Chapter 2. Configuring TLS encryption on a CUPS server


CUPS supports TLS-encrypted connections and, by default, the service enforces encrypted connections for all requests that require authentication. If no certificates are configured, CUPS creates a private key and a self-signed certificate. This is only sufficient if you access CUPS from the local host itself. For a secure connection over the network, use a server certificate that is signed by a certificate authority (CA).

Warning

Without encryption or with a self-signed certificate, a man-in-the-middle (MITM) attack can disclose, for example:

  • Credentials of administrators when configuring CUPS using the web interface
  • Confidential data when sending print jobs over the network

Prerequisites

  • CUPS is configured.
  • You created a private key, and a CA issued a server certificate for it.
  • If an intermediate certificate is required to validate the server certificate, attach the intermediate certificate to the server certificate.
  • The private key is not protected by a password because CUPS provides no option to enter the password when the service reads the key.
  • The Common Name (CN) or Subject Alternative Name (SAN) field in the certificate matches one of the following:

    • The fully-qualified domain name (FQDN) of the CUPS server
    • An alias that the DNS resolves to the server’s IP address
  • The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
  • Clients trust the CA certificate.
  • If the server runs RHEL 9.2 or later and the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.

Procedure

  1. Edit the /etc/cups/cups-files.conf file, and add the following setting to disable the automatic creation of self-signed certificates:

    CreateSelfSignedCerts no
  2. Remove the self-signed certificate and private key:

    # rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.key
  3. Optional: Display the FQDN of the server:

    # hostname -f
    server.example.com
  4. Optional: Display the CN and SAN fields of the certificate:

    # openssl x509 -text -in /etc/cups/ssl/server.example.com.crt
    Certificate:
      Data:
        ...
        Subject: CN = server.example.com
        ...
        X509v3 extensions:
          ...
          X509v3 Subject Alternative Name:
            DNS:server.example.com
      ...
  5. If the CN or SAN fields in the server certificate contain an alias that is different from the server’s FQDN, add the ServerAlias parameter to the /etc/cups/cupsd.conf file:

    ServerAlias alternative_name.example.com

    In this case, use the alternative name instead of the FQDN in the rest of the procedure.

  6. Store the private key and server certificate in the /etc/cups/ssl/ directory, for example:

    # mv /root/server.key /etc/cups/ssl/server.example.com.key
    # mv /root/server.crt /etc/cups/ssl/server.example.com.crt
    Important

    CUPS requires that you name the private key <fqdn>.key and the server certificate file <fqdn>.crt. If you use an alias, you must name the files <alias>.key and <alias>.crt.

  7. Set secure permissions on the private key that enable only the root user to read this file:

    # chown root:root /etc/cups/ssl/server.example.com.key
    # chmod 600 /etc/cups/ssl/server.example.com.key

    Because certificates are part of the communication between a client and the server before they establish a secure connection, any client can retrieve the certificates without authentication. Therefore, you do not need to set strict permissions on the server certificate file.

  8. Restore the SELinux context:

    # restorecon -Rv /etc/cups/ssl/
  9. By default, CUPS enforces encrypted connections only if a task requires authentication, for example when performing administrative tasks on the /admin page in the web interface.

    To enforce encryption for the entire CUPS server, add Encryption Required to all <Location> directives in the /etc/cups/cupsd.conf file, for example:

    <Location />
      ...
      Encryption Required
    </Location>
  10. Restart CUPS:

    # systemctl restart cups
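The prerequisites (PEM format, unencrypted key, CN or SAN matching the served name) and steps 6 and 7 (file names and key permissions) can be verified before restarting CUPS. The following shell script is an added example and is not part of the Red Hat documentation; it assumes the openssl CLI is installed, and the make_test_pair helper creates a constructed self-signed pair only to demonstrate the checks (a production server uses the CA-issued certificate as described above).

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: pre-flight checks for the
# key/certificate pair CUPS will load from /etc/cups/ssl/.
# check_cups_tls <dir> <name>: <name> is the FQDN or the ServerAlias value.
check_cups_tls() {
  dir="$1"; name="$2"
  key="$dir/$name.key"; crt="$dir/$name.crt"
  # CUPS only finds files named <name>.key and <name>.crt.
  [ -f "$key" ] || { echo "missing $key"; return 1; }
  [ -f "$crt" ] || { echo "missing $crt"; return 1; }
  # PEM and unencrypted: the key must load with an empty passphrase.
  openssl pkey -in "$key" -passin pass: -noout 2>/dev/null \
    || { echo "$key is not an unencrypted PEM private key"; return 1; }
  # Key and certificate must belong together: compare their public keys.
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)" ] \
    || { echo "$key does not match $crt"; return 1; }
  # Only root may read the private key (step 7: chmod 600).
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  [ "$mode" = "600" ] || { echo "$key has mode $mode, expected 600"; return 1; }
  # The served name must appear as a SAN DNS entry or as the subject CN.
  txt=$(openssl x509 -in "$crt" -noout -text)
  echo "$txt" | grep -Eq "DNS:$name(,| |$)" \
    || echo "$txt" | grep -Eq "Subject:.*CN ?= ?$name(,| |/|$)" \
    || { echo "$crt has no CN or SAN entry for $name"; return 1; }
  echo "ok: $name.key and $name.crt in $dir are ready for CUPS"
}

# Constructed, self-signed test pair for demonstration only (make_test_pair is
# a hypothetical helper; in production the certificate comes from your CA).
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
  chmod 600 "$1/$2.key"
}

# Demo run against a temporary directory instead of /etc/cups/ssl/.
demo_dir=$(mktemp -d)
make_test_pair "$demo_dir" server.example.com
check_cups_tls "$demo_dir" server.example.com
rm -rf "$demo_dir"
```

On a real server, run check_cups_tls /etc/cups/ssl server.example.com (or the alias name) as root before step 10.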

Verification

  1. Use a browser, and access https://<hostname>:631/admin/. If the connection succeeds, you configured TLS encryption in CUPS correctly.
  2. If you configured encryption as required for the entire server, access http://<hostname>:631/. CUPS returns an Upgrade Required error in this case.

Troubleshooting

  • Display the systemd journal entries of the cups service:

    # journalctl -u cups

    If the journal contains an Unable to encrypt connection: Error while reading file error after you failed to connect to the web interface by using the HTTPS protocol, verify the name of the private key and server certificate file.
