ILWC
Tags
oracle (17)cbo (10)linux (9)index (6)shell (6)security (5)lvm (4)privacy (4)web (4)bash (3)chrome (3)c (2)extension (2)ilwc (2)javascript (2)dns (1)elisp (1)gdb (1)google (1)gpg (1)mariadb (1)mysql (1)php (1)programming (1)rman (1)script (1)sqlplus (1)storage (1)svn (1)table (1)
Month-Year
2019 - 2 (1)2019 - 1 (2)2018 - 12 (1)2018 - 11 (1)2018 - 10 (4)2018 - 9 (4)2018 - 8 (1)2018 - 7 (5)2018 - 6 (5)2018 - 5 (12)2018 - 4 (8)2018 - 3 (12)2018 - 2 (5)
Privacy Statement About ILWC
Registreer
117
securing a site with a ssl-certificate
martijn
security web 		2018-07-10 22:57:39
2018-07-10 11:30:00
2018-08-10 11:30:00
The need for a certificate started to grow. On this site I mainly write about tech-related stuff. A site wich is not even remotely secure, isn't a way to advertise that you are somewhat technical oriented....so there definitly is a need.

Also, some major browsers, are labeling http-sites as unsecure in the URL bar now. So it becomes rather visible in the browser....

I allready had some really good experiences with Let's Encrypt, so why not use them to for this site.

The certificates from Let's Encrypt can be handled by hand, but the far more convenient way is to use the certbot. The certbot is a a program which enables Let's Encrypt to ensure that the website you are requesting a certificate for is actually under your control.
Sorry...what...???
Uh.....Well, you can only request certificates for sites that are actually under your control. Somehow Let's Encrypt should make sure that you control the site you are requesting a certificate for. And that is one of the tasks that the cert bot performs. For a very clear explanation take a look at how it works.

The process is as follows:
  1. Install the cert-bot (for apache) 
    [root@bloemkool conf]# dnf list certbot
Last metadata expiration check: 2:10:14 ago on Tue 10 Jul 2018 08:59:51 PM CEST.
Installed Packages
certbot.noarch                                             0.25.1-3.fc28                                             @updates
[root@bloemkool conf]# dnf info certbot
Last metadata expiration check: 2:10:37 ago on Tue 10 Jul 2018 08:59:51 PM CEST.
Installed Packages
Name         : certbot
Version      : 0.25.1
Release      : 3.fc28
Arch         : noarch
Size         : 23 k
Source       : certbot-0.25.1-3.fc28.src.rpm
Repo         : @System
From repo    : updates
Summary      : A free, automated certificate authority client
URL          : https://pypi.python.org/pypi/certbot
License      : ASL 2.0
Description  : certbot is a free, automated certificate authority that aims
             : to lower the barriers to entry for encrypting all HTTP traffic on the internet.

[root@bloemkool conf]#
    When I decided to write this up, the screen with the install log was allready gone. But....dnf (Fedora/redhat fanboy :-)) works great, and the certbot installed without a problem.
  2. Make sure you have the virtual hosts in place in your httpd.conf
  3. Run the certbot
    The site ilwc.nl was allready done, so I'll show here the securing of www.ilwc.nl (The green is my input): 
    [root@bloemkool letsencrypt]# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: ilwc.nl
2: www.ilwc.nl
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.ilwc.nl
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.ilwc.nl/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.ilwc.nl/privkey.pem
   Your cert will expire on 2018-10-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
[root@bloemkool letsencrypt]#
  4. Let's see what the certbot added: 
        SSLCertificateFile /etc/letsencrypt/live/ilwc.nl/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ilwc.nl/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
  5. Restart your webserver
Hopefully you are looking at a website wich is more secure now.

Also hopefully I demonstrated here how very easy it is to create a more secure website with aid of Let's Encrypt. Go out there....and secure the web.



836 martijn 2018-07-12 09:04:49
What I forgot:
SSLEngine on

The above should also be in the virtual host configuration.
Otherwise, there would be no SSL at all.