Server certificates: review of upgrade & troubleshooting sections

[sbesson]

Hopefully, this brings a conclusion to the great OMERO TLS saga of the Summer 2023 which was partly driven by this image.sc post ¹ and led to various OMERO component releases ^{2 3 4 5}. This PR aims to amend the reference OMERO documentation to capture the new requirement in terms of OMERO.server certificates.

As a quick preamble, the problem space is complex as we are dealing with server/client connection issues across a set of environments spanning different versions (& sometimes compilation options) of OpenSSL, Java and Python. This complexity was demonstrated to some extent by the extent of the testing required in order to review, approve and release the set of changes aforementioned.

Probably as important as the code changes, we want to communicate efficiently the impact of these changes with the appropriate level of details/language e.g. end-users wants to understand why they cannot connect to the server or system administrators want to know about to upgrade the server without necessarily feeling they have to understand why ADH configurations have been removed.

This PR amends the three main sections of the reference documentation discussing SSL to capture the latest code/plugin improvements and remove unnecessary technical details:

• the section about the server certificates in the OMERO.server upgrade page is supplemented with instructions about upgrading configurations created by old omero-certificates version
• the client/server section is amended to remove all references to weak ciphers or security settings
• the troubleshooting section is supplemented with concrete examples of SSL errors that could be received by an end-user and a link to the certificates section of the server upgrade page

A few notes:

• one of the limitations for the ugprade section is to produce an easy answer to the question "do I need to modify my server SSL configuration?". The current approach as per ¹ and the upcoming OMERO.py 5.16.1 ⁶ is to teach various omero commands to print loud warnings about the outdated server-side SSL configurations
• the Client Server SSL verification has been minimally changed but could possibly use a second round of review (outside the scope of this PR) especially for reviewing the validity the latter sections around certificate authority and client host verification. Arguably, this is the most relevant candidate for a reference page containing the technical details associated with SSL issues if this was deemed to be useful.

Critical feedback and suggestions very welcome in order to find the best wording

Footnotes

1. https://forum.image.sc/t/omero-login-ssl-error-dh-key/79574/17 ↩ ↩²

2. https://github.com/ome/omero-certificates/blob/0.3.0/CHANGELOG.md ↩

3. https://github.com/ome/omero-blitz/blob/v5.7.0/CHANGELOG.md ↩

4. https://github.com/ome/omero-blitz/blob/v5.7.1/CHANGELOG.md ↩

5. https://github.com/ome/omero-py/blob/v5.15.0/CHANGELOG.md#5160-september-2023 ↩

6. https://github.com/ome/omero-py/pull/382 ↩

[sbesson]

Staged at the following URLs for review

https://omero--2346.org.readthedocs.build/en/2346/sysadmins/server-upgrade.html#server-certificate
https://omero--2346.org.readthedocs.build/en/2346/sysadmins/client-server-ssl.html
https://omero--2346.org.readthedocs.build/en/2346/sysadmins/troubleshooting.html#ssl-connection-issues

[jburel]

broke job on merge-ci https://merge-ci.openmicroscopy.org/jenkins/job/OMERO-docs/221/

[sbesson]

I'll revert da299f5. I originally thought this was the reason for the readthedocs CI failures.

Note the CI job is using Sphinx 7.1.x but the changes were introduced in Sphinx 7.2.0. So I suspect this codepath will need to be upgraded eventually alongside the version in OME CI. Is there a mechanism to use the same version as readhtedocs?

[jburel]

see #2347

[pwalczysko]

Really unsure about 2 things:
Is the following paragraph describing how to re-use teh SSL certificates used to protect OMERO.web or, rather, as described above, is describing how to use the omero-certificates plugin ? If the former, where is a description about how to use the plugin ? Is the configuration example (using the Glacier2) described below valid for both ways ?

[sbesson]

Is the following paragraph describing how to re-use teh SSL certificates used to protect OMERO.web or, rather, as described above, is describing how to use the omero-certificates plugin ?

To the best of my knowledge the former. Maybe we need to dwelve back into history here to understand the assumptions and make decisions:

• this page was originally introduced in Client server SSL host verification #1942 in June 2019 on the OMERO 5.5.0 line
• the initial work on omero-certificates and the first release was a year later in March 2020 - see https://github.com/ome/omero-certificates/releases/tag/0.1.0

So the content of this page has been largely superseded by the omero-certificates plugin which runs several of the commands from the Server certificate section under the hood. The only notable difference is that the Server certificate section explains how to re-use an existing public certificate/private key e.g. used by Nginx rather than generating a self-signed certificate like the plugin dows

If the former, where is a description about how to use the plugin ?

That's probably the key issue: there is no canonical place to the best of my knowledge. At the moment:

• each of the server installation pages include a section explaining how to run the certificates - see https://omero.readthedocs.io/en/stable/sysadmins/unix/server-centos7-ice36.html#configuring-omero-server
• this PR updates the section of the upgrade page to update the certificate settings

Is the configuration example (using the Glacier2) described below valid for both ways ?

Largely yes. This PR adjusts the example to make it compatible with the settings of the latest omero certificates

[pwalczysko]

That makes sense, thank you.

[pwalczysko]

Where would I run these commands, on my OMERO.web installation ? Where does the server.p12 live ?

[sbesson]

server.p12 should live in a location defined by omero.glacier2.IceSSL.DefaultDir and accessible by OMERO.server.

This is probably one of the deviations with the plugin which will use a known location under the binary repository (/OMERO/certs) by default.

[pwalczysko]

Some questions (maybe naive) in #2346 (comment) and #2346 (comment)

[pwalczysko]

See #2346 (comment)

[sbesson]

Some questions (maybe naive) in #2346 (comment) and #2346 (comment)

Thanks. A few responses inline. Overall these questions point at the mismatch between the content of this section of the documentation and the authoritative way of omero certificates in the rest of the documentation. Happy to follow OME's guidance on how to make things clearer.

[pwalczysko]

@sbesson Thank you for the clarifications. I think I understand and imho, the clarification for a more expert user (which is the target of this doc) should be sufficient after #2346 (comment) and #2346 (comment) are accepted.