Rollout SSL


Configuring Rollout and Rolloutd to support SSL encryption and authentication can be slightly tricky to get right, so there is a sample CA (Certificate Authority) makefile included which can make it easier to test. For proper production use, you should use real certificates, signed by a trusted authority.

  1. Included in the source distribution is a directory rollout. Change to this directory and run:

    # make ca server
  2. This will create a CA certificate and a certificate for the server. The client verifies the server certificate against the CA to make sure it is connecting to a known server. If you have followed the installation instructions, these files will be in the correct place already. If not, you need to copy cacert.crt, certs/rolloutd.pem and certs/rolloutd.key into the correct place for your server.
  3. Edit the startup script so that SSL will be supported. This should be done by editing /etc/default/rollout and making sure LISTEN_SSL is defined. At this point you may be able to set ALLOW to something wider (perhaps because authentication will be done by certificate from now on).
  4. Restart rollout:

    # /etc/init.d/rolloutd restart
  5. In the directory, create a client certificate for every client machine:

    # make client HOSTNAME=<hostname>
  6. This will create two files in certs (hostname.key and hostname.pem) which you need to copy to each client machine along with cacert.crt, and place all three files in /etc/rollout:

    # scp certs/hostname.pem hostname:/etc/rollout/cert.pem
    # scp certs/hostname.key hostname:/etc/rollout/cert.key
    # scp cacert.crt hostname:/etc/rollout/

    On the client you want to install the certificate, you can run something like this to pull the certificate with scp:

    # SRC=root@rollout.domain:/usr/local/rollout/; H=`hostname`; mkdir -p /etc/rollout; cd /etc/rollout; scp $SRC/cacert.crt .; \
    scp $SRC/certs/$H.key cert.key; scp $SRC/certs/$H.pem cert.pem
  7. Test the client by running rollout with a new https url:

    # rollout -s -u https://rollout.domain:port -o setup

    If you don't already have rollout installed on this client, you can run:

    # URL=https://rollout.domain:port; wget -O- -S --no-check-certificate --certificate /etc/rollout/cert.pem \
    --private-key /etc/rollout/cert.key --ca-certificate /etc/rollout/cacert.crt $URL/rollout | perl - -u $URL -o setup 

If you want more debugging information, you can try using the openssl commandline tool to connect to the server and send a request. You should get output like this:

# openssl s_client -key /etc/rollout/cert.key -cert /etc/rollout/cert.pem -CAfile /etc/rollout/cacert.crt -connect localhost:8000
depth=1 /CN=Rollout CA/C=AU
verify return:1
depth=0 /CN=rolloutd/C=AU
verify return:1
Certificate chain
 0 s:/CN=rolloutd/C=AU
   i:/CN=Rollout CA/C=AU
 1 s:/CN=Rollout CA/C=AU
   i:/CN=Rollout CA/C=AU
Server certificate
issuer=/CN=Rollout CA/C=AU
No client certificate CA names sent
SSL handshake has read 1207 bytes and written 1500 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: ADFFC8AABA8350FB98D6DC64E2B59BBF8E381C1835C560BACE5C926709C2E205
    Master-Key: E2E617E466DEB7D1B4D36EB80C3D79D1D6653DE387020A64CCF3A0EADA0990A57665157164003CBBA2B996430E9B27F8
    Key-Arg   : None
    Start Time: 1283149374
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
GET / HTTP/1.0

HTTP/1.0 200 OK
Connection: close
Content-Length: 1739
Content-Type: text/html
Date: Mon, 30 Aug 2010 06:23:00 UTC
Server: Rolloutd/1.2.0

<h1>Rolloutd File Listing</h1>
<table width="100%">

The default validity of the server certificate is 365 days. That means that after 365 days your clients won't be able to verify the server certificate and will fail to run. When this happens (or preferably before this happens) you need to regenerate the server certificate:

# make server
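
The following is an added example, not part of the Rollout distribution or its sample CA makefile. It is a POSIX sh function that checks the three files a client ends up with after step 6 (/etc/rollout/cacert.crt, cert.pem and cert.key) before the client is pointed at the https URL, and that also covers the expiry problem described above: it confirms the certificate chains to the CA, that the private key actually pairs with the certificate, and that neither the certificate nor the CA expires within a warning window. The function name, its arguments and the default 30-day window are assumptions of this example; only the openssl subcommands are real.

```shell
#!/bin/sh
# check_rollout_certs DIR [WARN_DAYS]
#
# Added example (not from Rollout). Checks the files a Rollout client keeps
# in DIR (normally /etc/rollout): cacert.crt, cert.pem and cert.key.
# Returns 0 when everything is consistent, 1 with a reason on stderr otherwise.
check_rollout_certs() {
    dir=$1
    warn_days=${2:-30}          # assumed default: warn 30 days before expiry
    ca="$dir/cacert.crt"
    cert="$dir/cert.pem"
    key="$dir/cert.key"

    for f in "$ca" "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "check_rollout_certs: missing or unreadable: $f" >&2
            return 1
        fi
    done

    # 1. Chain: the client certificate must be signed by the CA that the
    #    server (and the client itself) trusts. Match on the "OK" text rather
    #    than the exit status, which older openssl releases did not set.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "check_rollout_certs: $cert is not signed by $ca" >&2
        return 1
    fi

    # 2. Key/certificate pairing: compare the DER-encoded public key inside the
    #    certificate with the public half derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null \
               | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "check_rollout_certs: $key does not match $cert" >&2
        return 1
    fi

    # 3. Expiry: -checkend exits non-zero when the certificate will expire
    #    within the given number of seconds. Check the CA as well, since an
    #    expired CA breaks verification of every client and the server.
    for f in "$cert" "$ca"; do
        if ! openssl x509 -in "$f" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
            echo "check_rollout_certs: $f expires within $warn_days days" >&2
            return 1
        fi
    done

    return 0
}

# Typical use on a client, before the first https rollout run:
#   check_rollout_certs /etc/rollout 30 && rollout -s -u https://rollout.domain:port -o setup
```

Running this from cron with the same window you use for renewing certificates turns the "clients won't be able to verify the server certificate" failure from a surprise into a scheduled task. The function deliberately does not test permissions on cert.key, because the stat flags differ between GNU and BSD userlands; keep that file readable by root only.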