Securing a site with an SSL certificate
martijn
security web
The need for a certificate started to grow. On this site I mainly write about tech-related stuff. A site which is not even remotely secure isn't a way to advertise that you are somewhat technically oriented... so there definitely is a need.

Also, some major browsers are now labeling HTTP sites as not secure in the URL bar. So it becomes rather visible in the browser...

I already had some really good experiences with Let's Encrypt, so why not use them for this site too.

The certificates from Let's Encrypt can be handled by hand, but the far more convenient way is to use certbot. Certbot is a program which enables Let's Encrypt to ensure that the website you are requesting a certificate for is actually under your control.
Sorry...what...???
Uh... Well, you can only request certificates for sites that are actually under your control. Somehow Let's Encrypt has to make sure that you control the site you are requesting a certificate for. And that is one of the tasks that certbot performs. For a very clear explanation take a look at how it works.
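The control check described above is the http-01 challenge that shows up in the certbot output further down. The following is an added example, not part of the original post and not certbot's code: it plays both sides locally, with the ACME client publishing a key authorization (RFC 8555) under `/.well-known/acme-challenge/` and the CA fetching it over plain HTTP. The account keys, the token and the local server are constructed stand-ins.

```python
import base64, hashlib, http.client, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
PREFIX = "/.well-known/acme-challenge/"  # path fixed by RFC 8555, section 8.3

def jwk_thumbprint(jwk):
    # RFC 7638: SHA-256 over the required RSA members, keys sorted, no whitespace
    members = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token, account_jwk):
    return token + "." + jwk_thumbprint(account_jwk)  # token bound to account key

def serve_challenge(token, body):
    """Web server side: publish body at PREFIX + token on a free local port."""
    class Handler(BaseHTTPRequestHandler):
        log_message = lambda self, *args: None  # keep the demo quiet
        def do_GET(self):
            found = self.path == PREFIX + token
            self.send_response(200 if found else 404)
            self.end_headers()
            self.wfile.write(body.encode() if found else b"")
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def ca_validate(host, port, token, account_jwk):
    """CA side: fetch the file over plain HTTP and compare it with the expected value."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", PREFIX + token)
        resp = conn.getresponse()
        served = resp.read().decode().strip()
    except (OSError, http.client.HTTPException):
        return False  # unreachable or broken server: validation fails closed
    return resp.status == 200 and served == key_authorization(token, account_jwk)

def demo():
    account = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-A"}  # not a real key
    other = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-B"}    # second account
    token = "constructed-token-123"  # real tokens are random, chosen by the CA
    server = serve_challenge(token, key_authorization(token, account))
    checks = [(token, account), (token, other), ("no-such-token", account)]
    results = tuple(ca_validate(*server.server_address, t, k) for t, k in checks)
    server.shutdown()
    return results

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The second check fails because the published value carries the thumbprint of a different account key, and the third because nothing is served for a token the CA did not issue.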

The process is as follows:
  1. Install certbot (for Apache)
    [root@bloemkool conf]# dnf list certbot
    Last metadata expiration check: 2:10:14 ago on Tue 10 Jul 2018 08:59:51 PM CEST.
    Installed Packages
    certbot.noarch                                             0.25.1-3.fc28                                             @updates
    [root@bloemkool conf]# dnf info certbot
    Last metadata expiration check: 2:10:37 ago on Tue 10 Jul 2018 08:59:51 PM CEST.
    Installed Packages
    Name         : certbot
    Version      : 0.25.1
    Release      : 3.fc28
    Arch         : noarch
    Size         : 23 k
    Source       : certbot-0.25.1-3.fc28.src.rpm
    Repo         : @System
    From repo    : updates
    Summary      : A free, automated certificate authority client
    URL          : https://pypi.python.org/pypi/certbot
    License      : ASL 2.0
    Description  : certbot is a free, automated certificate authority that aims
                 : to lower the barriers to entry for encrypting all HTTP traffic on the internet.
    
    [root@bloemkool conf]#
    
    When I decided to write this up, the screen with the install log was already gone. But... dnf (Fedora/Red Hat fanboy :-)) works great, and certbot installed without a problem.
  2. Make sure you have the virtual hosts in place in your httpd.conf
  3. Run the certbot
    The site ilwc.nl was already done, so I'll show here the securing of www.ilwc.nl (The green is my input):
    [root@bloemkool letsencrypt]# certbot
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    
    Which names would you like to activate HTTPS for?
    -------------------------------------------------------------------------------
    1: ilwc.nl
    2: www.ilwc.nl
    -------------------------------------------------------------------------------
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 2
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for www.ilwc.nl
    Waiting for verification...
    Cleaning up challenges
    Deploying Certificate to VirtualHost /etc/httpd/conf/httpd.conf
    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    -------------------------------------------------------------------------------
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/www.ilwc.nl/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/www.ilwc.nl/privkey.pem
       Your cert will expire on 2018-10-08. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
    [root@bloemkool letsencrypt]#
    
  4. Let's see what the certbot added:
        SSLCertificateFile /etc/letsencrypt/live/ilwc.nl/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ilwc.nl/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    
  5. Restart your webserver
Hopefully you are looking at a website which is more secure now.

Also, hopefully I demonstrated here how very easy it is to create a more secure website with the aid of Let's Encrypt. Go out there... and secure the web.



836 martijn 2018-07-12 09:04:49
What I forgot:
SSLEngine on

The above should also be in the virtual host configuration.
Otherwise, there would be no SSL at all.