Using an SSL certificate with OTRS

Reasons for using HTTPS with OTRS

… well really, there is NO reason NOT to.

  • When you’re NOT using HTTPS you’re exposing your password in plain text when logging in. Even if you only use OTRS on your corporate network, can you trust everything and everyone on your network?
  • You have data about your customers in OTRS. You should make sure this data is not exposed or leaked, so you should be using HTTPS when accessing OTRS from your web browser.
  • Apart from encryption, there is also the aspect of MITM attacks on your web server. If you have a certificate on your web server you can be fairly sure the server you’re looking at, and the login form you’re typing your password into, is actually YOUR server and not some guy on the same hotel wifi poisoning DNS.
  • Even if you did not care about security, using SSL and HTTPS is a prerequisite for using mod_spdy with Apache, which brings many of the upcoming HTTP/2.0 features to the Apache web server and modern web browsers such as Google Chrome and Mozilla Firefox. This makes OTRS faster!

Self-signed versus purchased

The ‘easiest’ way is to slap a self-signed certificate on your web server. This will lead to the well-known nasty warning signs on your website. This can be perfectly acceptable if your OTRS system is just used by you and your co-workers and no customers log in to it. And after the first login, even the MITM prevention will work, because your web browser will complain if the certificate changes.

You can also purchase a certificate from a vendor such as Verisign. This does cost money, but because the certificate authority is trusted by your web browser, the nasty warnings are gone. And certificates are not as expensive as they used to be, really.

Wildcard certificates, which you can use on many subdomains such as support.example.com, sales.example.com and www.example.com, are still pretty pricey at a hundred euros or more per year, and Extended Validation certificates are also still expensive, but a simple certificate for www.example.com and example.com costs less than 10 euros per year at providers such as NameCheap (full disclosure: affiliate link. I know this is never going to make any money).

Extended Validation and Organisation Validation levels only differ in the amount of work you have to do to prove that you actually are this company before you can get a certificate; they do not make the encryption any stronger or weaker.

Configuring apache

So you’ve purchased or generated your certificate for your web server, great! Now you’ll have to install it, and that will be difficult, right? WRONG! It’s super easy. Let me show you how.

You need to activate SSL. On Debian or Ubuntu, it’s pre-installed with Apache and you just need to enable it, like this:

sudo a2enmod ssl
sudo a2ensite default-ssl

On CentOS or Red Hat, it would be:

sudo yum install -y mod_ssl

Now, in the SSL configuration file (/etc/apache2/sites-enabled/default-ssl on Ubuntu/Debian and /etc/httpd/conf.d/ssl.conf on RHEL/CentOS), you add this for your purchased certificate:

SSLCertificateFile    /etc/apache2/certs/mydomain.crt
SSLCertificateKeyFile /etc/apache2/certs/mydomain.key
SSLCertificateChainFile /etc/apache2/certs/intermediate-rapidssl.crt

Now you simply restart your web server. On Debian/Ubuntu:

sudo service apache2 restart

or on RHEL/CentOS:

sudo service httpd restart

Now you can log in to OTRS using the ‘https://’ prefix. It’s THAT easy!

It would still be great if you could redirect the existing http:// URLs that may already be present in notifications and such to https:// – but that’s easy. Just add this to the HTTP virtualhost configuration:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Verification of your certificate

The people at Qualys SSL Labs have a nice service which lets you verify that your certificate was set up properly; you can find it at https://www.ssllabs.com/ssltest/.

Configuring OTRS

In OTRS the configuration change is also quite easy. Just navigate to Admin > SysConfig > Framework > Core and set ‘HttpType’ to https.

This will make the links in outgoing email notifications contain ‘https’ and it will also set the secure attribute on your login cookies.
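The redirect rule from the Apache section, the externally verified certificate chain and the Secure cookie attribute that HttpType is supposed to produce can all be checked from a workstation with this Python script. It is an added example, not code from the original article or from the OTRS project; it assumes OTRS is served at /otrs/index.pl and takes the hostname as its only argument.

```python
"""Post-install check for an OTRS instance set up as described above (added example)."""
import http.client
import ssl
import sys
from urllib.parse import urlsplit

def redirects_to_https(status, location, host, path):
    """True when a plain-HTTP response redirects to the same host and path over https,
    which is what the RewriteRule on the port-80 virtualhost should produce."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.netloc == host and target.path == path

def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute.
    With HttpType set to https, OTRS should mark its session cookies Secure."""
    missing = []
    for raw in set_cookie_headers:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing

def check_redirect(host, path="/otrs/index.pl"):
    """Request the path over plain HTTP and confirm the server redirects to https."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return redirects_to_https(resp.status, resp.getheader("Location"), host, path)

def check_cookies(host, path="/otrs/index.pl"):
    """Fetch the page over HTTPS (chain verified against the system CA store, so a
    self-signed or incomplete chain fails here) and report cookies lacking Secure."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return cookies_missing_secure(resp.msg.get_all("Set-Cookie") or [])

# Constructed sample header, not captured from a real OTRS server.
SAMPLE_SET_COOKIE = ["Session=abc123; path=/otrs/; HttpOnly"]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("cookies without Secure in sample:", cookies_missing_secure(SAMPLE_SET_COOKIE))
        sys.exit("usage: <hostname>")
    host = sys.argv[1]
    print("http -> https redirect:", check_redirect(host))
    print("cookies without Secure:", check_cookies(host))
```

A failed TLS handshake in check_cookies means the browser warning described under “Self-signed versus purchased” will appear for your users as well.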

Conclusion

With just a couple of minutes of effort you can put a self-signed certificate on your system. If you throw in some ten euros you can grab a commercial certificate, which improves the user experience. It’s really a no-brainer, and it should be part of every proper OTRS installation! I hope this article helped you set it up.