Configuring Alfresco SSL by using Let’s Encrypt

/ / Published in Blog, Document Management
Integrating Alfresco with the new Google Vision API
Alfresco OCR integration

Below is described a secure configuration for Alfresco Community 5 by using an SSL certificate generated by the new CA Let’s Encrypt under following assumptions:

  • Server with access from and to Internet
  • CentOS 6.7 minimal
  • Default Alfresco Community 5 installation at /opt/alfresco

alfresco-ssl-keensoft

1. Installing Apache HTTPd

Default installation from default repository.

# yum install httpd
# chkconfig httpd on

2. Installing APR native connector for Apache Tomcat

Some analysis are showing that native APR connector is the most efficient one in order to use SSL. As source code is provided in Apache Tomcat default distribution, previous compiling is required before configuration.


# yum install openssl-devel
# yum groupinstall "Development Tools"

# cd /opt/alfresco/tomcat/bin
# tar -zxvf tomcat-native.tar.gz
# cd tomcat-native-1.1.32-src/jni/native
# ./configure --with-apr=/usr/local/apr --with-java-home=/opt/jdk1.8.0_66
# make
# make install

Once this connector is available (default path is /usr/local/apr/lib), JNI configuration must be performed in Apache Tomcat.


# vi /opt/alfresco/tomcat/bin/catalina.sh
++ CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/apr/lib"

The process can be verified by examining Tomcat log file (usually named catalina.out) to find following line.


# cat /opt/alfresco/tomcat/logs/catalina.out
INFO: Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.5.2.

3. Generating SSL certificates with Let’s Encrypt

Let’s Encrypt provides high quality SSL certificates for free. Once configured, users access the web site with a green locker, no additional operation is required. However, this procedure can’t be use for Intranets, because Let’s Encrypt requires Internet connections in both directions for validating purposes.

Let’s Encrypt software depends on Python 2.7, which is not available in public repositories for CentOS 6. Hence, manual installation is required and even Let’s Encrypt script has to be modified.


# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
# rpm -Uvh epel-release-latest-6.noarch.rpm
# wget https://centos6.iuscommunity.org/ius-release.rpm
# rpm -Uvh ius-release.rpm
# yum -y install python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius

# yum install git
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
# sed -i "s|--python python2|--python python2.7|" letsencrypt-auto

Once the software is installed, user account activation and SSL certificates generation must be performed. Let’s Encrypt will provide SSL certificates at default path /etc/letsencrypt/live/hostname.


# ./letsencrypt-auto --verbose
# ./letsencrypt-auto certonly --standalone -d alfresco.keensoft.es

# ls /etc/letsencrypt/live/alfresco.keensoft.es/cert.pem
# ls /etc/letsencrypt/live/alfresco.keensoft.es/privkey.pem
# ls /etc/letsencrypt/live/alfresco.keensoft.es/fullchain.pem

4. mod_jk installation for Apache HTTPd

Web request redirections from Apache HTTPd to Apache Tomcat can be performed by using AJP protocol (usually in port 8009), which requires configuring mod_jk for Apache HTTPd. From our experience, this module is better in terms of efficiency for Alfresco than other common alternatives like mod_proxy.

This connector is distributed also as source code, so compiling is a previous task.


# yum install httpd-devel

# wget http://ftp.cixug.es/apache/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.41-src.tar.gz
# tar -xvzf tomcat-connectors-1.2.41-src.tar.gz
# cd tomcat-connectors-1.2.41-src/native
# ./configure --with-apxs=/usr/sbin/apxs
# make
# make install

Once compiled and installed, workers must be declared. Below a simple configuration with one worker named as app1Worker is described.


# vi /etc/httpd/conf.d/mod_jk.conf
LoadModule jk_module "/etc/httpd/modules/mod_jk.so"
JkWorkersFile /etc/httpd/conf/workers.properties
JkShmFile     /var/run/httpd/mod_jk.shm
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

# vi /etc/httpd/conf/workers.properties
workers.apache_log=/var/log/httpd
worker.list=app1Worker
worker.stat1.type=status

worker.app1Worker.type=ajp13
worker.app1Worker.host=alfresco.keensoft.es
worker.app1Worker.port=8009

Finally, redirections are configured in order to serve every request by SSL 443 port using Let’s Encrypt certificates.


# vi /etc/httpd/conf.d/alfresco.conf
<VirtualHost *:80>
ServerName alfresco.keensoft.es
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://alfresco.keensoft.es/$1 [R=301,L]
</VirtualHost>

Listen 443
<VirtualHost *:443>
ServerName alfresco.keensoft.es

JkMount /* app1Worker

SSLEngine           on
SSLVerifyClient     none

SSLCertificateFile    /etc/letsencrypt/live/alfresco.keensoft.es/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/alfresco.keensoft.es/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/alfresco.keensoft.es/fullchain.pem

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
</VirtualHost>

5. Alfresco configuration

SSL ports for alfresco and share web apps are declared in alfresco configuration file.


# vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties

alfresco.context=alfresco
alfresco.host=alfresco.keensoft.es
alfresco.port=443
alfresco.protocol=https

share.context=share
share.host=alfresco.keensoft.es
share.port=443
share.protocol=https

6. Automated SSL certificate renewal script

Let’s Encrypt SSL certificates are issued with a expiration of 90 days, so an automated renewal policy is required. By using --renew-by-default option, no human intervention is required in order to get a new set of certificates on the same path. Writing a new monthly task for cron should be enough, because it’s not necessary to wait till expiration date to request a certificate renewal.

# vi /etc/cron.monthly/letsencrypt-renew.cron
service httpd stop
/root/letsencrypt/letsencrypt-auto --renew-by-default certonly --standalone -d alfresco.keensoft.es
service httpd start
# chmod +x /etc/cron.monthly/letsencrypt-renew.cron

For every renewal request, a new set of SSL certificates is issued in archive Let’s Encrypt folder.

# ls -l /etc/letsencrypt/live/alfresco.keensoft.es/
lrwxrwxrwx 1 root root 44 ene  7 12:04 cert.pem -> ../../archive/alfresco.keensoft.es/cert3.pem
lrwxrwxrwx 1 root root 45 ene  7 12:04 chain.pem -> ../../archive/alfresco.keensoft.es/chain3.pem
lrwxrwxrwx 1 root root 49 ene  7 12:04 fullchain.pem -> ../../archive/alfresco.keensoft.es/fullchain3.pem
lrwxrwxrwx 1 root root 47 ene  7 12:04 privkey.pem -> ../../archive/alfresco.keensoft.es/privkey3.pem

Using this configuration, Alfresco will provide SSL channel for every protocol and operation. Never was so easy to secure your web servers!

Unidad de negocio, keensoft

Unidad de negocio, keensoft

What you can read next

alfresco community
Alfresco Community runs on Oracle
Alfresco Analytics 1.0
alfrescosummit
keensoft´s schedule at the Alfresco 2014 Summit (London)