Difference between revisions of "SSL Certificate"

From RHS Wiki
Line 17: Line 17:
 
  $ sudo crontab -e
 
  $ sudo crontab -e
  
  * 7,19 * * * certbot -q renew
+
* * 7,19 * * certbot -q renew
 +
 
 
== Docs ==
 
== Docs ==
 
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
 
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
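Review bot: the replacement crontab line `* * 7,19 * * certbot -q renew` moves 7,19 into the day-of-month field, so certbot would run every minute, all day, on the 7th and 19th of each month rather than twice a day; the old line `* 7,19 * * * certbot -q renew` put 7,19 in the hour field but also left the minute field as `*`, so it ran every minute of those two hours. For the twice-daily run the change appears to intend, suggest `0 7,19 * * * certbot -q renew` (minute 0 of hours 7 and 19).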

Revision as of 14:45, 1 February 2018

Let's Encrypt

Install

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo apt-get install python-certbot-nginx   # only for nginx

Create new certificate

sudo certbot certonly --standalone
sudo certbot --nginx -d example.com -d www.example.com

Test certificate renewal

sudo certbot renew --dry-run

Renew certificates

certbot renew

Crontab renewal

$ sudo crontab -e
# fields: minute hour day-of-month month day-of-week -> run at 07:00 and 19:00 every day
0 7,19 * * * certbot -q renew
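An expiry check to pair with the cron entry above, added here as an example (not from the original wiki page): it uses openssl's -checkend so a renewal job that has silently stopped working is noticed before the certificate lapses. The certificate path and the 30-day threshold are assumptions; make_test_cert only builds a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the original page): warn when a certificate is close to
# expiry, so a cron "certbot renew" that fails silently is noticed before clients
# see errors. Assumes openssl on PATH; paths and the 30-day threshold are assumptions.
set -eu

# Exit 0 if the certificate in $1 stays valid for at least $2 more days.
# "-checkend" returns non-zero as soon as expiry falls inside the window.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the notAfter date of certificate $1, for the alert message.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 with an OK line, or exit 1 with a warning on stderr (cron mails it).
check_cert() {
  cert="$1"; threshold="${2:-30}"
  if cert_valid_for_days "$cert" "$threshold"; then
    echo "OK: $cert valid for more than $threshold days (expires $(cert_not_after "$cert"))"
    return 0
  fi
  echo "WARNING: $cert expires within $threshold days ($(cert_not_after "$cert")); check certbot renew logs" >&2
  return 1
}

# Constructed fixture: a throwaway self-signed cert valid for $2 days written to $1
# (the page's one-line openssl command, with -subj added so it runs without prompting).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -keyout "$1.key" -out "$1" -days "$2" -nodes \
    -subj "/CN=test.example.invalid" 2>/dev/null
}

# A cron entry such as "30 7 * * * /path/to/this.sh /etc/letsencrypt/live/example.com/cert.pem" (assumed path)
if [ "$#" -ge 1 ]; then check_cert "$1" "${2:-30}"; fi
```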

Docs

https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates


Source: www.akadia.com/services/ssh_test_certificate.html

Generate self signed certificate

  1. Generate a private key
     openssl genrsa -des3 -out server.key 1024

     openssl genrsa -aes256 -out server.key 4096

     (better security: aes256 instead of des3 for the passphrase and a 4096-bit key instead of 1024)
  2. Generate a CSR (Certificate Signing Request)
     openssl req -new -key server.key -out server.csr

     (the Common Name must be the fully qualified domain name, e.g. wiki.herrerosolis.com)
  3. Remove the passphrase from the key (so the web server can start unattended)
     cp server.key server.key.org && openssl rsa -in server.key.org -out server.key

     Expected ownership and permissions on the resulting files (the unencrypted key must not be world-readable):
     -rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key
     -rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
  4. Generate the self-signed certificate
     openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

     This generates a temporary certificate which is good for 365 days.

Generate self signed certificate one line

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Installing the Private Key and Certificate

    • Apache:
    1. Copy server.crt and server.key to the Apache conf SSL path; chmod 640 the .key and 644 the .crt
      cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
      cp server.key /usr/local/apache/conf/ssl.key # ALTERNATIVE: /etc/ssl/private
      Apache mod_ssl must be installed; the path may differ depending on how Apache was compiled.
    2. Configure SSL-enabled virtual hosts
      SSLEngine on
      SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
      SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
      SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
      CustomLog logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    3. Secure SSL (harden the TLS settings)
      sudo nano /etc/apache2/mods-enabled/ssl.conf
      SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
      SSLHonorCipherOrder on
      SSLProtocol TLSv1.2
      SSLCompression off
    4. Restart Apache and test
    • Django (Nginx-Gunicorn)
    1. TODO!

Nginx

server {
    listen 443 ssl;    # "ssl on;" is obsolete since nginx 1.15.0 and was removed in 1.25.1; enable TLS on the listen directive

    ssl_certificate        /etc/ssl/su_dominio_com.crt;   # or su_dominio_com.crt.pem
    ssl_certificate_key    /etc/ssl/su_dominio_com.key;
    add_header Strict-Transport-Security max-age=31536000;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 unless legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    server_name su.dominio.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;
    location / {
        root   /home/www/public_html/su.dominio.com/public/;
        index  index.html;
    }
}

TODO: gunicorn: put the init.d script here
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure

Self Signed option 1

#!/bin/bash
# Usage: <script> <name>
# Generates <name>.key (4096-bit RSA), keeps a passphrase-protected copy in
# <name>.key.secure, then creates <name>.csr and a self-signed <name>.crt.
set -euo pipefail

VALID_DAYS=3650
die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required (filename), $# provided"
KEY_NAME=$1

##################   Generate key  ############################################
# genrsa -aes256 prompts for a passphrase; the encrypted key is kept as .key.secure
openssl genrsa -aes256 -out "${KEY_NAME}.key" 4096
cp "${KEY_NAME}.key" "${KEY_NAME}.key.secure"

#################   Remove password from key  #################################
# The unencrypted .key is what the web server loads; keep its permissions tight
openssl rsa -in "${KEY_NAME}.key.secure" -out "${KEY_NAME}.key"

#################   Generate CSR (Certificate Signing Request)  ###############
openssl req -new -key "${KEY_NAME}.key" -out "${KEY_NAME}.csr"

#################   Generate Self-Signed Certificate  #########################
openssl x509 -req -days "${VALID_DAYS}" -in "${KEY_NAME}.csr" -signkey "${KEY_NAME}.key" -out "${KEY_NAME}.crt"

Self Signed Option 2

1. Copy your openssl.cnf:

   ```
   cp /etc/pki/tls/openssl.cnf ./
   ```

2. Modify the configuration file template at ./openssl.cnf and make the following changes:
   - In section [req]:

   ```
   req_extensions = v3_req # The extensions to add to a certificate request
   ```

   - In section [v3_req]:

   ```
   subjectAltName = @alt_names
   ```

   - At the end of the configuration file:

   ```
   [ alt_names ]
   DNS.1 = hostname.example.com
   ```

3. Generate your certificate key:

   ```
   openssl genrsa -out hostname.example.com.key 2048
   ```

4. Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):

   ```
   openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf
   ```

5. You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA), or, for testing purposes, generate a self-signed certificate as follows:
   - Create a new configuration file, v3.cnf, holding the v3 extension sections. `openssl x509 -req` does not copy extensions from the CSR by default, so the subjectAltName has to be supplied again at signing time through this file. Edit it to contain the following lines:

   ```
   [v3_req]
   subjectAltName = @alt_names
   [alt_names]
   DNS.1 = hostname.example.com
   ```

   - Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:

   ```
   openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf
   ```
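The Option 2 flow as one runnable script, added here as an example (not code from the original page): it signs the same CSR once without and once with -extfile, so you can see that the SAN only appears in the certificate when the extension section is supplied at signing time. It reuses the v3_req section of its own openssl.cnf instead of a separate v3.cnf; HOST and the temporary directory are constructed values.

```shell
#!/bin/sh
# Added example (not from the original page): a self-signed certificate with a
# subjectAltName, following the Option 2 flow, plus a check that the SAN survived
# signing. Assumes openssl on PATH; HOST and WORKDIR are constructed values.
set -eu

HOST="${1:-hostname.example.com}"
WORKDIR="$(mktemp -d)"

# Minimal openssl.cnf: [req] points at v3_req, which pulls in alt_names.
write_cnf() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $HOST
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
EOF
}

# Return 0 if the certificate in $1 carries a Subject Alternative Name extension.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"
}

make_certs() {
  write_cnf
  openssl genrsa -out "$WORKDIR/key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/key.pem" -out "$WORKDIR/csr.pem" -config "$WORKDIR/openssl.cnf"
  # Failure mode: "x509 -req" does not copy CSR extensions, so this cert has no SAN.
  openssl x509 -req -days 365 -in "$WORKDIR/csr.pem" -signkey "$WORKDIR/key.pem" \
    -out "$WORKDIR/nosan.crt" 2>/dev/null
  # Fix: re-supply the extension section at signing time with -extfile/-extensions.
  openssl x509 -req -days 365 -in "$WORKDIR/csr.pem" -signkey "$WORKDIR/key.pem" \
    -out "$WORKDIR/san.crt" -extensions v3_req -extfile "$WORKDIR/openssl.cnf" 2>/dev/null
}

make_certs
for f in nosan san; do
  if has_san "$WORKDIR/$f.crt"; then echo "$f.crt: SAN present"; else echo "$f.crt: SAN missing"; fi
done
```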