Disabling HTTPS with HSTS for the OpsCenter Server

Disable HTTPS with HSTS for the OpsCenter server.

Disable HTTPS with HSTS for the OpsCenter server. To disable HTTPS without HSTS, simply comment out the SSL entries. If HTTPS is used in an HSTS environment, follow the steps in this procedure to phase out the HSTS header before altogether disabling HTTPS with HSTS.

opscenterd.conf

The location of the opscenterd.conf file depends on the type of installation:
  • Package installations: /etc/opscenter/opscenterd.conf
  • Tarball installations: install_location/conf/opscenterd.conf

Prerequisites

Removing HTTPS from an OpsCenter server is an uncommon action in production systems, but may be necessary during development and testing. HSTS complicates the process of disabling HTTPS because browsers that have recently received an HSTS header will refuse to connect to OpsCenter over unencrypted HTTP even if the HTTPS service has been disabled. When disabling HTTPS with HSTS, first lower hsts_max_age to a very small value such as 10 seconds (the default is 31536000 seconds, which equates to 1 year). Drastically lowering the value effectively disables HSTS on each browser that subsequently connects to OpsCenter and receives the updated header, ensuring that the header expires almost immediately. Continue to run OpsCenter with HTTPS enabled and a very short hsts_max_age for a sufficient period of time so that all browsers that visit OpsCenter receive the updated header. At that point, HTTPS and HSTS can be disabled entirely without disrupting the ability of supported browsers to connect to Opscenter.

If HTTPS has already been disabled and browsers are currently unable to connect to OpsCenter, the following options are available:
  • HTTPS can be re-enabled and hsts_max_age lowered as described above.
  • Manually clear the HSTS header cache in browsers. This requires visiting every browser that accesses OpsCenter, and referring to browser manufacturer documentation on clearing the HSTS header cache.

Procedure

  1. Open the OpsCenter configuration file, opscenterd.conf.
  2. In the [webserver] section, make the following changes as appropriate:
    1. If HSTS is enabled with a long max age, lower the hsts_max_age value.
    2. Save opscenterd.conf and restart OpsCenter.
    3. Run OpsCenter in this state for a while until you're confident that all browser clients have connected and received updated hsts-headers with a short max-age.
  3. Open opscenterd.conf again. Comment out the ssl and max age options. Set hsts_enabledto False (or comment out) as shown in the following example: 
    
[webserver]
port = 8888
interface = 127.0.0.1
#ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
#ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
#ssl_port = 8443
hsts_enabled = False
#hsts_max_age = 31536000
  4. Save opscenterd.conf and restart OpsCenter.
    If any clients with HSTS headers are unable to connect, either re-enable https with a short max age or consult your browser vendor docs about clearing the HSTS header cache.