
Forums Redmine

How to activate ssl / Security

19 post(s), 10 voice(s)

 
MaFrei 5 post(s)

Hello,

I am trying to activate SSL encryption on Redmine, but it does not seem to work, and I cannot find any additional information on how to enable HTTPS on Redmine. Is there a how-to or something similar about enabling HTTPS on Redmine somewhere?

I am also missing some information about the security of Redmine from the Bitnami installer. Because we want to go online and into production now, I would like to know how to secure the system.

Thank you

 
Beltrán Rueda Administrator 3,714 post(s)

Hi,

Enabling SSL is very simple. You should modify the “apache2/conf/httpd.conf” file, uncommenting the following line:

“Include conf/extra/httpd-ssl.conf”

Then you can create a certificate using openssl and put your certificate into the “apache2/conf” folder.

I hope it helps.

 
MaFrei 5 post(s)

@beltran

Thank you. I think I can now get additional information on how to activate SSL from the Apache documentation. I was not sure at which end I needed to start.

But can’t you say something about the security of Redmine itself? I think reading in the Apache documentation how to secure the web server itself is a good start, but are there any special things to consider because of the Bitnami installation of Redmine itself? The Bitnami Redmine installation is still called a “Beta”. Are there any known security risks when going into production with this version?

 
Beltrán Rueda Administrator 3,714 post(s)

We try to use the latest stable application version (0.8.2 in Redmine’s case). BitNami developers follow the same approach for all components (MySQL, Apache, etc.). There is not any known security bug in this version, but you can upgrade easily in the future, following the Redmine upgrade steps. I’m sure that the Redmine application takes into account all possible security issues.

About BitNami Stacks, all Stacks have the “beta-ish” tag, but Gmail is also beta and everybody uses it :) Really, I do not know when we will remove the “beta” tag from the webpage.

Cheers.

 
MaFrei 5 post(s)

OK, after some hours I managed to create the certificates and activate them in Apache.

I can now browse to https://myRedmine.mydomain.com and I see the Bitnami splash screen via HTTPS. But when I go to https://myRedmine.mydomain.com/redmine and the login screen appears, I’m back to HTTP.

 
MaFrei 5 post(s)

OK, I found it.

I just typed: RequestHeader set X_FORWARDED_PROTO ‘https’ at the end of httpd.conf

I could post the complete to-do about activating SSL on Bitnami Redmine if you like. Is there a special place to do so?

 
Beltrán Rueda Administrator 3,714 post(s)

I’m glad to hear this.

Yes please, you can write a simple post in this forum, or if you send it to us by email we can create a blog entry about this. We appreciate your help :) We will add a task to our TODO list to include an option to configure the Redmine Stack to use https automatically. Cheers.

 
MaFrei 5 post(s)

Sorry that it took so long. Here is a short “HTTPS To-Do”:


Activating SSL on a Bitnami Redmine installation:

1: Creating an SSL certificate
2: Activating SSL on Apache

1: Creating an SSL certificate:
You need openssl. On Ubuntu, Debian etc. just type „sudo apt-get install openssl“
openssl req -new > new.cert.csr creates a new key pair. You have now created the two files „new.cert.csr“ and „privkey.pem“.
The first contains the certificate request, the second one the private key. While creating the certificate you had to type in a password. This password can now be removed, because normally you don’t want a password prompt while establishing the HTTPS connection: openssl rsa -in privkey.pem -out new.cert.key
Now you have the new key new.cert.key.

Now we need to turn the certificate request into a signed certificate: openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
Now we have created the file new.cert.cert, which holds a signed certificate.

2. Enable HTTPS
Enabling SSL is very simple. You should modify the “apache2/conf/httpd.conf” file, uncommenting the following line:

“Include conf/extra/httpd-ssl.conf”
You also need to add this line: RequestHeader set X_FORWARDED_PROTO ‘https’

Then you put your certificate from point 1 into the “apache2/conf” folder.

In httpd-ssl.conf you should add/change the following:

<VirtualHost ******:443>
 ServerName ******
 SSLEngine on
 SSLCertificateKeyFile /etc/apache2/myssl/server.cert.key
 SSLCertificateFile /etc/apache2/myssl/server.cert.crt
</VirtualHost>

There are a lot more lines that you can uncomment/change as well, but for the first run you don’t need to. See the Apache manual for further steps.


Oops, it doesn’t look good here. I have posted you an OpenOffice file with better formatting and additional “Tips for Beginners”.
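The two-step key creation in the post above (an encrypted key from openssl req, then openssl rsa to strip the passphrase) and the separate self-signing step collapse into one openssl req -x509 call. The script below is an added example written for this thread; it is not part of MaFrei’s post, the OpenOffice file, or Bitnami’s stack, and the output directory, the file names server.cert.key / server.cert.crt and the hostname are assumptions. It writes the key without a passphrase (what the openssl rsa step above achieves, so Apache can start unattended), puts the hostname in both CN and subjectAltName (current browsers ignore a bare CN), marks the certificate as not a CA (a req -x509 certificate built from the stock openssl.cnf picks up the v3_ca section with CA:TRUE, which is the certificate shape that makes mod_ssl log the “RSA Server Certificate is a CA Certificate” warning quoted later in this thread), and checks that the private key really belongs to the certificate before SSLCertificateFile and SSLCertificateKeyFile are pointed at them.

```shell
#!/bin/sh
# Added example (not from the original post or the Bitnami stack): create a
# self-signed server certificate for Apache in one step and sanity-check it.
# Assumed names: OUTDIR, server.cert.key / server.cert.crt, the CN passed in.
set -eu

# make_selfsigned_cert OUTDIR CN [DAYS]
# Writes OUTDIR/server.cert.key (unencrypted RSA-2048, mode 0600) and
# OUTDIR/server.cert.crt (self-signed, SAN = CN, explicitly not a CA).
make_selfsigned_cert() {
  outdir=$1; cn=$2; days=${3:-365}
  mkdir -p "$outdir"
  cfg=$(mktemp)
  # A private config so the result does not depend on the system openssl.cnf,
  # whose default v3_ca section would mark the certificate as a CA.
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn
EOF
  # -nodes: no passphrase on the key, so Apache can start unattended.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$cfg" -extensions v3_server \
    -keyout "$outdir/server.cert.key" -out "$outdir/server.cert.crt"
  rm -f "$cfg"
  chmod 600 "$outdir/server.cert.key"
}

# cert_cn CERT -> prints the subject CN (what ServerName must match).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_is_ca CERT -> exit 0 if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_matches_cert KEY CERT -> exit 0 if the public key inside CERT is KEY's.
# Catches the mix-up that is easy to make when several *.key/*.pem files exist.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Usage: sh make_cert.sh OUTDIR CN [DAYS]   (no arguments: only defines the functions)
if [ $# -ge 2 ]; then
  make_selfsigned_cert "$1" "$2" "${3:-365}"
  key_matches_cert "$1/server.cert.key" "$1/server.cert.crt"
  echo "CN=$(cert_cn "$1/server.cert.crt") written to $1"
fi
```

Browsers will still warn because nobody they trust signed the certificate; the script only removes the self-inflicted problems (passphrase prompt, CA flag, CN/ServerName mismatch, wrong key file). For a server reachable from the Internet the CSR step from the post, sent to a real CA, replaces the -x509 self-signing.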

 
Beltrán Rueda Administrator 3,714 post(s)

Thanks! I have modified your post a bit to show it better.

 
habril 1 post

Hi,

I have been following all the steps in the configuration to activate SSL encryption for Redmine; anyway, I still have problems and it doesn’t work.

1: Creating an SSL certificate → seems to be OK, the generated files are:

servercert.crt
servercert.key
servercert.key
privkey.pem

2. Enable HTTPS

Before modifying httpd.conf, it’s working properly on http:

Listen "80"
ServerName myhost.dyndns.org:80

Then I just modified the file apache2/conf/httpd.conf, uncommenting the line “Include conf/extra/httpd-ssl.conf”
and adding the line: RequestHeader set X_FORWARDED_PROTO ‘https’
at the end of the file,
and kept listening on port 80…

I also put my file servercert.crt into the “apache2/conf” folder.

Finally I modified httpd-ssl.conf; the file and its virtual host definition look like this:
…
Listen 443
…
<VirtualHost 192.168.1.22:443>

DocumentRoot "C:/Program Files/BitNami Redmine Stack/apache2/htdocs"
ServerName myhost.dyndns.org:443
ServerAdmin mymail@example.com
ErrorLog "C:/Program Files/BitNami Redmine Stack/apache2/logs/error.log"
TransferLog "C:/Program Files/BitNami Redmine Stack/apache2/logs/access.log"

SSLEngine on

SSLCipherSuite ALL:EXPORT56:RC4+RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:eNULL

SSLCertificateFile "C:/Program Files/BitNami Redmine Stack/apache2/conf/servercert.crt"

SSLCertificateKeyFile "C:/Program Files/BitNami Redmine Stack/apache2/conf/servercert.key"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

<Directory "C:/Program Files/BitNami Redmine Stack/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog "C:/Program Files/BitNami Redmine Stack/apache2/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Could anybody please help me?

Thanks….

 
huns80 1 post

In the Windows rubystack distribution, one more line needs to be uncommented in httpd.conf.
Although it’s obvious in hindsight, I missed it while following the instructions above.
Uncomment the line “LoadModule ssl_module modules/mod_ssl.so”

I still have an issue, though. Although I can connect with https to redmine, I can also connect with http. I’d like to restrict all access to https. I already set protocol to https.

 
basho 1 post

The combination of the above worked a treat – you guys are brilliant.

I also added an SSL forward to force SSL:

Add the following code section to your httpd.conf down around line #220, right after the big “load modules” section.

Be aware that “#’s” indicate a comment line in the .conf file and are ignored by Apache2.

#########################################
# XXX: BEGIN EDIT FOR MOD_REWRITE ####
# This is intended to force HTTPS ####
# for all inbound HTTP requests ####
####
# This module (mod_rewrite) simply tells Apache2 that all connections to
# port 80 need to go to port 443 - SSL - No exceptions
####

<IfModule !mod_rewrite.c>
LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>

RewriteEngine on

####
# The line below sets the rewrite condition for mod_rewrite.so.
# That is, if the server port does not equal 443, then this condition is true
####

RewriteCond %{SERVER_PORT} !^443$

####
# The line below is the rule, it states that if above condition is true,
# and the request can be any url, then redirect everything to https:// plus
# the original url that was requested.
####

RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

# XXX: END EDIT FOR MOD_REWRITE ####
#######################################

Add the code to httpd.conf and restart Apache2, check your logs for errors to ensure a clean startup, and connect to your server on port 80. It should be instantly redirected to 443.

 
ubtmdc 1 post

Hi.
I followed all the steps above to secure the coppermine stack.
Starting the system I do get the following errors:
(13)Permission denied: make_sock: could not bind to address [::]:443
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
Since I am pretty new to this business I need some explanation here.
OS is ubuntu 10.04.
Thanks in advance.
Regards.

 
Beltrán Rueda Administrator 3,714 post(s)

Hi,

Have you installed the Stack as the root user? If you installed the Stack as a regular user, Apache cannot bind to any port lower than 1024.

 
sly182 1 post

Hello, thanks everyone for the suggestions. I have managed to launch HTTPS support using Win Server 2008.

IMPORTANT points that will help you along with the above posts:

1. RequestHeader set X_FORWARDED_PROTO ‘https’ → this line should be inserted INSIDE the VirtualHost block.

2. If you get “RSA Server Certificate is a CA Certificate (BasicConstraints: CA == TRUE !?)” in your error.log file, then check once more whether your certificate CN (common name field) and the ServerName in the VirtualHost block are EQUAL. Remove the PORT number from ServerName in case you have it there.

For example, in your certificate you have the common name ‘your.domain.com’, so in the ServerName parameter inside the VirtualHost block you should write ‘ServerName your.domain.com’ instead of ‘ServerName your.domain.com:443’.

Although for some people the above remarks could be obvious, it took me about an hour to settle those problems. So it might for you; in that case I hope I shall save you some time :)

 
danoo Administrator 81 post(s)

Thanks for sharing that with us !

Danoo

 
xrayman 2 post(s)

While writing this post in Notepad, I resolved most of the problems I wanted to ask about :)

But I still have a couple of questions.
To restrict access through plain HTTP I commented out the “Listen 80” line in httpd.conf. Is that the right step, or will I get into trouble with it in the future?
The second question is: I use Bitnami Redmine + VisualSVN and I can’t browse the SVN repository in Redmine via https. Redmine and VisualSVN are using the same certificate, generated by VisualSVN. It’s not a very important question; I can always access the repository from Redmine via the file:/// protocol and via https from a remote computer. I am just interested in how to resolve this.

Thanks in advance. Sorry for my English :)
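Putting the thread’s pieces together: basho’s port-80-to-443 redirect, sly182’s note that RequestHeader belongs inside the VirtualHost block, huns80’s LoadModule line, and xrayman’s question about commenting out Listen 80. The fragment below is an added example written for this thread (Apache 2.4.37 or later); it is not Bitnami’s shipped configuration and is not taken from any post above. The install prefix /opt/bitnami, the certificate file names and the hostname myredmine.mydomain.com (the placeholder MaFrei used) are assumptions, and the Bitnami-specific proxy directives that hand requests to Redmine are left out. It keeps port 80 open but serves nothing on it except a redirect, so the HTTP listener can never hand out a login page in the clear; sets X_FORWARDED_PROTO only on the HTTPS vhost, so the application’s view of the scheme matches the connection the request actually arrived on; and replaces the SSLCipherSuite quoted in habril’s configuration (the Apache default of that era, which still admits export-grade, LOW and eNULL, i.e. unencrypted, suites) with a TLS 1.2+ setup plus an HSTS header.

```apache
# Added example for this thread (Apache 2.4.37+); not Bitnami's httpd.conf.
# Assumed: install prefix /opt/bitnami, hostname myredmine.mydomain.com,
# certificate files server.cert.crt / server.cert.key under apache2/conf.

# huns80's point: mod_ssl must actually be loaded. mod_headers is needed for
# RequestHeader/Header, mod_alias for Redirect.
LoadModule ssl_module     modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so
LoadModule alias_module   modules/mod_alias.so

Listen 80
Listen 443

# Port 80 stays open (xrayman's question) but only ever answers with a redirect,
# so no page, form or cookie is served in the clear. mod_alias does what basho's
# RewriteCond/RewriteRule pair does, without loading mod_rewrite.
<VirtualHost *:80>
    ServerName myredmine.mydomain.com
    Redirect permanent "/" "https://myredmine.mydomain.com/"
</VirtualHost>

<VirtualHost *:443>
    # Must match the certificate's CN/SAN, without the :443 suffix (sly182).
    ServerName myredmine.mydomain.com
    DocumentRoot "/opt/bitnami/apache2/htdocs"

    SSLEngine on
    SSLCertificateFile    "/opt/bitnami/apache2/conf/server.cert.crt"
    SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.cert.key"

    # Weak (the old default quoted earlier in the thread; admits EXPORT, LOW
    # and eNULL suites):
    #   SSLCipherSuite ALL:EXPORT56:RC4+RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:eNULL
    # Corrected: TLS 1.2+ only, forward-secret AEAD suites, server-chosen order.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # Inside the HTTPS vhost only (sly182): tells Redmine, proxied behind Apache,
    # that this request arrived over TLS, so the post-login redirect and generated
    # links stay on https. "set" overwrites any client-supplied value.
    RequestHeader set X_FORWARDED_PROTO "https"

    # Browsers that have seen this header refuse plain http to the host afterwards.
    # Start with a short max-age until the redirect is known to work everywhere.
    Header always set Strict-Transport-Security "max-age=300"

    ErrorLog  "/opt/bitnami/apache2/logs/error.log"
    CustomLog "/opt/bitnami/apache2/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

The header is spelled X_FORWARDED_PROTO here because that is the spelling the posts report working with the Bitnami stack of the time; the conventional name is X-Forwarded-Proto, and a current reverse-proxy setup would set that one. Check the result with `apachectl configtest` before restarting, then confirm that a plain `curl -I http://myredmine.mydomain.com/redmine` returns a 301 to the https URL rather than content.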

 
urasaa 3 post(s)

If you are running on Amazon EC2 then don’t forget to allow inbound traffic from port 443 (Amazon AWS Console → EC2 → Security Groups → Add rule). If you need to verify that the packets reach the machine use tcpdump:

$ sudo tcpdump -i any port 443

 
Beltrán Rueda Administrator 3,714 post(s)

Thanks for sharing the info. You are right, you should open port 443 in the Amazon AWS firewall.
