Reduce Insecurity for free, HTTPS now democratized by LetsEncrypt

 

how-to-install-lets-encrypt-ssl-certificate

I am typing this with my fingers crossed, that I could just get someone to acknowledge that HTTPS is not only prudent but damn easy to setup. Security is not my primary focus, yet I align with most of the InfoSec’s paranoia out there today. A dumb hacker millions of years ago said that, the minimum you could do in security is to use SSL encryption in your communication.

Now that I have uncrossed my fingers. Below is my rough note for setting up a secure instance for which I assume you have an elastic IP in EC2 instance and a DNS pointing using the A-host configuration to this IP. Below is a totally fake xyzminime.org domain name which I do not own and is just used for example. No offence to anyone who owns it, I just think its an awesome name.

URL: https://xyzminime.org

Email: info@xyzminime.org

# This is how I used to generate my insecure self-signed certificate earlier
keytool -genkeypair -dname "CN=xyzminime.org, OU=XYZ, O=XYZ, L=PaloAlto, ST=CA, C=US" -alias xyzminime -keyalg RSA -ext san=ip:xyzminime.org -keystore /opt/tomcat7/.keystore

Since I am not an authorized certificate signing authority, all the browsers just flags my certificate as unsecure and block it by default.

This is where LetsEncrypt came for help with their democratic certificate authority. There were some references that I drew inspiration from, to do this thing as a rough note and not a tutorial.

Ref:    https://certbot.eff.org/#centosrhel6-other
        https://certbot.eff.org/docs/using.html#webroot
        https://melo.myds.me/wordpress/lets-encrypt-for-tomcat-7-on-ds/

 

1.) Pre-requisite is to get the certbot client

# Installation taken care by the certbot-auto client
sudo yum install epel-release wget
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

# Install the certbot on your instance
sudo ./certbot-auto

Certbot dumps its contents in a folder like below, in my ec2-user local path,
/home/ec2-user/.local/share/letsencrypt/bin/letsencrypt certonly

 

2.) Generate a certificate

Keep an email address for notification and validation handy for the enrolment with ACME

If you have a functional webserver that needs to be SSLified then use the webroot way otherwise --standalone is preffered
sudo ./certbot-auto certonly -n --rsa-key-size 2048 --agree-tos --email info@xyzminime.org --webroot -w /opt/tomcat7/webapps/ -d xyzminime.org
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xyzminime.org/fullchain.pem.
Your cert will expire on 2016-12-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificates are written to /etc/letsencrypt/live/xyzminime.org/
export CERT_PATH="/etc/letsencrypt/live/xyzminime.org/"
 - cert.pem
 - chain.pem
 - fullchain.pem
 - privkey.pem

 

3.) Create a keystore for Tomcat

Basically there are only two steps required to get our fullchain.pem and privkey.pem inside a JKS. 
First we bundle both our fullchain and the private key in a PKCS12 keystore. 
We do this, because apparently Java’s keytool (which we use to create our JKS),
is not able to import pre-existing keys and certificates into a JKS, as described here.
sudo openssl pkcs12 -export -in "$CERT_PATH"fullchain.pem -inkey "$CERT_PATH"privkey.pem -out fullchain_and_key.p12 -name xyzminime -password pass:mini#123

Now that we have our PKCS12 keystore, we can use Java’s keytool to generate a JKS,
from our PKCS12 file like;
keytool -importkeystore -deststorepass mini#123 -destkeypass mini#123 -destkeystore xyzminime.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass mini#123 -alias xyzminime
 
# Backup and place your self-signed keystore in the tomcat home
mv /opt/tomcat7/.keystore .keystore_backup_1
sudo cp xyzminime.jks /opt/tomcat7/.keystore
 
Make sure that the 8443 conector configuration in the conf/server.xml is as follows
<Connector port="8443" 
           keystoreFile="${user.home}/.keystore" 
           keystorePass="mini#123" 
           keyAlias="xyzminime" 
           ...
Run the InstallCert utility for java security ca cert 
Compile the InstallCert using javac
java InstallCert xyzminime.org
sudo cp jssecacerts /usr/java/jdk1.8.0_73/jre/lib/security/

 

4.) Automating renewal

# A test run for renewal
certbot-auto renew --dry-run

# Add the following to the cron or systemmd that should run twice daily in case of any certificate invalidation
certbot-auto renew --quiet

 

Now your tomcat will be able to serve the content over SSL. Verify this by accessing the server on the below URL.

https://xyzminime.org

 

 

 

Advertisements

ODOO (Open ERP) AWS setup notes for your unforeseen startup

_______________________________________

Setup ODOO on EC2 & RDS (Insecure)
_______________________________________

 

Go to https://www.odoo.com and make sure you understand the needs for an ERP system at your startup. I would advice that you evaluate the pros & cons for using an ERP before jumping into this bureaucratic complication.

