Free SSL for your server

Get free SSL from letsencrypt.org on your server. This full how-to takes us step-by-step on CentOS 7.  letsencrypt.org is a Certificate Authority (CA) on a mission to encrypt the web.  So letsencrypt this blog.

Install letsencrypt utility

First, let's get the letsencrypt utility onto the server:

# from https://letsencrypt.org/howitworks/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sudo ./letsencrypt-auto --help

Generate an SSL Certificate

The first run used yum, without asking, to install python-devel and python-virtualenv.  I love the mission, but that didn't build any trust with me.  Looking at the options for letsencrypt, there's a "certonly" parameter that just generates the SSL certificate.  Then I can install it into the webserver myself.  I'm very particular about my apache config files, so that option is for me.

./letsencrypt-auto certonly
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: sudo /home/mjackson/.local/share/letsencrypt/bin/letsencrypt certonly

Running as an unprivileged user, the first thing the program does is elevate privileges to root, taking advantage of my sudoers settings.  Again, without asking.  Not pleased.  Then it starts a tk-based GUI.  I follow the prompts:

Reasonable enough. I read the entire TOS... I promise...


They need my email address for the certificate. This seems reasonable.


I stopped here for a minute and did some digging.  letsencrypt doesn't want to support wildcard certs.  That means I can't generate a *.mitchjacksontech.com certificate that will validate for any subdomain created later.  This is a slight inconvenience, but not a show-stopper.  I'll specify the root domain and the www. (and anything else I might use, like owncloud. or wiki.).

There's a lot of crying over this in internet discussions, proving that sysadmins can be stupid babies too.  If you have a complicated application requiring a wildcard for a corporation, buy one.  It will not bust your IT budget.  Because of the potential for abuse, a full list of all domains to be used is perfectly reasonable.


Somebody teach this letsencrypt program some proper manners, please.  Now it wants to run its own webserver on port 80.  Again, without asking.  Apache is already running, so it complains and quits.

I have to stop the web server while running this program for it to complete.

# free port 80 for the client's standalone webserver, then re-run certonly
sudo systemctl stop httpd
sudo ./letsencrypt-auto certonly

When it's time to restart the server, of course...

sudo systemctl start httpd


It returns directly to the domain list. Convenient.


Fantastic.  The cert has been saved to disk.

Update the apache web server config

Seems the cert expires three months from now.  I'll have to add an entry into my calendar to re-run this utility before then.  I'll have to keep that calendar on any server I use their certificate service for.  If I forget, the websites will show users expired certificate errors.  Perhaps this can be automated, using a cpan package to automatically answer the prompts.
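The renewal run can indeed be scripted. The script below is an added example and is not part of the original post: it wraps the same stop-Apache, certonly, start-Apache sequence used above, but only renews when the certificate in /etc/letsencrypt/live/<domain>/cert.pem is within 30 days of its notAfter date, so a weekly cron job can call it safely. The clone location (LE_BIN), the contact address, the 30-day threshold, and the client flags --standalone, --non-interactive, --agree-tos, --email and --renew-by-default are assumptions about the client as it shipped at the time; check ./letsencrypt-auto --help against your version.

```shell
#!/bin/bash
# Added example, not from the original post: unattended renewal for the
# certonly flow described above. Paths follow the post (CentOS 7, certificate
# under /etc/letsencrypt/live/<domain>); LE_BIN, EMAIL and RENEW_WITHIN_DAYS
# are assumptions to adjust for your own server.

DOMAIN="mitchjacksontech.com"
EMAIL="admin@example.com"                      # assumed contact address
LE_BIN="$HOME/letsencrypt/letsencrypt-auto"    # assumed clone location
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
RENEW_WITHIN_DAYS=30                           # renew when this close to expiry

# Convert a notAfter date as `openssl x509 -enddate` prints it
# (e.g. "Mar  1 00:00:00 2016 GMT") into whole days from now.
# NOW_EPOCH may be preset to make the arithmetic reproducible.
days_from_enddate() {
  local expiry_epoch now_epoch
  expiry_epoch=$(date -u -d "$1" +%s) || return 2
  now_epoch=${NOW_EPOCH:-$(date -u +%s)}
  echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Days until the certificate file $1 expires; negative once it has expired.
days_until_expiry() {
  local not_after
  not_after=$(openssl x509 -noout -enddate -in "$1") || return 2
  days_from_enddate "${not_after#notAfter=}"
}

# The standalone authenticator needs port 80, so Apache is stopped for the
# run and started again whether or not the renewal succeeded. A failed run
# leaves the previous certificate files in place.
renew_if_needed() {
  local days rc
  days=$(days_until_expiry "$LIVE_DIR/cert.pem") || return 1
  if [ "$days" -gt "$RENEW_WITHIN_DAYS" ]; then
    echo "$DOMAIN: certificate valid for $days more days, nothing to do"
    return 0
  fi
  systemctl stop httpd
  "$LE_BIN" certonly --standalone --non-interactive --agree-tos \
    --email "$EMAIL" --renew-by-default \
    -d "$DOMAIN" -d "www.$DOMAIN"
  rc=$?
  systemctl start httpd
  if [ "$rc" -ne 0 ]; then
    echo "$DOMAIN: renewal failed (exit $rc); old certificate still in use" >&2
    return "$rc"
  fi
  echo "$DOMAIN: certificate renewed, Apache restarted"
}

# Only act when invoked as `renew-cert.sh run`, so the functions above
# can also be sourced and checked on their own.
if [ "${1:-}" = "run" ]; then
  renew_if_needed
fi
```

Call it from root's crontab as renew-cert.sh run, weekly is plenty for a 90-day certificate. Presetting NOW_EPOCH lets you verify the date arithmetic against a constructed notAfter string without touching a real certificate, and because the client is only invoked when the threshold is crossed, the site is only down for the few seconds the renewal itself takes.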

I'm a fan of the frequent certificate turn-around time.  This means any network interceptor that puts work onto cracking recorded SSL traffic would need to re-hack the data flow quarterly.

Now it's time to configure the web server to use the certificate.  (If you're interested in strong security, you should also review the SSL settings themselves.  I'm going to use the CentOS defaults for this blog.)

A new VirtualHost directive needs to be added to your apache configuration.  The new one will be listening on port 443.

<VirtualHost *:443>
  DocumentRoot /var/www/mitchjacksontech.com
  ServerName mitchjacksontech.com
  ServerAlias www.mitchjacksontech.com

  CustomLog /var/log/httpd/mitchjacksontech.com.access.log combined
  ErrorLog  /var/log/httpd/mitchjacksontech.com.error.log

  SSLEngine on
  # letsencrypt writes the leaf certificate, the private key and the
  # issuer chain as separate files under /etc/letsencrypt/live/<domain>/
  SSLCertificateFile    /etc/letsencrypt/live/mitchjacksontech.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mitchjacksontech.com/privkey.pem
  # chain.pem holds only the intermediate(s).  fullchain.pem also contains
  # cert.pem, and the Apache shipped with CentOS 7 (2.4.6) would send the
  # leaf certificate twice if fullchain.pem were given here.
  SSLCertificateChainFile /etc/letsencrypt/live/mitchjacksontech.com/chain.pem

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
  </FilesMatch>
</VirtualHost>

I want all visitors to be redirected to the encrypted site from now on.  To do this, I replace the original VirtualHost directive on port 80 with this section:

<VirtualHost *:80>
  ServerName mitchjacksontech.com
  ServerAlias www.mitchjacksontech.com
  Redirect permanent / https://mitchjacksontech.com/
</VirtualHost>

The final steps are to test the new config files and restart the server.

$> sudo httpd -t
Syntax OK

$> sudo systemctl restart httpd

Success!

Your sessions viewing my blog are now fully encrypted without an expensive and irritating SSL cert from a traditional security vendor.

Now get this done on your own servers.  Full docs for letsencrypt are at letsencrypt.org.