Mirko Tietgen
koha.abunchofthings.net
Kohacon 2016
Aristotle University of Thessaloniki
30th May 2016
HTTP
Plain text communication between server and client

Browser –> 001011010101100 –> Webserver
Browser <– 001011010101100 <– Webserver

Browser –> 0010password100 –> Webserver
Browser <– 0010a_secret100 <– Webserver

Patrons –> 0010password100 –> Koha OPAC
Patrons <– 0010a_secret100 <– Koha OPAC

Librarian –> 0010password100 –> Koha Intranet
Librarian <– 0010a_secret100 <– Koha Intranet
HTTPS
Secure communication between server and client

Browser –> XXXXXXXXXXXXXXX –> Webserver
Browser <– XXXXXXXXXXXXXXX <– Webserver
HTTPS
Transport Layer Security (TLS)
▶ Encrypt communication between peers
▶ Verify integrity of communication
▶ Verify identity of peers
▶ Based on certificates
HTTPS
Certificates
▶ Issued by a Certificate Authority (CA)
▶ Different default levels of trust in web browsers
▶ Different types (single, multiple subdomains, wildcard)
▶ More or less expensive, depending on features
HTTPS
Certificates: trusted
HTTPS
Self-signed certificates
▶ Free
▶ Blocked by default in web browsers
▶ Need manual exceptions
▶ Exception options hidden behind scary warnings
HTTPS
Self-signed certificates: scary warnings
Enter Let’s Encrypt
A free certificate authority
▶ Started by members of Electronic Frontier Foundation, Mozilla and University of Michigan
▶ Internet Security Research Group founded in 2013
▶ Goal: Build a certificate authority that provides
  ▶ free TLS certificates
  ▶ in an automated process
  ▶ trusted by web browsers
Enter Let’s Encrypt
A free certificate authority
▶ ACME: Automated Certificate Management Environment
▶ Reference client implementation: letsencrypt, renamed to certbot recently
▶ Public beta: 3rd December 2015
▶ Left beta: 12th April 2016
Enter Let’s Encrypt
A free certificate authority

So why don’t we use it in Koha?
Enter Koha 16.05
Released 26th May 2016

We do.
Koha
Debian package command

koha-create --create-db yourlibrary
Set up a Koha instance using Debian packages
Koha 16.05
Debian package command: new option

koha-create --create-db --letsencrypt yourlibrary
Get certificate and appropriate webserver configuration
Let’s Encrypt in Koha 16.05
Process happening in the background

koha-create creates a Koha instance as usual, then …
▶ LE client adds information (token) to the Koha web folder
▶ LE client asks LE server to connect to the Koha server
▶ LE server connects to the Koha server, checks token
▶ If successful, a certificate is issued
▶ The web server configuration is changed
  ▶ Use the new certificate for secure connections
  ▶ Forward all traffic to secure connection
▶ The web server is restarted to pick up the new configuration
▶ Done
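The token check described above is the ACME http-01 challenge. The following is an added example, not code from Koha or certbot: the client computes the key authorization from the token and its account key and publishes it under the web folder, and the CA side fetches it over plain HTTP and compares. The account key, token and in-memory web root are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed placeholder account key (public part), not a real LE account key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "Y29uc3RydWN0ZWQtbW9kdWx1cw"}
CHALLENGE_DIR = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are base64url only


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwk_thumbprint(jwk: dict) -> bytes:
    """RFC 7638 thumbprint: SHA-256 of the required members (e, kty, n),
    keys sorted, no whitespace. It identifies the ACME account."""
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).digest()


def key_authorization(token: str, jwk: dict) -> str:
    """The value the CA expects to read back: token '.' thumbprint."""
    return token + "." + b64url(jwk_thumbprint(jwk))


def publish_token(webroot: dict, token: str, jwk: dict) -> str:
    """LE client side: write the key authorization into the web folder.
    Only plain base64url tokens are accepted, so a hostile or buggy CA
    response cannot make the client write outside the challenge directory."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    path = CHALLENGE_DIR + token
    webroot[path] = key_authorization(token, jwk)
    return path


def validate_http01(webroot: dict, token: str, jwk: dict) -> bool:
    """LE server side: fetch the token over plain HTTP on port 80 (here an
    in-memory web root stands in for the Koha web folder) and compare it
    with the expected key authorization in constant time."""
    body = webroot.get(CHALLENGE_DIR + token, "").strip()
    return hmac.compare_digest(body, key_authorization(token, jwk))
```

This is also why the requirements on the next slide exist: the CA must be able to reach the web folder on port 80 under a globally resolvable name, or the fetch in validate_http01 has nothing to read.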
Let’s Encrypt in Koha 16.05
Requirements
▶ Koha server accessible from the Internet (port 80)
  LE server needs to check that you are allowed to get a certificate
▶ Global domain names
  LE server can’t find your local domain name or IP address
Limitations …
… of the implementation in Koha 16.05
▶ Automation only works with Koha Debian packages
  You can use LE manually with Koha on other distros of course
▶ Only works for new Koha instances
  An option to handle existing Koha instances will follow
Dependencies
Koha automation
▶ Needs the letsencrypt (or certbot) package of your GNU/Linux distribution
  If there is none, there is a workaround
▶ For Debian Jessie, add the jessie-backports repository.
▶ For other GNU/Linux distributions, check the certbot website: https://certbot.eff.org/
  Choose None of the above as webserver
▶ If there is no package, follow the instructions on the certbot website on how to get certbot-auto
  Koha will look for /usr/bin/letsencrypt, you can create a symlink to certbot-auto
▶ The patch was written before the name change to certbot. Please test in a non-production environment and report problems if you find any.
Limitations …
… of LE itself
▶ No wildcard certificates
  Multidomain (SAN) certificates are possible
  Currently limited to 100 entries per certificate
▶ 20 certificates within 7 days
  No problem for a regular Koha library, but might be for Koha support providers
▶ Certificates are valid for only 90 days
  Renewal can be automated
Renewal
With a LE package for your distro
▶ letsencrypt renew
  … will try to renew all certificates that expire in < 30 days
▶ letsencrypt renew --dry-run
  … will show you what will be renewed without applying it
▶ letsencrypt renew --quiet
  Set up a cronjob for it
▶ Do the equivalent with certbot-auto if there is no packaged version of LE
Links
▶ https://letsencrypt.org
▶ https://certbot.eff.org
▶ https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15303
More Koha enhancements related to encryption
Sponsoring welcome
▶ Encryption for emails sent by Koha
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8897
▶ Run a Tor hidden service (.onion address) for the Koha OPAC
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15540
Thanks for listening!
▶ Mirko Tietgen
  email: [email protected]
  koha.abunchofthings.net