Chapter 2. Configuring TLS encryption on a CUPS server
CUPS supports TLS-encrypted connections and, by default, the service enforces encrypted connections for all requests that require authentication. If no certificates are configured, CUPS creates a private key and a self-signed certificate. This is only sufficient if you access CUPS from the local host itself. For a secure connection over the network, use a server certificate that is signed by a certificate authority (CA).
Without encryption or with a self-signed certificates, a man-in-the-middle (MITM) attack can disclose, for example:
- Credentials of administrators when configuring CUPS using the web interface
- Confidential data when sending print jobs over the network
Prerequisites
- CUPS is configured.
- You created a private key, and a CA issued a server certificate for it.
- If an intermediate certificate is required to validate the server certificate, attach the intermediate certificate to the server certificate.
- The private key is not protected by a password because CUPS provides no option to enter the password when the service reads the key.
The Canonical Name (
CN
) or Subject Alternative Name (SAN) field in the certificate matches one of the following:- The fully-qualified domain name (FQDN) of the CUPS server
- An alias that the DNS resolves to the server’s IP address
- The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
- Clients trust the CA certificate.
- If the server runs RHEL 9.2 or later and the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
Edit the
/etc/cups/cups-files.conf
file, and add the following setting to disable the automatic creation of self-signed certificates:CreateSelfSignedCerts no
Remove the self-signed certificate and private key:
# rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.key
Optional: Display the FQDN of the server:
# hostname -f server.example.com
Optional: Display the
CN
and SAN fields of the certificate:# openssl x509 -text -in /etc/cups/ssl/server.example.com.crt Certificate: Data: ... Subject: CN = server.example.com ... X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:server.example.com ...
If the
CN
or SAN fields in the server certificate contains an alias that is different from the server’s FQDN, add theServerAlias
parameter to the/etc/cups/cupsd.conf
file:ServerAlias alternative_name.example.com
In this case, use the alternative name instead of the FQDN in the rest of the procedure.
Store the private key and server certificate in the
/etc/cups/ssl/
directory, for example:# mv /root/server.key /etc/cups/ssl/server.example.com.key # mv /root/server.crt /etc/cups/ssl/server.example.com.crt
ImportantCUPS requires that you name the private key
<fqdn>.key
and the server certificate file<fqdn>.crt
. If you use an alias, you must name the files<alias>.key
and<alias>.crt
.Set secure permissions on the private key that enable only the
root
user to read this file:# chown root:root /etc/cups/ssl/server.example.com.key # chmod 600 /etc/cups/ssl/server.example.com.key
Because certificates are part of the communication between a client and the server before they establish a secure connection, any client can retrieve the certificates without authentication. Therefore, you do not need to set strict permissions on the server certificate file.
Restore the SELinux context:
# restorecon -Rv /etc/cups/ssl/
By default, CUPS enforces encrypted connections only if a task requires authentication, for example when performing administrative tasks on the
/admin
page in the web interface.To enforce encryption for the entire CUPS server, add
Encryption Required
to all<Location>
directives in the/etc/cups/cupsd.conf
file, for example:<Location /> ... Encryption Required </Location>
Restart CUPS:
# systemctl restart cups
Verification
-
Use a browser, and access
https://<hostname>:631/admin/
. If the connection succeeds, you configured TLS encryption in CUPS correctly. -
If you configured that encryption is required for the entire server, access
http://<hostname>:631/
. CUPS returns anUpgrade Required
error in this case.
Troubleshooting
Display the
systemd
journal entries of thecups
service:# journalctl -u cups
If the journal contains an
Unable to encrypt connection: Error while reading file
error after you failed to connect to the web interface by using the HTTPS protocol, verify the name of the private key and server certificate file.
Additional resources
- How to configure CUPS to use a CA-signed TLS certificate in RHEL (Red Hat Knowledgebase)