Get free SSL from letsencrypt.org on your server. This full how-to takes us step-by-step on CentOS 7. letsencrypt.org is a Certificate Authority (CA) on a mission to encrypt the web. So letsencrypt this blog.
Install letsencrypt utility
First, let's get the letsencrypt utility onto the server:

```shell
# from https://letsencrypt.org/howitworks/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sudo ./letsencrypt-auto --help
```
Generate an SSL Certificate
The first run used yum, without asking, to install python-devel and python-virtualenv. I love the mission, but that didn't build any trust with me. Looking at the options for letsencrypt, there's a "certonly" parameter that just generates the SSL certificate. Then I can install it into the webserver myself. I'm very particular about my apache config files, so that option is for me.
```
./letsencrypt-auto certonly
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: sudo /home/mjackson/.local/share/letsencrypt/bin/letsencrypt certonly
```
Running as an unprivileged user, the first thing the program does is elevate privileges to root, taking advantage of my sudoers settings. Again, without asking. Not pleased. Then it starts a tk-based GUI. I follow the prompts:
Reasonable enough. I read the entire TOS... I promise...
They need my email address for the certificate. This seems reasonable.
I stopped here for a minute and did some digging. letsencrypt doesn't want to support wildcard certs. That means I can't generate a *.mitchjacksontech.com certificate that will validate for any subdomain created later. This is a slight inconvenience, but not a show-stopper. I'll specify the root domain, and the www. (and anything else I might use, like owncloud. or wiki.)
There's a lot of crying over this in internet discussions, proving that sysadmins can be stupid babies too. If you have a complicated application requiring a wildcard for a corporation, buy one. It will not bust your IT budget. Because of the potential for abuse, a full list of all domains to be used is perfectly reasonable.
Somebody teach this letsencrypt program some proper manners, please. Now it wants to run its own webserver on port 80. Again, without asking. Apache is already running, so it complains and quits.
I have to stop the web server while running this program for it to complete.
```shell
sudo systemctl stop httpd
sudo ./letsencrypt-auto
```
When it's time to restart the server, of course...
```shell
sudo systemctl start httpd
```
It returns directly to the domain list. Convenient.
Fantastic. The cert has been saved to disk.
Update the apache web server config
Seems the cert expires three months from now. I'll have to add an entry into my calendar to re-run this utility before then. I'll have to keep that calendar on any server I use their certificate service for. If I forget, the websites will show users expired certificate errors. Perhaps this can be automated, using a CPAN package to automatically answer the prompts.
I'm a fan of the frequent certificate turn-around time. This means any network interceptor that puts work into cracking recorded SSL traffic would need to re-hack the data flow quarterly.
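The calendar entry can be replaced by a cron job. As an added example (not the blog's or the letsencrypt project's code), this script reads the expiry date from the saved cert with openssl and, when less than a month remains, runs the same stop httpd / certonly / start httpd sequence from above, bringing Apache back even if the client fails. The domain, clone path, 30-day threshold and the `--standalone`/`-d` flags are assumptions.

```python
#!/usr/bin/env python3
"""Renew the certificate before it lapses (added example, not the letsencrypt
project's code). Assumptions: the cert lives under the live/ path the client
created, openssl and systemctl are on PATH, and this runs from a root cron job."""
import subprocess
from datetime import datetime, timezone

DOMAIN = "example.com"                                   # placeholder domain
CERT = "/etc/letsencrypt/live/%s/cert.pem" % DOMAIN
LETSENCRYPT_AUTO = "/opt/letsencrypt/letsencrypt-auto"   # assumed clone location
RENEW_WHEN_DAYS_LEFT = 30                                # assumption: a month of slack


def parse_not_after(enddate_line):
    """Parse 'notAfter=Dec 31 23:59:59 2015 GMT', the line that
    'openssl x509 -noout -enddate' prints, into a naive UTC datetime.
    openssl pads single-digit days ('Jan  9'); strptime tolerates that."""
    _, _, value = enddate_line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def days_remaining(enddate_line, now):
    """Whole days from 'now' (naive UTC) until the certificate expires."""
    return (parse_not_after(enddate_line) - now).days


def needs_renewal(enddate_line, now, threshold=RENEW_WHEN_DAYS_LEFT):
    return days_remaining(enddate_line, now) < threshold


def current_enddate(cert_path):
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path])
    return out.decode()


def renew():
    """The blog's stop/renew/start sequence. 'finally' guarantees httpd comes
    back even when the client fails; otherwise the site stays down."""
    subprocess.check_call(["systemctl", "stop", "httpd"])
    try:
        subprocess.check_call([LETSENCRYPT_AUTO, "certonly", "--standalone",
                               "-d", DOMAIN, "-d", "www." + DOMAIN])
    finally:
        subprocess.check_call(["systemctl", "start", "httpd"])


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    if needs_renewal(current_enddate(CERT), now):
        renew()
```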
Now it's time to configure the web server to use the certificate. (If you're interested in strong security, you should review the SSL configuration. I'm going to use the CentOS defaults for this blog.)
A new VirtualHost directive needs to be added to your Apache configuration, listening on port 443.

```apache
<VirtualHost *:443>
    DocumentRoot /var/www/mitchjacksontech.com
    ServerName mitchjacksontech.com
    CustomLog /var/log/httpd/mitchjacksontech.com.access.log combined
    ErrorLog /var/log/httpd/mitchjacksontech.com.error.log

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mitchjacksontech.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mitchjacksontech.com/privkey.pem
    # chain.pem holds only the intermediate(s); fullchain.pem repeats cert.pem
    # and is meant for SSLCertificateFile on Apache 2.4.8+, not for the chain
    SSLCertificateChainFile /etc/letsencrypt/live/mitchjacksontech.com/chain.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>
```
I want all visitors to be redirected to the encrypted site from now on. To do this, I replace the original VirtualHost directive on port 80 with this section:
```apache
<VirtualHost *:80>
    ServerName mitchjacksontech.com
    ServerAlias www.mitchjacksontech.com
    Redirect permanent / https://mitchjacksontech.com/
</VirtualHost>
```
The final steps are to test the new config files and restart the server.
```
$> sudo httpd -t
Syntax OK
$> sudo systemctl restart httpd
```
Your sessions viewing my blog are now fully encrypted without an expensive and irritating SSL cert from a traditional security vendor.
Now get this done on your own servers. Full docs for letsencrypt are at letsencrypt.org.