EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #09730
< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First
[EP-tech] Repository Server Upgrade SSL
- To: eprints-tech@ecs.soton.ac.uk
- Subject: [EP-tech] Repository Server Upgrade SSL
- From: James Kerwin <jkerwin2101@gmail.com>
- Date: Fri, 14 Jun 2024 06:10:36 +0100
CAUTION: This e-mail originated outside the University of Southampton.
Hi All,
I did the big switchover to my new repository server yesterday.
Had a number of problems with getting SSL to work. I'm now at the point where I can go to the url:
https://livrepository.liverpool.ac.uk/
But it loads the default Apache page. This feels like a step forwards as yesterday Apache was telling me my certificate files didn't exist.
https://livrepository.liverpool.ac.uk/
But it loads the default Apache page. This feels like a step forwards as yesterday Apache was telling me my certificate files didn't exist.
Can anybody please advise me?
In /etc/apache2/sites-enabled/eprints.conf I have:
In /etc/apache2/sites-enabled/eprints.conf I have:
Include /opt/eprints3/cfg/apache.conf
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost
</Location>
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost
</Location>
In /opt/eprints3/cfg/apache.conf I have:
# Load the perl modules & repository configurations
PerlSwitches -I/opt/eprints3/perl_lib
Include /opt/eprints3/cfg/perl_module_isolation.conf
# Load the per-repository apache configuration
Include /opt/eprints3/cfg/apache/*.conf
Include /opt/eprints3/cfg/apache_ssl/*.conf
PerlSwitches -I/opt/eprints3/perl_lib
Include /opt/eprints3/cfg/perl_module_isolation.conf
# Load the per-repository apache configuration
Include /opt/eprints3/cfg/apache/*.conf
Include /opt/eprints3/cfg/apache_ssl/*.conf
In /opt/eprints3/cfg/apache_ssl/uolrepo.conf I have what looks to be the correct conf based on it being similar in structure to that I use on the Data Catalogue. I think it's safe enough to share the below.
If anyone can help I would be eternally grateful and forever in your debt.
<VirtualHost *:443>
ServerName livrepository.liverpool.ac.uk
ServerAdmin jkerwin@liverpool.ac.uk
SSLEngine On
#SSLCertificateFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_cert.cer
#SSLCertificateKeyFile /var/tmp/270324-ssl-certs/liv-repo-live.key
#SSLCertificateChainFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_interm.cer
SSLCertificateFile /opt/eprints3/certs/repo-live_liv_ac_uk_cert.cer
SSLCertificateKeyFile /opt/eprints3/certs/liv-repo-live.key
SSLCertificateChainFile /opt/eprints3/certs/repo-live_liv_ac_uk_interm.cer
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
<Location "">
PerlSetVar EPrints_ArchiveID uolrepo
PerlSetVar EPrints_Secure yes
Options +ExecCGI
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
</Location>
</VirtualHost>
If anyone can help I would be eternally grateful and forever in your debt.
<VirtualHost *:443>
ServerName livrepository.liverpool.ac.uk
ServerAdmin jkerwin@liverpool.ac.uk
SSLEngine On
#SSLCertificateFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_cert.cer
#SSLCertificateKeyFile /var/tmp/270324-ssl-certs/liv-repo-live.key
#SSLCertificateChainFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_interm.cer
SSLCertificateFile /opt/eprints3/certs/repo-live_liv_ac_uk_cert.cer
SSLCertificateKeyFile /opt/eprints3/certs/liv-repo-live.key
SSLCertificateChainFile /opt/eprints3/certs/repo-live_liv_ac_uk_interm.cer
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
<Location "">
PerlSetVar EPrints_ArchiveID uolrepo
PerlSetVar EPrints_Secure yes
Options +ExecCGI
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
</Location>
</VirtualHost>
- Follow-Ups:
- Re: [EP-tech] Repository Server Upgrade SSL
- From: David R Newman <drn@ecs.soton.ac.uk>
- Re: [EP-tech] Repository Server Upgrade SSL
- From: John Salter <J.Salter@leeds.ac.uk>
- Re: [EP-tech] Repository Server Upgrade SSL
- Prev by Date: Re: [EP-tech] HTTPS only setup back to http
- Next by Date: Re: [EP-tech] Repository Server Upgrade SSL
- Previous by thread: [EP-tech] HTTPS only setup back to http
- Next by thread: Re: [EP-tech] Repository Server Upgrade SSL
- Index(es):