EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #09732
Re: [EP-tech] Repository Server Upgrade SSL
- To: <eprints-tech@ecs.soton.ac.uk>, James Kerwin <jkerwin2101@gmail.com>
- Subject: Re: [EP-tech] Repository Server Upgrade SSL
- From: David R Newman <drn@ecs.soton.ac.uk>
- Date: Fri, 14 Jun 2024 08:58:48 +0100
Hi James,
SSL config loading is a bit weird in EPrints and does things I would describe as the other way round. Specifically for eprints.conf you need:
Include /opt/eprints3/cfg/apache.conf
Include /opt/eprints3/archives/*/ssl/securevhost.conf
You need to manually build the latter of these two in all your archives rather than creating this in /opt/eprints3/cfg/apache_ssl/uolrepo.conf. The files in the directory should be generated by generate_apacheconf along with the ones in /opt/eprints3/cfg/apache/. What you do need to do with ssl/securevhost.conf (technically this could be anywhere as long as your sites-enabled/eprints.conf points at it) is similar: make sure it includes the generated file for the appropriate archive from /opt/eprints3/cfg/apache_ssl/ as per the example in:
https://wiki.eprints.org/w/How_to_use_EPrints_with_HTTPS#Configuration
Regards
David Newman
P.S. A file (which can be included in securevhost.conf) will only be created by generate_apacheconf under cfg/apache_ssl/ if the archive has a securehost set in 10_core.pl or at least some archive-level cfg/cfg.d/ file.
On 14/06/2024 6:10 am, James Kerwin wrote:
Hi All,
I did the big switchover to my new repository server yesterday.
Had a number of problems with getting SSL to work. I'm now at the point where I can go to the URL:
https://livrepository.liverpool.ac.uk/
But it loads the default Apache page. This feels like a step forwards as yesterday Apache was telling me my certificate files didn't exist.
Can anybody please advise me?
In /etc/apache2/sites-enabled/eprints.conf I have:
Include /opt/eprints3/cfg/apache.conf
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost
</Location>
In /opt/eprints3/cfg/apache.conf I have:
# Load the perl modules & repository configurations
PerlSwitches -I/opt/eprints3/perl_lib
Include /opt/eprints3/cfg/perl_module_isolation.conf
# Load the per-repository apache configuration
Include /opt/eprints3/cfg/apache/*.conf
Include /opt/eprints3/cfg/apache_ssl/*.conf
In /opt/eprints3/cfg/apache_ssl/uolrepo.conf I have what looks to be the correct conf, based on it being similar in structure to the one I use on the Data Catalogue. I think it's safe enough to share the below.
If anyone can help I would be eternally grateful and forever in your debt.
<VirtualHost *:443>
ServerName livrepository.liverpool.ac.uk
ServerAdmin jkerwin@liverpool.ac.uk
SSLEngine On
#SSLCertificateFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_cert.cer
#SSLCertificateKeyFile /var/tmp/270324-ssl-certs/liv-repo-live.key
#SSLCertificateChainFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_interm.cer
SSLCertificateFile /opt/eprints3/certs/repo-live_liv_ac_uk_cert.cer
SSLCertificateKeyFile /opt/eprints3/certs/liv-repo-live.key
SSLCertificateChainFile /opt/eprints3/certs/repo-live_liv_ac_uk_interm.cer
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
<Location "">
PerlSetVar EPrints_ArchiveID uolrepo
PerlSetVar EPrints_Secure yes
Options +ExecCGI
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
</Location>
</VirtualHost>
*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List *** Archive: https://www.eprints.org/tech.php/ *** EPrints community wiki: https://wiki.eprints.org/
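The include layout David describes, as an added example for this archive page (it is not EPrints' own code and not the wiki page's example): a small POSIX shell script that renders an archive's ssl/securevhost.conf in that shape, a *:443 vhost whose only EPrints-specific line is an Include of the generated cfg/apache_ssl/<archiveid>.conf, and then checks the chain from sites-enabled/eprints.conf down to cfg/apache.conf, archives/*/ssl/securevhost.conf and the generated file. The script name, the function names and the TLS settings are my choices: the rendered vhost allows TLS 1.2 and 1.3 only with AEAD suites, in place of the posted "all -SSLv3" protocol line and the cipher list that still carries 3DES and CBC suites. Paths follow the thread's /opt/eprints3 layout and are all parameters.

```shell
#!/bin/sh
# Added example for this thread, not EPrints' own tooling.
# Builds an archive's ssl/securevhost.conf the way David's reply describes
# (a *:443 vhost that Includes the generated cfg/apache_ssl/<archiveid>.conf)
# and then checks the Include chain from sites-enabled/eprints.conf downwards.
# Assumptions: the /opt/eprints3 layout used in the thread; all paths are parameters.

# render_securevhost ARCHIVEID SERVERNAME CERT KEY CHAIN [EPRINTS_ROOT]
# Prints the vhost to stdout.  TLS settings are tightened relative to the
# posted config: TLS 1.2+ only and AEAD suites only (no 3DES or CBC).
render_securevhost() {
  archive="$1"; servername="$2"; cert="$3"; key="$4"; chain="$5"
  root="${6:-/opt/eprints3}"
  cat <<EOF
<VirtualHost *:443>
    ServerName $servername
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; appending the
    # intermediates to the SSLCertificateFile PEM is the current form.
    SSLCertificateChainFile $chain
    # "all -SSLv3" from the posted config still admits TLS 1.0 and 1.1.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLCompression off
    # Needs mod_headers.
    Header always set Strict-Transport-Security "max-age=15768000"
    # The <Location> block with EPrints_ArchiveID/EPrints_Secure lives in the
    # file generate_apacheconf writes here (only when securehost is set in cfg.d).
    Include $root/cfg/apache_ssl/$archive.conf
</VirtualHost>
EOF
}

# Non-comment, non-blank lines of a config file (empty output, not an error,
# when nothing is left).
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true; }

# check_site_conf SITE_CONF [EPRINTS_ROOT]
# sites-enabled/eprints.conf must pull in cfg/apache.conf (HTTP vhosts) and the
# per-archive ssl/securevhost.conf files (HTTPS vhosts).  Returns 0 when both
# Include lines are present and active.
check_site_conf() {
  site="$1"; root="${2:-/opt/eprints3}"; rc=0
  [ -f "$site" ] || { echo "$site: missing"; return 1; }
  for needed in "$root/cfg/apache.conf" "$root/archives/*/ssl/securevhost.conf"; do
    active_lines "$site" | grep -E '^[[:space:]]*Include[[:space:]]' | grep -Fq "$needed" \
      || { echo "$site: no active 'Include $needed'"; rc=1; }
  done
  return $rc
}

# check_archive_ssl [EPRINTS_ROOT]
# Every archive needs ssl/securevhost.conf, that file must Include the
# generated cfg/apache_ssl/<archiveid>.conf, and the generated file must exist.
check_archive_ssl() {
  root="${1:-/opt/eprints3}"; rc=0
  for dir in "$root"/archives/*/; do
    [ -d "$dir" ] || continue
    archive=$(basename "$dir")
    vhost="${dir%/}/ssl/securevhost.conf"
    generated="$root/cfg/apache_ssl/$archive.conf"
    [ -f "$generated" ] \
      || { echo "$archive: $generated missing (securehost set? generate_apacheconf run?)"; rc=1; }
    [ -f "$vhost" ] || { echo "$archive: $vhost missing"; rc=1; continue; }
    active_lines "$vhost" | grep -E '^[[:space:]]*Include[[:space:]]' | grep -Fq "$generated" \
      || { echo "$archive: $vhost does not Include $generated"; rc=1; }
  done
  return $rc
}

# Usage: sh check_eprints_ssl.sh [/opt/eprints3] [/etc/apache2/sites-enabled/eprints.conf]
# The checks only run when the EPrints root actually exists on this host.
root="${1:-/opt/eprints3}"
if [ -d "$root" ]; then
  check_site_conf "${2:-/etc/apache2/sites-enabled/eprints.conf}" "$root"
  check_archive_ssl "$root"
fi
```

After writing the rendered file into each archive's ssl/ directory and running the checks, `apache2ctl -t -D DUMP_VHOSTS` (the same listing as `apache2ctl -S`) should show the repository's ServerName under port 443. A name that no *:443 vhost claims is answered by the first *:443 vhost Apache has defined, so that listing is the quickest way to see which vhost is currently producing the page.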
- Follow-Ups:
- Re: [EP-tech] Repository Server Upgrade SSL
- From: James Kerwin <jkerwin2101@gmail.com>
- Re: [EP-tech] Repository Server Upgrade SSL
- References:
- [EP-tech] Repository Server Upgrade SSL
- From: James Kerwin <jkerwin2101@gmail.com>
- [EP-tech] Repository Server Upgrade SSL