
SSL Connection

There is a general trend towards making all websites available over HTTPS. For public-facing sites, Google will take into account whether sites use HTTPS as part of their ranking algorithm. On internal sites, users are starting to expect a more secure connection. Even if your users aren’t asking for HTTPS, sometimes the right thing to do is lead them by the hand.

It Wasn’t Easy…

To provide an HTTPS connection, the site needs a TLS certificate (formerly known as an SSL certificate). Historically, there were two options for obtaining one:

  • Buy a certificate from one of the big Certificate Authorities (CA), such as Comodo; or
  • Use a “self-signed” certificate

The issues around buying a certificate from one of the major Certificate Authorities include:

  • Cost
  • Complexity – they required someone to generate a Certificate Signing Request (CSR) and submit it to the CA. Once the certificate was issued, it needed to be added to the web server configuration
  • Reliance on email – the CA would typically send an email to a predetermined address on the domain in question. That email would contain a link which, when clicked, would authorise the CA to issue the certificate. In these days of spam and email filtering, actually receiving that email can be one of the more challenging steps.
  • Time – to carry out the above actions requires time from a number of people, including waiting for that email.

Using a self-signed certificate avoids the cost, but still requires the other steps. In addition, unless you jump through some hoops, users will have to “accept” the certificate when they first visit the site.

…But It’s Easier Now

In 2014, a number of companies including the Electronic Frontier Foundation, Mozilla and Cisco created Let’s Encrypt, a Certificate Authority that provides free certificates. These are “only” domain-validated certificates, as the process for such certificates can be fully automated (Organization Validation and Extended Validation certificates are unlikely to be made available). However, domain-validated certificates are perfectly adequate for the vast majority of cases.

The certificates are valid for 90 days, which initially sounds like a very short period, but the beauty of the system is that it is relatively straightforward to arrange for them to be automatically renewed. Once set up, when the certificates have only a predetermined number of days of validity remaining, they are renewed transparently.

The necessary software – all Open Source – is already part of the Debian Linux distribution, and is available for download on other distributions.

Setting Up Let’s Encrypt on Debian

Here’s a quick summary of the steps needed to set up Let’s Encrypt on Debian (Jessie and later).

  • Download or otherwise install the dehydrated client:
apt-get install dehydrated

  • Add configuration in /etc/dehydrated/config:

# dehydrated main configuration
CONFIG_D=/etc/dehydrated/conf.d
BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
  • Create /etc/dehydrated/domains.txt and add domains, one line per certificate and with space-separated subjectAltName. For example:
mail.example.com
www.example.com example.com
  • Publish /var/lib/dehydrated/acme-challenges as /.well-known/acme-challenge to the world. Note that this must be accessible via HTTP (port 80). Use the dehydrated-apache2 package, or manual configuration; for example, in Apache:
# /etc/apache2/conf-available/acme-challenge.conf
Alias /.well-known/acme-challenge /var/lib/dehydrated/acme-challenges
<Directory /var/lib/dehydrated/acme-challenges>
Require all granted
AllowOverride none
DirectoryIndex off
</Directory>
  • Run dehydrated -c to request the certificates, which will end up in /var/lib/dehydrated/certs.
  • For ongoing renewal, dehydrated should be run in cron mode (-c) on a regular basis. This will renew certificates with less than 30 days’ validity remaining, so for example /etc/cron.weekly/dehydrated might be:
#!/bin/sh

/usr/bin/dehydrated -c | logger -t "dehydrated" --
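
Before the first dehydrated -c, and whenever domains.txt changes, it is worth checking that the domain list is well-formed and that the challenge path published in the step above is really reachable over plain HTTP, since a mistake there only shows up later as a failed validation. The following POSIX sh script is an added example, not part of dehydrated or the Debian packages; it assumes the paths used in the configuration above and that curl is installed.

```shell
#!/bin/sh
# Pre-flight checks for the dehydrated setup above (added example, not part of
# dehydrated). Paths default to the configuration above; override via environment.
DOMAINS_TXT="${DOMAINS_TXT:-/etc/dehydrated/domains.txt}"
WELLKNOWN="${WELLKNOWN:-/var/lib/dehydrated/acme-challenges}"

# Validate a domains.txt (one certificate per line: "<name> [<san> ...]").
# Prints one message per problem and returns 1 if any were found.
check_domains_file() {
    awk '
        BEGIN { bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            if ($1 in seen) { print "line " NR ": duplicate certificate name " $1; bad = 1 }
            seen[$1] = 1
            for (i = 1; i <= NF; i++) {
                if (index($i, "*") > 0) {
                    # http-01 (the port-80 challenge used above) cannot validate wildcards
                    print "line " NR ": " $i " is a wildcard name, not issuable via http-01"; bad = 1
                } else if ($i !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/) {
                    print "line " NR ": " $i " is not a fully qualified hostname"; bad = 1
                }
            }
        }
        END { exit bad }' "$1"
}

# Confirm that /.well-known/acme-challenge/ on a host really serves files from
# WELLKNOWN over plain HTTP, the way the CA will fetch them. Uses a throwaway
# token rather than a real challenge.
probe_challenge_path() {
    token="preflight-$$-$(date +%s)"
    printf 'ok\n' > "$WELLKNOWN/$token" || return 2
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$WELLKNOWN/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "ok" ]
}

# Run both checks for every name in domains.txt; stops at the first failure.
preflight() {
    check_domains_file "$DOMAINS_TXT" || return 1
    awk 'NF > 0 && $1 !~ /^#/ { for (i = 1; i <= NF; i++) print $i }' "$DOMAINS_TXT" |
    while read -r host; do
        probe_challenge_path "$host" || { echo "challenge path not reachable for $host" >&2; exit 1; }
    done
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as sh acme-preflight.sh run on the web server itself; a non-zero exit means either domains.txt needs fixing or the Alias for the challenge directory is not being served on port 80.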

Using The Certificates

The certificates will be created in /var/lib/dehydrated/certs/$DOMAIN/. An Apache configuration example:

SSLEngine On
# fullchain.pem holds the certificate plus the Let's Encrypt intermediate;
# both files live under the BASEDIR set in /etc/dehydrated/config above.
SSLCertificateFile /var/lib/dehydrated/certs/www.example.com/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/www.example.com/privkey.pem
# Apache reads these files only at (re)start, so reload it after each renewal.
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL
