SSL-Verschlüsselung mit Let’s Encrypt
An updated version of the article for installations with Nginx reverse proxy can be found here.
This article technically refers to a standard package installation (in the example on Debian 10) of EGroupware in an environment here shown.
!!! This manual is not applicable to a 20.1 standard installation with nginx as described below !!!
Access to EGroupware should ALWAYS be encrypted. This means that the web address should start with https:// .
Reasons
- The communication between Web browser and EGroupware server is protected against eavesdropping
- The access data will be transmitted encrypted
- Synchronization with iOS requires SSL encryption
- The communication of EGroupware with other services (Collabora Online, …) requires SSL encryption.
The web server (up to EGw 17.1) or the reverse proxy (from EGw 19.1, NOT the NGINX in the docker container!, see Docker (in EGroupware 19.1)?) must therefore be equipped with an SSL configuration and a certificate. This should also be considered if EGroupware is operated exclusively in a local network.
The simplest solution in a standard installation is to use certificates from Let’s Encrypt. Using a Client, the certificate is created, copied to the server, and the web server is configured.
Installation
Certbot needs a correct configuration of the web server with one (the) domain address. In this case in the
/etc/apache2/sites-available/000-default-le-ssl.conf
In Debian 10, the Let’s Encrypt client (Certbot) can be installed directly:
apt install certbot python-certbot-apache
Then run Certbot:
certbot --apache
The following is an interactive query of some data. Finally the domain and the automatic forwarding on https should be selected.
EGroupware should now be accessible via https. Also the automatic forwarding to https should be tested.
The prerequisite is ALWAYS that the EGroupware server is accessible under a domain name. An IP address does not work!
To do this, it is advisable to book a package with a domain from a provider. This provider must allow this domain or a created sub-domain to be assigned a fixed IP address or to be provided with a dynamic address. This can be done by the local router or a software on the server (e.g. ddclient).
Let’s Encrypt issues domain-validated certificates. This means that Let’s Encrypt checks the accessibility (on port 80, unencrypted) of the domain (therefore domain name, not IP).
Ports 80 and 443 must be forwarded on the router to ensure accessibility of the EGroupware server.
It may be necessary to deactivate the Geo-IP blocker for USA on the router/firewall. The servers are located there.
The firewall on the server must also be configured so that port 80 is allowed through as well as port 443.
The web server can be configured by Certbot in such a way that later requests under http are forwarded to https. So you don’t have to enter https when typing in the address and you can prevent an unencrypted connection.
Let’s Encrypt certificates have a validity period of 3 months. The certificates must be renewed before expiration. This happens automatically during the installation described above. Prerequisite is that the service is not deactivated and that the server can still be reached on port 80.
Before the deadline expires, a message will be sent to the specified e-mail address indicating that the certificate is about to expire. If the automatic does not work.
Optional configuration
The connection between web proxy and web browser is now SSL encrypted. However, the quality of the encryption can usually be increased.
The quality of the encryption can be tested here, for example:
https://www.ssllabs.com/ssltest/
With the default settings, you can achieve an A rating:
This is the “compatibility mode”, so to speak. With the settings you can operate practically every device/browser.
This can and should be improved. If no old devices/browsers are used, TLS 1.0 / TLS 1.1 and unnecessary (potentially unsafe) ciphers (the orange entries) should be switched off:
The configuration can be done on the host (reverse proxy) in the
/etc/letsencrypt/options-ssl-apache.conf
in front of you.
In this case:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
After a
service apache2 restart
you can run the test again at ssllabs:
If you now turn on HSTS:
Header always set Strict-Transport-Security "max-age=63072000"
Is an A+ rating achievable:
The list at the bottom of the evaluation shows which devices/browsers are supported.
Mozilla offers help with configuration with its SSL Configuration Generator:
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate
Also in the
/etc/letsencrypt/options-ssl-apache.conf
you can enable HTTP/2:
Protocols h2 http/1.1
In some situations this brings speed advantages in the transfer to the browser.
Thus the essential part of the options-ssl-apache.conf sees
like this:
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
For further suggestions please create a topic here in the forum.
As always: BEFORE make a data backup of the web server configurations!
No guarantee for the above mentioned versions!
Further Links
Welcome to the Certbot documentation!
How To Secure Apache with Let’s Encrypt on Ubuntu 18.04
Admin Network & Security: HTTP/1.1 versus HTTP/2 and HTTP/3
