HTTPS Certificate Configuration¶
This document explains how to enable SSL/TLS in Apache so that the openNAC web server can be reached over HTTPS.
Configuration steps
Install mod_ssl¶
First of all, we require the mod_ssl module:
yum install mod_ssl
This package installs a default ssl.conf in the /etc/httpd/conf.d directory. To avoid two competing SSL configurations we rename that file so it is no longer loaded (only *.conf files in the directory are applied):
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.old
Certificate¶
If we already have a valid certificate for this server we can use it: place the certificate (CRT) and private key (KEY) files in the /etc/httpd/ssl directory. The key must be owned by root and not readable by other users (mode 0600); httpd reads it as root at startup, before dropping privileges:
/etc/httpd/ssl/server.crt
/etc/httpd/ssl/server.key
For testing purposes we can generate a self-signed certificate, indicating the validity in days and the subject. The most important field is the Common Name (CN) in the subject: it must match the FQDN that clients use to reach the server. Note that current browsers ignore the CN and only accept names listed in the subjectAltName extension, so the CN-only certificate below (valid for 11499 days, unencrypted key because of -nodes) is suitable for internal testing rather than for end-user browsers:
openssl req -x509 -nodes -days 11499 -subj '/C=ES/ST=Madrid/L=Madrid/CN=opennac.test' -newkey rsa:2048 -keyout /etc/httpd/ssl/server.key -out /etc/httpd/ssl/server.crt
Generate CSR
We can also generate a CSR to be signed by a trusted CA; again we are prompted for the subject fields (the Common Name should be the server's FQDN, as above):
openssl req -new -newkey rsa:2048 -nodes -keyout opennac.key -out opennac.csr
Generating a 2048 bit RSA private key
..........................................+++
.............+++
writing new private key to 'opennac.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Madrid
Locality Name (eg, city) [Default City]:Madrid
Organization Name (eg, company) [Default Company Ltd]:OpenCloudFactory
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:LAB0oncore
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After that we can send the .csr file to the CA, or copy and paste its contents into the CA's request form. The private key (opennac.key) stays on the server and is never sent.
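As an added example (not code from the openNAC page or project), the following script puts the key, CSR and self-signed certificate steps together and then checks the results the way a reviewer would before copying them into /etc/httpd/ssl: that the key matches the certificate, that the FQDN is accepted under the SAN-first matching rules clients use, that the CSR carries the SAN so the CA-issued certificate will too, and that the key file is not readable by other users. The FQDN opennac.test and the subject values are assumptions, and the script works in a temporary directory rather than /etc/httpd/ssl.

```shell
#!/bin/sh
# Added example (not from the openNAC page or project): generate a key, a CSR
# for a trusted CA and a self-signed test certificate that carry the FQDN in
# subjectAltName as well as CN, then verify the files before installing them.
# FQDN and subject values are assumptions for the demo; everything happens in
# a temporary directory, not in /etc/httpd/ssl.
set -e
WORK=$(mktemp -d)
cd "$WORK"
FQDN=opennac.test

# Request config that also works on OpenSSL 1.0.2 (no -addext needed):
# the same [san] section serves the CSR and the self-signed certificate.
cat > req.cnf <<EOF
[req]
distinguished_name = dn
req_extensions = san
x509_extensions = san
[dn]
[san]
subjectAltName = DNS:$FQDN
EOF

SUBJ="/C=ES/ST=Madrid/L=Madrid/O=OpenCloudFactory/CN=$FQDN"
# Key + CSR to send to the CA.
openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" -config req.cnf \
  -keyout server.key -out server.csr 2>/dev/null
# Self-signed certificate from the same key, for testing only (one year, not 31).
openssl req -new -x509 -key server.key -days 365 -subj "$SUBJ" -config req.cnf \
  -out server.crt 2>/dev/null
# httpd reads the key as root; nobody else needs it.
chmod 600 server.key
# An unrelated key, to show the mismatch check failing.
openssl genrsa -out other.key 2048 2>/dev/null

# Does the key belong to the certificate? Compare the public keys rather than
# an RSA modulus hash, so the check also works for EC keys.
key_matches_cert() {  # $1 = key, $2 = cert
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Will clients accept the certificate for this name? -checkhost applies the
# same SAN-first matching a TLS client uses.
cert_matches_host() {  # $1 = cert, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Does the CSR carry the name in subjectAltName?
csr_has_san() {  # $1 = csr, $2 = hostname
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Is the key file mode exactly 0600?
key_is_private() {  # $1 = key
  [ -n "$(find "$1" -perm 600)" ]
}

for check in "key_matches_cert server.key server.crt" \
             "key_matches_cert other.key server.crt" \
             "cert_matches_host server.crt $FQDN" \
             "cert_matches_host server.crt www.$FQDN" \
             "csr_has_san server.csr $FQDN" \
             "key_is_private server.key"; do
  if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```

The second and fourth checks are expected to print FAIL: other.key does not belong to server.crt, and the certificate has no wildcard entry for www.opennac.test. Run the same four functions against the files you are about to copy into /etc/httpd/ssl before restarting httpd; a key/certificate mismatch or a name mismatch is the usual cause of a silent "SSL_ERROR" at the first browser connection.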
HTTPS configuration
Add the following configuration to a new file in the /etc/httpd/conf.d directory, for example /etc/httpd/conf.d/opennac_ssl.conf (lines starting with # are comments to httpd):
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# SSLMutex exists only in httpd 2.2; httpd 2.4 rejects it and uses the core Mutex directive instead.
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
# "all -SSLv2" still enables SSLv3, TLSv1 and TLSv1.1; production hosts should allow only TLSv1.2 or newer.
SSLProtocol all -SSLv2
# This list admits RC4 and MEDIUM-strength ciphers; prefer an AEAD-only list with SSLHonorCipherOrder on.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
DocumentRoot "/usr/share/opennac/userportal/public"
# ServerName should be the same FQDN that appears in the certificate subject/SAN.
ServerName userportal
SetEnv APPLICATION_ENV production
ErrorLog /var/log/httpd/opennac-https-error_log
CustomLog /var/log/httpd/opennac-https-access_log common
</VirtualHost>
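The vhost above works, but several of its directives deserve attention before it is deployed. As an added example (not part of the openNAC page or project), the script below holds a constructed copy of those directives next to a hardened variant, plus a small audit function that flags what a reviewer would reject: SSLMutex (httpd 2.2 only), SSLProtocol values that still enable SSLv3, TLSv1 or TLSv1.1, cipher tokens that admit RC4, MEDIUM/LOW/export or unauthenticated suites, and a missing SSLHonorCipherOrder. The hardened values assume httpd 2.4 with TLS 1.2 support (the CentOS 7 combination) and mod_headers for the HSTS line; adjust them for other versions.

```shell
#!/bin/sh
# Added example (not from the openNAC page or project): audit an httpd mod_ssl
# configuration for the legacy settings in the vhost above and show a hardened
# replacement. Both files are constructed for the demo (same paths as the page);
# the hardened values assume httpd 2.4 with TLS 1.2 support and mod_headers.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed copy of the page's directives.
cat > weak.conf <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
SSLMutex default
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
DocumentRoot "/usr/share/opennac/userportal/public"
</VirtualHost>
EOF

# Hardened variant: TLS 1.2 only, forward-secret AEAD suites in server order,
# no TLS compression, HSTS. Add +TLSv1.3 once httpd 2.4.37+/OpenSSL 1.1.1 is in use.
cat > hardened.conf <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLCompression off
Header always set Strict-Transport-Security "max-age=63072000"
DocumentRoot "/usr/share/opennac/userportal/public"
</VirtualHost>
EOF

# First value of directive $2 in file $1 (directive names are case-insensitive; comments skipped).
conf_get() {
  awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    '$1 !~ /^#/ && tolower($1) == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print one finding per line; return 1 if there is any.
audit_ssl_conf() {  # $1 = httpd conf file
  n=0
  if [ -n "$(conf_get "$1" SSLMutex)" ]; then
    echo "SSLMutex is an httpd 2.2 directive; 2.4 refuses to start on it (drop it, the core Mutex default is fine)"
    n=$((n + 1))
  fi
  proto=$(conf_get "$1" SSLProtocol)
  [ -n "$proto" ] || { echo "SSLProtocol not set; the httpd default still enables TLSv1 and TLSv1.1"; n=$((n + 1)); }
  # Resolve the token list into the set of enabled versions (kept as " A B ").
  enabled=" "
  for tok in $proto; do
    case $tok in
      all|+all) enabled=" SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 " ;;
      -all)     enabled=" " ;;
      -*)       enabled=$(printf '%s' "$enabled" | sed "s/ ${tok#-} / /") ;;
      +*)       enabled="$enabled${tok#+} " ;;
      *)        enabled="$enabled$tok " ;;
    esac
  done
  for weak in SSLv2 SSLv3 TLSv1 TLSv1.1; do
    case $enabled in *" $weak "*) echo "SSLProtocol enables $weak"; n=$((n + 1)) ;; esac
  done
  # Any non-excluded cipher token that admits RC4, export/low/medium, NULL, anonymous DH, DES/3DES or MD5.
  for tok in $(conf_get "$1" SSLCipherSuite | tr ':' ' '); do
    case $tok in
      !*) ;;
      ALL|+ALL|DEFAULT|COMPLEMENTOFALL|COMPLEMENTOFDEFAULT|*RC4*|*MEDIUM*|*LOW*|*EXP*|*NULL*|*ADH*|*AECDH*|*DES*|*MD5*|*SEED*|*IDEA*)
        echo "SSLCipherSuite token '$tok' admits weak or unauthenticated ciphers"; n=$((n + 1)) ;;
    esac
  done
  case $(conf_get "$1" SSLHonorCipherOrder | tr 'A-Z' 'a-z') in
    on) ;;
    *)  echo "SSLHonorCipherOrder is not 'on'; the client chooses the cipher"; n=$((n + 1)) ;;
  esac
  [ "$n" -eq 0 ]
}

echo "== weak.conf";     audit_ssl_conf weak.conf || echo "(fix before deploying)"
echo "== hardened.conf"; audit_ssl_conf hardened.conf && echo "no findings"
```

The audit is deliberately simple: it reads the first occurrence of each directive, so point it at the one file that holds the openNAC vhost, and it treats protocol tokens case-sensitively while httpd does not. After switching to the hardened directives, confirm with "apachectl configtest" that the running httpd accepts every directive (SSLCompression and Header need mod_ssl 2.4.3+ and mod_headers respectively) before reloading.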
Check firewall¶
Check the firewall configuration to allow traffic on port 443.
Configuration script¶
You can use the following script (source:trunk/src/utils/build-repo/enable_https.sh) to make the necessary configurations. The command line to reproduce the example parameters would be:
./enable_https.sh --subject=/C=ES/ST=Madrid/L=Madrid/CN=opennac.test --days=11499
Verification of Client Certificates Revocation Status with OCSP¶
The Online Certificate Status Protocol (OCSP) is used to obtain the revocation status of an x509 digital certificate and has been created as an alternative to certificate revocation lists (CRLs).
The radiusd server can be configured to check the revocation status of 802.1X client certificates by querying an OCSP responder. The configuration steps are:
- Edit the /etc/raddb/eap.conf file and find the "ocsp" configuration section.
- Enable OCSP checking by changing the default 'enable = no' to 'enable = yes'.
- Decide where the responder URL comes from. With the default 'override_cert_url = yes', radiusd uses the URL configured in the 'url' directive and ignores the one in the certificate; with 'override_cert_url = no', it uses the URL found in the certificate's Authority Information Access extension.
- If you kept 'override_cert_url = yes', change the default 'url = "http://127.0.0.1/ocsp/"' by replacing the host 127.0.0.1 with the IP address or hostname of the OCSP responder. If the responder listens on a port other than 80, use host:port notation, for example http://10.0.0.1:2560/. If you chose the certificate URL, no modification is required.
Additional information and warnings:
FreeRADIUS can read the OCSP responder URL from the client certificate's Authority Information Access extension. Before relying on it, make sure the RADIUS server can resolve the hostname in that URL and that the firewall lets it reach the responder.
To find out whether a certificate contains the URL of an OCSP responder, run:
openssl x509 -noout -text -in <certificate_file>
In the output of the command, if there are information about the URLs of OCSP responders, they can be found in the ‘X509v3 extensions’ block, similar to the following example:
Authority Information Access:
CA Issuers - URI:http://ocsp.mycompany.example.com/
OCSP - URI:http://ocsp.mycompany.example.com
Normally an error in the OCSP query or response results in a validation failure: by setting 'enable = yes' you are assuming that an OCSP responder is available to answer the RADIUS server's queries. If responder availability is a problem, it is possible to change the default 'softfail = no' to 'softfail = yes', but use this with caution: with softfail, a client presenting a revoked certificate is granted network access whenever the responder cannot be reached.
You must restart the radiusd service in order for the settings to take effect.
You can check the OCSP verification by starting the radiusd daemon in debug mode (radiusd -X). For a valid certificate the debug output contains lines similar to the following:
[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://ocsp.mycompany.example.com:2560/
[ocsp] --> Response status: successful
This Update: Jun 20 14:04:38 2018 GMT
[ocsp] --> Cert status: good
[ocsp] --> Certificate is valid!
For a revoked certificate the debug output contains lines similar to these:
[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://ocsp.mycompany.example.com:2560/
[ocsp] --> Response status: successful
This Update: Jun 20 14:38:53 2018 GMT
[ocsp] --> Cert status: revoked
Revocation Time: Jun 20 14:31:02 2018 GMT
[ocsp] --> Certificate has been expired/revoked!
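To reproduce the "good" and "revoked" outcomes above without a live responder, the following script (an added example, not part of the openNAC page, openNAC or FreeRADIUS) runs a complete OCSP exchange offline with the openssl tool: a throw-away CA issues a client certificate, the responder answers from an index that marks the certificate valid or revoked, and the client side verifies the response signature before reading the status, which is what radiusd does. It also shows the fail-closed case that softfail would bypass: a response signed by a key that does not chain to the CA is rejected rather than read. The CA name, client name, serial 0x1001 and the dates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the openNAC page, openNAC or FreeRADIUS): an OCSP
# request/response exchange done entirely offline with the openssl tool, so the
# 'good' and 'revoked' results can be reproduced without a live responder.
# CA name, client name, serial 0x1001 and the dates are constructed; the CA key
# signs the responses directly, as many in-house CAs do.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config: -subj supplies the DN; v3_ca marks a certificate as a CA.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
EOF

mkca() {  # $1 = CN, $2 = file basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -config ca.cnf -extensions v3_ca -keyout "$2.key" -out "$2.crt" 2>/dev/null
}
mkca 'Demo OCSP CA' ca          # issues the client certificate and answers OCSP
mkca 'Rogue responder' rogue    # unrelated key, to show a forged answer being rejected

# 802.1X client certificate, serial 0x1001, issued by the demo CA.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client1' -config ca.cnf \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
  -days 365 -out client.crt 2>/dev/null

# Responder databases in the "openssl ca" index format, tab separated:
# status  expiry  revocation-time  serial  filename  subject
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=client1\n' > index_good.txt
printf 'R\t300101000000Z\t240620143102Z\t1001\tunknown\t/CN=client1\n' > index_revoked.txt

# Responder side: build the OCSP request for client.crt, answer it from the
# index and sign with the given key. -noverify: the responder does not check
# its own answer; -no_nonce keeps the saved response replayable below.
ocsp_respond() {  # $1 = index, $2 = signer cert, $3 = signer key, $4 = response out (DER)
  openssl ocsp -index "$1" -CA ca.crt -rsigner "$2" -rkey "$3" \
    -issuer ca.crt -cert client.crt -no_nonce \
    -reqout request.der -respout "$4" -noverify >/dev/null 2>&1
}

# Client side, the part radiusd performs: verify the responder signature
# against the CA, then print the status word (good, revoked or unknown).
# Returns 1 when the signature does not verify, so a caller fails closed.
ocsp_status() {  # $1 = response (DER)
  openssl ocsp -issuer ca.crt -cert client.crt -respin "$1" -CAfile ca.crt \
    -no_nonce >summary.txt 2>verify.txt || return 1
  grep -q 'Response verify OK' verify.txt || return 1
  awk '$1 == "client.crt:" { print $2; exit }' summary.txt
}

ocsp_respond index_good.txt    ca.crt    ca.key    resp_good.der
ocsp_respond index_revoked.txt ca.crt    ca.key    resp_revoked.der
ocsp_respond index_good.txt    rogue.crt rogue.key resp_rogue.der

GOOD=$(ocsp_status resp_good.der)
REVOKED=$(ocsp_status resp_revoked.der)
if ocsp_status resp_rogue.der >/dev/null 2>&1; then ROGUE=accepted; else ROGUE=rejected; fi
echo "good index, CA-signed      -> $GOOD"
echo "revoked index, CA-signed   -> $REVOKED"
echo "good index, rogue-signed   -> $ROGUE"
```

summary.txt holds the same "This Update" and "Revocation Time" lines that appear in the radiusd debug output. Against a real deployment, openssl x509 -noout -ocsp_uri -in <certificate_file> prints only the responder URL from the AIA extension, and openssl ocsp -issuer <ca.crt> -cert <client.crt> -url <that URL> -CAfile <ca.crt> performs the same query over HTTP from the RADIUS server, which is a quick way to confirm DNS and firewall reachability before enabling the check in eap.conf.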