Setting up OpenSSL with Resin 4.0.32 on Ubuntu 12.0.4

From Resin 4.0 Wiki

Revision as of 00:00, 29 January 2013 by Alex (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

For this exercise, I am using Amazon EC2 to startup a clean Ubuntu 12.0.4 instance. One advantage that Resin has over other similar products is integration with OpenSSL. OpenSSL is much faster and less resource intensive than the SSL/TLS support that ships with Java. If you use Resin, you want to use OpenSSL, it is more scalable and faster.

For this exercise, I started up a 64 bit large instance in Amazon EC2 and I am using Ubuntu 12.0.4 with Resin 4.0.32.

Contents

Install Resin

I am following the instructions here for setup:

 $ sudo add-apt-repository http://caucho.com/download/debian


Then update the repo cache

$ sudo apt-get update


This is now broken with Ubuntu 12.0.4. It will work again in Resin 4.0.33 and beyond.

If you are using Resin 4.0.32 and before do this instead:

$ wget http://www.caucho.com/download/debian/dists/unstable/multiverse/binary-amd64/resin-pro_4.0.32-amd64.deb

Install Java 7 SDK (or Java 6 SDK) and OpenSSL as follows:

$ sudo apt-get -f install
$ sudo apt-get install openjdk-7-jdk
$ sudo apt-get install libssl-dev
$ sudo dpkg -i resin-pro_4.0.32-amd64.deb

(sudo apt-get install works in Resin 4.0.33 for Debian, but not for Resin 4.0.32.)

Generate a resin password.

$ resinctl password-generate admin mypassword
admin_user : admin
admin_password : {SSHA}yAKopu5id740xAoePKZOGyAtu78DpZck

Add the username and password to /etc/resin/resin.properties and turn stuff on. (Leave most of resin.properties alone, unless it is mentioned in the following listing.)



# Enable /resin-doc Resin documentation
resin_doc     : true

app.https         : 8443

web.http          : 8080
web.https         : 8443

# Must be identical between web, app, and cache clusters.
cluster_system_key : changeme

# Enable remote admin (for remote CLI and for EC2 ext: triad discovery)
remote_admin_enable : true

# Enable /resin-admin web administration console
web_admin_enable : true

# Permit access to /resin-admin from non-local network ip-addresses
web_admin_external : true

# Require HTTPS to access /resin-admin
web_admin_ssl : true

# Enable Resin REST Admin
rest_admin_enable : true

# Require SSL for REST Admin
rest_admin_ssl : true

admin_user : admin
admin_password : {SSHA}ypqpON4IGSWY6XZ6NtU9uadsfasdfasdfasdfasdf

The above turns on the Resin web admin remotely over SSL and we can use that to test our SSL setup.

Resin will create a self signed certificate so go ahead and load the admin to test your Resin setup before we get started.

In order to get OpenSSL to work, you need a Resin license. If you don't have, contact us and get one.

You should be able to load the admin and such using SSL.

https://mydomain.com:8443/resin-admin/

It should all work now. The browser will complain because you are using a certificate that is not from a certificate authority. Proceed past there errors.


Setup OpenSSL with a self-signed certificate

Next let's create a openssl.cnf file in /etc/resin/keys/openssl.cnf

/etc/resin/keys/openssl.cnf

[ req ]
 default_bits            = 1024
 distinguished_name      = Caucho

[ Caucho ]
 C                      = US
 C_default              = US
 ST                     = CA
 ST_default             = CA
 L                      = San Francisco
 L_default              = San Francisco
 O                      = Caucho Tech
 O_default              = Caucho Tech
 OU                     = QA Documentation
 OU_default             = QA Documentation
 CN                     = www.caucho.com
 CN_default             = www.caucho.com
 emailAddress           = info@caucho.com
 emailAddress_default   = info@caucho.com

The above file is not needed per se, but it will save you a lot of typing later on.

Next create your private key file with openssl.

$ cd /etc/resin/keys
$ pwd
/etc/resin/keys
$ sudo openssl genrsa -des3 -out myprivate.key 1024

The above generates an RSA key which can be used both for encryption and for signing.

You will be prompted for a protecting pass phrase.

(Note that 2048 or higher is recommended for RSA keys, as fewer amount of bits is considered less secure.)


