Q: How can I secure access to LISTSERV Maestro with HTTPS for free?
By Johannes Hubert, Senior Applications Programmer, L-Soft
More and more, the modern web is migrating over to the encrypted HTTPS protocol as a replacement for the old, unencrypted HTTP protocol. In some areas, HTTPS is already becoming mandatory (see for example the OMB Memorandum M-15-13), and modern browsers have begun marking web pages that contain a password field as "not secure" if they are not served via HTTPS.
Switching to HTTPS makes sense especially for a server like LISTSERV Maestro where sensitive data is transferred between the user's browser and the server (including, but not limited to, the user's login credentials). The built-in features of LISTSERV Maestro make this very easy, so there really is no reason not to use HTTPS.
To secure a server like LISTSERV Maestro with HTTPS, you need a so-called "server certificate". Obtaining such a certificate used to be a complex manual process, often employing command line tools and also requiring a recurring payment to the certification authority of your choice.
But since version 7.2, LISTSERV Maestro allows you to obtain such a server certificate in a much simpler manner – and without additional costs.
For this, LISTSERV Maestro makes use of Let's Encrypt, a free, automated and open certificate authority. In combination with Let's Encrypt, LISTSERV Maestro can automatically obtain the necessary server certificates for you and also automatically refresh the certificates well in time before they expire.
The setup is also quite simple, as described below, and once configured, you can essentially forget about it. There is no longer a need to remember to refresh your certificate every year and no manual process involved.
Preconditions for Using Automatic Let's Encrypt Certificates
For the automated Let's Encrypt certification process to work, the following preconditions must be met:
- LISTSERV Maestro must use the standard HTTP port 80 for unencrypted HTTP access
This is important because otherwise LISTSERV Maestro will either be unable to obtain the certificates from Let's Encrypt in the first place or will be unable to automatically refresh the certificates before they expire.
- Certificate host names and secured IP addresses must match
Certificates are issued for certain host names. A given certificate can be issued for a single host name or for a set of host names. Such a certificate is then used to secure a given IP address for HTTPS.
For this to work, the host names in the certificate must match the host names that are assigned to the IP address. Specifically, all host names that are assigned to an IP address must also be included in the certificate that is to be used to secure this IP address.
For example, for an IP address with only one host name, the certificate should contain only this one host name. For an IP address with three different host names, the certificate should contain exactly these three host names.
This is important because otherwise LISTSERV Maestro may serve the wrong certificate to the user's browser, which the browser will then show as an invalid and insecure connection.
Securing LISTSERV Maestro With an Automatic Let's Encrypt Certificate
To secure a LISTSERV Maestro IP address with an automatic Let's Encrypt certificate, follow this procedure:
1. Decide which IP address you want to secure
If you don't know the IP address but only the server's host name, for example from the LISTSERV Maestro access URL, then you need to find out the IP address that this host name is assigned to (for example with the command line tool "nslookup" or something similar).
2. Determine all public host names that are assigned to this IP address
An IP address may have several public host names assigned. You need to find out all of these host names for the certificate.
It's important that the server in question is accessible from the public internet via all of these host names (this usually means that there must be a registered DNS A record for each host name that points to the selected IP address).
3. In LISTSERV Maestro, create a new certificate that contains all of these host names
To do so, log in to the Administration Hub (HUB) as the administrator and select Global Settings > HTTPS Certificates from the menu. Then on the certificates page, subscribe your LISTSERV Maestro instance at Let's Encrypt (if you haven't already done so).
To create a certificate, in the section that lists the servers on which the LISTSERV Maestro components are installed (can be one, two or three servers), locate the server to which the desired IP address is assigned and click the associated Create new certificate managed by this server link. Then proceed as described on screen (for more information, refer to the online help via the [?] icon in the top right corner).
4. Use the new certificate to secure the IP address that you decided on
The certificate that has been created in the previous step is not automatically used for HTTPS connections. To actually make use of the certificate, you need to add a specific entry to the tomcat.ini file of the corresponding server (i.e. the server for which you created the certificate in the previous step):
[maestro_install_folder]/conf/tomcat.ini
The entry that you need to add is different for each certificate. To find out the correct entry for a given certificate, click the How to Apply This Certificate link that is associated with the certificate.
On the following page, you can enter the IP address that you want to secure, plus the desired HTTPS port. This will construct the correct INI entry for you, which you can then simply copy & paste to the desired tomcat.ini file. Again, see the online help of that page (via the [?] icon in the top right corner) for more information.
With the above procedure complete and the necessary entry added to the tomcat.ini, LISTSERV Maestro on that server will then bind two ports on the given IP address:
- The specified HTTPS port for HTTPS connections.
- The default HTTP port 80 for automatic HTTP-to-HTTPS redirects and to enable the server to automatically request and refresh certificates from the Let's Encrypt CA.
It's necessary for LISTSERV Maestro to not only bind the specified HTTPS port but also the standard HTTP port 80 for the automatic certificate mechanism to work. For the same reason, both ports must be accessible from the public internet. See Admin Tech Doc 9, section "4.2.1 Troubleshooting Port 80 Problems" for options if binding port 80 is not possible.
Remember that, as always when you make changes to the tomcat.ini, you need to restart LISTSERV Maestro on that server to make the changes effective.
If you are enabling HTTPS for the first time, then most likely you will also have to configure the applicable access URLs and/or tracking URLs to use the "https://" protocol. This is done on the Default URL Settings page (Global Settings > Maestro User Interface > Default URL Settings), and these defaults can also be overridden on account or group level.
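The preconditions and the port bindings above can be verified from the outside once the server has been restarted. The following Python script is an added example, not part of LISTSERV Maestro or of this article; the IP address and host names in it are constructed placeholders. It checks that every host name chosen in step 2 resolves to the IP address from step 1, that the certificate served for each host name lists exactly the assigned host names, how many days it remains valid, and that port 80 answers with a redirect to HTTPS.

```python
import http.client
import socket
import ssl
import time

# Constructed placeholders: replace with the IP address and host names chosen in steps 1 and 2.
IP = "203.0.113.10"
HOSTNAMES = ["maestro.example.com", "lists.example.com"]
HTTPS_PORT = 443

def resolve_ipv4(hostname):
    return {ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)}

def unmapped_hostnames(ip, hostnames, resolve=resolve_ipv4):
    # Host names whose DNS A records do not point at ip (step 2 requires all of them to).
    return [h for h in hostnames if ip not in resolve(h)]

def hostname_mismatch(cert_dns_names, ip_hostnames):
    # (missing, extra): names assigned to the IP but absent from the certificate,
    # and certificate names not assigned to the IP. Both lists must be empty.
    cert = {h.lower() for h in cert_dns_names}
    assigned = {h.lower() for h in ip_hostnames}
    return sorted(assigned - cert), sorted(cert - assigned)

def served_cert(ip, port, sni_host):
    # Chain validation stays on (getpeercert() is empty without it); host-name matching is off.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def redirects_to_https(ip, host):
    # Port 80 must be reachable and send browsers to https:// (the second binding from step 4).
    conn = http.client.HTTPConnection(ip, 80, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    return resp.status in (301, 302, 307, 308) and (resp.getheader("Location") or "").startswith("https://")

if __name__ == "__main__":
    print("host names not pointing at", IP, ":", unmapped_hostnames(IP, HOSTNAMES))
    for host in HOSTNAMES:
        cert = served_cert(IP, HTTPS_PORT, host)
        print(host, "missing/extra:", hostname_mismatch(san_dns_names(cert), HOSTNAMES),
              "expires in %.0f days," % days_until_expiry(cert), "redirect:", redirects_to_https(IP, host))
```

A non-empty "missing" or "extra" list means the certificate and the host names assigned to the IP address do not match, which is the situation described under the second precondition; a failed TLS handshake in served_cert means the served chain is not trusted at all.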
Secure And Forget
After this procedure, your LISTSERV Maestro will be accessible via HTTPS on the configured host names, and browsers will no longer show the LISTSERV Maestro login page as "not secure".
Furthermore, LISTSERV Maestro will do an automatic redirect from HTTP to HTTPS if a user should accidentally use the wrong protocol, and LISTSERV Maestro will automatically refresh the certificate well in time before it expires so that the server remains secure without the need for further administrator attention.