Ticket ID #313: Secure OwnCloud with HTTPS Implementation - GriffinKat/group-a GitHub Wiki

ownCloud is currently served over plain HTTP, so user credentials and session cookies cross the network in cleartext. We need to obtain a TLS certificate for the server and move ownCloud to HTTPS.

We will get the certificate from Let's Encrypt using its client, Certbot. Let's Encrypt certificates are valid for 90 days, so we also set up a cron job that renews the certificate before it expires (Certbot renews once fewer than 30 days remain, so roughly 60 days after issue).

Step 1: Install CertBot

I used this tutorial to install certbot

https://certbot.eff.org/instructions?ws=apache&os=snap

Here are the steps used in that tutorial

To check whether the machine uses pip or snap for the Certbot install (the tutorial covers both methods), run:

pip --version
and
snap version

We know we are running Apache based on the documentation here:

https://github.com/GriffinKat/group-a/wiki/Ticket-ID-%23278:-Deploy-and-Configure-ownCloud-Enterprise-File-Sharing-Platform
Select 'Apache' and 'Snap' from the drop-down menus to get the instructions for our setup.

With snapd present, install Certbot:

sudo snap install --classic certbot

The snap installs the binary under /snap/bin. Link it into /usr/bin so that the certbot command is on the PATH for every user and for cron:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Run this command to obtain a certificate and have Certbot edit the Apache configuration to serve it, turning on HTTPS in a single step. If Certbot asks whether to redirect HTTP requests to HTTPS, choose the redirect so that credentials are never sent over plain HTTP:

sudo certbot --apache

The snap package also installs a systemd timer that renews certificates automatically before they expire. Check that renewal will work (the dry run uses the Let's Encrypt staging environment and does not touch the real certificate):

sudo certbot renew --dry-run

Step 2: Configure ownCloud to use Let's Encrypt

Certbot needs an ACME account registered with Let's Encrypt; the email address receives expiry warnings. If certbot --apache in Step 1 already created an account, this command reports that one exists and does nothing else:

sudo certbot register --agree-tos --email [email protected]

The contact address on an existing account can be changed with:

sudo certbot update_account --email <new-address>

(The older form, certbot register --update-registration, is deprecated.)

Create Let’s Encrypt’s Config Files

Change into the Let'sEncrypt directory

cd /etc/letsencrypt

Create the config file and the helper scripts. The last one is named after the domain the certificate is for, so in general:

sudo touch cli.ini list.sh renew.sh renew-cron.sh delete.sh <your-domain-name>.sh

and for our ownCloud domain:

sudo touch cli.ini list.sh renew.sh renew-cron.sh delete.sh group-a.op-bit.nz.sh

Make the scripts executable (cli.ini is a config file and stays non-executable; the glob only matches the .sh files):

sudo chmod +x *.sh

Add some default settings to cli.ini (sudo nano cli.ini), using the email registered above:

rsa-key-size = 4096
email = [email protected]
agree-tos = True
authenticator = webroot
# post-hook = service apache2 reload

The webroot authenticator proves control of the domain by writing challenge files under the site's DocumentRoot, so certbot needs to know that directory: set webroot-path in this file or pass -w <DocumentRoot> in the domain script, otherwise certbot prompts for it when the script runs.

I have chosen not to uncomment the post-hook line; I'm not sure whether it is necessary for our project.

Each script needs the directory that certbot is installed in; the path in the scripts below must match what our machine uses. Find it with:

which certbot

On our machine this prints /usr/bin/certbot. LE_PATH in the scripts is the directory part only:

/usr/bin/

I got stuck here because I updated all of the scripts to use the path LE_PATH="/usr/bin/certbot", but it should just be LE_PATH="/usr/bin/".

Edit list.sh:

sudo nano list.sh

Put this in list.sh; it lists every certificate certbot manages, with its domains and expiry date:

#!/bin/bash

LE_PATH="/usr/bin/"   # directory only, not the full path to the binary
LE_CB="certbot"

"$LE_PATH/$LE_CB" certificates

Put this in renew.sh. It renews every certificate that is due (certbot only replaces certificates with fewer than 30 days left); with the post-hook in cli.ini enabled, Apache is reloaded afterwards so the new certificate is actually served:

sudo nano renew.sh

#!/bin/bash

LE_PATH="/usr/bin/"   # directory only, not /usr/bin/certbot
LE_CB="certbot"

"$LE_PATH/$LE_CB" renew

We also need to fill in renew-cron.sh.

This is the version intended to run from cron. --noninteractive stops certbot from prompting (a prompt would hang the job), and --no-self-upgrade only affected the old certbot-auto script; the snap package is updated by snapd instead. Like renew.sh, it reloads Apache after a renewal only if the post-hook in cli.ini is enabled; without it, Apache keeps serving the old certificate until it is reloaded or restarted.

sudo nano renew-cron.sh

#!/bin/bash

LE_PATH="/usr/bin/"
LE_CB="certbot"

"$LE_PATH/$LE_CB" renew --no-self-upgrade --noninteractive

We will also fill in delete.sh.

It lists the issued certificates and deletes the one you name. certbot delete removes the files from /etc/letsencrypt/live; if an Apache virtual host still references them, Apache will refuse to start until that configuration is removed.

sudo nano delete.sh

#!/bin/bash

LE_PATH="/usr/bin/"
LE_CB="certbot"

##
## Retrieve and print the names of the installed Let's Encrypt certificates.
##
function get_certificate_names()
{
    # "Certificate Name: foo" lines become "- foo"
    "$LE_PATH/$LE_CB" certificates | grep -iE "certificate name" | awk -F: '{gsub(/\s+/, "", $2); printf("- %s\n", $2)}'
}

echo "Available Certificates:"

get_certificate_names
echo

read -p "Which certificate do you want to delete: " -r -e answer
if [ -n "$answer" ]; then
    "$LE_PATH/$LE_CB" delete --cert-name "$answer"
fi

Finally we need to edit the per-domain .sh script.

Our file is called 'group-a.op-bit.nz.sh'.

You can issue separate certificates for other names, such as example.com, www.example.com and subdomain.example.com, by creating one script per certificate, or cover several names with one certificate by adding more -d flags to DOMAINS.

sudo nano group-a.op-bit.nz.sh

#!/bin/bash

LE_PATH="/usr/bin/"
LE_CB="certbot"

# Names this certificate covers. Add more "-d name" pairs for a multi-name certificate.
DOMAINS=(-d group-a.op-bit.nz)

# "${DOMAINS[@]}" expands to separate arguments. A quoted string "$DOMAINS" would hand
# certbot the single token "-d group-a.op-bit.nz", which it cannot parse.
# Append --dry-run to test against the Let's Encrypt staging environment first.
"$LE_PATH/$LE_CB" certonly --config /etc/letsencrypt/cli.ini "${DOMAINS[@]}"

Create an SSL Certificate

With the scripts in place, request the certificate:

sudo /etc/letsencrypt/group-a.op-bit.nz.sh

If certbot --apache in Step 1 already obtained a certificate for this name, certbot finds the existing one and either reports that it is not yet due for renewal or asks whether to keep or replace it; it does not issue a duplicate.

Run this command to see the existing SSL certificates

sudo /etc/letsencrypt/list.sh

Automatic Renewal via Crontab

Step 3: Set up a cron job that renews the Let's Encrypt certificate before it expires

certbot renew only replaces certificates with fewer than 30 days left, so a 90-day certificate is renewed about 60 days after issue; running the job more often than that is harmless because the other runs do nothing. A renewal can be forced at any time with sudo certbot renew --force-renewal (do not put that in cron: Let's Encrypt rate-limits duplicate certificates).

Open root's crontab (root is needed to read /etc/letsencrypt; the current directory does not matter):

sudo crontab -e

Add the following at the end of the existing configuration:

30 03 * * 6 /etc/letsencrypt/renew-cron.sh

This runs renew-cron.sh every Saturday at 03:30. After you save and exit, the job is registered with cron. Note that the certbot snap also installs its own systemd timer that runs certbot renew twice a day (check with systemctl list-timers | grep certbot), so the cron job is a second, redundant trigger; the two do not conflict.
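As an added example, not from the wiki or from certbot: a small bash check of how many days a certificate has left and whether it is inside certbot's 30-day renewal window, which is the same test certbot renew applies on every cron run. It generates two throwaway self-signed certificates with openssl so it runs offline; the 90-day one stands for a fresh Let's Encrypt certificate, the 20-day one for a certificate whose renewal has been failing for two months. The CN and file names are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the group-a project's or certbot's code: report how many days a
# certificate has left and whether it is inside certbot's 30-day renewal window.
# Test certificates are self-signed throwaways generated here; CN and paths are made up.
set -u

RENEW_WINDOW_DAYS=30   # certbot renew acts once fewer than 30 days remain

# Whole days until the PEM certificate in $1 expires (uses GNU date).
cert_days_left() {
  local end now
  end=$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2) || return 2
  end=$(date -ud "$end" +%s) || return 2
  now=$(date -u +%s)
  echo $(( (end - now) / 86400 ))
}

# Succeeds (exit 0) if the certificate in $1 expires within $2 days, i.e. renewal is due.
# openssl -checkend exits non-zero when the certificate WILL expire within the period,
# so its result is inverted here.
cert_needs_renewal() {
  ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}

# Constructed inputs: a 90-day certificate (what Let's Encrypt issues) and a 20-day
# one standing in for a certificate whose renewals have been failing for two months.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
for days in 90 20; do
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=group-a.op-bit.nz" \
    -keyout "$WORK/key-$days.pem" -out "$WORK/cert-$days.pem" 2>/dev/null
done

for c in "$WORK/cert-90.pem" "$WORK/cert-20.pem"; do
  if cert_needs_renewal "$c" "$RENEW_WINDOW_DAYS"; then
    echo "RENEW  $(basename "$c"): $(cert_days_left "$c") days left"
  else
    echo "ok     $(basename "$c"): $(cert_days_left "$c") days left"
  fi
done
```

On the server you would point cert_needs_renewal at /etc/letsencrypt/live/group-a.op-bit.nz/cert.pem from a monitoring job: if the file on disk is inside the window, renewal has been failing. A fresh file on disk does not by itself prove the renewed certificate is being served; compare its expiry with the one Apache hands out (openssl s_client -connect group-a.op-bit.nz:443 -servername group-a.op-bit.nz </dev/null 2>/dev/null | openssl x509 -enddate -noout). If the dates differ, Apache was never reloaded after the renewal, which is what the post-hook in cli.ini is for.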

You can see now that ownCloud is using HTTPS


Enable HSTS header in Apache config

Enable Apache's headers module, which provides the Header directive:

sudo a2enmod headers # Ubuntu, Debian and SUSE variants

Open the configuration file for our Apache site:

sudo nano /etc/apache2/sites-available/owncloud.conf

Add Strict-Transport-Security with a Header directive in the virtual host that serves HTTPS. Browsers ignore an HSTS header received over plain HTTP, so the directive must apply to the <VirtualHost *:443> block.

Change the highlighted port in the <VirtualHost> line from 80 to 443. If certbot --apache created a separate owncloud-le-ssl.conf for the HTTPS site, edit that file instead and leave the port-80 virtual host in place as the HTTP-to-HTTPS redirect.

Add this line at the end of the file, inside the HTTPS <VirtualHost> block (a Header directive outside any block applies server-wide, which also works, since browsers only act on HSTS received over HTTPS):

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

max-age=31536000 tells browsers to use HTTPS for this host for one year; includeSubDomains extends that to every subdomain of group-a.op-bit.nz, so leave it out if any subdomain still has to be reachable over plain HTTP.

Check the syntax, then restart Apache to apply the changes:

sudo apache2ctl configtest && sudo systemctl restart apache2

Verify that HSTS is in place by requesting the site over HTTPS (curl defaults to plain HTTP, where the header is not expected) and checking the response headers:

curl -sI https://group-a.op-bit.nz | grep -i strict-transport-security

Disable TLS 1.0/1.1

TLS 1.0 and 1.1 are deprecated (RFC 8996) and SSL Labs caps the grade while they are enabled. Find the SSLProtocol directive: with certbot --apache it normally lives in /etc/letsencrypt/options-ssl-apache.conf, which the HTTPS virtual host Includes; otherwise it is in /etc/apache2/mods-available/ssl.conf.

Remove the TLS 1 and TLS 1.1 options from SSLProtocol so that the line reads SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 (an allow-list such as SSLProtocol TLSv1.2 TLSv1.3 is equivalent), then run sudo apache2ctl configtest && sudo systemctl reload apache2.

Test that the configuration changes have taken effect at

https://www.ssllabs.com/ssltest/analyze.html

Put group-a.op-bit.nz in the search bar. The report's Protocols section should show TLS 1.0 and TLS 1.1 as "No", and the HSTS entry from the previous step as present.
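As an added example, not part of the wiki page or of the ownCloud or certbot tooling: a bash audit that checks an Apache site file for the two hardening steps above, HSTS set inside the :443 virtual host with a max-age of at least a year, and TLS 1.0/1.1 (and SSLv3) removed from SSLProtocol. It runs against two constructed sample configs: a weak one with the HSTS header in the port-80 virtual host and a stock SSLProtocol all -SSLv3, and the hardened one. The file names are made up; on the server you would pass the real owncloud.conf or owncloud-le-ssl.conf (and options-ssl-apache.conf, if SSLProtocol lives there).

```bash
#!/usr/bin/env bash
# Added example, not the group-a project's code: audit an Apache config for the
# HSTS and SSLProtocol hardening described on this page. The sample configs below
# are constructed for the demo; their file names are arbitrary.
set -u

# Is protocol $2 (e.g. TLSv1) enabled by the SSLProtocol value in $1?
# Apache evaluates the tokens left to right: "all"/"+all" enable everything,
# "-X" removes X, "X"/"+X" adds it, so "all -SSLv3 -TLSv1 -TLSv1.1" leaves TLSv1.2/1.3.
ssl_protocol_enabled() {
  local tok enabled=0
  for tok in $1; do
    case "$tok" in
      all|+all)   enabled=1 ;;
      -all)       enabled=0 ;;
      "$2"|"+$2") enabled=1 ;;
      "-$2")      enabled=0 ;;
    esac
  done
  [ "$enabled" -eq 1 ]
}

# Audit one config file. Prints one line per check; returns 0 only if all pass.
audit_apache_tls() {
  local conf="$1" rc=0 hsts_line maxage proto p

  # HSTS must be inside a <VirtualHost *:443> block: browsers ignore it over plain HTTP.
  hsts_line=$(awk '
    /<VirtualHost[^>]*:443>/ { in443 = 1 }
    /<\/VirtualHost>/        { in443 = 0 }
    in443 && /^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Strict-Transport-Security/ { print; exit }
  ' "$conf")
  if [ -n "$hsts_line" ]; then
    echo "ok    Strict-Transport-Security is set in the :443 virtual host"
    maxage=$(printf '%s\n' "$hsts_line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$maxage" ] && [ "$maxage" -ge 31536000 ]; then
      echo "ok    HSTS max-age=$maxage (at least one year)"
    else
      echo "FAIL  HSTS max-age is '${maxage:-missing}', want >= 31536000"; rc=1
    fi
  else
    echo "FAIL  no Strict-Transport-Security header inside a <VirtualHost *:443> block"; rc=1
  fi

  # SSLProtocol: first occurrence in the file; if absent, check the worst case ("all").
  proto=$(awk '$1 == "SSLProtocol" { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$conf")
  if [ -z "$proto" ]; then
    echo "warn  no SSLProtocol in $conf; it is inherited from the global config, checking as \"all\""
    proto="all"
  fi
  for p in SSLv3 TLSv1 TLSv1.1; do
    if ssl_protocol_enabled "$proto" "$p"; then
      echo "FAIL  SSLProtocol \"$proto\" still allows $p"; rc=1
    else
      echo "ok    $p disabled"
    fi
  done
  return "$rc"
}

# Constructed sample configs (not the real owncloud.conf).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CONF="$WORK/owncloud-weak.conf"
HARDENED_CONF="$WORK/owncloud-hardened.conf"

cat > "$WEAK_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName group-a.op-bit.nz
    # Wrong place: browsers ignore HSTS received over HTTP
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Redirect permanent / https://group-a.op-bit.nz/
</VirtualHost>
<VirtualHost *:443>
    ServerName group-a.op-bit.nz
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
EOF

cat > "$HARDENED_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName group-a.op-bit.nz
    Redirect permanent / https://group-a.op-bit.nz/
</VirtualHost>
<VirtualHost *:443>
    ServerName group-a.op-bit.nz
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
  echo "== $f"
  audit_apache_tls "$f" && echo "PASS" || echo "NOT COMPLIANT"
done
```

The audit only reads the files you give it, so if SSLProtocol is set in options-ssl-apache.conf or mods-available/ssl.conf rather than in the site file, pass that file too; the SSL Labs scan above remains the check of what the server actually negotiates.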


Ticket Reference- https://rt.dataraster.com/Ticket/Display.html?id=313