Monday, November 22, 2010

Lock Down! Enable SSL on Apache2 with Signed Certificates

Enabling SSL on Apache2 is actually pretty easy, and out of the box it uses a self-signed certificate.  That will suffice for testing, but if your goal is to lock down sensitive information and be trusted by users, getting a certificate for your domain signed by a CA that browsers already trust is key.  When I set up my FedOne server about a year ago, I had to go through getting certificates for federation to work with Google's Sandbox.

Enable SSL in Apache2:

I am assuming you already have Apache2 installed and own a domain name with postmaster/webmaster access.  Here are the steps to get the SSL module of Apache2 running:

1 - Enable the ssl module and the default SSL site:

$: sudo a2enmod ssl

Ubuntu ships /etc/apache2/sites-available/default-ssl but leaves it disabled, so enable it as well (sudo a2ensite default-ssl) or nothing will listen on port 443.  Out of the box this site uses the self-signed "snakeoil" certificate that the ssl-cert package generates at install time, which will light up most browsers with a red "This site's security certificate is not trusted!".  That warning is correct: a self-signed certificate proves nothing about who runs the site.  It is fine for testing, especially since Ubuntu 10.04 ships that SSL site config ready to use.

2 -  Once the SSL is enabled, restart Apache:

$: sudo /etc/init.d/apache2 restart

Now that SSL is enabled and https://yourdomain.com is serving the self-signed certificate, we need to generate a private key and a certificate signing request (CSR) on our server and have a third-party CA sign the request to get our certificate.

Generate CSR and Server Key:

1 - I used the same script to generate both the private key and certificate request.

$: sudo nano make-csr.sh

2 - Enter the following code:

#!/bin/bash
# make-csr.sh <name>: writes <name>.key (the server's private key) and
# <name>.csr (the request to hand to the CA).

NAME=$1

if [ "$NAME" == '' ]
then
  echo "usage: $0 <name>" 1>&2
  exit 1
fi

# The private key must not be world-readable; umask 077 makes openssl
# create it with mode 0600.
umask 077

# 2048-bit RSA key, written unencrypted in PKCS#8 form so Apache can load it
# at boot without a passphrase prompt.
openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out "$NAME.key"

# Signing request for that key. -sha256 rather than -sha1: CAs no longer
# accept SHA-1 signed requests. (-days only applies to self-signed -x509
# output; the CA decides the validity period of an issued certificate.)
openssl req -new -sha256 -key "$NAME.key" -out "$NAME.csr"

3 - Make the script executable:

$: sudo chmod a+x make-csr.sh

4 - Run the script, adding the name you want on the end.  I chose "server":

$: sudo ./make-csr.sh server

This generated two files (only server.csr leaves the box; server.key stays private on the server):

server.key
server.csr 

Validate Domain with StartSSL:

I chose StartSSL since I used them during my FedOne setup and it was rather easy and free to boot.  (StartCom, the CA behind StartSSL, was later removed from the major browser trust stores and shut down in 2018; the steps below are the same in outline for any CA that accepts a PEM-encoded CSR.)  Here are the steps:

1 - Go to http://www.startssl.com and create an account.  You will need a registered domain and access to its postmaster or webmaster mailbox, since that is how StartSSL verifies that you control the domain.

2 - Click on "Sign-up" to begin the registration process.  This will have you fill out some information and verify with an email.  Once verified, a client certificate will be installed in your browser; StartSSL uses it to log you in from then on (doesn't work on Chrome in my tests).

3 - Click on "Validations Wizard" and select "Domain Name Validation" (Continue)

4 - Type in your domain name (Continue).  A verification email will be sent to one of the domain's administrative addresses; paste in the validation code to get your domain validated.

Request Certificate from StartSSL:

1 - Click on "Certificates Wizard" and for Certificate Target select "Web Server SSL/TLS Certificate" (Continue)

2 - Click on Skip, since we are going to use our own CSR from the step above.  The wizard would otherwise generate the private key for you, which is exactly what we don't want: the key should never leave the server. (Skip)

3 - Copy the contents of the "server.csr" generated above by typing:

$: cat server.csr

* Make sure the pasted request includes the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines with all the dashes! (Continue)

4 - A screen will appear with the contents of the newly issued certificate.  Copy it into a new file called "server.crt" on the server.

$: sudo nano server.crt

Configure Apache2 to use Signed Certificates:

I decided to create a directory to place my certificates in the Apache2 directory. You can place them anywhere you like.

1 - Make a directory in Apache2

$: sudo mkdir /etc/apache2/ssl

2 - Copy the certificate (server.crt) and private key (server.key) to the new directory

$: sudo cp server.crt /etc/apache2/ssl
$: sudo cp server.key /etc/apache2/ssl

3 - Point Apache to use your new files in the default-ssl file:

$: sudo nano /etc/apache2/sites-available/default-ssl

Make sure the SSL engine is on and the paths point at your files.  If the CA signs with an intermediate CA (StartSSL does), also point SSLCertificateChainFile at the intermediate certificate the CA provides; otherwise clients that don't already have the intermediate cannot build a chain to a trusted root and will still warn:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

4 - Check the config (sudo apache2ctl configtest) and restart Apache

$: sudo /etc/init.d/apache2 restart

Once restarted, Apache will present your CA-signed certificate and users will see the "https" in their browser bar without a warning.  Apache reads the key file as root at startup, so server.key can and should be readable by root only.  Depending on your setup you may still need to set the document root for your website and add a mod_rewrite rule in your .htaccess file to redirect all http traffic to https.
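The whole key, CSR and certificate workflow above, as shell functions you can run end to end before touching Apache.  This is an added example, not the post's own script: it assumes openssl is on the path, the file name "server" and the Common Name www.example.com are placeholders, and self_sign stands in for the CA (it produces the kind of self-signed certificate the post uses for testing; the CA-issued server.crt goes through the same preflight).  The check that matters most is same_key: a certificate the CA issued for a different CSR, or a key regenerated after the CSR was sent, will not match server.key and Apache will refuse to start.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes openssl is installed;
# "server" and www.example.com are placeholder names.

# make_csr NAME CN: 2048-bit RSA key (mode 0600) and a SHA-256 CSR for CN
make_csr() {
    name="$1"; cn="$2"
    if [ -z "$name" ] || [ -z "$cn" ]; then
        echo "usage: make_csr <name> <cn>" >&2; return 1
    fi
    # umask 077 so the private key is never created world-readable
    ( umask 077 && openssl genrsa -out "$name.key" 2048 2>/dev/null ) || return 1
    # -subj answers the interactive prompts; a CA ignores -days on a request
    openssl req -new -sha256 -key "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
}

# self_sign NAME DAYS: sign NAME.csr with NAME.key, giving the self-signed
# NAME.crt used for testing (the CA-issued one replaces it later)
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" -out "$1.crt" 2>/dev/null
}

# pubkey_of FILE: the public key of a key, CSR or certificate, as PEM
pubkey_of() {
    case "$(head -n 1 "$1")" in
        *"CERTIFICATE REQUEST"*) openssl req -in "$1" -noout -pubkey ;;
        *CERTIFICATE*)           openssl x509 -in "$1" -noout -pubkey ;;
        *)                       openssl pkey -in "$1" -pubout ;;
    esac 2>/dev/null
}

# same_key A B: 0 if both files carry the same public key
same_key() {
    a=$(pubkey_of "$1"); b=$(pubkey_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_cn FILE.crt: the Common Name the certificate was issued for
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *//p'
}

# cert_valid_for FILE.crt SECONDS: 0 if the certificate stays valid that long
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_is_private FILE.key: 0 unless group or other have any access bits
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# preflight NAME: everything to check before restarting Apache
preflight() {
    same_key "$1.key" "$1.crt" && same_key "$1.key" "$1.csr" \
        && cert_valid_for "$1.crt" 86400 && key_is_private "$1.key"
}
```

Run `preflight server` after copying the files into /etc/apache2/ssl and before the configtest and restart.  Once the CA has issued the real certificate, add a chain check as well: `openssl verify -untrusted <intermediate.pem> server.crt` confirms the certificate chains up to a root in the system trust store through the intermediate you configured in SSLCertificateChainFile.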

In my case, I was running my StatusNet instance with mixed mode SSL, protecting only sensitive pages since Meteor doesn't post via https yet without an unsupported proxy setup. ~Lou

Sunday, November 7, 2010

Google Boxes up Wave, Survival via Federation

When Google announced that Wave would be shut down at the end of the year, I was extremely disappointed, since I believed in the movement of communication beyond email and all the other modes of collaboration.  For me, the saving grace was the announcement that Google would be working hard to build upon their open source FedOne project to incorporate all the web UI that Google's own Wave had to date.  This new project is aptly named "Wave in a Box".

Back about a year ago, I went through the rigors of getting a FedOne Wave server installed.  Although the Wave Protocol had been released at Google I/O in May 2009, there was not much excitement without being able to federate with the development sandbox.  The other issue was that nobody had access until the preview launched, except in the sandbox, and all the invite hell that followed.

Once Google opened up federation on wavesandbox.com, many of us started trying to run our own servers so we could test out this cool new federation protocol.  Most of the setup was pretty easy, but certificates, which are required for federation with Google's Wave Sandbox, can be quite the ordeal to get working properly.  Without re-outlining every step, I thought I would outline my setup, since I recently moved my Wave setup to another server and had to walk through the steps again, refreshing my memory.

Server OS: Ubuntu 10.10 Server:

1 - Get necessary packages to setup the Wave-in-a-box environment:

$: sudo apt-get install mercurial ant default-jdk mongodb eclipse 

NOTE: With Ubuntu 10.10 you need to add the repository for Sun Java first:

$: sudo add-apt-repository ppa:sun-java-community-team/sun-java6

$: sudo apt-get update

2 - Get current Wave-in-a-Box source:

$: mkdir wave-development

$: cd wave-development

$: hg clone https://wave-protocol.googlecode.com/hg/ wave-protocol

3 - Build Wave-in-a-Box (as your own user; the build does not need root):

$: cd wave-protocol

$: ant

Building Wave-in-a-Box is pretty straightforward; however, there are a few things to know if you intend to federate with other Wave-in-a-Box instances, especially when authentication is used.  Two major components, not mentioned above, are required to establish secure signing between servers and to allow some of the live collaboration: an XMPP server, and certificates issued for the domain you are going to federate as.  I also needed to add a few entries to my hosts file and set up SRV records at my domain registrar to get it all working correctly.

Below are some links to help you get all of Wave-in-a-Box set up and working:

Setup: http://www.waveprotocol.org/wave-in-a-box/setting-up

Building: http://www.waveprotocol.org/wave-in-a-box/building-wave-in-a-box

Installation: http://www.waveprotocol.org/code/installation

XMPP step by step (Openfire): http://www.waveprotocol.org/federation/openfire-installation

Federation Certificates: http://www.waveprotocol.org/federation/certificates

Certificate Issuer: http://www.startssl.com/

A great step by step by Ralf Rottman: http://www.24100.net/2009/11/federate-google-wave-sandbox-with-your-own-fedone-server/

Once you are set up you can start trying out your newly self-hosted Wave server.  WiaB comes with two client interfaces.  The first is a terminal client, located in the "wave-protocol" directory, which can be started by typing:

./run-console-client.sh <username>  

Once inside you can type "/help" to see the available commands.

The other interface is web-based and works rather well.  This is the area under major development to bring it to parity with Google Wave's web UI.  By default it listens on port 9898, so you can reach it at http://yourdomain.com:9898.

Currently federation is only open with other WiaB instances that have it enabled and with the developer sandbox at http://wavesandbox.com.  If you just want to try WiaB without federation, certificates and an XMPP server are not necessary: set up the server, install and build the source, and run it.  There is currently a no-federation config file that lets you test out the web UI quickly with very little headache.  Federation is key to the success of this platform in the long run, so if you are serious about sustaining a Wave server, get federation running too! ~Lou

A Few Images:

[Images: WiaB web welcome screen, WiaB web UI, WiaB terminal client]

If you have questions or run into any issues, please leave a comment or send me a message:

Twitter: @gol10dr

Wave: gol10dr@googlewave.com