., …/conf/httpd.conf or ./ssl.conf).


Clarifying my understanding (alternately, clarifying my confusion): /etc/httpd/conf.d/ood-portal.conf and /etc/httpd/conf.d/ssl.conf complement each other in establishing the apache configuration. And while I don’t know the rules yet, there must be a precedence established in the case that both ood_portal.conf and ssl.conf specify SSLProtocol and/or SSLCipherSuite.

Question to OnDemand community: does OnDemand operationally “care” what the settings actually are? Do the docs that advise setting ‘SSLCertificateFile’ values mean to say the OnDemand has a requirement internally? Or is this assuming that the Apache ‘ssl.conf’ is somehow inadequate?
https://osc.github.io/ood-documentation/release-2.0/installation/add-ssl.html?highlight=sslcertificatefile
And if OnDemand wants the certfile info in ondemand-portal.conf, then why not the SSLProtocol and the SSLCipherSuite?

Bottom line question: Does Apache SSL configuration belong in ood-portal.conf at all? Why should this duplicate information in ssl.conf?

Thanks again!

The TLDR is - You need to supply SSLCertificate* configurations to OnDemand. Beyond that you can set other ssl settings globally in ssl.conf or locally to that DNS hostname in ood-portal.conf.

It’s important to note a couple things here:

  • certificates are specific to a DNS hostname.
  • apache can respond to any number of DNS hostnames (through VirtualHosts).
  • ood_portal.conf specifies 1 DNS hostname.
  • directives can be global across all VirtualHosts (a VirtualHost is configuration for a specific DNS hostname) or specific to that VirtualHost.

So putting that together we get a couple things:

  • you need to specify at least SSLCertificate* files for ood-portal.conf because those certificates are specific to that DNS hostname.
  • You could use ssl.conf to specify SSL settings globally. For example what ciphers you’d accept (SSLCipherSuite). Because these settings are global (they apply to all VirtualHosts) this could be beneficial in terms of configuration management. Since they apply across the board, you don’t have them here and there and everywhere, and potentially have mismatches.
    • alternatively - if you only run OnDemand through this apache, you could forget about ssl.conf and supply everything in that VirtualHost (ood-portal.conf) specifically. This may be easier to reason about, but does kind of limit you should you want to set up another website through that same apache instance.

From the apache documentation - VirtualHost settings (i.e., ood-portal.conf) override global settings. That seems reasonable as VirtualHost settings are more specific/granular than global settings.

    Sections inside <VirtualHost> sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration.

https://httpd.apache.org/docs/2.4/sections.html#merging

Hope that helps! Let me know if you need further clarification.
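As an added illustration of the merge rule described in this reply (not code from the thread or from the Open OnDemand project), the Python below parses a constructed global ssl.conf and a constructed ood-portal.conf VirtualHost, applies Apache's "VirtualHost overrides main server" rule to the SSL* directives, and checks that the hostname-specific SSLCertificate* directives sit inside the VirtualHost. Hostname and file paths are placeholders, and the cipher/protocol values are sample settings, not a recommendation.

```python
import re
# Constructed stand-in for the vendor ssl.conf (global, main-server scope).
GLOBAL_SSL_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
"""

# Constructed stand-in for the VirtualHost update_ood_portal writes from the
# `ssl:` list in ood-portal.yml; hostname and paths are placeholders.
OOD_PORTAL_CONF = """
<VirtualHost *:443>
  SSLCertificateFile "/etc/letsencrypt/live/ood.example.edu/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/ood.example.edu/privkey.pem"
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

DIRECTIVE = re.compile(r'^\s*(SSL\w+)\s+(.+?)\s*$')   # '#'-commented lines never match
VHOST = re.compile(r'<VirtualHost[^>]*>(.*?)</VirtualHost>', re.S)

def parse_directives(text):
    """Map SSL* directive -> value (surrounding quotes stripped) for one config scope."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip('"')
    return found

def split_vhost(text):
    """Return (text outside the first <VirtualHost> block, text inside it)."""
    m = VHOST.search(text)
    return (text[:m.start()] + text[m.end():], m.group(1)) if m else (text, '')

def effective_ssl(global_conf, ood_portal_conf):
    """Merge as Apache does: VirtualHost directives override main-server ones.
    Returns (effective settings, names of directives the VirtualHost overrode)."""
    outside, inside = split_vhost(ood_portal_conf)
    main = parse_directives(global_conf + '\n' + outside)
    vhost = parse_directives(inside)
    overridden = sorted(k for k in vhost if k in main and main[k] != vhost[k])
    return {**main, **vhost}, overridden

def missing_certificate_directives(ood_portal_conf):
    """Certificates are per hostname, so they must be inside the VirtualHost itself."""
    vhost = parse_directives(split_vhost(ood_portal_conf)[1])
    return [d for d in ('SSLCertificateFile', 'SSLCertificateKeyFile') if d not in vhost]
```

Running it on real files (`httpd -t -D DUMP_VHOSTS` shows which VirtualHost Apache actually selects) is a quick way to confirm that the cipher suite you expect is the one in effect for the OnDemand hostname.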