Security is prime and make sure you realize that I have not covered any aspect of securing the instance or the application here.
1. Intallation pre-requisites

a. Initialize a RDS PostgreSql service on AWS.

b. Initialize an EC2 instance with Amazon Linux in the same security group as RDS

yum install git libtool zlib devel automake pkgconfig gcc c++ curl make gcc-c++ libxml2-devel rsync
yum install openldap-devel libjpeg-devel python-devel vim
yum -y install babel libxslt-python pyparsing python-dateutil python-decorator python-docutils python-feedparser python-imaging python-jinja2 python-ldap python-lxml python-mako python-mock python-openid python-passlib python-psutil python-psycopg2 python-reportlab python-requests python-simplejson python-unittest2 python-vobject python-werkzeug python-yaml pytz
yum install icu xorg-x11-fonts-75dpi freetype freetype-devel 

> Setup Node
yum install nodejs npm
npm install -g less less-plugin-clean-css
ln -s /usr/local/bin/lessc /usr/bin/lessc
ln -s /usr/bin/nodejs /usr/bin/node

> CentOS 6
yum localinstall http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/pgdg-centos93-9.3-1.noarch.rpm
wget https://bitbucket.org/wkhtmltopdf/wkhtmltopdf/downloads/wkhtmltox-0.13.0-alpha-7b36694_linux-centos6-amd64.rpm
rpm -ivh wkhtmltox-0.13.0-alpha-7b36694_linux-centos6-amd64.rpm

> CentOS 7
yum localinstall https://yum.postgresql.org/9.3/redhat/rhel-7-x86_64/pgdg-redhat93-9.3-3.noarch.rpm
wget http://download.gna.org/wkhtmltopdf/0.12/0.12.2.1/wkhtmltox-0.12.2.1_linux-centos7-amd64.rpm
rpm -Uvh wkhtmltox-0.12.2.1_linux-centos7-amd64.rpm

yum install postgresql93-contrib postgresql93-devel postgresql93-plpython27
Now lets get the odoo source on the machine to start the setup
git clone https://github.com/odoo/odoo.git
Go to your odoo directory and install the python packages
easy_install -U setuptools
easy_install pip
pip install -r requirements.txt

2. Create a config file openerp-server.conf with the below content

[options]
; This is the password that allows database operations:
; admin_passwd = admin
db_host = admindb.xxxxxxx.us-west-2.rds.amazonaws.com
db_port = 5432
db_user = admin
db_password = admin123
addons_path = /usr/lib/python2.7/dist-packages/openerp/addons
logfile = /tmp/odoo-server.log
xmlrpc_port = 8069

Setup a RDS with postgres database server

psql -h admindb.xxxxxxx.us-west-2.rds.amazonaws.com -U admin admindb

CREATE USER admin WITH PASSWORD 'admin123';
ALTER USER admin CREATEDB;


3. Run the server with the configurations

chown -R ec2-user odoo 
./odoo-bin --addons-path=addons --config=openerp-server.conf

4. Configure the EC2 Instance

a.) IP routing on the instance. Not secure, but will provide the basic routing to start your system.

iptables -t nat -A OUTPUT -p tcp -d ec2-xxx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com --dport 80 -j REDIRECT --to-port 8069
iptables -t nat -I PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8069
Make sure you verify the iptables. 
sudo iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8069
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere ip-xxx-xxx-xxx-xxx.us-west-2.compute.internal tcp dpt:http redir ports 8069
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

 

b.) Security group config for port 80. Add exception for incoming HTTP traffic
5. Run the ODOO server as a service

echo "Killing any previous instance of odoo"
ps ax | grep odoo | grep -v grep | awk '{print $1}' | xargs sudo kill
echo "Starting the Odoo server"
nohup ./odoo-bin --addons-path=addons --config=openerp-server.conf -d oodb -u all &> /dev/null & disown
echo "Conf : ~/odoo/odoo/openerp-server.conf"
echo "Log : tail -f /tmp/odoo-server.log"

6. Login as admin / admin
http://ec2-xxx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com