SSL

From Just another day in the life of a linux sysadmin
Jump to navigation Jump to search

Cipers
AutoSSL
Lets Encrypt


TLS is the new name for SSL. Namely, SSL protocol got to version 3.0; TLS 1.0 is "SSL 3.1". TLS versions currently defined include TLS 1.1 and 1.2. Each new version adds a few features and modifies some internal details. We sometimes say "SSL/TLS".

HTTPS is HTTP-within-SSL/TLS. SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of detailed headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, then the whole is called "HTTPS".

To explain the acronyms:

"SSL" means "Secure Sockets Layer". This was coined by the inventors of the first versions of the protocol, Netscape (the company was later bought by AOL). "TLS" means "Transport Layer Security". The name was changed to avoid any legal issues with Netscape so that the protocol could be "open and free" (and published as a RFC). It also hints at the idea that the protocol works over any bidirectional stream of bytes, not just Internet-based sockets. "HTTPS" is supposed to mean "HyperText Transfer Protocol Secure", which is grammatically unsound. Nobody, except the terminally bored pedant, ever uses the translation; "HTTPS" is better thought of as "HTTP with an S that means SSL". Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS... all of them being a bare protocol that "got secured" by running it within some SSL/TLS.



Joels Handy Guide to forcing a site to use an SSL

Edit .htaccess for the site
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L]

Change domain to the domain obviously :)


SSL TLS STUFF

https://www.ssllabs.com/ssltest/

Info needed for CSR

Email: 	
Password: 	 	
Verify Password: 	
	
Host to make cert for: 	
City: 	
State: 	
Country:
(2 letter abbreviation) 	
Company Name: 	
Company Division:

Approval E-mails

webmaster@domain.com 	 	 
admin@domain.com 	 
administrator@domain.com 	 
hostmaster@domain.com 	 
postmaster@domain.com


Manual Install without WHM

http://www.thegeekstuff.com/2009/07/linux-apache-mod-ssl-generate-key-csr-crt-file/

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.

# openssl genrsa -des3 -out www.thegeekstuff.com.key 1024
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...................................................++++++
e is 73547 (0x01001)
Enter pass phrase for www.thegeekstuff.com.key:
Verifying - Enter pass phrase for www.thegeekstuff.com.key:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key

The generated private key looks like the following.

# cat www.thegeekstuff.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E

ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
-----END RSA PRIVATE KEY-----

2. Generate a Certificate Signing Request (CSR)

Using the key generate above, you should generate a certificate request file (csr) using openssl as shown below.

# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr
Enter pass phrase for www.thegeekstuff.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:The Geek Stuff
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: thegeekstuff
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr

3. Generate a Self-Signed SSL Certificate

For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command as shown below.

# openssl x509 -req -days 365 -in www.thegeekstuff.com.csr -signkey www.thegeekstuff.com.key -out www.thegeekstuff.com.crt
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=thegeekstuff/OU=IT/CN=www.thegeekstuff.com
Getting Private key
Enter pass phrase for www.thegeekstuff.com.key:

# ls -l www.thegeekstuff*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr
-rw-r--r-- 1 root root   879 Jun 13 20:43 www.thegeekstuff.com.crt

# cat www.thegeekstuff.com.crt
-----BEGIN CERTIFICATE-----
haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB
kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ
kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29
-----END CERTIFICATE-----


Canned Response

If you would like to renew this SSL certificate, please visit the account management interface's SSL dashboard at https://manage.liquidweb.com/manage/ssl and renew your certificate from the SSL dashboard by clicking the "Renew" button, selecting the renewal period and then re-verify the certificate .


Lets Encrypt

Let's Encrypt now has official cPanel support for WHM version 58 and later. Prior versions of WHM and core managed servers are still considered Best Effort and you should consult the information below for further assistance.
All that is needed to install this in WHM 58 is to run the following command:

  /scripts/install_lets_encrypt_autossl_provider


This enables letsencrypt as a provider for the autossl feature in WHM. You can disable letsencrypt using the following command:

  /scripts/uninstall_lets_encrypt_autossl_provider