Configuring Alfresco SSL by using Let’s Encrypt

/ / Blog, Document Management
Integrating Alfresco with the new Google Vision API
Alfresco OCR integration

Below is described a secure configuration for Alfresco Community 5 by using an SSL certificate generated by the new CA Let’s Encrypt under following assumptions:

  • Server with access from and to Internet
  • CentOS 6.7 minimal
  • Default Alfresco Community 5 installation at /opt/alfresco


1. Installing Apache HTTPd

Default installation from default repository.

# yum install httpd
# chkconfig httpd on

2. Installing APR native connector for Apache Tomcat

Some analysis are showing that native APR connector is the most efficient one in order to use SSL. As source code is provided in Apache Tomcat default distribution, previous compiling is required before configuration.

# yum install openssl-devel
# yum groupinstall "Development Tools"

# cd /opt/alfresco/tomcat/bin
# tar -zxvf tomcat-native.tar.gz
# cd tomcat-native-1.1.32-src/jni/native
# ./configure --with-apr=/usr/local/apr --with-java-home=/opt/jdk1.8.0_66
# make
# make install

Once this connector is available (default path is /usr/local/apr/lib), JNI configuration must be performed in Apache Tomcat.

# vi /opt/alfresco/tomcat/bin/
++ CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/apr/lib"

The process can be verified by examining Tomcat log file (usually named catalina.out) to find following line.

# cat /opt/alfresco/tomcat/logs/catalina.out
INFO: Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.5.2.

3. Generating SSL certificates with Let’s Encrypt

Let’s Encrypt provides high quality SSL certificates for free. Once configured, users access the web site with a green locker, no additional operation is required. However, this procedure can’t be use for Intranets, because Let’s Encrypt requires Internet connections in both directions for validating purposes.

Let’s Encrypt software depends on Python 2.7, which is not available in public repositories for CentOS 6. Hence, manual installation is required and even Let’s Encrypt script has to be modified.

# wget
# rpm -Uvh epel-release-latest-6.noarch.rpm
# wget
# rpm -Uvh ius-release.rpm
# yum -y install python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius

# yum install git
# git clone
# cd letsencrypt
# sed -i "s|--python python2|--python python2.7|" letsencrypt-auto

Once the software is installed, user account activation and SSL certificates generation must be performed. Let’s Encrypt will provide SSL certificates at default path /etc/letsencrypt/live/hostname.

# ./letsencrypt-auto --verbose
# ./letsencrypt-auto certonly --standalone -d

# ls /etc/letsencrypt/live/
# ls /etc/letsencrypt/live/
# ls /etc/letsencrypt/live/

4. mod_jk installation for Apache HTTPd

Web request redirections from Apache HTTPd to Apache Tomcat can be performed by using AJP protocol (usually in port 8009), which requires configuring mod_jk for Apache HTTPd. From our experience, this module is better in terms of efficiency for Alfresco than other common alternatives like mod_proxy.

This connector is distributed also as source code, so compiling is a previous task.

# yum install httpd-devel

# wget
# tar -xvzf tomcat-connectors-1.2.41-src.tar.gz
# cd tomcat-connectors-1.2.41-src/native
# ./configure --with-apxs=/usr/sbin/apxs
# make
# make install

Once compiled and installed, workers must be declared. Below a simple configuration with one worker named as app1Worker is described.

# vi /etc/httpd/conf.d/mod_jk.conf
LoadModule jk_module "/etc/httpd/modules/"
JkWorkersFile /etc/httpd/conf/
JkShmFile     /var/run/httpd/mod_jk.shm
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

# vi /etc/httpd/conf/


Finally, redirections are configured in order to serve every request by SSL 443 port using Let’s Encrypt certificates.

# vi /etc/httpd/conf.d/alfresco.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*)$1 [R=301,L]

Listen 443
<VirtualHost *:443>

JkMount /* app1Worker

SSLEngine           on
SSLVerifyClient     none

SSLCertificateFile    /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

5. Alfresco configuration

SSL ports for alfresco and share web apps are declared in alfresco configuration file.

# vi /opt/alfresco/tomcat/shared/classes/



6. Automated SSL certificate renewal script

Let’s Encrypt SSL certificates are issued with a expiration of 90 days, so an automated renewal policy is required. By using --renew-by-default option, no human intervention is required in order to get a new set of certificates on the same path. Writing a new monthly task for cron should be enough, because it’s not necessary to wait till expiration date to request a certificate renewal.

# vi /etc/cron.monthly/letsencrypt-renew.cron
service httpd stop
/root/letsencrypt/letsencrypt-auto --renew-by-default certonly --standalone -d
service httpd start
# chmod +x /etc/cron.monthly/letsencrypt-renew.cron

For every renewal request, a new set of SSL certificates is issued in archive Let’s Encrypt folder.

# ls -l /etc/letsencrypt/live/
lrwxrwxrwx 1 root root 44 ene  7 12:04 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 45 ene  7 12:04 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 49 ene  7 12:04 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 47 ene  7 12:04 privkey.pem -> ../../archive/

Using this configuration, Alfresco will provide SSL channel for every protocol and operation. Never was so easy to secure your web servers!

Unidad de negocio, keensoft