Difference between revisions of "SSL Certificate"
Jump to navigation
Jump to search
Rafahsolis (talk | contribs) |
Rafahsolis (talk | contribs) |
||
| Line 6: | Line 6: | ||
sudo apt-get install python-certbot-nginx (for nginx) | sudo apt-get install python-certbot-nginx (for nginx) | ||
sudo certbot --nginx -d example.com -d www.example.com | sudo certbot --nginx -d example.com -d www.example.com | ||
| + | == Test certificate renewal == | ||
| + | sudo certbot renew --dry-run | ||
== Create new certificate == | == Create new certificate == | ||
sudo certbot certonly --standalone | sudo certbot certonly --standalone | ||
Revision as of 07:29, 13 November 2017
Lets Encrypt
Install
sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot sudo apt-get install python-certbot-nginx (for nginx) sudo certbot --nginx -d example.com -d www.example.com
Test certificate renewal
sudo certbot renew --dry-run
Create new certificate
sudo certbot certonly --standalone
Renew certificates:
certbot renew
Crontab renewal
$ sudo crontab -e
* 7,19 * * * certbot -q renew
Docs
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
Fuente: www.akadia.com/services/ssh_test_certificate.html
Generate self signed certificate
- Generate a Private Key
openssl genrsa -des3 -out server.key 1024- (better security)
openssl genrsa -aes256 -out server.key 4096
- Generate a CSR (Certificate Signing Request)
- (YOUR name must be the fully qualified domain name ej: wiki.herrerosolis.com)
openssl req -new -key server.key -out server.csr
- Remove passphrase from key
- -rw-r----- 1 root ssl-cert 891 Jun 29 13:22 server.key
cp server.key server.key.org && openssl rsa -in server.key.org -out server.key
-rw-r--r-- 1 root ssl-cert 891 Jun 29 13:22 server.crt
- Generate Self-Signed Certificate
- will generate a temporary certificate which is good for 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Generate self signed certificate one line
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Installing the Private Key and Certificate
- Apache:
- Copy server.crt and server.key to apache conf ssl path chmod 640 to .key and 644 to .crt
- cp server.crt /usr/local/apache/conf/ssl.crt # ALTERNATIVE: /etc/ssl/certs
- cp server.key /usr/local/apache/conf/ssl.key #ALTERNATIVE: /etc/ssl/private
- Configure Configuring SSL Enabled Virtual Hosts
- SSLEngine on
- SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
- SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
- SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
- CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
- Secure SSL
- sudo nano /etc/apache2/mods-enable/ssl.conf
- SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
- SSLHonorCipherOrder on
- SSLProtocol TLSv1.2
- SSLCompression off
- Restart Apache and test
- Django (Nginx-Gunicorn)
- TODO!
Nginx
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/su_dominio_com.crt; (o su_dominio_com.crt.pem)
ssl_certificate_key /etc/ssl/su_dominio_com.key;
add_header Strict-Transport-Security max-age=31536000;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
server_name su.dominio.com;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
root /home/www/public_html/su.dominio.com/public/;
index index.html;
}
}
TODO: gunicorn: Poner aqui init.d script
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure