Production ISLE IP address left with 404 and non-valid SSL cert


wpwen...@gmail.com

Oct 6, 2021, 1:24:16 PM10/6/21
to Islandora ISLE
As the title mentions, our production instance IP address, after successful implementation of our ISLE service, leaves us with some loose ends. We are getting flagged by our Information Security office for having a non-compliant SSL on the IP address, in addition to having no service reachable from that IP address. We do have a valid certificate already generated for our domain name: digitalcollections.briscoecenter.org. We followed the production guidelines from the ISLE documentation for generating Let's Encrypt certificates, and this is the result when using the IP address in a browser:

[Screenshot 2021-10-06 111524.png]
We need to generate a valid certificate for this IP address. What's the easiest way to add the IP address to the Let's Encrypt cert generation?

Also, we would ideally like to be able to resolve the production instance on the IP address instead of leaving this 404. If it is not feasible or an easy fix, it's not necessary. 

Thanks!
Paul Wentzell

Diego Pino

Oct 6, 2021, 1:42:03 PM10/6/21
to wpwen...@gmail.com, Islandora ISLE

Paul, unrelated to ISLE, an SSL cert for an IP address is not a frequent thing. It can be done, but not via certbot, and the requirements are quite strong. Read



--
Diego Pino Navarro
Digital Repositories Developer
Metropolitan New York Library Council (METRO)

wpwen...@gmail.com

Oct 6, 2021, 1:51:47 PM10/6/21
to Islandora ISLE
Hello Diego, 

Unfortunately, our Information Security office has stipulated that if the IP address is exposed to the public and resolves, it needs a cert. The other option would be to remove the service running on 443 (Traefik) such that the IP address does not resolve. These are our only options. 

I'm not quite sure how to cut service such that the IP address does not resolve (the 404 error). As it is, what I am reporting is the result of following the ISLE production guidelines. Do you have a recommendation for cutting the service such that the 404 error is not displayed and the IP address does not resolve anything (leaving the domain name and all services resolving to it intact)? I am not sure this is even possible.

Thanks!
Paul

Wm. Josiah Erikson

Oct 6, 2021, 1:59:24 PM10/6/21
to islando...@googlegroups.com

Paul,

My suspicion is that there's a misunderstanding between your Information Security office and you.

Requiring an actual IP address to have a cert is extremely unlikely, nonstandard, and I really doubt that's what they actually mean.

Having a cert *at* each IP address that belongs to a DNS entry that resolves to that IP address is probably what they mean.

Just trying to save you some trouble, as getting a cert for a DNS name is the usual thing (and the only thing I've ever seen, and I've been doing this for 21 years).

-Josiah

-- 
Wm. Josiah Erikson
Associate Director of IT, Infrastructure and Web Applications Groups
Network Engineer
System Administrator, HPC and CS
Staff Trustee
Hampshire College
Amherst, MA 01002
(413) 559-6091
pronouns: he/him/his

wpwen...@gmail.com

Oct 6, 2021, 2:11:29 PM10/6/21
to Islandora ISLE
Josiah, 

You are indeed correct! The issue is not requiring a cert, it's requiring a VALID cert. As it is, when I followed the production documentation for launching our site, it left an INVALID, untrusted Traefik cert on the IP address. 

How do I remove that?

Thanks,
Paul

wpwen...@gmail.com

Oct 6, 2021, 2:15:52 PM10/6/21
to Islandora ISLE
[Screenshot 2021-10-06 121444.png]

I think simply removing the invalid cert is actually the issue, which is the confusion between ISO and myself. See image above.

-P

Wm. Josiah Erikson

Oct 6, 2021, 3:01:00 PM10/6/21
to islando...@googlegroups.com

Great! Unfortunately I can't answer that question for you specifically - hopefully somebody much more familiar with ISLE than me can answer it.

If I answered, I'd just be talking about generic Apache stuff.

-Josiah

wpwen...@gmail.com

Oct 6, 2021, 6:43:42 PM10/6/21
to Islandora ISLE
I wanted to follow-up with this as we are on quarantine notice (we have roughly 48 hours) unless this is resolved, and as I am unfamiliar with the intricacies of Traefik, I will need someone who has more knowledge with Traefik to help resolve this issue.

Diego sent a helpful message off-thread that pointed me in a good direction: https://community.traefik.io/t/direct-ip-access-instead-of-fqdn/9631

When I tried altering the YAML and TOML files with the snippets from here (https://doc.traefik.io/traefik/https/tls/#strict-sni-checking), I got an error with the YAML config and the TOML didn't seem to have any effect. I believe the default ISLE Traefik configs are incompatible with a simple copy-paste fix in this case. 

Any other idea on how to block direct IP access, or remove the self-signed cert?

wpwen...@gmail.com

Oct 12, 2021, 1:42:07 PM10/12/21
to Islandora ISLE
The solution: https://community.traefik.io/t/automatic-subdomain-letsencrypt-certificates-with-wildcard-fallback-for-non-sni/11959

Basically, you CANNOT define a default cert when using Let's Encrypt, so you need to dump the acme.json using a third party software, and then define the default cert in the Traefik global config based on the resulting key and cert files.

This was actually so much trouble we just resorted to using a commercial cert. Too bad that Traefik doesn't have a fallback in place for Let's Encrypt on FQDN that addresses the IP address' self-signed cert. I'm certain other people using the ISLE 7 stack will (did?) run into this, and as such, wanted to make sure I tied up any loose ends for those who are using this for production environments.

Leaving the IP address reachable and only showing a self-signed cert is an issue for a production environment, perhaps the ISLE team could consider this moving forward.
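A worked version of the acme.json-dump step from Paul's final message, added here as an example; it is not part of the thread and not ISLE or Traefik project code. It assumes Traefik v2's acme.json layout (one object per certificate resolver, each with a "Certificates" list whose "certificate" and "key" fields hold base64-encoded PEM), the v2 file-provider keys tls.stores.default.defaultCertificate and tls.options.default.sniStrict, and that the generated fragment is picked up through Traefik's file provider, which the ISLE stack may or may not already configure. The sample store, hostnames and output paths are constructed. It covers both options Paul listed: serve a valid certificate on the bare IP (default certificate, no strict SNI) or refuse bare-IP TLS connections outright (sniStrict).

```python
"""Dump a Let's Encrypt cert/key out of Traefik's acme.json and write a file-provider
fragment that installs it as the default certificate (optionally with strict SNI).

Added example for this thread, not ISLE/Traefik code. Assumes the Traefik v2 acme.json
layout and v2 file-provider keys; SAMPLE_ACME_JSON is constructed, not a real store.
"""
import base64
import json
import os
from pathlib import Path
from typing import Optional, Tuple


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed sample store: one wildcard cert and one exact-name cert (fake PEM bodies).
SAMPLE_ACME_JSON = json.dumps({
    "letsencrypt": {
        "Account": {"Email": "admin@example.org"},
        "Certificates": [
            {"domain": {"main": "example.org", "sans": ["*.example.org"]},
             "certificate": _b64("-----BEGIN CERTIFICATE-----\nWILDCARD\n-----END CERTIFICATE-----\n"),
             "key": _b64("-----BEGIN PRIVATE KEY-----\nWILDCARDKEY\n-----END PRIVATE KEY-----\n"),
             "Store": "default"},
            {"domain": {"main": "digitalcollections.example.org", "sans": []},
             "certificate": _b64("-----BEGIN CERTIFICATE-----\nEXACTCERT\n-----END CERTIFICATE-----\n"),
             "key": _b64("-----BEGIN PRIVATE KEY-----\nEXACTKEY\n-----END PRIVATE KEY-----\n"),
             "Store": "default"},
        ],
    }
})


def covers(name: str, host: str) -> bool:
    """True if a certificate name (exact, or single-label wildcard) covers host."""
    name, host = name.lower(), host.lower()
    if name == host:
        return True
    if name.startswith("*."):
        suffix = name[1:]                      # "*.example.org" -> ".example.org"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


def find_certificate(acme_json: str, host: str) -> Optional[Tuple[str, str, str]]:
    """Return (main_domain, cert_pem, key_pem) for the best cert covering host, or None.

    Searches every resolver in the store; an exact-name match beats a wildcard match.
    """
    best = None  # (score, main, cert_pem, key_pem)
    for resolver in json.loads(acme_json).values():
        for entry in resolver.get("Certificates") or []:
            dom = entry["domain"]
            names = [dom["main"]] + (dom.get("sans") or [])
            if not any(covers(n, host) for n in names):
                continue
            score = 2 if host.lower() in (n.lower() for n in names) else 1
            if best is None or score > best[0]:
                cert = base64.b64decode(entry["certificate"]).decode()
                key = base64.b64decode(entry["key"]).decode()
                best = (score, dom["main"], cert, key)
    return None if best is None else best[1:]


def render_dynamic_config(cert_path: str, key_path: str, strict_sni: bool) -> str:
    """Traefik v2 file-provider fragment (YAML).

    strict_sni=False: a client that connects by bare IP (no SNI) is served cert_path, so
    the IP presents the trusted Let's Encrypt cert instead of Traefik's self-signed one.
    strict_sni=True: clients without SNI (or with an SNI Traefik has no cert for) are
    refused at the TLS handshake, so nothing is reachable by bare IP at all.
    """
    lines = ["tls:"]
    if strict_sni:
        lines += ["  options:", "    default:", "      sniStrict: true"]
    lines += ["  stores:", "    default:", "      defaultCertificate:",
              f"        certFile: {cert_path}", f"        keyFile: {key_path}"]
    return "\n".join(lines) + "\n"


def write_default_cert(acme_json: str, host: str, out_dir: str, strict_sni: bool = False) -> Path:
    """Write cert.pem, key.pem (owner-only) and default-cert.yml into out_dir."""
    found = find_certificate(acme_json, host)
    if found is None:
        raise SystemExit(f"no certificate in acme.json covers {host}")
    _main, cert_pem, key_pem = found
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    cert_path, key_path = out / "cert.pem", out / "key.pem"
    cert_path.write_text(cert_pem)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # key created 0600
    with os.fdopen(fd, "w") as f:
        f.write(key_pem)
    cfg = out / "default-cert.yml"
    cfg.write_text(render_dynamic_config(str(cert_path), str(key_path), strict_sni))
    return cfg


if __name__ == "__main__":
    import sys
    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_ACME_JSON
    name = sys.argv[2] if len(sys.argv) > 2 else "digitalcollections.example.org"
    print(write_default_cert(src, name, "traefik-default-cert"))
```

Two operational points follow from the thread. First, Let's Encrypt rotates the certificates in acme.json, so this dump has to be rerun (and Traefik's file provider will pick up the rewritten files) before each renewal lands, which is the maintenance burden Paul describes. Second, verify the result from outside the host the way a scanner would: `openssl s_client -connect <ip>:443 </dev/null` without `-servername` should now show the Let's Encrypt chain instead of the self-signed Traefik certificate, or, with `sniStrict: true`, fail the handshake entirely so the IP presents no service.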