Chapter 2. Configuring TLS encryption on a CUPS server
CUPS supports TLS-encrypted connections and, by default, the service enforces encrypted connections for all requests that require authentication. If no certificates are configured, CUPS creates a private key and a self-signed certificate. This is only sufficient if you access CUPS from the local host itself. For a secure connection over the network, use a server certificate that is signed by a certificate authority (CA).
Without encryption or with a self-signed certificates, a man-in-the-middle (MITM) attack can disclose, for example:
- Credentials of administrators when configuring CUPS using the web interface
- Confidential data when sending print jobs over the network
- CUPS is configured.
- You created a private key, and a CA issued a server certificate for it.
- If an intermediate certificate is required to validate the server certificate, attach the intermediate certificate to the server certificate.
- The private key is not protected by a password because CUPS provides no option to enter the password when the service reads the key.
The Canonical Name (
CN) or Subject Alternative Name (SAN) field in the certificate matches one of the following:
- The fully-qualified domain name (FQDN) of the CUPS server
- An alias that the DNS resolves to the server’s IP address
- The private key and server certificate files use the Privacy Enhanced Mail (PEM) format.
- Clients trust the CA certificate.
- If the server runs RHEL 9.2 or later and the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the TLS extension "Extended Master Secret" enforced Knowledgebase article.
/etc/cups/cups-files.conffile, and add the following setting to disable the automatic creation of self-signed certificates:
Remove the self-signed certificate and private key:
# rm /etc/cups/ssl/<hostname>.crt /etc/cups/ssl/<hostname>.key
Optional: Display the FQDN of the server:
# hostname -f server.example.com
Optional: Display the
CNand SAN fields of the certificate:
# openssl x509 -text -in /etc/cups/ssl/server.example.com.crt Certificate: Data: ... Subject: CN = server.example.com ... X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:server.example.com ...
CNor SAN fields in the server certificate contains an alias that is different from the server’s FQDN, add the
ServerAliasparameter to the
In this case, use the alternative name instead of the FQDN in the rest of the procedure.
Store the private key and server certificate in the
/etc/cups/ssl/directory, for example:
# mv /root/server.key /etc/cups/ssl/server.example.com.key # mv /root/server.crt /etc/cups/ssl/server.example.com.crtImportant
CUPS requires that you name the private key
<fqdn>.keyand the server certificate file
<fqdn>.crt. If you use an alias, you must name the files
Set secure permissions on the private key that enable only the
rootuser to read this file:
# chown root:root /etc/cups/ssl/server.example.com.key # chmod 600 /etc/cups/ssl/server.example.com.key
Because certificates are part of the communication between a client and the server before they establish a secure connection, any client can retrieve the certificates without authentication. Therefore, you do not need to set strict permissions on the server certificate file.
Restore the SELinux context:
# restorecon -Rv /etc/cups/ssl/
By default, CUPS enforces encrypted connections only if a task requires authentication, for example when performing administrative tasks on the
/adminpage in the web interface.
To enforce encryption for the entire CUPS server, add
Encryption Requiredto all
<Location>directives in the
/etc/cups/cupsd.conffile, for example:
<Location /> ... Encryption Required </Location>
# systemctl restart cups
Use a browser, and access
https://<hostname>:631/admin/. If the connection succeeds, you configured TLS encryption in CUPS correctly.
If you configured that encryption is required for the entire server, access
http://<hostname>:631/. CUPS returns an
Upgrade Requirederror in this case.
systemdjournal entries of the
# journalctl -u cups
If the journal contains an
Unable to encrypt connection: Error while reading fileerror after you failed to connect to the web interface by using the HTTPS protocol, verify the name of the private key and server certificate file.