Previous revision (StartCom, used through 2016):

I am using free certificates from StartCom, http://startssl.com/
They have a 1-year validity and therefore require annual renewal.

INSTRUCTIONS
------------

1) browse to https://www.startssl.com

2) click on Control Panel, Authenticate

If the browser does not already have a valid certificate to identify you (from a previous session),
you will not be authenticated. To get a new certificate to identify you:

Click Sign-up and re-enter details.
Use webmaster@thedigitalmachine.com (or other valid domain).
You'll get a code to verify email, use it.
Then, you might have to wait to get the browser certificate.
You will receive a link and a passcode; click the link and enter the passcode and a cert will be installed in the browser.
You can back this cert up, but honestly it's only good for a year and more often it ends up being of not much reuse value.
I try to stick with wimpy-windows firefox, and sometimes the key is cached and reworks.
The last one I saved, I had used a password of "borlando" but not even sure where that was set. Whatever.

3) From the Control Panel, validate each domain through the Validation wizard. Requires email confirmation with webmaster@____

Do domain name validations for these four base domain names:

 x ssl.thedigitalmachine.com
 x ssl.thedigitalage.org
 x ssl.abettersoftware.com
 x ssl.bitpost.com

4) Create web server SSL/TLS Certificates

It's easy enough to let startssl generate the keys (but do it locally if you have time? see below)...

 pw = (see private.txt)
 keysize = high (4096)
 algo = SHA1 (Default)

generate private...
save as ~m/config/StartCom/(site)/(year, eg 2014-)/ssl.withpassword.key
create no-password key with:

 openssl rsa -in ssl.withpassword.key -out ssl.key

wait for email re: approval, then get ssl.crt from toolbox, save to same place

 x ssl.abettersoftware.com
 x ssl.bitpost.com
 x ssl.thedigitalmachine.com
 x ssl.thedigitalage.org

Put new ones here (eg): /home/m/config/StartCom/bitpost.com/2014-/

Ideally we'd make them readable ONLY by apache, but I am keeping a backup in git, so use:

 sudo chmod -R 770 *

5) Update apache to use new certs

a) stop apache
b) move existing certs in /home/m/config/StartCom/(domain)/ out to (eg) (domain)/2013-/... (this may not be needed if a copy is already there)
c) move new certs from (eg) /2014-/... up one dir to the base (where apache is looking)
d) restart apache and make sure it's happy (watch startup warnings, browse to each site)

NOTE here is what Apache needs:

 SSLCertificateFile /home/m/config/StartCom/bitpost.com/ssl.crt
 SSLCertificateKeyFile /home/m/config/StartCom/bitpost.com/server.key
 SSLCertificateChainFile /home/m/config/StartCom/sub.class1.server.ca.pem
 SSLCACertificateFile /home/m/config/StartCom/ca.pem.crt

MORE NOTES
----------

ALL 4 DOMAINS ARE NOW SYNCED for renewal in AUGUST/SEPT, try to remember dude
of course any new domains are going to be out of sync, PITA, c'est la vie

here, we store common docs:

 browser_cert_install_first.p12

the browser cert that lets you log in to https://startssl.com

 ca.pem.crt
 sub.class1.server.ca.pem

the official certs for StartCom level 1
you can get these from Control Panel->Tool Box->StartCom CA certificates

GENERATING YOUR OWN KEYS
------------------------

Note that you can generate your own keys.
Generally not worth it though, I trust StartCom, and you have to give them the key anyway.
Plus, all the extra info you add to the key is discarded by StartCom since it's an unvalidated owner (i.e. free).
But for completeness, here's old notes on how to do it... (should it still be des3??)

server.key generated with:

 openssl genrsa -des3 -out server.key 2048

CSR generated as follows:

 m@thedigitalmachine ~/config/StartCom/abettersoftware.com $ openssl req -new -key server.key -out server.csr
 Enter pass phrase for server.key:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:NC
 Locality Name (eg, city) []:Raleigh
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:A better Software
 Organizational Unit Name (eg, section) []:
 Common Name (eg, YOUR name) []:Michael Behrns-Miller
 Email Address []:noreply@abettersoftware.com

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

then that gets pasted into StartCom form under the Certificates Wizard on the control panel

note from the form:
All content of the certificate signing request is ignored except its public key.
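The old notes generate a des3-encrypted key, strip the passphrase in a second step, and accept the SHA1 default for the CSR. As an added example (my script, not the wiki author's), here is the same key/CSR step done locally with an unencrypted 4096-bit key kept at mode 600, a SHA-256 CSR that carries every hostname in subjectAltName, and a check that the CSR really contains the public half of the key before it goes to the CA. It assumes the openssl CLI; the work directory and the hostnames passed in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example, not the wiki's own notes: generate the server key and CSR locally.
# Assumes the openssl CLI is installed. The directory, CN and SAN passed by the
# caller are constructed sample values.
set -eu

# gen_key DIR [BITS]: unencrypted RSA key so apache can start unattended (no -des3
# passphrase, so the separate "openssl rsa ... -out ssl.key" stripping step goes away).
# Created under umask 077 and chmod 600: readable by the owner only.
gen_key() {
  dir=$1; bits=${2:-4096}
  ( umask 077; openssl genrsa -out "$dir/ssl.key" "$bits" 2>/dev/null )
  chmod 600 "$dir/ssl.key"
}

# gen_csr DIR CN [ALT...]: CSR signed with SHA-256 (not the SHA1 default from the
# old notes), with every hostname in subjectAltName, which is what browsers check.
gen_csr() {
  dir=$1; cn=$2; shift 2
  sans="DNS:$cn"
  for alt in "$@"; do sans="$sans,DNS:$alt"; done
  cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $sans
EOF
  openssl req -new -sha256 -key "$dir/ssl.key" -config "$dir/csr.cnf" -out "$dir/ssl.csr"
}

# csr_matches_key DIR: succeed only if the CSR carries the public half of ssl.key
# (catches a CSR made from the wrong key before it is submitted to the CA).
csr_matches_key() {
  dir=$1
  k=$(openssl pkey -in "$dir/ssl.key" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl req -in "$dir/ssl.csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# key_bits DIR: print the modulus size, to check the "keysize = high (4096)" choice.
key_bits() {
  openssl rsa -in "$1/ssl.key" -noout -text 2>/dev/null | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# csr_sans DIR: print the subjectAltName entries of the CSR for review before submitting.
csr_sans() {
  openssl req -in "$1/ssl.csr" -noout -text | grep 'DNS:'
}

# Stand-alone usage with constructed sample names: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  gen_key "$work" 4096
  gen_csr "$work" ssl.bitpost.com bitpost.com
  csr_matches_key "$work" && echo "CSR public key matches ssl.key ($(key_bits "$work") bits)"
  csr_sans "$work"
fi
```

The key never leaves the machine in this flow; only ssl.csr is pasted into the CA's form, which matches the form's own note that everything except the public key is ignored. The chmod 600 on the key is the part the "chmod -R 770 *" shortcut in the notes gives up.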
Current revision (Let's Encrypt):

I am using free certificates from Let's Encrypt (https://letsencrypt.org/getting-started/). Their certbot app does all the heavy lifting, nice. Details:

 m@case:~/development/config/bitpost/etc/letsencrypt$ cat README

== INSTALL ON GENTOO ==

 emerge -av app-crypt/certbot app-crypt/certbot-apache

== INSTALL INITIAL CERTS INTO APACHE ON GENTOO ==

 certbot --apache

(pick base urls of all configurations found)
(certbot generates certs in /etc/letsencrypt/archive/....)
(certbot sets up symlinks in /etc/letsencrypt/live/#HOSTNAME#/*.pem)
(certbot updates apache ssl configs to point there)
emacs the config file and break out chain:

== RENEW ALL CERTS ==

 # NOTE this runs once a month in crontab
 ~/development/scripts/gentoo/bitpost/root/renew_ssl_certs_as_needed.sh

== UPGRADE ALL CERTS TO 4096 ==

(haven't done this yet, may impact performance a bit)

 certbot renew --force-renewal --rsa-key-size 4096

NOTE Through 2016, I used StartCom.
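The monthly renew_ssl_certs_as_needed.sh referenced above is not shown on the page. As an added example (my script, not the author's), here is one shape such a cron job can take: let certbot renew whatever is due, reload Apache only via a deploy hook (so it is not bounced when nothing changed), and then fail loudly if any certificate under the live/ directory is still close to expiry, because a monthly run that silently skips a failed renewal is what produces an expired site. The pure date arithmetic is separated so it can be exercised without real certificates. Assumptions: the certbot and openssl CLIs, GNU date, a 30-day threshold and the /etc/letsencrypt/live layout named on the page; the crontab line is a sample.

```shell
#!/bin/sh
# Added example, not the page's renew_ssl_certs_as_needed.sh (which is not shown).
# Assumes the certbot and openssl CLIs and GNU date. The threshold is an assumption;
# certbot's /etc/letsencrypt/live/<host>/ layout is taken from the page.
set -eu

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
RENEW_WITHIN_DAYS=${RENEW_WITHIN_DAYS:-30}   # matches certbot's own renewal window

# days_left NOTAFTER_LINE [NOW_EPOCH]: whole days until expiry, given openssl's
# "notAfter=Dec 31 23:59:59 2024 GMT" line. NOW_EPOCH can be overridden for testing.
days_left() {
  end=${1#notAfter=}
  now=${2:-}
  [ -n "$now" ] || now=$(date -u +%s)
  end_epoch=$(date -u -d "$end" +%s)
  echo $(( (end_epoch - now) / 86400 ))
}

# needs_renewal NOTAFTER_LINE THRESHOLD_DAYS [NOW_EPOCH]: succeed when the cert
# expires within THRESHOLD_DAYS, i.e. this month's run must not be skipped.
needs_renewal() {
  [ "$(days_left "$1" "${3:-}")" -le "$2" ]
}

# cert_days_left PEM: days left for an on-disk certificate.
cert_days_left() {
  days_left "$(openssl x509 -in "$1" -noout -enddate)"
}

# renew_as_needed: certbot renews what is due; the deploy hook reloads apache only
# when a cert was actually replaced. Afterwards, anything still inside the window
# means a renewal failed, so exit non-zero and let cron mail the output.
renew_as_needed() {
  certbot renew --quiet --deploy-hook "apachectl graceful"
  rc=0
  for d in "$LIVE_DIR"/*/; do
    [ -f "$d/cert.pem" ] || continue
    left=$(cert_days_left "$d/cert.pem")
    if [ "$left" -le "$RENEW_WITHIN_DAYS" ]; then
      echo "WARNING: $(basename "$d") still expires in $left days" >&2
      rc=1
    fi
  done
  return $rc
}

# Sample crontab line (assumption):  0 4 1 * * /root/renew_ssl_certs_as_needed.sh run
if [ "${1:-}" = "run" ]; then
  renew_as_needed
fi
```

Running it with the "run" argument from root's crontab is enough; without the argument the file only defines the functions, which is what makes the expiry arithmetic checkable in isolation. The post-renewal expiry sweep is the detection half: a hook alone tells you nothing when certbot never reaches it.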