CD over HTTPS



  • I will be moving our current or creating a new CD Server in a very secure test environment.
    I will ONLY be allowed to configure CD to use HTTPS for the Web UI.

    How do I correctly set that up during or post install?



  • You would just follow the standard procedure for either IIS or Apache depending on the OS you chose.



  • To start off with, thanks for CloneDeploy btw. The more I use it the more I appreciate it.

    Anyway, I got https working but I also started thinking about SMB security. To the best of my knowledge samba traffic isn't encrypted without the "smb encrypt = required" setting in the share configuration. I tried that and it appears that I can connect to the share from both Linux and Windows 10 machines (I don't know about Windows < 10) but, for whatever reason, CloneDeploy won't cooperate. It would be nice if we could use encrypted shares because that way we could safely transport secrets such as passwords and private keys from the resources directory through SMB. In the meantime I either have to accept unencrypted SMB traffic (I don't think it's a terribly serious problem on the workplace LAN but I'm not perfectly happy) or, perhaps, modify the CloneDeploy scripts to drop a password somewhere in the file system (if that's possible to do).



  • As far as I know, it should be supported, perhaps the smb mount command just needs changed. What's the error that you get when using encrypted SMB?



  • @clonedeploy_admin

    What I see on the client is as follows:

    *** Mounting SMB Share **
    ..... Connecting to Default
    *** An Error Has Occurred **
    ...... Could Not Mount SMB Share and Server Is Not Clustered
    *** Rebooting in 1 minutes.
    

    I can mount it fine manually from other Linux systems with the following command:

    mount -t cifs -o user=cd_share_ro //192.168.254.2/cd_share tmpmount
    

    Also I can connect to it fine from Windows 10.

    My version of smbd is 4.7.9

    Thanks for looking into this.



  • I also have the following from my server log.

    [2019/01/11 14:49:25.771447,  0] ../source3/smbd/trans2.c:4229(call_trans2setfsinfo)
      call_trans2setfsinfo: encryption required and info level 0x200 sent.
    [2019/01/11 14:49:25.779344,  0] ../source3/smbd/trans2.c:4157(call_trans2qfsinfo)
      call_trans2qfsinfo: encryption required and info level 0x104 sent.
    [2019/01/11 14:49:25.780001,  0] ../source3/smbd/trans2.c:4157(call_trans2qfsinfo)
      call_trans2qfsinfo: encryption required and info level 0x105 sent.
    [2019/01/11 14:49:25.783027,  0] ../source3/smbd/trans2.c:9339(handle_trans2)
      handle_trans2: encryption required with call 0x5
    [2019/01/11 14:49:25.815026,  0] ../source3/smbd/trans2.c:4229(call_trans2setfsinfo)
      call_trans2setfsinfo: encryption required and info level 0x200 sent.
    [2019/01/11 14:49:25.815585,  0] ../source3/smbd/trans2.c:4157(call_trans2qfsinfo)
      call_trans2qfsinfo: encryption required and info level 0x104 sent.
    [2019/01/11 14:49:25.816077,  0] ../source3/smbd/trans2.c:4157(call_trans2qfsinfo)
      call_trans2qfsinfo: encryption required and info level 0x105 sent.
    [2019/01/11 14:49:25.818762,  0] ../source3/smbd/trans2.c:9339(handle_trans2)
      handle_trans2: encryption required with call 0x5
    
    

    It looks vaguely as though the samba available on the client may be missing something.
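
Added example (not part of the thread and not CloneDeploy code): a small parser that summarises the "encryption required" messages in an smbd log like the one posted above, grouped by logging function and info level or call number. The function names and the embedded sample (the first four records of that log) are choices made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first four records from the server log posted above.
SAMPLE_LOG = """\
[2019/01/11 14:49:25.771447,  0] ../source3/smbd/trans2.c:4229(call_trans2setfsinfo)
  call_trans2setfsinfo: encryption required and info level 0x200 sent.
[2019/01/11 14:49:25.779344,  0] ../source3/smbd/trans2.c:4157(call_trans2qfsinfo)
  call_trans2qfsinfo: encryption required and info level 0x104 sent.
[2019/01/11 14:49:25.780001,  0] ../source3/smbd/trans2.c:4157(call_trans2qfsinfo)
  call_trans2qfsinfo: encryption required and info level 0x105 sent.
[2019/01/11 14:49:25.783027,  0] ../source3/smbd/trans2.c:9339(handle_trans2)
  handle_trans2: encryption required with call 0x5
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
REJECT = re.compile(r"encryption required (?:and info level|with call) (0x[0-9a-fA-F]+)")

def parse_records(text):
    """Yield (timestamp, function, message) for each header + message pair."""
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"), m["func"])
        elif current and raw.strip():
            yield current[0], current[1], raw.strip()
            current = None

def encryption_rejections(text):
    """Count 'encryption required' messages per (function, code) with first/last time."""
    counts = Counter()
    first = last = None
    for ts, func, msg in parse_records(text):
        m = REJECT.search(msg)
        if not m:
            continue
        counts[(func, m.group(1).lower())] += 1
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    return counts, first, last

if __name__ == "__main__":
    counts, first, last = encryption_rejections(SAMPLE_LOG)
    print(f"{sum(counts.values())} rejected requests between {first} and {last}")
    for (func, code), n in sorted(counts.items()):
        print(f"  {func} {code}: {n}")
```
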



  • Have you tried booting to the client console to mount it manually to see if it says anything on the client? As far as I can see the latest kernels should have support for encrypted SMB.



  • @clonedeploy_admin
    Hi,
    I just did that.
    I booted to the client console. The kernel is 4.13.2 X86_64 (is this new enough?).

    The following command fails when the share is encrypted:

    mount -t cifs //192.168.254.2/cd_share tmpdir -o user=cd_share_ro,pass=XXX,vers=3.0
    

    The error message I get is:

    mount: mounting //130.15.209.221/cd_share on tmpdir failed: No such file or directory
    

    However, if I run the same command when the share is unencrypted it works fine.

    For some reason using the version of mount on the clients I cannot use the --verbose flag to get debugging information.

    Also the authentication works because if I put in a bad password I get a Permission denied error, so it's getting past the authentication and then failing after that.



  • Hi again.
    This was all my fault. It's fine with kernel 4.16.1. For some dumb reason I just assumed that encryption wasn't supported and that's how this all started. Once again sorry for wasting your time. Everything is fine now.