EPrints Technical Mailing List Archive


Message: #09730



[EP-tech] Repository Server Upgrade SSL


Hi All,

I did the big switchover to my new repository server yesterday.

Had a number of problems with getting SSL to work. I'm now at the point where I can go to the URL:

https://livrepository.liverpool.ac.uk/

But it loads the default Apache page. This feels like a step forwards as yesterday Apache was telling me my certificate files didn't exist.

Can anybody please advise me?

In /etc/apache2/sites-enabled/eprints.conf I have:

Include /opt/eprints3/cfg/apache.conf
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost
</Location>

In /opt/eprints3/cfg/apache.conf I have:

# Load the perl modules & repository configurations
PerlSwitches -I/opt/eprints3/perl_lib
Include /opt/eprints3/cfg/perl_module_isolation.conf

# Load the per-repository apache configuration
Include /opt/eprints3/cfg/apache/*.conf
Include /opt/eprints3/cfg/apache_ssl/*.conf

In /opt/eprints3/cfg/apache_ssl/uolrepo.conf I have what looks to be the correct conf based on it being similar in structure to that I use on the Data Catalogue. I think it's safe enough to share the below.

If anyone can help I would be eternally grateful and forever in your debt.

<VirtualHost *:443>
  ServerName livrepository.liverpool.ac.uk

  ServerAdmin jkerwin@liverpool.ac.uk
 
  SSLEngine On
  #SSLCertificateFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_cert.cer
  #SSLCertificateKeyFile /var/tmp/270324-ssl-certs/liv-repo-live.key
  #SSLCertificateChainFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_interm.cer
 
  SSLCertificateFile /opt/eprints3/certs/repo-live_liv_ac_uk_cert.cer
  SSLCertificateKeyFile /opt/eprints3/certs/liv-repo-live.key
  SSLCertificateChainFile /opt/eprints3/certs/repo-live_liv_ac_uk_interm.cer
 
  Header always set Strict-Transport-Security "max-age=15768000"  
  SSLProtocol             all -SSLv3
  SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder     on
  SSLCompression          off
 
  <Location "">
    PerlSetVar EPrints_ArchiveID uolrepo
    PerlSetVar EPrints_Secure yes

    Options +ExecCGI
    <IfModule mod_authz_core.c>
       Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
    </IfModule>
  </Location>
</VirtualHost>
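
An added example, not part of the original message or of EPrints: a small Python check that reads SSLProtocol and SSLCipherSuite directives like those in the VirtualHost above and reports which pre-TLS 1.2 versions stay enabled and which cipher names are 3DES, lack forward secrecy, or are not AEAD. The sample config is constructed from lines in the message, the function names are hypothetical, and treating a bare SSLProtocol token like '+' is a simplifying assumption.

```python
import re

# Constructed sample: the SSLProtocol line from the message and a shortened
# SSLCipherSuite value built from entries that appear in the message's list.
SAMPLE = """\
<VirtualHost *:443>
  SSLEngine On
  SSLProtocol             all -SSLv3
  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:DES-CBC3-SHA:!DSS
</VirtualHost>
"""

LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")  # protocol versions older than TLS 1.2


def legacy_protocols(value):
    """Return the pre-TLS 1.2 versions an SSLProtocol value leaves enabled."""
    # Assumption: tokens apply left to right and a bare token acts like '+'.
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-").lower()
        names = set(LEGACY) if name == "all" else {p for p in LEGACY if p.lower() == name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return [p for p in LEGACY if p in enabled]


def cipher_findings(value):
    """Map each flagged OpenSSL cipher name to the reasons it is flagged."""
    findings = {}
    for name in value.split(":"):
        if not name or name[0] in "!-+":  # exclusion and ordering operators
            continue
        reasons = []
        if "DES-CBC3" in name:
            reasons.append("3DES")
        if not name.startswith(("ECDHE-", "DHE-", "EDH-")):
            reasons.append("no forward secrecy")
        if not any(tag in name for tag in ("GCM", "CHACHA20", "CCM")):
            reasons.append("non-AEAD")
        if reasons:
            findings[name] = reasons
    return findings


def audit(conf_text):
    """Audit the first SSLProtocol and SSLCipherSuite directives in conf_text."""
    def directive(key):
        m = re.search(rf"^\s*{key}\s+(.+?)\s*$", conf_text, re.M | re.I)
        return m.group(1) if m else ""
    return {"legacy_protocols": legacy_protocols(directive("SSLProtocol")),
            "ciphers": cipher_findings(directive("SSLCipherSuite"))}
```

The check reads configuration text only; what the server actually negotiates also depends on the OpenSSL build, so confirm the result against the running host.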