RSA is an algorithm for public-key cryptography that is based on the difficulty of factoring large integers. RSA acronym is for the names of the three creators. RSA creates and then publishes the product of two large prime numbers, along with an another value, as the public key.


Output

Generating RSA private key, 1024 bit long modulus
...++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/resin/myprivate.key:
Verifying - Enter pass phrase for /etc/resin/myprivate.key:

Enter in a password twice. Remember this password, you will need it later.

At this stage, just create a self-signed certificate to see if openssl is working and installed correctly.

$ sudo openssl req -config openssl.cnf -new -key myprivate.key -x509 -out my-self-signed-certificate.crt

Certificates are for public key cryptography and contain the public key. Public keys are easily derived from private keys, and this is why we created the private key first. The certificate is a file that has the organizations information and the public key.

To know if SSL is working, you want to check to see if you can load resin-admin.

Then look in the resin log (/var/log/resin/jvm*.log), and look for the following:

Resin Professional 4.0.32 (built Mon, 01 Oct 2012 02:34:38 PDT)
Copyright(c) 1998-2012 Caucho Technology.  All rights reserved.

[13-01-17 21:35:23.624] {main}   1013792.license -- 1 Resin server Caucho
                       
  1013792.license -- 1 Resin server Caucho

Starting Resin Professional on Thu, 17 Jan 2013 21:35:21 +0000 (UTC)

...
...
[13-01-17 21:35:27.616] {main} http listening to *:8080
OpenSSL support compiled for OpenSSL 0.9.8o 01 Jun 2010
[13-01-17 21:35:27.710] {main} https listening to *:8443

If you see those two things then all should be well.

Testing your openssl setup if something goes wrong

If for some reason OpenSSL is not working, then you can use the tools that ship with OpenSSL to verify your setup.

Open up two terminals.


$  cd /etc/resin/keys
$ sudo openssl s_server -accept 9999 -key myprivate.key -cert my-self-signed-certificate.crt 

The above opens up a TLS server listening on port 9999 that is using the key and certificate that you just generated.

See http://www.openssl.org/docs/apps/s_server.html# for more details.

Now in a separate terminal window connect to this utility server.

$ openssl s_client -connect localhost:9999
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
   i:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICsTCCAhoCCQCbeymZWYc9lzANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMC
VVABCDEFGNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRQwEgYDVQQK
EwtDYXVjaG8gVGVjaDEZMBcGA1UECxMQUUEgRG9jdW1lbnRhdGlvbjEXMBUGA1UE
AxMOd3d3LmNhdWNoby5jb20xHjAcBgkqhkiG9w0BCQEWD2luZm9AY2F1Y2hvLmNv
bTAeFw0xMzAxMTcyMDU2MjhaFw0xMzAyMTYyMDU2MjhaMIGcMQswCQYDVQQGEwJV
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
issuer=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
No client certificate CA names sent
---
SSL handshake has read 1246 bytes and written 376 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 07C6B7627821D29E814F069D2C7Casdfasdfasdfasdfasdfasdfasdfasdf
    Session-ID-ctx: 
    Master-Key: C38B943A0E5570A2662695ABCDEFlkjalkj;lkjl;kjasdlfkjasdlkfjasl;kdfjalksdjf
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 71 24 62 44 f1 c0 bc 95-8f e7 04 FF 73 c1 5c de   q$bD...00...s.\.
    0010 - 13 54 e8 f3 20 1d 2b 82-e8 83 05 62 4d 46 f9 3c   .T.. .+....bMF.<
...
    0040 - db 2b 3f d3 fa 7d b9 04-9f 65 95 d8 bb 10 d3 ca   .+?..}...e......
    0050 - 47 79 cf 0c 65 67 e5 5f-90 4e a5 43 c7 b0 31 bb   Gy..eg._.N.C..1.
    0060 - f3 9b a4 c4 72 9c 24 18-5b 7a 90 63 4f 25 35 2c   ....r.$.[z.cO%5,
   ...
    Compression: 1 (zlib compression)
    Start Time: 1358459991
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

See http://www.openssl.org/docs/apps/s_client.html# for more details.

