One deep dive with haproxy and I have handed it complete control of all my certificates.

* One bind statement with every single cert file I own, and haproxy is instantly handling every host’s SSL handshaking using SNI
* It is handling dynamic conversion of http requests to https
* It has removed the need for https on any webserver on the secured LAN
* It allows incredibly flexible load balancing via host, port, url, etc etc
* It is easy to set up to use ssl best practices, so every one of your websites instantly gets A+ ratings on ssl labs

Unbelievable, I’m stunned.

Here’s all I needed to get ssl labs A+ ratings:


global

    # MDM NO SSLv3!  Good ciphers!
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

frontend ....

  # MDM We need to provide an HSTS header to get A+ at ssllabs!
  http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
      
  reqadd X-Forwarded-Proto:\ https

Also needed this in wordpress wp-config.php:

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
       $_SERVER['HTTPS']='on';

BAH THEY DONE FUCKED UP

  • StartCom sold out and let WoSign buy them up
  • WoSign backdated certs to get them grandfathered for some dumb reason
  • Mozilla and Google and Apple caught them and dropped support for them
  • alternativeto.net/software/startssl pointed me to Let’s Encrypt – LOOKS GOOD
  • there is also https://www.sslforfree.com/ which is a layer around Let’s Encrypt (no need? we’ll see…)

The king is dead, long live the king!

  • Whoa… it uses a BOT… from EFF.  Yay!
  • Whoa… certs are only good for 90 days!  Time to automate renewal!

Let’s take this to the wiki

 

There is only one way I know of to get free functional legitimate SSL encryption for your web server, and that’s through StartCom’s StartSSL service. You can get a free “class 1” certificate that will work out of the box in Firefox and Safari. Microsoft hasn’t added StartCom to IE, so people browsing to your site will have to specifically add StartCom’s authority certificate (instructions) (or ignore security warnings).

UPDATE: I am told as of Sept ’09, IE will include StartCom, yay! See comments for more…

Every year I have to renew my websites’ certificates, and the process is a bit clunky. Here’s a summary for next time around…

  • Sign up at the site; they will issue an [S/MIME client certificate] and “install it into your browser”; make sure you keep the stupid thing backed up, it’s the ONLY WAY BACK IN to your account! Here are backup instructions from their FAQ:
    Firefox: Select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates -> Your Certificates" and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.
  • Every year, request to renew your S/MIME client certificate, as it expires; back it up to a safe place
  • Request to renew your domain certificate; provide a password; an ssl.key is generated
  • Use openssl to create a no-password key:
    openssl rsa -in ssl.key.passphrase -out ssl.key.nopassphrase
  • Grab the official StartCom certificates from https://www.startssl.com/certs/
    sub.class1.server.ca.pem
    ca.pem
  • WAIT for confirmation of your certificate (you’ll get an email)
  • Return to the website, log in, go to Tool Box -> Retrieve Certificate, save as ssl.crt
  • Set up apache to use ’em!
    
        SSLEngine on
        SSLCertificateFile /path_to_certs/2009-2010/ssl.crt
        SSLCertificateKeyFile /path_to_certs/2009-2010/ssl.key
        SSLCertificateChainFile /path_to_certs/2009-2010/sub.class1.server.ca.pem
        SSLCACertificateFile /path_to_certs/2009-2010/ca.pem
    

That’s the basics but it should be enough to help me through annual renewal. *sigh*…