the itjerk

my adventures with technology

Tag Archives: ssl

caa records

If you bother to read CAA Mandated by CA/Browser Forum, you’ll learn that CAA (Certificate Authority Authorization), a standard designed to stop bad actors from obtaining unauthorized SSL/TLS certificates, has been mandatory since September 2017. CAA records allow domain owners to specify which Certificate Authorities (CAs) are permitted to issue certificates for their domain. This is achieved by adding CAA information to your domain’s DNS records at your host.

Good news. My host added this functionality, and it’s now a simple process to identify who can issue an SSL certificate for your domain. In my case, it’s letsencrypt.org. Now my SSL rating has gone up. Legit.
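As an added example (not code from the original post), here is the decision a CA has to make from CAA data, in Python: find the governing record set by climbing the name, honour the critical flag, and match the issuer domain. The zone contents are constructed; example.org and every CA name other than letsencrypt.org are placeholders.

```python
"""CAA authorization check (RFC 6844 / RFC 8659), over a constructed zone.

Added example, not code from the original post. The ZONE dict stands in for
live DNS; every name and record in it is made up for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property as "issuer critical"
    tag: str     # property: "issue", "issuewild", "iodef", ...
    value: str   # CA identifier such as "letsencrypt.org"; ";" means no CA at all

ZONE = {
    "example.org": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.org")],
    "wild.example.org": [CAA(0, "issuewild", ";")],       # no wildcard certs here
    "locked.example.org": [CAA(128, "future-tag", "x")],  # unknown critical property
}

def relevant_rrset(name):
    """The CAA RRset that governs `name`: its own, or the closest ancestor's."""
    labels = name.lower().rstrip(".").split(".")
    while len(labels) > 1:                      # stop before the TLD
        rrset = ZONE.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_domain(value):
    """The CA identifier is everything before ';'; parameters are ignored here."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca, wildcard=False):
    """True if CA `ca` is allowed to issue a certificate for `name`."""
    rrset = relevant_rrset(name)
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False                            # critical and not understood: refuse
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                       # issuewild overrides issue for wildcards
    records = [r for r in rrset if r.tag.lower() == tag]
    if not records:
        return True                             # no applicable restriction published
    return any(issuer_domain(r.value) == ca.lower() for r in records)
```

Note that a record set containing only issuewild restricts wildcard requests and nothing else, and that a name without any CAA data up the tree is unrestricted.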


ssl 24/7

While I’ve had ssl on my website for some time (for anything login related), I had never enabled it by default. First, I had to install the patch for the Video Filter module to make it work with https connections to YouTube. Then, using the developer tools built into Chrome, I found I had an http link to a Facebook logo (I have no idea why it isn’t local). That had to be fixed in the site’s theme. Finally, I found I had the remnants of ShareThis in a block. Although I deleted the module eons ago, I forgot about the block (which is how it appears on a page). Thankfully, those developer tools in Chrome made it plain as day. Now that all that was fixed, I edited the .htaccess file for the site, and entered the following to force https connections. (Remember to restart Apache after you edit .htaccess.)

RewriteEngine On
# Requests that arrived on port 80 are redirected to the same path over https
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mywebsite.com/$1 [R,L]

With a free certificate from Let’s Encrypt, why not enable ssl? Oddly enough, only Chrome, Firefox and Microsoft browsers make it obvious when your connection to a website is secure. What’s up with that, Apple?
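An added example, not code from the original post, of the check those developer tools were doing by hand: a small Python scanner that flags the http:// sub-resources (images, scripts, stylesheets, frames) that stop a page from being fully https. The sample HTML and its hostnames are constructed.

```python
"""Find http:// sub-resources on an HTTPS page (mixed content).

Added example, not code from the original post; SAMPLE is constructed to mimic
the http logo image and leftover widget script described above (placeholder hosts).
"""
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource. Navigational <a href>
# is left out on purpose: linking to http is fine, loading from it is not.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                      # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for attr in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name != attr or not value:
                    continue
                # srcset is "url descriptor, url descriptor"; anything else is one URL
                candidates = value.split(",") if attr == "srcset" else [value]
                for cand in candidates:
                    url = cand.split()[0] if cand.split() else ""
                    if url.lower().startswith("http://"):   # "//host/..." inherits https
                        self.findings.append((tag, attr, url))

def find_mixed_content(html):
    """Return [(tag, attribute, url)] for every http:// resource in the HTML."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = """<html><head>
<link rel="stylesheet" href="https://mywebsite.com/theme.css">
<script src="http://widget.example/sharethis.js"></script>
</head><body>
<a href="http://www.example.com/">a plain link is not mixed content</a>
<img src="//cdn.example/logo.png" alt="scheme-relative is fine">
<img src="http://static.example/facebook-logo.png" alt="mixed content">
<img srcset="https://cdn.example/a.png 1x, http://cdn.example/a@2x.png 2x">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""
```

Run find_mixed_content(SAMPLE) and you get the three offenders (the widget script, the logo, and the 2x srcset candidate) while the plain link and the scheme-relative image pass.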

let’s encrypt – free ssl

Let’s Encrypt is “a free, automated, and open certificate authority” from the ISRG (and now apparently the EFF), and a growing list of technology big names. And in the sounds-too-good-to-be-true department, they offer not only free ssl certificates but an easy-to-use tool that configures your web server, ACME (Automated Certificate Management Environment), in just a few easy steps. Encrypting web traffic should be used not only on sites running e-commerce or email, but wherever passwords are involved.

First step is to install the client via git:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Then run the config:

cd /opt/letsencrypt
./letsencrypt-auto --apache -d yoursite.com

The client will ask a few questions about the certificate you want to install. Most importantly, remember that you probably need to apply it to your default-ssl.conf. To test your new certificate, use the SSL Labs website:

https://www.ssllabs.com/ssltest/analyze.html?d=yoursite.com&latest

The tutorial below even shows you how to add renewal to cron for set-and-forget ease. Remember to git pull (and git stash any local changes) to keep everything up to date. And most of all, it’s a free service!

On the web:

Let’s Encrypt – Free SSL/TLS Certificates

How To Secure Apache with Let’s Encrypt on Ubuntu 14.04

ssl and your server

Setting up ssl on your server is quite easy. Getting everything to work correctly is also pretty easy, especially with some good guidance. Why use ssl? Because it encrypts traffic so no one can listen in on it. Really, it's that simple. Just as closing open ports protects a server, encrypting packets keeps your traffic secure.

I purchased an ssl certificate from Go Daddy because it was $5.99/year. That's cheap. They have pretty good instructions on their site on how to generate it, but the gist of the matter is to first generate a key, then have your ssl provider verify who you are and generate a certificate that matches that key. You'll also need an intermediate certificate (certificate authority or "ca") from the ssl provider.

Once you have the certificate, you'll need to set it up on your server. Easy enough: just copy the key, cert and ca files to /path/to/your/certs, and make sure the permissions are 600 for each file. Once installed, you'll then need to configure services to use the cert, setting a path to the crt, key and ca files. Also remember to open any ports on your server in your firewall so you can get there in the first place (like 443 for https)!

For Apache2, you'll need to copy your /etc/apache2/sites-available/default file to /etc/apache2/sites-available/default-ssl and configure it for ssl. The salient parts are:

SSLCertificateFile /path/to/file/myserver.com.crt
SSLCertificateKeyFile /path/to/file/myserver.com.key
SSLCertificateChainFile /path/to/file/ca_bundle.crt

Once that's done, restart Apache, and modify .htaccess if you want to force https browsing.
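An added example, not code from the original post: a Python pre-flight check for the three directives above that confirms each file exists, is the right kind of PEM (a swapped cert/key path is a common slip) and that the key is mode 600 as recommended earlier. The file contents it writes are constructed placeholders, not real keys or certificates.

```python
"""Sanity-check the cert, key and chain files an Apache SSL vhost points at.

Added example, not code from the original post. Each file must exist, carry the
PEM type its directive expects (catches swapped paths), and the key must be 0600.
"""
import os
import re
import stat
import tempfile

DIRECTIVE_RE = re.compile(r'^\s*(SSLCertificate(?:Key|Chain)?File)\s+"?([^"\s]+)', re.M)
# PEM marker per directive; the key marker also matches RSA/EC/ENCRYPTED PRIVATE KEY.
EXPECTED_PEM = {
    "SSLCertificateFile": "-----BEGIN CERTIFICATE-----",
    "SSLCertificateChainFile": "-----BEGIN CERTIFICATE-----",
    "SSLCertificateKeyFile": "PRIVATE KEY-----",
}

def check_ssl_files(vhost_text):
    """Return a list of problems; an empty list means everything checked out."""
    paths = {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(vhost_text)}
    problems = [f"{d} is not set" for d in EXPECTED_PEM if d not in paths]
    for directive, path in paths.items():
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                head = fh.read(4096)
        except OSError as exc:
            problems.append(f"{directive}: cannot read {path} ({exc.strerror})")
            continue
        if EXPECTED_PEM[directive] not in head:
            problems.append(f"{directive}: {path} is not the expected PEM type")
        if directive == "SSLCertificateKeyFile":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:                      # any group or other bit set
                problems.append(f"{directive}: {path} is mode {mode:04o}, should be 0600")
    return problems

def demo(key_mode=0o600, swap=False):
    """Write constructed PEM-shaped files to a temp dir and check a vhost snippet
    pointing at them; swap=True aims the key directive at the certificate."""
    d = tempfile.mkdtemp()
    crt, key, ca = (os.path.join(d, n) for n in ("myserver.com.crt", "myserver.com.key", "ca_bundle.crt"))
    for path, kind in ((crt, "CERTIFICATE"), (ca, "CERTIFICATE"), (key, "RSA PRIVATE KEY")):
        with open(path, "w") as fh:
            fh.write(f"-----BEGIN {kind}-----\nCONSTRUCTED-NOT-REAL\n-----END {kind}-----\n")
    os.chmod(key, key_mode)
    vhost = (f"SSLCertificateFile {crt}\nSSLCertificateKeyFile {crt if swap else key}\n"
             f"SSLCertificateChainFile {ca}\n")
    return check_ssl_files(vhost)
```

To check a real vhost, pass the contents of default-ssl to check_ssl_files(); demo() only exercises it against throwaway files.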

For Dovecot, edit /etc/dovecot.conf and ensure the following are there:

ssl = required
# Dovecot 2.x syntax: the leading "<" means "read the file's contents"
ssl_cert = </path/to/file/myserver.com.crt
ssl_key = </path/to/file/myserver.com.key
# ssl_ca is only used to verify client certificates; to send the intermediate
# to clients, append ca_bundle.crt to the file named in ssl_cert instead
ssl_ca = </path/to/file/ca_bundle.crt

Finally, you can test your ssl installation at DigiCert by providing hostname.com:port. You'll want to check 443, pop3s or imaps.

You can also test your ssl installation with the openssl command, e.g.:

openssl s_client -connect myserver.com:port -servername myserver.com