To try this out in Resin, you just need to modify etc/resin/resin.properties as follows:

# OpenSSL certificate configuration                                             
# Keys are typically stored in the resin configuration directory.               
openssl_file : keys/my-self-signed-certificate.crt                                                 
openssl_key : keys/myprivate.key             
openssl_password : password

Just navigate to:

https://mydomain.com:8443/resin-admin/

It should all work now. The browser will complain because you are using a certificate that is not from a certificate authority. Proceed past there errors.

GoDaddy is becoming a popular SSL certificate authority because it is a low cost alternative. Let's use GoDaddy to setup a real SSL to show how it is done.

Using GoDaddy

Setup a GoDaddy account.

You have to change the size of the private key to 2048 as follows:

$ sudo openssl genrsa -des3 -out myprivate.key 2048
$ sudo openssl req -new -config openssl.cnf -key myprivate.key -out CA_request.csr

The above creates a request file. You can take this request file to any certificate authority. You give them money. Wait 2 to 24 hours and then they give you a certificate.

Go to https://certs.godaddy.com/ to find out more information.

(This is not an endorsement of GoDaddy. I mainly picked it because it was the cheapest.)


You have to cut & paste the file CA_request.csr into the godaddy.com text box associated with creating a new SSL certificate.

Wait for two days and argue with GoDaddy tech support that I am in fact a real person, and I am not in fact going to use SSL certificate to bludgeon baby seals with Louisville slugger.

With any luck, the GoDaddy certificate shows up into my account under the domain I registered. www.mydomain.com.

Stick the zip file with the certificates somewhere where you can get it. Upload certificate zip to server.

$ unzip mydomain.com.zip

There should be two files in here:

$ ls
go_bundle.crt
mydomain.com.crt

You need to move these where Resin can find them.

$ sudo mv gd_bundle.crt /etc/resin/keys
$ sudo mv mydomain.info.crt /etc/resin/keys
$ cd /etc/resin/keys
$ ls
CA_request.csr  mydomain.info.crt  my-self-signed-certificate.crt
gd_bundle.crt   myprivate.key       openssl.cnf

You should back these file up in a safe place.

Now we need to modify Resin to take an SSL chain file.

You can specify the certificate-chain-file as follows:

<http port="443">
  <openssl>
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
    <certificate-file>keys/your_domain.crt</certificate-file>        
    <certificate-chain-file>keys/chain.txt</certificate-chain-file>
    <password>test123</password>
  </openssl>
</http>

By default openssl is setup by resin.properties and cluster-default.xml.

Here is a snippet from /etc/resin/cluster-default.xml

      <resin:when test="${openssl_file != null}">
        <http address="${http_address?:'*'}" port="${https}">
          <openssl>
            <certificate-file>${file_lookup(openssl_file,__DIR__)}</certificate-file>
            <certificate-key-file>${file_lookup(openssl_key, __DIR__)}</certificate-key-file>
            <password>
              <resin:Password>${openssl_password}</resin:Password>
            </password>
          </openssl>
        </http>
      </resin:when>

The problem is that it does not specify the chain file, which might be a fairly common thing, but not common enough to make it into resin.properties by default. (If you were using Verisign or a more well known CA authority, you would only need the chain file, this is mostly to support GoDaddy and other lesser known authorities, full explanation at bottom on this entry.)


Try this. Modify /etc/resin/cluster-default.xml as follows:

      <resin:when test="${openssl_file != null}">
        <http address="${http_address?:'*'}" port="${https}">
          <openssl>
            <certificate-file>${file_lookup(openssl_file,__DIR__)}</certificate-file>
            <certificate-key-file>${file_lookup(openssl_key, __DIR__)}</certificate-key-file>
            <certificate-chain-file>${file_lookup(openssl_chain_file,__DIR__)}</certificate-chain-file>

              <password>
              <resin:Password>${openssl_password}</resin:Password>
            </password>
          </openssl>
        </http>
      </resin:when>

Notice that I added <certificate-chain-file> to the cluster-default and I point it to the property openssl_chain_file.


If you were using Verisign or a more well known CA authority, you would only need this:

# OpenSSL certificate configuration                                             
# Keys are typically stored in the resin configuration directory.               
openssl_file : keys/mydomain.com.crt                                                 
openssl_key : keys/myprivate.key             
openssl_password : password

You would not need the chain file with Verisign.

