Mirko Tietgen, koha.abunchofthings.net
Kohacon 2016, Aristotle University of Thessaloniki
30th May 2016
HTTP: plain text communication between server and client

Browser –> 001011010101100 –> Webserver
Browser <– 001011010101100 <– Webserver
HTTP: plain text communication between server and client

Browser –> 0010password100 –> Webserver
Browser <– 0010a_secret100 <– Webserver
HTTP: plain text communication between server and client

Patrons –> 0010password100 –> Koha OPAC
Patrons <– 0010a_secret100 <– Koha OPAC
HTTP: plain text communication between server and client

Librarian –> 0010password100 –> Koha Intranet
Librarian <– 0010a_secret100 <– Koha Intranet
HTTPS: secure communication between server and client

Browser –> XXXXXXXXXXXXXXX –> Webserver
Browser <– XXXXXXXXXXXXXXX <– Webserver
HTTPS: Transport Layer Security (TLS)

▶ Encrypts the communication between peers
▶ Verifies the integrity of the communication
▶ Verifies the identity of the peers (on the web normally only the server presents a certificate)
▶ Based on certificates
HTTPS: certificates

▶ Issued by a Certificate Authority (CA)
▶ Different default levels of trust in web browsers
▶ Different types (single name, multiple subdomains (SAN), wildcard)
▶ More or less expensive, depending on features
HTTPS: certificates: trusted
HTTPS: self-signed certificates

▶ Free
▶ Blocked by default in web browsers
▶ Need manual exceptions
▶ Exception options hidden behind scary warnings
▶ Encrypt the connection, but give no identity check: a user who has learned to click through the warning cannot tell the library's self-signed certificate from an attacker's
HTTPS: self-signed certificates: scary warnings
Enter Let's Encrypt: a free certificate authority

▶ Started by members of the Electronic Frontier Foundation, Mozilla and the University of Michigan
▶ Internet Security Research Group founded in 2013
▶ Goal: build a certificate authority that provides
  ▶ free TLS certificates
  ▶ in an automated process
  ▶ trusted by web browsers
Enter Let's Encrypt: a free certificate authority

▶ ACME: Automated Certificate Management Environment, the protocol a client uses to prove control of a domain name and obtain a certificate
▶ Reference client implementation: letsencrypt, recently renamed to certbot
▶ Public beta: 3rd December 2015
▶ Left beta: 12th April 2016
Enter Let's Encrypt: a free certificate authority

So why don't we use it in Koha?
Enter Koha 16.05: released 26th May 2016

We do.
Koha: Debian package command

    koha-create --create-db yourlibrary

Set up a Koha instance using Debian packages
Koha 16.05: Debian package command, new option

    koha-create --create-db --letsencrypt yourlibrary

Get a certificate and the appropriate web server configuration
Let's Encrypt in Koha 16.05: process happening in the background

koha-create creates a Koha instance as usual, then …
▶ The LE client writes a challenge token into the Koha web folder, under the ACME path /.well-known/acme-challenge/
▶ The LE client asks the LE server to connect to the Koha server
▶ The LE server connects to the Koha server over plain HTTP and checks the token
Let's Encrypt in Koha 16.05: process happening in the background

▶ If successful, a certificate is issued
▶ The web server configuration is changed to
  ▶ use the new certificate for secure connections
  ▶ forward all traffic to the secure connection
▶ The web server is restarted to pick up the new configuration
▶ Done
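The shape of the web server configuration that the steps above leave behind, as an added example written for this page (it is not the code of koha-create or of the Koha packages). It renders, for one instance, a port-80 virtual host that redirects everything to HTTPS and a port-443 virtual host that serves the new certificate. Assumptions: the instance has an OPAC hostname and an intranet hostname covered by one certificate, the certificate is stored under /etc/letsencrypt/live/<OPAC hostname>/ as the Let's Encrypt client does by default, and the Koha package's shared Apache includes exist under /etc/koha/. The HSTS header is a hardening step beyond what the talk describes; the challenge path is excluded from the redirect so the validation request is answered directly over port 80.

```sh
#!/bin/sh
# Added example, not Koha's own koha-create code: render the Apache virtual
# hosts that the Let's Encrypt step leaves behind for one Koha instance.
# Assumed: one certificate for both hostnames, stored under
# /etc/letsencrypt/live/<opac hostname>/ (the client's default layout), and
# the Koha package's shared includes under /etc/koha/ (mod_ssl, mod_rewrite
# and mod_headers enabled).

# Port 80 vhost: every request is sent to HTTPS except the ACME challenge
# path, which keeps answering over plain HTTP for validation and renewal.
render_http_vhost() {
    host=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# Port 443 vhost for one role (opac or intranet). cert_dir is the directory
# name under /etc/letsencrypt/live/, i.e. the first hostname on the cert.
render_https_vhost() {
    instance=$1 host=$2 role=$3 cert_dir=$4
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$cert_dir/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$cert_dir/privkey.pem
    # Hardening beyond the talk: browsers stay on HTTPS for 180 days.
    Header always set Strict-Transport-Security "max-age=15552000"
    SetEnv KOHA_CONF /etc/koha/sites/$instance/koha-conf.xml
    Include /etc/koha/apache-shared.conf
    Include /etc/koha/apache-shared-$role.conf
</VirtualHost>
EOF
}

# Whole site file: two redirecting HTTP hosts plus two HTTPS hosts that share
# the certificate issued for the OPAC hostname.
render_site_config() {
    instance=$1 opac_host=$2 intra_host=$3
    render_http_vhost "$opac_host"
    render_http_vhost "$intra_host"
    render_https_vhost "$instance" "$opac_host" opac "$opac_host"
    render_https_vhost "$instance" "$intra_host" intranet "$opac_host"
}

# Usage (hypothetical hostnames):
#   render_site_config yourlibrary opac.example.org intra.example.org
```

The intranet host reuses the OPAC certificate directory on purpose: the client issues one SAN certificate for both names and stores it under the first name given, so the two SSLCertificateFile lines must point at the same directory.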
Let's Encrypt in Koha 16.05: requirements

▶ Koha server accessible from the Internet on port 80
  The LE server needs to check that you are allowed to get a certificate; it fetches the token over plain HTTP, so a firewall or reverse proxy in front of Koha must let that request through
▶ Public domain names
  The LE server can't validate a local domain name or an IP address
Limitations … of the implementation in Koha 16.05

▶ Automation only works with Koha Debian packages
  You can use LE manually with Koha on other distros of course
▶ Only works for new Koha instances
  An option to handle existing Koha instances will follow
Dependencies: Koha automation

▶ Needs the letsencrypt (or certbot) package of your GNU/Linux distribution
  If there is none, there is a workaround
▶ For Debian Jessie, add the jessie-backports repository
▶ For other GNU/Linux distributions, check the certbot website: https://certbot.eff.org/
  Choose "None of the above" as web server
Dependencies: Koha automation

▶ If there is no package, follow the instructions on the certbot website on how to get certbot-auto
  Koha will look for /usr/bin/letsencrypt; you can create a symlink to certbot-auto
▶ The patch was written before the name change to certbot. Please test in a non-production environment and report problems if you find any.
Limitations … of LE itself

▶ No wildcard certificates (true when this talk was given; Let's Encrypt has issued wildcard certificates via the DNS-01 challenge since March 2018)
  Multidomain (SAN) certificates are possible
  Currently limited to 100 entries per certificate
▶ 20 certificates per registered domain within 7 days
  No problem for a regular Koha library, but might be for Koha support providers that host many instances under one domain
  Test runs against the LE staging environment (the client's --staging option) do not count against the limit
▶ Certificates are valid for only 90 days
  Renewal can be automated
Renewal: with a LE package for your distro

▶ letsencrypt renew
  … will try to renew all certificates that expire in < 30 days
▶ letsencrypt renew --dry-run
  … tests the renewal against the LE staging server without replacing the installed certificates
▶ letsencrypt renew --quiet
  Set up a cronjob for it, and reload the web server afterwards: a renewed certificate sits on disk but is not served until Apache picks it up
▶ Do the equivalent with certbot-auto if there is no packaged version of LE
Links

▶ https://letsencrypt.org
▶ https://certbot.eff.org
▶ https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15303
More Koha enhancements related to encryption: sponsoring welcome

▶ Encryption for emails sent by Koha
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8897
▶ Run a Tor hidden service (.onion address) for the Koha OPAC
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15540