
How to use Letsencrypt with Oracle Secure Global Desktop

Jan-Oracle (Member, Posts: 122, Employee), edited Apr 23, 2020 2:23PM in Secure Global Desktop


Overview

LetsEncrypt is an easy and cheap way to get an SSL certificate, so the client browser does not complain about the self-signed certificate. For this to work you need to be able to resolve a Fully Qualified Domain Name (FQDN) to the IP address of your SGD gateway. If your domain has a CAA record in DNS, Let's Encrypt must be listed in it, otherwise issuance will be refused.

ACME certbot

In order to communicate with LetsEncrypt we need to install a utility called certbot. It allows us to talk to the service, request an SSL certificate and answer the challenge. This utility can integrate directly with Apache and Nginx web servers. Even though the SGD gateway is based on Apache, the incoming HTTP(S) stream is received by custom SGD gateway code, so we cannot use that integration.

On Oracle Linux certbot can be installed via yum from the ol7_developer_EPEL repository. There is one dependency (python2-urllib3 or python-urllib3) that exists in multiple yum repositories, but only the one from @ol7_latest works with certbot, so we need to make sure to use the correct one. When we remove python2-urllib3 it might remove other packages that had it declared as a dependency (most likely cloud-init), so after we add the certbot package from the correct repository we need to add cloud-init back.

# yum list installed python2-urllib3 && yum remove python2-urllib3

# yum --disablerepo=ol7_developer install -y certbot && yum install -y cloud-init

For operating systems not directly supported by certbot one can download certbot-auto, which bootstraps itself with the necessary Python libraries. This seems to be the most reliable way to get certbot running.

Use it with the SGD gateway

Stop SGD gateway

Since a running gateway listens on ports 80 and 443, which the standalone challenge needs, we must stop the gateway before invoking certbot.

# /opt/SUNWsgdg/bin/gateway stop --force

Run Certbot

Once DNS resolves our FQDN to the IP address of our gateway, we can run certbot by specifying the FQDN and an e-mail address (I am using a fictitious domain name, please adjust accordingly).

# certbot certonly --standalone --agree-tos -n -m [email protected] -d sgd.example.com

If everything goes well, the resulting SSL certificate will be at /etc/letsencrypt/live/sgd.example.com/cert.pem, with the private key and chain alongside it.

Import the SSL certificate into the SGD gateway

Once the SSL certificate has been issued, we use the gateway command to import the new key, certificate and chain, and then start the gateway.

# CERT=sgd.example.com

# /opt/SUNWsgdg/bin/gateway sslkey import \
        --keyfile /etc/letsencrypt/live/${CERT}/privkey.pem \
        --certfile /etc/letsencrypt/live/${CERT}/cert.pem \
        --cacertfile /etc/letsencrypt/live/${CERT}/chain.pem \
        --keyalg RSA \
        --alwaysoverwrite

# /opt/SUNWsgdg/bin/gateway start

Now that the SGD gateway is running, we can check in a browser whether it presents the new SSL certificate. Sometimes a browser needs to be restarted before it shows a certificate that was changed on a server it has visited before. Here is a screenshot from one of my servers accessed via Safari on Mac OS X.

[Screenshot: the Let's Encrypt certificate shown by Safari for the SGD gateway]
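Let's Encrypt certificates are only valid for 90 days, so the stop / import / start sequence above has to be repeated at every renewal. The following script is an added example, not part of the original post: it wraps the manual steps as certbot hooks, so that `certbot renew` stops the gateway (pre-hook), imports the renewed files with the same flags as above (deploy-hook, which certbot runs before the post-hook and with RENEWED_LINEAGE pointing at the live directory) and starts the gateway again (post-hook). The function names, the `GATEWAY` and `CERTBOT` overrides and the script location are my assumptions; the gateway path and import flags are the ones from the post.

```shell
#!/bin/sh
# Added example: certbot renewal hooks for the SGD gateway.
# Install at an absolute path (assumed: /usr/local/sbin/sgd-letsencrypt.sh) and run
# "sgd-letsencrypt.sh renew" from cron; certbot calls back "sgd-letsencrypt.sh deploy".
set -eu

GATEWAY="${GATEWAY:-/opt/SUNWsgdg/bin/gateway}"   # overridable for testing
CERTBOT="${CERTBOT:-certbot}"

# Return 0 only if the lineage directory holds all three non-empty files the
# import needs; a partial directory must never be handed to the gateway.
sgd_check_lineage() {
    dir="$1"
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
}

# Import key, certificate and chain from a live directory (same flags as the
# manual step in the post). Caller is responsible for the gateway being stopped.
sgd_import_lineage() {
    dir="$1"
    sgd_check_lineage "$dir" || return 1
    "$GATEWAY" sslkey import \
        --keyfile "$dir/privkey.pem" \
        --certfile "$dir/cert.pem" \
        --cacertfile "$dir/chain.pem" \
        --keyalg RSA \
        --alwaysoverwrite
}

# The gateway owns ports 80/443, so it is stopped before the standalone
# challenge and started again afterwards; the import runs in between.
sgd_renew() {
    "$CERTBOT" renew \
        --pre-hook "$GATEWAY stop --force" \
        --deploy-hook "$0 deploy" \
        --post-hook "$GATEWAY start"
}

case "${1:-}" in
    deploy) sgd_import_lineage "${RENEWED_LINEAGE:?RENEWED_LINEAGE is set by certbot}" ;;
    renew)  sgd_renew ;;
esac
```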