docs: update SSL config with ECDSA keys, TLS 1.2+, Let's Encrypt

somethingwithproof · somethingwithproof · commit 0e352efef804 · 2026-03-10T13:57:04.000-07:00
Refs Cacti#220 Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
diff --git a/Cacti-SSL-Configuration.md b/Cacti-SSL-Configuration.md
@@ -1,43 +1,142 @@
-# Configuring and enabling SSL for Cacti with a self signed certificate
+# Configuring SSL for Cacti
 
-Enabling SSL for Cacti is mostly done at the webserver level. An example SSL
-config for HTTP is as follows:
+Enabling HTTPS for Cacti is done at the web server level. This page covers
+self-signed certificates for internal use and Let's Encrypt for public-facing
+servers.
 
-```bash
-yum install -y mod_ssl -y
-openssl genrsa -out ca.key 2048
-openssl req -new -key ca.key -out ca.csr
-openssl x509 -req -days 700 -in ca.csr -signkey ca.key -out ca.crt
-cp ca.crt /etc/pki/tls/certs
-cp ca.key /etc/pki/tls/private/ca.key
-cp ca.csr /etc/pki/tls/private/ca.csr
+> **Note**: If using multiple Data Collectors, all must have HTTPS enabled for
+> the remote polling feature to work correctly.
 
+## Self-Signed Certificate (Internal Use)
+
+Self-signed certificates are suitable for internal networks where you control
+the clients. Use ECDSA (secp384r1) for best performance, or RSA 4096 if your
+environment requires RSA.
+
+### ECDSA (recommended)
+
+```shell
+# RHEL/Rocky/AlmaLinux
+dnf install -y mod_ssl
+
+# Generate a 384-bit EC private key and self-signed certificate (valid 3 years)
+openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:P-384 \
+    -keyout /etc/pki/tls/private/cacti.key \
+    -out /etc/pki/tls/certs/cacti.crt \
+    -days 1095 \
+    -subj "/CN=cacti.example.com" \
+    -addext "subjectAltName=DNS:cacti.example.com"
+
+chmod 600 /etc/pki/tls/private/cacti.key
 ```
 
-Then we need to update the Apache SSL configuration file:
+### RSA (alternative)
+
+```shell
+# 4096-bit RSA — use when EC is not supported by your TLS client pool
+openssl req -x509 -nodes -newkey rsa:4096 \
+    -keyout /etc/pki/tls/private/cacti.key \
+    -out /etc/pki/tls/certs/cacti.crt \
+    -days 1095 \
+    -subj "/CN=cacti.example.com" \
+    -addext "subjectAltName=DNS:cacti.example.com"
 
-```ini
-vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
-SSLCertificateFile /etc/pki/tls/certs/ca.crt
-SSLCertificateKeyFile /etc/pki/tls/private/ca.key
+chmod 600 /etc/pki/tls/private/cacti.key
 ```
 
-Restart the httpd service:
+> **Key size**: RSA 2048-bit is below NIST SP 800-131A Rev 2 guidance for
+> long-term use. Use 4096-bit RSA or an ECDSA key.
+
+## Apache Configuration
+
+Update `/etc/httpd/conf.d/ssl.conf` (RHEL/Rocky/AlmaLinux) or
+`/etc/apache2/sites-available/cacti-ssl.conf` (Debian/Ubuntu):
 
-```bash
-systemctl restart httpd
+```apache
+<VirtualHost *:443>
+    ServerName cacti.example.com
+    DocumentRoot /var/www/html/cacti
+
+    SSLEngine on
+    # RHEL/Rocky/AlmaLinux cert paths:
+    #   SSLCertificateFile    /etc/pki/tls/certs/cacti.crt
+    #   SSLCertificateKeyFile /etc/pki/tls/private/cacti.key
+    # Debian/Ubuntu cert paths:
+    SSLCertificateFile    /etc/ssl/certs/cacti.crt
+    SSLCertificateKeyFile /etc/ssl/private/cacti.key
+
+    # Require TLS 1.2 or 1.3; TLS 1.0 and 1.1 are prohibited (RFC 8996)
+    SSLProtocol           -all +TLSv1.2 +TLSv1.3
+
+    # TLS 1.2 cipher suites -- no RC4, 3DES, or export ciphers
+    SSLCipherSuite        ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder   on
+
+    # TLS 1.3 cipher suites (SSLCipherSuite does not apply to TLS 1.3)
+    SSLOpenSSLConfCmd     Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+</VirtualHost>
+
+# Optional: redirect HTTP to HTTPS (uncomment to enable)
+#<VirtualHost *:80>
+#    ServerName cacti.example.com
+#    Redirect permanent / https://cacti.example.com/
+#</VirtualHost>
 ```
 
-After configuring the web server to accept https, you can enable https in the
-GUI
+Restart Apache after editing:
 
----
+```shell
+apachectl configtest
+systemctl restart httpd        # RHEL/Rocky/AlmaLinux
+systemctl restart apache2      # Debian/Ubuntu
+```
 
-**Note**: if using multiple pollers, all must have HTTPS enabled for the remote polling feature to work properly.
+## Let's Encrypt (Public-Facing Servers)
 
----
+For servers reachable from the internet, use Let's Encrypt for a
+browser-trusted certificate at no cost.
 
-**Note**: If your Cacti system is public, it is recommended to get a certificate from a trusted certificate provider.
+### RHEL/Rocky/AlmaLinux
+
+```shell
+dnf install -y certbot python3-certbot-apache
+certbot --apache -d cacti.example.com
+```
+
+### Debian/Ubuntu
+
+```shell
+apt-get install -y certbot python3-certbot-apache
+certbot --apache -d cacti.example.com
+```
+
+Certbot configures Apache and sets up automatic renewal. Verify auto-renewal
+works:
+
+```shell
+certbot renew --dry-run
+```
+
+## Verifying the Configuration
+
+After restarting Apache, confirm TLS is working and that weak protocols are
+disabled:
+
+```shell
+# Check the certificate and protocol support
+openssl s_client -connect cacti.example.com:443 -tls1_2 < /dev/null
+openssl s_client -connect cacti.example.com:443 -tls1   < /dev/null  # should fail
+```
+
+For a comprehensive scan, use [SSL Labs](https://www.ssllabs.com/ssltest/) on
+public servers or `testssl.sh` on internal hosts:
+
+```shell
+# testssl.sh (download from https://testssl.sh/)
+./testssl.sh cacti.example.com
+```
 
 ---
 
