gvlproject / gvl.ansible.playbook

Playbook for building the Genomics Virtual Laboratory

Add support for letsencrypt #70

Open nuwang opened 7 years ago

nuwang commented 7 years ago

The self-generated certificates result in uninviting warnings. Test letsencrypt as a replacement.

nuwang commented 7 years ago

Letsencrypt needs a domain name to issue a certificate. This would mean that we need to integrate with Amazon route53 or Designate in OpenStack, which is probably best deferred to the new cloudman.

Enabling a self-generated certificate for the IP generates a warning message on first time access, which is probably uninviting for new users.

Therefore, I think we should defer this to the next release with newer cloudman.

nuwang commented 7 years ago

Outcome from GVL meeting: Thom's solution: (https://workshop.hometreelab.com/tinker_binf/gvl-letsencrypt)

LetsEncrypt needs DNS name (not IP address). So unless we have a way to automatically issue DNS names, we cannot programmatically generate a certificate for new machines.

Nuwan suggests to not do it for this release. Derek reports that there are some gov users who are concerned about security of not properly using HTTPS. The managed instances should get them. Derek will start looking at this with Galaxy-QLD. Nuwan reports that next version of cloudman may have some answers.

Let's apply to managed instances and leave programmatic solution out for now.

ACTION: @dnbenso will attempt LetsEncrypt cert for Galaxy-QLD and report outcome for Melbourne folks to look at.

dnbenso commented 7 years ago

It's very easy to implement. Add a location entry to nginx default locations:

    vi /mnt/cm/cm/conftemplates/nginx_default_locations.default
    vi /etc/nginx/sites-enabled/default.locations

    location ~ /.well-known {
        allow all;
    }

Modify the cloudman server ssl file to include the correct certificates (these won't exist yet) and exclude the POODLE SSL3 vulnerability:

    vi /mnt/cm/cm/conftemplates/nginx_server_ssl.default

    server {
        listen                  443 ssl;
        client_max_body_size    10G;
        proxy_read_timeout      1200s;

        ssl on;
        ssl_certificate         /etc/letsencrypt/live/galaxy-qld.genome.edu.au/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/galaxy-qld.genome.edu.au/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        include $nginx_conf_dir/sites-enabled/*.locations;
    }

Then run the following:

    nginx -t
    service nginx reload
    add-apt-repository ppa:certbot/certbot && apt-get update && apt-get install certbot
    certbot certonly --webroot --webroot-path=/usr/share/nginx/html -d galaxy-qld.genome.edu.au

Note in the above examples you will need to replace the domain name 'galaxy-qld.genome.edu.au' with your own. This is in nginx ssl file and in the certbot command.

You may need to change the cloudman files you have changed in the cloudman bucket too. i.e. cm/conftemplates/nginx_default_locations.default and cm/conftemplates/nginx_server_ssl.default

Now when you toggle SSL functionality in the cloudman admin console it will work with a green certificate. You will also need to configure a crontab entry to update the cert when it expires. I'll leave that for another comment.
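The script below is an added example, not code from this thread or from the gvl.ansible.playbook project. It renders the server block posted above for an arbitrary domain (the `ssl on;` directive is dropped because `listen 443 ssl` already enables TLS and `ssl on` is deprecated in current nginx), and adds the check a reviewer would want before enabling the template: it parses the `ssl_protocols` line of an nginx config file and reports SSLv2/SSLv3 (the POODLE concern the comment mentions) and also TLSv1 and TLSv1.1, which the posted list still enables and which have since been deprecated (RFC 8996). The default protocol list `TLSv1.2 TLSv1.3`, the domain `example.org`, the function names and the `--demo` flag are assumptions; nginx and certbot are not invoked, so the script runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the gvl.ansible.playbook
# project. Renders the Let's Encrypt nginx server block from the comment above
# for any domain, and audits an nginx config for ssl_protocols values that
# should not be enabled (SSLv2/SSLv3, and the since-deprecated TLSv1/TLSv1.1).

# render_ssl_server DOMAIN [PROTOCOLS]
# Prints a server block; certificate paths follow certbot's
# /etc/letsencrypt/live/<domain>/ layout used in the comment.
# PROTOCOLS defaults to "TLSv1.2 TLSv1.3" (assumes an nginx/OpenSSL with TLS 1.3).
render_ssl_server() {
    domain=$1
    protocols=${2:-"TLSv1.2 TLSv1.3"}
    cat <<EOF
server {
    listen                  443 ssl;
    client_max_body_size    10G;
    proxy_read_timeout      1200s;

    ssl_certificate         /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/${domain}/privkey.pem;

    ssl_protocols ${protocols};

    include \$nginx_conf_dir/sites-enabled/*.locations;
}
EOF
}

# weak_ssl_protocols FILE
# Prints each weak protocol name found on the file's ssl_protocols lines,
# one per line; prints nothing when the config is clean.
weak_ssl_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" |
        tr ' \t' '\n\n' |
        grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# audit_ssl_config FILE
# Returns 0 when no weak protocol is enabled, 1 otherwise (names go to stderr).
audit_ssl_config() {
    weak=$(weak_ssl_protocols "$1")
    if [ -n "$weak" ]; then
        printf 'weak ssl_protocols in %s: %s\n' "$1" \
            "$(printf '%s' "$weak" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Usage demo: sh this_script.sh --demo
# (gvl.example.org is a placeholder, not a host of the project.)
if [ "${1:-}" = "--demo" ]; then
    render_ssl_server "gvl.example.org"
    tmp=$(mktemp)
    # The protocol list posted in the thread: SSLv3 is gone, TLSv1/1.1 remain.
    render_ssl_server "gvl.example.org" "TLSv1 TLSv1.1 TLSv1.2" > "$tmp"
    audit_ssl_config "$tmp" || echo "tighten ssl_protocols before enabling this block"
    rm -f "$tmp"
fi
```

Run the audit against `/etc/nginx/sites-enabled/*` and the cloudman template after editing them, so that a weak protocol list is caught before `nginx -t` and the reload; `nginx -t` only checks syntax, not protocol policy.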

jessicachung commented 7 years ago

From the GVL meeting: Letsencrypt implementation should be done with other managed servers that have a domain name (e.g. Galaxy-mel, abrpi) following the instructions Derek has provided. @Slugger70, can you do this whenever you have time?