EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09733



Re: [EP-tech] Repository Server Upgrade SSL


CAUTION: This e-mail originated outside the University of Southampton.
John and David, thank you both so much for your advice. It turns out we had a few problems. On the old server IT had put the certs in /var/tmp and the new version of Ubuntu/Apache did not like that. I put them somewhere sensible, then started getting actual useful errors that led me to resolving it (enable headers in Apache in this case).

I do have another problem though; none of my custom workflows or search results citations seem to be working. I've altered them in /opt/eprints3/archives/uolrepo/cfg but they don't seem to be taking. I've also modified them in the flavours and lib directories just to be sure. epadmin test isn't showing any errors, but it just seems to be refusing to take them up.

Any immediate thoughts? (by immediate I mean "on Monday")

The eprints version is 3.4.5

Thanks,
James

On Fri, Jun 14, 2024 at 8:58 AM David R Newman <drn@ecs.soton.ac.uk> wrote:
Hi James,

SSL config loading is a bit weird in EPrints and does things I would describe as the other way round.  Specifically for eprints.conf you need:

Include /opt/eprints3/cfg/apache.conf
Include /opt/eprints3/archives/*/ssl/securevhost.conf

You need to manually build the latter of these two in all your archives rather than creating this in /opt/eprints3/cfg/apache_ssl/uolrepo.conf.  The files in the directory should be generated by generate_apacheconf along with the ones in /opt/eprints3/cfg/apache/.  What you do need to do with ssl/securevhost.conf (technically this could be anywhere as long as your sites-enabled/eprints.conf points at it) is make sure it includes the generated file for the appropriate archive from /opt/eprints3/cfg/apache_ssl/ as per the example in:

https://wiki.eprints.org/w/How_to_use_EPrints_with_HTTPS#Configuration

Regards

David Newman
P.S. A file (which can be included in securevhost.conf) will only be created by generate_apacheconf under cfg/apache_ssl/ if the archive has a securehost set in 10_core.pl or at least some archive level cfg/cfg.d/ file.

On 14/06/2024 6:10 am, James Kerwin wrote:
CAUTION: This e-mail originated outside the University of Southampton.
Hi All,

I did the big switchover to my new repository server yesterday.

Had a number of problems with getting SSL to work. I'm now at the point where I can go to the url:

https://livrepository.liverpool.ac.uk/

But it loads the default Apache page. This feels like a step forwards as yesterday Apache was telling me my certificate files didn't exist.

Can anybody please advise me?

In /etc/apache2/sites-enabled/eprints.conf I have:

Include /opt/eprints3/cfg/apache.conf
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost
</Location>

In /opt/eprints3/cfg/apache.conf I have:

# Load the perl modules & repository configurations
PerlSwitches -I/opt/eprints3/perl_lib
Include /opt/eprints3/cfg/perl_module_isolation.conf

# Load the per-repository apache configuration
Include /opt/eprints3/cfg/apache/*.conf
Include /opt/eprints3/cfg/apache_ssl/*.conf

In /opt/eprints3/cfg/apache_ssl/uolrepo.conf I have what looks to be the correct conf based on it being similar in structure to that I use on the Data Catalogue. I think it's safe enough to share the below.

If anyone can help I would be eternally grateful and forever in your debt.

<VirtualHost *:443>
  ServerName livrepository.liverpool.ac.uk

  ServerAdmin jkerwin@liverpool.ac.uk
 
  SSLEngine On
  #SSLCertificateFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_cert.cer
  #SSLCertificateKeyFile /var/tmp/270324-ssl-certs/liv-repo-live.key
  #SSLCertificateChainFile /var/tmp/270324-ssl-certs/repo-live_liv_ac_uk_interm.cer
 
  SSLCertificateFile /opt/eprints3/certs/repo-live_liv_ac_uk_cert.cer
  SSLCertificateKeyFile /opt/eprints3/certs/liv-repo-live.key
  SSLCertificateChainFile /opt/eprints3/certs/repo-live_liv_ac_uk_interm.cer
 
  Header always set Strict-Transport-Security "max-age=15768000"  
  SSLProtocol             all -SSLv3
  SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder     on
  SSLCompression          off
 
  <Location "">
    PerlSetVar EPrints_ArchiveID uolrepo
    PerlSetVar EPrints_Secure yes

    Options +ExecCGI
    <IfModule mod_authz_core.c>
       Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
    </IfModule>
  </Location>
</VirtualHost>
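An added check script, not code from the thread or from EPrints itself, covering David's include-chain explanation and the certificate paths in James's vhost above: it takes the EPrints root as an argument, and the fixture it builds is constructed, so it never touches /opt/eprints3 on its own.

```shell
#!/bin/sh
# Added example, not code from the thread or from EPrints itself. It checks the
# HTTPS include chain David describes (archives/<id>/ssl/securevhost.conf must
# Include the generated cfg/apache_ssl/<id>.conf) and that every certificate or
# key file the generated vhost names is readable and not under /var/tmp, where
# James's certs lived when Apache refused them. $1 is the EPrints root; paths
# are assumed to contain no whitespace.
check_eprints_ssl() {
  root="$1"; status=0
  for vh in "$root"/archives/*/ssl/securevhost.conf; do
    [ -f "$vh" ] || { echo "no archives/*/ssl/securevhost.conf under $root"; return 1; }
    id=$(basename "$(dirname "$(dirname "$vh")")")
    gen="$root/cfg/apache_ssl/$id.conf"
    if [ ! -f "$gen" ]; then
      echo "$id: $gen missing (is securehost set in cfg.d?)"; status=1; continue
    fi
    grep -qs "Include[[:space:]]*$gen" "$vh" \
      || { echo "$id: $vh does not Include $gen"; status=1; }
    for f in $(awk '/^[ \t]*SSLCertificate(Chain|Key)?File/ {print $2}' "$gen"); do
      [ -r "$f" ] || { echo "$id: $f is not readable"; status=1; }
      case "$f" in /var/tmp/*) echo "$id: $f is under /var/tmp"; status=1 ;; esac
    done
  done
  return $status
}

# Constructed fixture, not a real installation: a tree under $1 with one archive
# "demo"; $2 = ok | missing_include | bad_certs selects which failure to reproduce.
make_fixture() {
  dir="$1"; mode="$2"; certdir="$dir/certs"
  mkdir -p "$dir/archives/demo/ssl" "$dir/cfg/apache_ssl" "$certdir"
  touch "$certdir/cert.cer" "$certdir/key.key"
  [ "$mode" = bad_certs ] && certdir="/var/tmp/nowhere"   # reproduces James's first problem
  printf '<VirtualHost *:443>\n  SSLCertificateFile %s/cert.cer\n  SSLCertificateKeyFile %s/key.key\n</VirtualHost>\n' \
    "$certdir" "$certdir" > "$dir/cfg/apache_ssl/demo.conf"
  if [ "$mode" = missing_include ]; then
    : > "$dir/archives/demo/ssl/securevhost.conf"      # exists but includes nothing
  else
    echo "Include $dir/cfg/apache_ssl/demo.conf" > "$dir/archives/demo/ssl/securevhost.conf"
  fi
}

# Stand-alone run against a good fixture; on a real server call check_eprints_ssl /opt/eprints3.
tmp=$(mktemp -d); make_fixture "$tmp" ok && check_eprints_ssl "$tmp" && echo "include chain looks consistent"; rm -rf "$tmp"
```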

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/