From a7f5b3e3bed062bfe71bc58e772c4536ce9567a5 Mon Sep 17 00:00:00 2001
From: Thomas Vincent
Date: Tue, 10 Mar 2026 13:57:04 -0700
Subject: [PATCH] docs: update SSL config with ECDSA keys, TLS 1.2+, Let's Encrypt

Refs #220

Signed-off-by: Thomas Vincent
---
 Cacti-SSL-Configuration.md | 155 ++++++++++++++++++++++++++++++-------
 1 file changed, 125 insertions(+), 30 deletions(-)

diff --git a/Cacti-SSL-Configuration.md b/Cacti-SSL-Configuration.md
index 928df788..f127cd6d 100644
--- a/Cacti-SSL-Configuration.md
+++ b/Cacti-SSL-Configuration.md
@@ -1,47 +1,142 @@ -# Configuring and enabling SSL for Cacti with a self-signed certificate +# Configuring SSL for Cacti -Enabling SSL for Cacti is done at the web server level. An example HTTPS -configuration for Apache is as follows: +Enabling HTTPS for Cacti is done at the web server level. This page covers +self-signed certificates for internal use and Let's Encrypt for public-facing +servers. -```bash -yum install -y mod_ssl -openssl genrsa -out ca.key 4096 -openssl req -new -key ca.key -out ca.csr -openssl x509 -req -days 700 -in ca.csr -signkey ca.key -out ca.crt -cp ca.crt /etc/pki/tls/certs -cp ca.key /etc/pki/tls/private/ca.key -cp ca.csr /etc/pki/tls/private/ca.csr +> **Note**: If using multiple Data Collectors, all must have HTTPS enabled for +> the remote polling feature to work correctly. + +## Self-Signed Certificate (Internal Use) + +Self-signed certificates are suitable for internal networks where you control +the clients. Use ECDSA (secp384r1) for best performance, or RSA 4096 if your +environment requires RSA. + +### ECDSA (recommended) + +```shell +# RHEL/Rocky/AlmaLinux +dnf install -y mod_ssl + +# Generate a 384-bit EC private key and self-signed certificate (valid 3 years) +openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:P-384 \ + -keyout /etc/pki/tls/private/cacti.key \ + -out /etc/pki/tls/certs/cacti.crt \ + -days 1095 \ + -subj "/CN=cacti.example.com" \ + -addext "subjectAltName=DNS:cacti.example.com" + +chmod 600 /etc/pki/tls/private/cacti.key ``` -> **Note on key size**: A 4096-bit RSA key is used above. NIST SP 800-57 -> recommends a minimum of 3072 bits for RSA keys through 2030. 2048-bit keys -> are below that threshold and should not be used for new certificates. 
+### RSA (alternative) -Then we need to update the Apache SSL configuration file: +```shell +# 4096-bit RSA — use when EC is not supported by your TLS client pool +openssl req -x509 -nodes -newkey rsa:4096 \ + -keyout /etc/pki/tls/private/cacti.key \ + -out /etc/pki/tls/certs/cacti.crt \ + -days 1095 \ + -subj "/CN=cacti.example.com" \ + -addext "subjectAltName=DNS:cacti.example.com" -```ini -vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf -SSLCertificateFile /etc/pki/tls/certs/ca.crt -SSLCertificateKeyFile /etc/pki/tls/private/ca.key +chmod 600 /etc/pki/tls/private/cacti.key ``` -Restart the httpd service: +> **Key size**: RSA 2048-bit is below NIST SP 800-131A Rev 2 guidance for +> long-term use. Use 4096-bit RSA or an ECDSA key. + +## Apache Configuration + +Update `/etc/httpd/conf.d/ssl.conf` (RHEL/Rocky/AlmaLinux) or +`/etc/apache2/sites-available/cacti-ssl.conf` (Debian/Ubuntu): -```bash -systemctl restart httpd +```apache + + ServerName cacti.example.com + DocumentRoot /var/www/html/cacti + + SSLEngine on + # RHEL/Rocky/AlmaLinux cert paths: + # SSLCertificateFile /etc/pki/tls/certs/cacti.crt + # SSLCertificateKeyFile /etc/pki/tls/private/cacti.key + # Debian/Ubuntu cert paths: + SSLCertificateFile /etc/ssl/certs/cacti.crt + SSLCertificateKeyFile /etc/ssl/private/cacti.key + + # Require TLS 1.2 or 1.3; TLS 1.0 and 1.1 are prohibited (RFC 8996) + SSLProtocol -all +TLSv1.2 +TLSv1.3 + + # TLS 1.2 cipher suites -- no RC4, 3DES, or export ciphers + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ +ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ +ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 + SSLHonorCipherOrder on + + # TLS 1.3 cipher suites (SSLCipherSuite does not apply to TLS 1.3) + SSLOpenSSLConfCmd Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + + +# Optional: redirect HTTP to HTTPS (uncomment to enable) +# +# ServerName cacti.example.com +# Redirect permanent / 
https://cacti.example.com/ +# ``` -After configuring the web server to accept HTTPS, you can enable HTTPS in the -GUI. +Restart Apache after editing: + +```shell +apachectl configtest +systemctl restart httpd # RHEL/Rocky/AlmaLinux +systemctl restart apache2 # Debian/Ubuntu +``` -> **Note for public-facing servers**: Instead of a self-signed certificate, -> use a certificate from a trusted CA. [Certbot](https://certbot.eff.org/) -> from Let's Encrypt provides free, automatically-renewed certificates and -> is the recommended approach for any internet-accessible Cacti instance. +## Let's Encrypt (Public-Facing Servers) ---- +For servers reachable from the internet, use Let's Encrypt for a +browser-trusted certificate at no cost. -**Note**: if using multiple pollers, all must have HTTPS enabled for the remote polling feature to work properly. +### RHEL/Rocky/AlmaLinux + +```shell +dnf install -y certbot python3-certbot-apache +certbot --apache -d cacti.example.com +``` + +### Debian/Ubuntu + +```shell +apt-get install -y certbot python3-certbot-apache +certbot --apache -d cacti.example.com +``` + +Certbot configures Apache and sets up automatic renewal. Verify auto-renewal +works: + +```shell +certbot renew --dry-run +``` + +## Verifying the Configuration + +After restarting Apache, confirm TLS is working and that weak protocols are +disabled: + +```shell +# Check the certificate and protocol support +openssl s_client -connect cacti.example.com:443 -tls1_2 < /dev/null +openssl s_client -connect cacti.example.com:443 -tls1 < /dev/null # should fail +``` + +For a comprehensive scan, use [SSL Labs](https://www.ssllabs.com/ssltest/) on +public servers or `testssl.sh` on internal hosts: + +```shell +# testssl.sh (download from https://testssl.sh/) +./testssl.sh cacti.example.com +``` ---
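Review bot: The certificate paths in the Apache block do not match the key-generation steps above it, so a reader who follows the RHEL/Rocky/AlmaLinux commands (`dnf install -y mod_ssl`, `-keyout /etc/pki/tls/private/cacti.key`, `-out /etc/pki/tls/certs/cacti.crt`) and then pastes the config gets a server that fails `apachectl configtest`, because the active directives are the Debian ones (`SSLCertificateFile /etc/ssl/certs/cacti.crt`) while the RHEL lines are commented out. Either make the RHEL paths the active ones to match the only `openssl req` commands on the page, or add a Debian/Ubuntu variant of the self-signed section that writes to `/etc/ssl/certs` and `/etc/ssl/private`. The Debian path also needs `a2enmod ssl` and `a2ensite cacti-ssl` after creating `/etc/apache2/sites-available/cacti-ssl.conf`; without them the new vhost is never loaded. The removed sentence "After configuring the web server to accept HTTPS, you can enable HTTPS in the GUI." has no replacement, so the Cacti-side step is now missing from the page; please carry it over. In the verification section, the `-tls1` check is documented as "should fail", but a failure on the client side does not by itself show the server rejected TLS 1.0 (a client built or policy-configured without TLS 1.0 fails the same way); a short note to look at the handshake error, or to confirm with `testssl.sh` which the page already recommends, would make the check meaningful.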