Setting up OpenSSL with Resin 4.0.32 on Ubuntu 12.0.4
From Resin 4.0 Wiki
For this exercise, I am using Amazon EC2 to startup a clean Ubuntu 12.0.4 instance.
I started up a 64 bit large instance.
I am following the instructions here for setup:
$ sudo add-apt-repository http://caucho.com/download/debian
Then update the repo cache
$ sudo apt-get update
This is now broken with Ubuntu 12.0.4. We will get it working again.
Instead, do this:
$ wget http://www.caucho.com/download/debian/dists/unstable/multiverse/binary-amd64/resin-pro_4.0.32-amd64.deb
Install Java 7 SDK (or Java 6 SDK) and OpenSSL as follows:
$ sudo apt-get -f install
$ sudo apt-get install openjdk-7-jdk
$ sudo apt-get install libssl-dev
$ sudo dpkg -i resin-pro_4.0.32-amd64.deb
(sudo apt-get install works in Resin 4.0.33 for Debian, but not for Resin 4.0.32.)
Turn stuff on in resin.properties:
# resin.properties - configuration variable values
#
# See resin.xml, cluster-default.xml, and health.xml for full configuration.
# Any variable defined by ${...} can be set as a property in this file.
#
# Individual server overrides can be specified by prepending the server.id.
# For example, increasing the log level for an individual server:
#   log_level : finest
#   app-0.log_level : finest
#
# Like Resin XML configuration, modification of this file will trigger
# a restart.
#

# General log level (modify resin.xml for more granular log level adjustments)
# log_level : finer

# Enable verbose browser error reporting
dev_mode : true

# How often Resin should check for updated files.
# dependency_check_interval : 5m

# Enable /resin-doc Resin documentation
resin_doc : true

# List Triad server ip-addresses:hmux-port for each tier, space separated
# App tier Triad servers must be listed to enable web-tier to
# app-tier load-balancing

# web-tier Triad servers: web-0 web-1 web-2
# web_servers : 127.0.0.1:6810

# app-tier Triad servers: app-0 app-1 app-2
app_servers : 127.0.0.1:6800

# Configures Resin for a memcached server tier
# memcached-tier Triad servers: memcached-0 memcached-1 memcached-2
# memcached_servers : 127.0.0.1:6820
# memcached_port : 11211

# Allow elastic nodes to join the cluster (enable for cloud mode)
# elastic_cloud_enable : true

# The cluster that elastic nodes should join - each will contact a Triad server
# Use a separate resin.properties file for each cluster
home_cluster : app

# Used for an elastic server to join the cluster in home_cluster
# elastic_server : true

# Create a distinct webapps/ directory for each server, for vertical scaling
# elastic_webapp : true

# Used for cloud servers with dynamic IP addresses where the DNS name for the
# server is assigned after the server starts. Resin will retry the start.
# elastic_dns : true

# specifies the --server in the config file
# home_server : app-0

# Set HTTP and HTTPS bind address
# http_address : *

# Set HTTP and HTTPS ports.
# Use overrides for individual server control, for example: app-0.http : 8081
app.http : 8080
app.https : 8443
web.http : 8080
web.https : 8443
# memcached.http : 8080
# memcached.https : 8443

# For security, Resin can switch to a non-root user after binding to port 80
setuid_user : resin
setuid_group : resin

# Arg passed directly to the JVM
# jvm_args : -Xmx2048m -XX:MaxPermSize=256m

# Local URLs for the watchdog to check to ensure the server is up,
# space separated
# http_ping_urls : http://127.0.0.1/test.jsp

# Throttle the number of active threads for a port
port_thread_max : 256
accept_thread_max : 32
accept_thread_min : 4

# Enable JNI TCP speed optimizations
tcp_cork : true
sendfile : true

# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
# openssl_file : keys/test.crt
# openssl_key : keys/test.key
# openssl_password : changeme

# JSSE certificate configuration
# Keys are typically stored in the resin configuration directory.
# jsse_keystore_type : jks
# jsse_keystore_file : /etc/resin/keys/server.keystore
# jsse_keystore_password : changeme

# In absence of a signed certificate, Resin will fallback to using a
# self-signed development certificate if HTTPS is enabled

# Enable the proxy-cache - for caching static content in memory
proxy_cache_enable : true

# Sets the proxy cache memory size
proxy_cache_size : 256m

# Enable clustered persistent sessions (for failover)
session_store : true

# Web-apps named with numeric suffixes, e.g. foo-10.0.war and can be browsed
# as /foo. When a new version of the web-app is deployed, Resin continues
# to route active session requests to the previous web-app version while
# new sessions go to the new version, so users will not be aware of the
# application upgrade.
# webapp_multiversion_routing : true

# Set the email address to receive weekly and restart PDF reports
# email : admin@example.com

# Set a global password to prevent foreign Resin instances from connecting.
# Must be identical between web, app, and cache clusters.
cluster_system_key : changeme

# Enable remote admin (for remote CLI and for EC2 ext: triad discovery)
remote_admin_enable : true

# Enable /resin-admin web administration console
web_admin_enable : true

# Permit access to /resin-admin from non-local network ip-addresses
web_admin_external : true

# Require HTTPS to access /resin-admin
web_admin_ssl : true

# Enable Resin REST Admin
rest_admin_enable : true

# Require SSL for REST Admin
rest_admin_ssl : true

# Access to /resin-admin and remote CLI is password restricted.
# Use "resinctl generate-password" and copy/paste here to set the admin
# admin_user : admin
# admin_password : {SSHA}xxxxxxxx
admin_user : admin
admin_password : {SSHA}ypqpON4IGSWY6XZ6NtU9uadsfasdfasdfasdfasdf

# Enable reading EC2 user data as resin properties
# properties_import_url : http://169.254.169.254/latest/user-data
Resin will create a self signed certificate so go ahead and load the admin.
In order to get OpenSSL to work you need a Resin license.
You should be able to load the admin and such using SSL.
Next, let's create an openssl.cnf file at /etc/resin/keys/openssl.cnf.
/etc/resin/keys/openssl.cnf
[ req ]
default_bits = 1024
distinguished_name = Caucho

[ Caucho ]
C = US
C_default = US
ST = CA
ST_default = CA
L = San Francisco
L_default = San Francisco
O = Caucho Tech
O_default = Caucho Tech
OU = QA Documentation
OU_default = QA Documentation
CN = www.caucho.com
CN_default = www.caucho.com
emailAddress = info@caucho.com
emailAddress_default = info@caucho.com
The above file is not needed per se, but it will save you a lot of typing later on.
Next create your private key file.
$ cd /etc/resin/keys
$ pwd
/etc/resin/keys
$ sudo openssl genrsa -des3 -out myprivate.key 1024
The above generates an RSA key which can be used both for encryption and for signing.
You will be prompted for a protecting pass phrase.
(Note that 2048 bits or higher is recommended for RSA keys, as a smaller number of bits is considered less secure.)
RSA is an algorithm for public-key cryptography that is based on the difficulty of factoring large integers.
The RSA acronym comes from the surnames of its three creators.
RSA creates and then publishes the product of two large prime numbers, along with another value, as the public key.
Output
Generating RSA private key, 1024 bit long modulus
...++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/resin/myprivate.key:
Verifying - Enter pass phrase for /etc/resin/myprivate.key:
Enter the pass phrase twice. Remember it; you will need it later.
At this stage, just create a self-signed certificate to see if openssl is working and installed correctly.
$ sudo openssl req -config openssl.cnf -new -key myprivate.key -x509 -out my-self-signed-certificate.crt
Certificates are for public-key cryptography and contain the public key. A public key is easily derived from its private key, which is why we created the private key first. The certificate is a file that carries the organization's information and the public key.
To know if SSL is working, you want to check to see if you can load resin-admin.
Then look in the resin log (/var/log/resin/jvm*.log), and look for the following:
Resin Professional 4.0.32 (built Mon, 01 Oct 2012 02:34:38 PDT)
Copyright(c) 1998-2012 Caucho Technology. All rights reserved.

[13-01-17 21:35:23.624] {main} 1013792.license -- 1 Resin server Caucho
1013792.license -- 1 Resin server Caucho
Starting Resin Professional on Thu, 17 Jan 2013 21:35:21 +0000 (UTC)
...
...
[13-01-17 21:35:27.616] {main} http listening to *:8080
OpenSSL support compiled for OpenSSL 0.9.8o 01 Jun 2010
[13-01-17 21:35:27.710] {main} https listening to *:8443
If you see those two lines (OpenSSL support compiled, and https listening on 8443), then all should be well.
Testing your setup if something goes wrong
If for some reason OpenSSL is not working, then you can use the tools that ship with OpenSSL to verify your setup. Open up two terminals.
$ cd /etc/resin/keys
$ sudo openssl s_server -accept 9999 -key myprivate.key -cert my-self-signed-certificate.crt
The above opens up a TLS server listening on port 9999 that is using the key and certificate that you just generated.
See http://www.openssl.org/docs/apps/s_server.html# for more details.
Now in a separate terminal window connect to this utility server.
$ openssl s_client -connect localhost:9999
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
   i:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICsTCCAhoCCQCbeymZWYc9lzANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMC
VVABCDEFGNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRQwEgYDVQQK
EwtDYXVjaG8gVGVjaDEZMBcGA1UECxMQUUEgRG9jdW1lbnRhdGlvbjEXMBUGA1UE
AxMOd3d3LmNhdWNoby5jb20xHjAcBgkqhkiG9w0BCQEWD2luZm9AY2F1Y2hvLmNv
bTAeFw0xMzAxMTcyMDU2MjhaFw0xMzAyMTYyMDU2MjhaMIGcMQswCQYDVQQGEwJV
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
issuer=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
No client certificate CA names sent
---
SSL handshake has read 1246 bytes and written 376 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 07C6B7627821D29E814F069D2C7Casdfasdfasdfasdfasdfasdfasdfasdf
    Session-ID-ctx:
    Master-Key: C38B943A0E5570A2662695ABCDEFlkjalkj;lkjl;kjasdlfkjasdlkfjasl;kdfjalksdjf
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 71 24 62 44 f1 c0 bc 95-8f e7 04 FF 73 c1 5c de   q$bD...00...s.\.
    0010 - 13 54 e8 f3 20 1d 2b 82-e8 83 05 62 4d 46 f9 3c   .T.. .+....bMF.<
    0020 - d5 27 e5 7a c6 6b 11 6b-81 95 3b 81 1e 8a f2 8c   .'.z.k.k..;.....
    0030 - e6 14 e6 6d 0c 9d e8 fc-e6 90 b1 f7 79 5d 60 32   ...m........y]`2
    0040 - db 2b 3f d3 fa 7d b9 04-9f 65 95 d8 bb 10 d3 ca   .+?..}...e......
    0050 - 47 79 cf 0c 65 67 e5 5f-90 4e a5 43 c7 b0 31 bb   Gy..eg._.N.C..1.
    0060 - f3 9b a4 c4 72 9c 24 18-5b 7a 90 63 4f 25 35 2c   ....r.$.[z.cO%5,
    ...

    Compression: 1 (zlib compression)
    Start Time: 1358459991
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
See http://www.openssl.org/docs/apps/s_client.html# for more details.
Using GoDaddy
Setup a GoDaddy account.
You have to change the key size to 2048.
$ sudo openssl genrsa -des3 -out myprivate.key 2048
$ sudo openssl req -new -config openssl.cnf -key myprivate.key -out CA_request.csr
You have to cut and paste the contents of CA_request.csr into the godaddy.com text box.
Wait for two days and argue with GoDaddy tech support that I am in fact a real person, and I am not in fact going to use an SSL certificate to bludgeon baby seals with a Louisville Slugger.
The GoDaddy certificate shows up in my account under the domain I registered (www.mydomain.com). Put the zip file with the certificates somewhere you can get at it, and upload the certificate zip to the server.
$ unzip mydomain.info.zip
There should be two files in here:
$ ls
gd_bundle.crt  mydomain.info.crt
You need to move these where Resin can find them.
$ sudo mv gd_bundle.crt /etc/resin/keys
$ sudo mv mydomain.info.crt /etc/resin/keys
$ cd /etc/resin/keys
$ ls
CA_request.csr  mydomain.info.crt  my-self-signed-certificate.crt  gd_bundle.crt  myprivate.key  openssl.cnf
You should back these files up in a safe place.
Now we need to modify Resin to take an SSL chain file.
You can specify the certificate-chain-file as follows:
<http port="443">
  <openssl>
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
    <certificate-file>keys/your_domain.crt</certificate-file>
    <certificate-chain-file>keys/chain.txt</certificate-chain-file>
    <password>test123</password>
  </openssl>
</http>
By default, OpenSSL is set up by resin.properties and cluster-default.xml.
Here is a snippet from /etc/resin/cluster-default.xml
<resin:when test="${openssl_file != null}">
  <http address="${http_address?:'*'}" port="${https}">
    <openssl>
      <certificate-file>${file_lookup(openssl_file,__DIR__)}</certificate-file>
      <certificate-key-file>${file_lookup(openssl_key, __DIR__)}</certificate-key-file>
      <password>
        <resin:Password>${openssl_password}</resin:Password>
      </password>
    </openssl>
  </http>
</resin:when>
The problem is that it does not specify the chain file, which might be a fairly common thing, but not common enough to make it into resin.properties by default.
Try this. Modify /etc/resin/cluster-default.xml as follows:
<resin:when test="${openssl_file != null}">
  <http address="${http_address?:'*'}" port="${https}">
    <openssl>
      <certificate-file>${file_lookup(openssl_file,__DIR__)}</certificate-file>
      <certificate-key-file>${file_lookup(openssl_key, __DIR__)}</certificate-key-file>
      <certificate-chain-file>${file_lookup(openssl_chain_file,__DIR__)}</certificate-chain-file>
      <password>
        <resin:Password>${openssl_password}</resin:Password>
      </password>
    </openssl>
  </http>
</resin:when>
Then modify your /etc/resin/resin.properties as follows:
# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/mydomain.info.crt
openssl_key : keys/mydomain.key
openssl_chain_file : keys/gd_bundle.crt
openssl_password : password
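Before restarting Resin with those properties, it is worth confirming that the three files they point at actually belong together: that the private key matches the certificate, that the certificate chains to gd_bundle.crt, and that the key is not the 1024-bit one left over from the test run. The shell functions below are an added example, not part of Resin or of this page; they assume the OpenSSL command-line tool and the file names used above, and read the key pass phrase from a KEY_PASS environment variable (an assumption of this script).

```shell
#!/bin/sh
# check_resin_tls.sh (added example, not part of Resin): sanity-check the
# key, certificate and CA bundle that resin.properties refers to.

# Succeeds if the RSA private key ($1) and the certificate ($2) share one
# modulus, i.e. the key really belongs to the certificate. $3 is the pass phrase.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" -passin "pass:$3" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate ($1) chains to the CA bundle ($2), e.g. gd_bundle.crt.
# Old openssl releases exit 0 even when verification fails, so the textual
# "OK" verdict is checked instead of the exit status.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Prints the size in bits of the certificate's RSA public key.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: KEY_PASS=... sh check_resin_tls.sh keys/myprivate.key keys/mydomain.info.crt keys/gd_bundle.crt
if [ "$#" -eq 3 ]; then
  if key_matches_cert "$1" "$2" "${KEY_PASS:-}"; then echo "key matches certificate"; else echo "KEY/CERT MISMATCH"; fi
  if chain_verifies "$2" "$3"; then echo "chain verifies against $3"; else echo "CHAIN DOES NOT VERIFY"; fi
  bits=$(cert_key_bits "$2")
  if [ "${bits:-0}" -ge 2048 ]; then echo "public key: $bits bit"; else echo "public key: $bits bit (2048 or more recommended)"; fi
fi
```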