Closed lwrubel closed 7 years ago
Consider https://letsencrypt.org/
Not entirely clear how long this will take, so erring on the side of major.
Need to handle 2 scenarios:
Since LetsEncrypt has rate limits, will want to have this be optional for dev environments.
LetsEncrypt does not issue to AWS or WRLC for various reasons. Instead, focus on first scenario: allow user to use their own certificate and add the path to the certificate into the dockerfile.
/etc/ssl/certs
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
<VirtualHost *:443>
    Alias /static/ /opt/sfm-static/
    <Directory /opt/sfm-static>
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key

    #For WSGI daemon mode:
    #see http://code.google.com/p/modwsgi/wiki/QuickConfigurationGuide
    #Using 1 process to force only one instance of APScheduler to be run.
    #See https://github.com/gwu-libraries/sfm-ui/issues/79
    WSGIDaemonProcess sfm processes=1 threads=30 python-path=/opt/sfm-ui/sfm
    WSGIProcessGroup sfm

    #For WSGI embedded mode:
    #WSGIPythonPath /PATH/TO/sfm
    #If using a virtualenv, uncomment and tweak next line (inc. python version):
    #WSGIPythonPath /PATH/TO/YOUR/VENV/lib/python/2.X/site-packages

    WSGIScriptAlias / /opt/sfm-ui/sfm/sfm/wsgi.py
    <Directory /opt/sfm-ui/sfm/sfm>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
Dockerfile in /sfm-ui:
EXPOSE 443
sudo a2enmod ssl
SFM_PORT in .env:
SFM_PORT=443
Note: A similar block can be added for a non-ssl site using port 80 in the VirtualHost field.
@justinlittman the branch is ready for you to look at.
Re-test after #532 is merged
Now that #532 is merged, @adityadharne can resume work as his schedule permits.
The HTTPS configuration does not stay persistent. The steps above work till the image is recreated - have to shell into the container every time to configure Apache after docker-compose up -d.
See https://github.com/gwu-libraries/sfm-ui/tree/t361-https
On hold pending https://github.com/pyca/cryptography/pull/3278
Make sure to pin versions in Dockerfile-ssl and to match in Dockerfile.
Also, need to account for intermediary certs.
pyca/cryptography#3278 has now been fixed, @justinlittman to look into whether it's been released.
@adityadharne is going to investigate updates to LetsEncrypt that allow using it on AWS.
Justin Littman [10:59 AM] So just to be clear, I can just request from DIT? "If you're getting a proper certificate, send the csr file to a Certificate Authority (CA) and they will send back a certificate. At GWU, email it to ithelp@gwu.edu."
[10:59] And they will do this for wrlc.org domains as well?
Matthew Mihalik [11:00 AM] you'll need a GWU CNAME first
[11:01] We only issue SSL certs for GWU domains
Justin Littman [11:01 AM] Will WRLC issue for WRLC domains?
Matthew Mihalik [11:02 AM] They have to pay for them, what host are we doing? (edited)
Justin Littman [11:02 AM] For testing, gwsfm-test.wrlc.org. For production, gwsfm-prod2.wrlc.org.
Dan Kerchner [11:03 AM] we should also decide whether or not to get one for gwsfm-poe.wrlc.org
Matthew Mihalik [11:03 AM] I'd recommend getting a GWU domain, our apps should have them
Justin Littman [11:03 AM] What is the process for that?
Matthew Mihalik [11:04 AM] email ithelp@gwu.edu and request a CNAME entry for the host in question to the dns request: ie: cname gwsfm-prod2.wrlc.org to sfm.library.gwu.edu
[11:04] Then when you do the SSL cert your "Common Name" value will be the GW DNS entry
Note to self: The keys for gwsfm-test2 are in my home directory on server.
Deploy note: May need to add additional sites to social apps in admin.
nginx-proxy_1 | 2017/08/23 20:37:01 [emerg] 46#46: SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/sfm-test.library.gwu.edu.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx-proxy_1 | nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/sfm-test.library.gwu.edu.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
In the certificate file provided by DIT, the server cert came last. It had to be moved first in the file.
SFM does not currently run with HTTPS
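The two deployment failures recorded in this thread, the nginx-proxy "X509_check_private_key:key values mismatch" error and the DIT-supplied bundle that listed the server certificate last (plus the earlier note that intermediate certs must be accounted for), can both be caught before a container restart. The following is an added example, not code from sfm-ui or from any of the participants: it uses the pyca/cryptography package (the same dependency the thread pinned in Dockerfile-ssl) to split a PEM bundle, put the server certificate first followed by its intermediates, and confirm that the private key belongs to that certificate. The root/intermediate/server chain, the hostname sfm.example.org and the "unrelated key" in make_constructed_chain() are constructed for the demonstration and stand in for a CA-issued bundle and a wrong .key file.

```python
"""Pre-flight checks for a TLS certificate bundle before Apache or nginx loads it.

Added example, not code from sfm-ui. Reproduces two failures from the thread:
a .key that does not belong to the .crt ("X509_check_private_key: key values
mismatch") and a CA bundle with the server certificate last, where servers want
leaf first then intermediates. Needs pyca/cryptography; the chain and hostname in
make_constructed_chain() are constructed for the demo.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_BEGIN, PEM_END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"


def split_pem_certs(bundle: bytes) -> list:
    """Parse every CERTIFICATE block in a PEM bundle, keeping file order."""
    certs = []
    for chunk in bundle.split(PEM_BEGIN)[1:]:
        body = chunk.split(PEM_END, 1)[0]
        certs.append(x509.load_pem_x509_certificate(PEM_BEGIN + body + PEM_END + b"\n"))
    return certs


def order_chain(certs: list) -> list:
    """Return the certificates leaf first, then each issuer in turn.

    The leaf is the one certificate whose subject issued nothing else in the
    bundle; from there we follow issuer links. Anything that is not a single
    linear chain raises ValueError instead of being guessed at.
    """
    issuer_names = {c.issuer.public_bytes() for c in certs}
    leaves = [c for c in certs if c.subject.public_bytes() not in issuer_names]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one server (leaf) certificate, found {len(leaves)}")
    ordered, remaining = [leaves[0]], [c for c in certs if c is not leaves[0]]
    while remaining:
        want = ordered[-1].issuer.public_bytes()
        parents = [c for c in remaining if c.subject.public_bytes() == want]
        if len(parents) != 1:
            raise ValueError("bundle is not one chain: no unique issuer for " + ordered[-1].subject.rfc4514_string())
        ordered.append(parents[0])
        remaining.remove(parents[0])
    return ordered


def key_matches(cert: x509.Certificate, key) -> bool:
    """True when the private key's public half is the key inside the certificate."""
    enc, fmt = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    return cert.public_key().public_bytes(enc, fmt) == key.public_key().public_bytes(enc, fmt)


def build_bundle(certs: list) -> bytes:
    """Concatenate certificates as PEM in the given order."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


def check_bundle(bundle: bytes, key) -> list:
    """List the problems a server would hit with this bundle and key (empty = deployable)."""
    certs = split_pem_certs(bundle)
    try:
        ordered = order_chain(certs)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if certs != ordered:
        problems.append("server certificate must come first, followed by its intermediates")
    if not key_matches(ordered[0], key):
        problems.append("private key does not match the server certificate (key values mismatch)")
    return problems


def fix_bundle(bundle: bytes) -> bytes:
    """Rewrite the bundle leaf first; raises ValueError if it is not one chain."""
    return build_bundle(order_chain(split_pem_certs(bundle)))


def _make_cert(cn: str, key, issuer, issuer_key, is_ca: bool) -> x509.Certificate:
    """Sign a minimal certificate for the constructed chain (issuer=None means self-signed)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer is not None else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_constructed_chain():
    """Constructed root -> intermediate -> server chain, bundled with the server cert LAST
    (as in the file the thread describes). Returns (bundle, server_key, unrelated_key)."""
    root_key, inter_key, server_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = _make_cert("Constructed Root CA", root_key, None, root_key, True)
    inter = _make_cert("Constructed Intermediate CA", inter_key, root, root_key, True)
    server = _make_cert("sfm.example.org", server_key, inter, inter_key, False)
    return build_bundle([root, inter, server]), server_key, other_key


if __name__ == "__main__":
    bundle, server_key, other_key = make_constructed_chain()
    print("as received:", check_bundle(bundle, server_key))
    print("wrong key:", check_bundle(fix_bundle(bundle), other_key))
    print("reordered:", check_bundle(fix_bundle(bundle), server_key))
```

Run check_bundle() on the real .crt and .key before docker-compose up; if it reports the ordering problem, fix_bundle() writes the leaf-first file that both Apache (SSLCertificateFile accepts the full chain, leaf first, on 2.4.8 and later) and nginx-proxy's ssl_certificate expect. The key check is the same test nginx runs at startup (and, for RSA keys, the same thing the usual openssl x509 -noout -modulus / openssl rsa -noout -modulus comparison does), just done on the host before the container is recreated.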