But for this example, we do need the chain file so let's try to configure it.

Then modify your /etc/resin/resin.properties as follows (this configuration is wrong, but from the docs it sounds like this is what they are telling you to do):

# OpenSSL certificate configuration                                             
# Keys are typically stored in the resin configuration directory.               
openssl_file : keys/mydomain.com.crt                                                 
openssl_key : keys/myprivate.key             
openssl_chain_file : keys/gd_bundle.crt                                      
openssl_password : password

The above did not work from the browser so let's debug it, but it does work from the command line tools from openssl.

$ sudo openssl s_server -accept 9999 -key myprivate.key -cert javaeefun.info.crt -CAfile gd_bundle.crt 
$ openssl s_client -connect localhost:9999

That does work. So now we know we need to add mydomain.com.crt to the chain. (Ok that was a pretty big leap so let me explain what a chain.txt file is right after I show you how to create it properly.)

The test client and server did work so lets cat the mydomain.com.crt to the chain as follows:

$ sudo cat mydomain.com.crt  gd_bundle.crt  > chain.txt

The gd_bundle.crt file is a complete chain of SSL certificates from GoDaddy but it does not contain our certificate which we need. We used cat to add gd_bundle.crt after our mydomain.com.crt.

Now retest with the openssl tools as follows:

$ sudo openssl s_server -accept 9999 -key myprivate.key -cert mydomain.com.crt -CAfile chain.txt


$ openssl s_client -connect localhost:9999

The openssl tools likes our new setup. We can connect from the client.

Now configure resin to use the chain.txt file instead of just our file.


# OpenSSL certificate configuration                                             
# Keys are typically stored in the resin configuration directory.               
openssl_file : keys/mydomain.com.crt                                                 
openssl_key : keys/myprivate.key             
openssl_chain_file : keys/chain.txt                                      
openssl_password : password

Now retest from the browser.

https://mydomain.com:8443/resin-admin/

All should be well.

Note: if you see a ' T_CLIENT_HELLO:no shared cipher ' on the server side, please make sure that you properly included mydomain.com.crt and gd_bundle.crt into chain.txt.

  {resin-port-443-46} BadRequestException: java.io.IOException: errno=0 openssl='139770598954752:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1230:

Some more background on certificate chains and why they are needed with GoDaddy

This information was derived from and other places: http://bloggit.livejournal.com/26595.html

GoDaddy has good prices and decent service. Sadly their explanations are a bit terse as is the documentation for OpenSSL.

Browsers like Opera and Internet Explorer know about GoDaddy. But Firefox, Chrome, Safari and other applications do not. So as far as a CA certificate goes, its recognition is not as good as Verisign and others (so far). If you just use their CA certificate then your device or browser might give you the old "Unknown Authority". This is not what you want from a CA authority at all.

SSL Certificates are encryption packets that reference other encryption packets, to form a a chain of trust. It's a bit like asking for references. Your browser or app or devices knows a few top-level authorities, but certainly not all. When you hit a new SSL certificate, your browser (or SSL library or app) checks the new certificate against the browser's own list of trusted authorities.

You can view the list of authorities in your browser pretty easily: Firefox: Options - Advanced - View Certificates - Authorities.

The trick is to provide a chain of references from your certificate up through GoDaddy, all the way up to a trusted authority that Firefox already knows about. That is what the chain.txt file we constructed did. It put GoDaddy chain concatenated on to our chain. Firefox does not trust GoDaddy, but it trusts GoDaddy parent company Starfield so the chain we created was mydomain.com->godaddy.com->startfield.com. Firefox says I don't know mydomain.com. Then it looks at the next certificate in the chain and says, I don't know GoDaddy either, then it sees the next one in the chain and says I do know Starfield. Then Firefox asks Starfield (more or less) do you trust GoDaddy. Startfield says yes. Then FireFox asks GoDaddy do you trust mydomain.com, and GoDaddy says yes. Then the trust results are cached, now Firefox knows about GoDaddy and MyDomain.com. Whoot!

We will do this by including the certificate "chain".

Personal tools
TOOLBOX
LANGUAGES