Chapter 2. Configuring TLS encryption on a CUPS server
CUPS supports TLS-encrypted connections and, by default, the service enforces encrypted connections for all requests that require authentication. If no certificates are configured, CUPS creates a private key and a self-signed certificate. This is only sufficient if you access CUPS from the local host itself. For a secure connection over the network, use a server certificate that is signed by a certificate authority (CA).
Without encryption or with a self-signed certificate, a man-in-the-middle (MITM) attack can disclose sensitive data, for example:
- Credentials of administrators when configuring CUPS by using the web interface
- Confidential data when sending print jobs over the network
Prerequisites
- CUPS is configured.
- You created a private key, and a CA issued a server certificate for it.
- If an intermediate certificate is required to validate the server certificate, append the intermediate certificate to the server certificate.
- The private key is not protected by a password because CUPS provides no option to enter the password when the service reads the key.
- The Canonical Name (CN) or Subject Alternative Name (SAN) field in the certificate matches one of the following:
  - The fully-qualified domain name (FQDN) of the CUPS server
  - An alias that the DNS resolves to the server's IP address
- The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
- Clients trust the CA certificate.
- If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
1. Edit the /etc/cups/cups-files.conf file, and add the following setting to disable the automatic creation of self-signed certificates:

   CreateSelfSignedCerts no

2. Remove the self-signed certificate and private key:

   # rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.key

3. Optional: Display the FQDN of the server:

   # hostname -f
   server.example.com

4. Store the private key and server certificate in the /etc/cups/ssl/ directory, for example:

   # mv /root/server.key /etc/cups/ssl/server.example.com.key
   # mv /root/server.crt /etc/cups/ssl/server.example.com.crt

   Important: CUPS requires that you name the private key <fqdn>.key and the server certificate file <fqdn>.crt. If you use an alias, you must name the files <alias>.key and <alias>.crt.

5. Set secure permissions on the private key that enable only the root user to read this file:

   # chown root:root /etc/cups/ssl/server.example.com.key
   # chmod 600 /etc/cups/ssl/server.example.com.key

   Because certificates are part of the communication between a client and the server before they establish a secure connection, any client can retrieve the certificates without authentication. Therefore, you do not need to set strict permissions on the server certificate file.

6. Restore the SELinux context:

   # restorecon -Rv /etc/cups/ssl/

7. Optional: Display the CN and SAN fields of the certificate.

8. If the CN or SAN field in the server certificate contains an alias that is different from the server's FQDN, add the ServerAlias parameter to the /etc/cups/cupsd.conf file:

   ServerAlias alternative_name.example.com

   In this case, use the alternative name instead of the FQDN in the rest of the procedure.

9. By default, CUPS enforces encrypted connections only if a task requires authentication, for example when performing administrative tasks on the /admin page in the web interface. To enforce encryption for the entire CUPS server, add Encryption Required to all <Location> directives in the /etc/cups/cupsd.conf file, for example:

   <Location />
     ...
     Encryption Required
   </Location>

10. Restart CUPS:

   # systemctl restart cups
Verification
- Use a browser, and access https://<hostname>:631/admin/. This requires that your browser trusts the CA certificate. If the connection succeeds, you configured TLS encryption in CUPS correctly.
- If you configured that encryption is required for the entire server, access http://<hostname>:631/. CUPS returns an Upgrade Required error in this case.
Troubleshooting
Display the systemd journal entries of the cups service:

   # journalctl -u cups

If the journal contains an "Unable to encrypt connection: Error while reading file" error after you failed to connect to the web interface by using the HTTPS protocol, verify the name of the private key and server certificate file.
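The checks that this procedure and its troubleshooting step rely on (file names matching the FQDN or ServerAlias, PEM format, an unencrypted key, and root-only permissions on the key) can be run as a pre-flight script before restarting CUPS. The following is an added example, not part of the Red Hat documentation; it assumes GNU coreutils stat and takes the expected key owner as an optional third argument (default root) so that it can also be run in a test directory as a non-root user.

```shell
# check_cups_tls_files SSL_DIR NAME [OWNER]
#   SSL_DIR: normally /etc/cups/ssl
#   NAME:    the FQDN from `hostname -f`, or the ServerAlias if you use one
#   OWNER:   expected owner of the private key (default: root)
# Prints every failed check and returns 1; returns 0 when all checks pass.
# Assumes GNU coreutils stat (-c). Does not validate the certificate itself.
check_cups_tls_files() {
    ssl_dir=$1
    name=$2
    owner_expected=${3:-root}
    key="$ssl_dir/$name.key"
    crt="$ssl_dir/$name.crt"
    rc=0

    # CUPS only loads <name>.key and <name>.crt; with any other file name the
    # journal later shows "Unable to encrypt connection: Error while reading file".
    for f in "$key" "$crt"; do
        if [ ! -f "$f" ]; then
            echo "FAIL missing file: $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # Both files must be PEM (a "-----BEGIN ..." header line), not DER.
    for f in "$key" "$crt"; do
        if ! head -n 1 "$f" | grep -q '^-----BEGIN '; then
            echo "FAIL not PEM encoded: $f"
            rc=1
        fi
    done

    # CUPS cannot prompt for a passphrase, so the key must be unencrypted.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL private key is password-protected: $key"
        rc=1
    fi

    # Only the owner may read the key: mode 600. The certificate is sent to
    # every client during the handshake, so it needs no such restriction.
    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%U' "$key")
    if [ "$mode" != "600" ] || [ "$owner" != "$owner_expected" ]; then
        echo "FAIL key is $owner:$mode, expected $owner_expected:600: $key"
        rc=1
    fi
    return "$rc"
}

# Run directly, for example: sh check_cups_tls_files.sh /etc/cups/ssl "$(hostname -f)"
if [ "$#" -ge 2 ]; then check_cups_tls_files "$@"; fi
```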