Adding a Security Certificate to Your Website

Obtaining a certificate from a Certificate Authority (CA) lets you serve your CADES-hosted website over HTTPS. HTTPS wraps HTTP in TLS, which encrypts the traffic between browser and server, protects it from tampering in transit, and, because the CA has vouched for the server's name, lets visitors verify that they are talking to your site rather than an impostor.

This document also covers the ORNL firewall exception you will need, the protocol and cipher settings the directive requires, and the conditions for HSTS preloading.

Caveat: Auto SSL Creation for CADES VMs

In order to expedite ORNL's required compliance with DHS BOD 18-01, as many sites as possible were automatically switched to default to HTTPS with a Let's Encrypt certificate. Before following Part 2, check whether your VM already has one: sudo certbot certificates lists every certificate Certbot manages on the host. If your site is already listed, skip Part 2 and continue with Parts 4 and 5.

Directive Overview

Pursuant to DHS BOD 18-01, all publicly accessible federal websites must be migrated to HTTPS. The prescribed implementation pattern is as follows:


Prerequisites

Part 1: Modifying the OpenStack Horizon Security Group

View the Instance Using Horizon

  1. Navigate to the Horizon web interface at https://cloud.cades.ornl.gov/.
  2. Log in with your UCAMS credentials.
    • Domain: ornl
    • Username: Your three-letter UCAMS ID
    • Password: Your UCAMS password
  3. Navigate to Project > Compute > Instances.
  4. Click on the existing instance that hosts your web server if you'd like to review the settings.

If you have never launched a VM Instance before, check out the tutorial linked below before proceeding.

📖   How to: Launch a VM Instance

Add Rule for Secured TCP Traffic

When you originally set up your web server, the Security Group allowed incoming traffic on TCP port 80 (HTTP). Now we need a second ingress rule for TCP port 443 (HTTPS), and then we'll make sure the Security Group holding it is actually attached to your Instance.

  1. Navigate to Project > Compute > Access & Security > Security Groups.
  2. Find the existing Security Group that contains your HTTP (port 80) rule and click Manage Rules on the right side of the screen.
  3. In the resulting window, click + Add Rule.
  4. In the resulting dialog, click the drop-down field under Rule.
  5. Choose the HTTPS rule template from the drop-down list.
    • Choosing the HTTPS template will automatically set the port to 443 and set the direction to Ingress.
  6. In the Remote box, choose CIDR (preferred). Leaving the field as 0.0.0.0/0 allows connections from any address the ORNL firewall lets through; enter a narrower range in CIDR notation (for example, an ORNL-only prefix) if the site should not be reachable from everywhere. See CIDR examples for more information.
  7. Click Add at the bottom of the dialog box to implement your custom rule.
  8. Confirm your new custom rule is displayed in the Manage Rules screen.

📖   More info: Security Groups

Confirm the Security Group Is Attached to Your Instance

Rules belong to a Security Group, and a Security Group only takes effect on an Instance it is attached to. If you added the HTTPS rule to the group that already carries your HTTP rule, it is already in effect; otherwise attach the group as follows.

  1. Navigate to Project > Compute > Instances.
  2. On the right, click the down arrow (▾) next to Create Snapshot.
  3. Select Manage Security Groups.
  4. If the Security Group containing your HTTPS rule is not already listed under Instance Security Groups, click the + next to it to attach it to your Instance.

Part 2: Obtaining the Security Certificate for your Site

Obtaining the certificate is automated from the command line with Certbot, the ACME client for Let's Encrypt. Before you start, make sure the site's DNS name resolves to your Instance's public IP address and that TCP port 80 on the Instance is reachable from the Internet: Let's Encrypt proves that you control the name by fetching a challenge file from the site over plain HTTP (the HTTP-01 challenge), so an unreachable port 80 or a name that points elsewhere makes issuance fail.

Access your VM via ssh.

  1. Open a Bash terminal.
  2. Execute ssh cades@128.219.186.42.
    • Replace 128.219.186.42 with the IP address of your own Instance.
  3. You should now be connected to your VM Instance via SSH.

For more detailed information on connecting to your VM Instance using SSH, please see the SSH tutorials, linked below.

📖   How to: Access Your VM Instance Using SSH

For Windows users, we have developed a separate tutorial that walks you through connecting to your VM Instance using PuTTY's SSH client.

📖   How to: Access Your VM Instance Using PuTTY (Windows)

Installing Certbot for Ubuntu (see below for CentOS)

Certbot is the ACME client that obtains the certificate from Let's Encrypt and, with its Apache plugin, installs it into your web server configuration.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
# Obtain the certificate and let the Apache plugin write the TLS configuration.
# Certbot prompts for the hostnames to include and for a contact e-mail address.
sudo certbot --apache

Note: the ppa:certbot/certbot archive has since been retired. On current Ubuntu releases install the certbot and python3-certbot-apache packages from the main repositories (or the certbot snap), skip the add-apt-repository step, and run the same sudo certbot --apache command.

Installing Certbot for CentOS (see above for Ubuntu)

Certbot is the ACME client that obtains the certificate from Let's Encrypt and, with its Apache installer, writes the matching TLS configuration. certbot-auto is the EFF's self-installing wrapper; it has since been deprecated, so on current CentOS/RHEL releases install the certbot and python3-certbot-apache packages from EPEL instead and run certbot with the same options shown below.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
# First run bootstraps certbot, then obtains and installs the certificate in one go.
# "standalone" answers the HTTP-01 challenge on port 80 itself, so the hooks stop
# Apache for the few seconds of validation; "--installer apache" then edits its config.
sudo ./certbot-auto --authenticator standalone --installer apache \
  --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

Part 3: Updating Firewall Exception (for External-Facing Sites)

  1. Navigate to https://safer.ornl.gov. 
  2. Log in to the SAFER interface using your UCAMS credentials.
    • Username: Your three-letter UCAMS ID
    • Password: Your UCAMS password
  3. Click + New Request at the top left of the screen.
  4. On the resulting page, choose ORNL SAFER Request.
  5. In the resulting request dialog, we need to fill out the following fields:
    • Subject – A simple subject will do. We're going with VM web server.
    • Authorization – Set to None.
    • Change Request Justification – Provide the reason for your firewall exception.
    • Expires – Leave this blank to make this exception indefinite. Otherwise, choose a date for the exception to expire.
    • Source – The source IP or IP range (with CIDR notation if range) of the server for which you would like to make an exception. We're going to use the single IP address of our VM Instance, 128.219.186.29.
    • Destination – For this example, we're going to make the source and the destination the same IP address, 128.219.186.29.
    • Service – This can be formatted using the protocol/port (e.g., TCP/443) or you can choose from a list of common multi-port services in the drop-down menu. Please use TCP/443 as the secure traffic port. Keep your existing TCP/80 exception in place: Let's Encrypt validates renewals over plain HTTP, and the redirect from HTTP to HTTPS must remain reachable.
    • Service Name – User-defined name of the rule. We're calling ours blackmesa_web.
  6. Once filled out, click Next to submit your request.

You will receive an e-mail confirmation of your request. You can also view the status of your exception request at any time by logging into the SAFER interface.

Part 4: Webserver configuration

Your webserver will need to be configured to do the following (the protocol, cipher and HSTS points are the ones BOD 18-01 requires):

  • Serve the site over HTTPS with the certificate and private key Certbot obtained. For Let's Encrypt these are /etc/letsencrypt/live/<your hostname>/fullchain.pem and privkey.pem.
  • Redirect every plain-HTTP request to the HTTPS version of the same hostname; do not serve content on port 80.
  • Send the HTTP Strict Transport Security (HSTS) header. To be eligible for the browser preload list the header must carry a max-age of at least one year (31536000 seconds) plus the includeSubDomains and preload directives, the base domain must send it, and every subdomain must itself be served over HTTPS, so do not add preload until that is true.
  • Disable SSLv2 and SSLv3 and the RC4 and 3DES ciphers. Dropping TLS 1.0 and 1.1 as well is current practice.

The exact details will vary between different web and application servers, but Mozilla provides a simple interactive tool that can help you get started:

https://mozilla.github.io/server-side-tls/ssl-config-generator/
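As an added example (not code from the CADES page or from the Mozilla generator), here is a small POSIX shell script that renders an Apache virtual-host pair meeting those four points and lints the result, so the same check can be run against a hand-edited or Certbot-written configuration. The hostname and document root are placeholders, the /etc/letsencrypt/live/<host>/ paths assume Certbot's default layout, and mod_ssl and mod_headers must be enabled in Apache.

```shell
#!/bin/sh
# Added example, not part of the CADES page.
# Assumptions: certbot put the certificate under /etc/letsencrypt/live/<host>/
# (its default layout); hostname and DocumentRoot are placeholders.

# render_vhost HOSTNAME [DOCROOT]: print the :80 redirect vhost and the :443 TLS vhost.
render_vhost() {
    host="$1"
    docroot="${2:-/var/www/html}"
    cat <<EOF
# The plain-HTTP listener exists only to redirect.  HSTS preload requires
# the redirect to land on the same hostname over HTTPS.
<VirtualHost *:80>
    ServerName ${host}
    Redirect permanent / https://${host}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${host}
    DocumentRoot ${docroot}

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/${host}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${host}/privkey.pem

    # BOD 18-01: SSLv3 off (SSLv2 is absent from modern OpenSSL builds);
    # TLS 1.0 and 1.1 are dropped here as well.
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1
    # No RC4 or 3DES: AEAD suites with forward secrecy only.
    SSLCipherSuite        ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder   off
    SSLSessionTickets     off

    # HSTS with the three things hstspreload.org checks for: max-age of at
    # least one year, includeSubDomains, preload.  Requires mod_headers.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
EOF
}

# lint_vhost: read an Apache config on stdin and fail on what BOD 18-01 and
# the preload list reject.  Returns 0 when clean, 1 otherwise.
lint_vhost() {
    conf=$(cat)
    status=0
    if printf '%s\n' "$conf" | grep -Eq 'SSLCipherSuite.*(RC4|3DES|DES-CBC3)'; then
        echo "lint: RC4 or 3DES present in SSLCipherSuite" >&2; status=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq 'SSLProtocol.*-SSLv3'; then
        echo "lint: SSLv3 is not disabled" >&2; status=1
    fi
    age=$(printf '%s\n' "$conf" | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n1)
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
        echo "lint: HSTS header missing or max-age below one year" >&2; status=1
    fi
    if ! printf '%s\n' "$conf" | grep -q 'Redirect permanent / https://'; then
        echo "lint: no HTTP-to-HTTPS redirect" >&2; status=1
    fi
    return $status
}
```

Write the rendered output to a sites-available file (render_vhost www.example.ornl.gov | sudo tee /etc/apache2/sites-available/www.example.ornl.gov.conf, with the hostname being an assumption), run apachectl configtest, and reload Apache. Certbot's Apache installer writes a vhost of its own but does not add the HSTS header unless run with --hsts, so it is worth piping that file through lint_vhost as well.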

Part 5: Certificate Auto-Renewal

Let's Encrypt certificates are valid for only 90 days, so renewal has to be automated. certbot renew replaces only certificates that are within 30 days of expiry and does nothing otherwise, so running it frequently is harmless (Let's Encrypt recommends twice a day; weekly still leaves several attempts before expiry). The cron entry below belongs in root's crontab (sudo crontab -e), since Certbot must write under /etc/letsencrypt; the python one-liner sleeps for a random interval of up to an hour so that many VMs do not all contact Let's Encrypt at the same instant. Use python3 in the entry if the VM has no python binary, and give certbot its full path if cron's PATH does not include it.

@weekly python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

If you find that you need more guidance setting up automatic renewal, you can visit this site.
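As an added example (not from the CADES page), the same weekly job as a small wrapper script that supplies what the one-liner lacks: a jitter that does not depend on a python binary, an Apache reload once a certificate has actually been replaced, and a post-run expiry check that turns a silently failed renewal into a cron error e-mail. The script name renew-certs.sh, the systemd unit name apache2 (httpd on CentOS) and the /etc/letsencrypt/live/<host>/ path are assumptions.

```shell
#!/bin/sh
# renew-certs.sh  (added example, not part of the CADES page)
# Usage from root's crontab:  @weekly /usr/local/sbin/renew-certs.sh www.example.ornl.gov
# Assumptions: certbot and openssl are on PATH, Apache runs as the systemd
# unit named in APACHE_SERVICE (apache2 on Ubuntu, httpd on CentOS), and the
# certificate lives in certbot's default /etc/letsencrypt/live/<host>/.

APACHE_SERVICE="${APACHE_SERVICE:-apache2}"
RENEW_THRESHOLD_DAYS=30   # certbot itself renews once fewer days than this remain

# jitter MAX: print a random delay in [0, MAX) seconds.  awk is used so the
# script runs under dash as well as bash (no $RANDOM needed).
jitter() {
    awk -v max="$1" 'BEGIN { srand(); print int(rand() * max) }'
}

# days_left NOT_AFTER_EPOCH [NOW_EPOCH]: whole days until the certificate expires.
days_left() {
    now="${2:-$(date +%s)}"
    echo $(( ($1 - now) / 86400 ))
}

# cert_not_after PEM: the certificate's notAfter as a Unix timestamp.
# Uses GNU date -d; on BSD/macOS substitute date -j -f.
cert_not_after() {
    end=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
    date -u -d "$end" +%s
}

# renew: --deploy-hook runs only when a certificate was actually replaced,
# so Apache reloads the new key pair instead of serving the old one until
# its next restart.  certbot skips certificates that are not yet due.
renew() {
    certbot renew --quiet --deploy-hook "systemctl reload ${APACHE_SERVICE}"
}

main() {
    host="$1"
    [ -n "$host" ] || { echo "usage: $0 HOSTNAME" >&2; exit 64; }
    pem="/etc/letsencrypt/live/${host}/cert.pem"

    sleep "$(jitter 3600)"
    renew || { echo "certbot renew failed for ${host}" >&2; exit 1; }

    # If fewer days remain than certbot's own threshold, the renewal did not
    # take effect (validation failure, port 80 blocked, ...).  Say so loudly
    # so cron mails the message instead of the site expiring quietly.
    left=$(days_left "$(cert_not_after "$pem")")
    if [ "$left" -lt "$RENEW_THRESHOLD_DAYS" ]; then
        echo "WARNING: ${host} certificate expires in ${left} days" >&2
        exit 2
    fi
    echo "${host}: certificate valid for ${left} more days"
}

# Only run main when executed as a script, not when sourced for its functions.
case "${0##*/}" in renew-certs.sh) main "$@" ;; esac
```

Run it once by hand with certbot renew --dry-run substituted in renew() to confirm the hooks and paths before trusting it to cron.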