Monday, January 06, 2020

enabling https on apache

Wanted to make our websites running on Apache SSL-enabled. Since we use Cloudflare, and Cloudflare has an option that allows self-signed certificates on the origin web server, decided to try self-signed certificates first.

Followed this tutorial on DigitalOcean, which is concise, complete and to the point.

1. Our current servers use su and not sudo.

2. Creating a key pair with
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/apache-selfsigned.key \
  -out /etc/ssl/certs/apache-selfsigned.crt

3. Creating ssl-params.conf in /etc/apache2/conf-available with the following text:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11, so commented out
#SSLSessionTickets Off

4. Modifying /etc/apache2/sites-available/default-ssl.conf to add the correct contact info and the paths to the key and certificate. In our case, I had to copy the directives from default.conf, since there were a lot of changes to be made.

5. For finding the Apache version,
apache2 -version
and enabling all the modules, configs and sites by
a2enmod ssl
a2enmod headers
a2ensite default-ssl
a2enconf ssl-params
apache2ctl configtest
service apache2 restart
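As a check to run after step 5, here is an added example script (my own, not code from the post or from the DigitalOcean tutorial it follows). It lints an ssl-params.conf for the settings the post depends on, evaluating the SSLProtocol line with mod_ssl's own "all / +name / -name" semantics rather than a plain text search, and it includes an openssl s_client probe you can point at your own server once Apache has restarted. The fixture file is constructed inline, and the hostname ourdomain.tld is a placeholder.

```shell
#!/bin/sh
# Added example, not from the blog post or the DigitalOcean tutorial it follows.
# Lints an Apache TLS parameter file (the ssl-params.conf of step 3) for the
# settings the post relies on, and optionally probes a running server.
# Hostnames and file paths below are placeholders.

# protocol_enabled "SSLProtocol ..." NAME
# Returns 0 if mod_ssl would still negotiate protocol NAME given that line.
# mod_ssl semantics: "all" or "+NAME" enables, "-NAME" disables and wins;
# without "all" the line is an allowlist, so a bare "NAME" token enables it.
protocol_enabled() {
    all=0; plus=0; minus=0
    for tok in $1; do
        case "$tok" in
            [Aa][Ll][Ll])   all=1 ;;
            "$2"|"+$2")     plus=1 ;;
            "-$2")          minus=1 ;;
        esac
    done
    [ "$minus" -eq 1 ] && return 1
    [ "$all" -eq 1 ] || [ "$plus" -eq 1 ]
}

# directive_is CFG NAME VALUE: 0 if an uncommented "NAME VALUE" line exists
# in the text CFG (case-insensitive, as Apache treats directives).
directive_is() {
    printf '%s\n' "$1" | awk -v n="$2" -v v="$3" \
        'tolower($1)==tolower(n) && tolower($2)==tolower(v) {ok=1} END {exit ok?0:1}'
}

# lint_ssl_params FILE: print findings; returns 0 only if nothing FAILed.
lint_ssl_params() {
    cfg=$(grep -v '^[[:space:]]*#' "$1")      # drop comment lines first
    rc=0
    proto=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="sslprotocol"' | tail -n 1)
    # mod_ssl's documented default when SSLProtocol is absent.
    [ -n "$proto" ] || proto="SSLProtocol all -SSLv3"
    for legacy in SSLv3 TLSv1 TLSv1.1; do
        if protocol_enabled "$proto" "$legacy"; then
            echo "FAIL: $legacy is still enabled by '$proto'"; rc=1
        fi
    done
    directive_is "$cfg" SSLHonorCipherOrder on || { echo "FAIL: SSLHonorCipherOrder is not On"; rc=1; }
    directive_is "$cfg" SSLCompression off     || { echo "FAIL: SSLCompression is not off"; rc=1; }
    printf '%s\n' "$cfg" | grep -qi 'Strict-Transport-Security' \
        || echo "WARN: no Strict-Transport-Security header is set"
    return "$rc"
}

# probe_legacy_tls HOST [PORT]: the handshake with each legacy version must fail.
# Caveat: a modern local openssl may refuse these versions itself (or lack
# -ssl3 entirely), so treat "rejected" as meaningful only after checking that
# it was the server, not the client, that ended the handshake.
probe_legacy_tls() {
    for ver in -ssl3 -tls1 -tls1_1; do
        if openssl s_client -connect "$1:${2:-443}" -servername "$1" "$ver" \
               </dev/null >/dev/null 2>&1; then
            echo "FAIL: $1 accepted $ver"
        else
            echo "ok: $1 rejected $ver"
        fi
    done
}

# Constructed fixture mirroring the post's ssl-params.conf (HSTS commented out, as in the post).
fixture=$(mktemp)
cat >"$fixture" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCompression off
EOF
if lint_ssl_params "$fixture"; then echo "fixture: no FAIL findings"; fi
rm -f "$fixture"
# After "service apache2 restart", run the live check against your own host:
# probe_legacy_tls ourdomain.tld
```

Run as `sh lint-ssl-params.sh`; to lint the real file, call `lint_ssl_params /etc/apache2/conf-available/ssl-params.conf`. The fixture produces the HSTS warning, which is exactly the state the post's config is in with the Strict-Transport-Security line commented out.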

6. In our case, Cloudflare could do the HTTP-to-HTTPS redirecting. But redirecting all traffic to HTTPS breaks our pages which have POST links, since those are not redirected. (Edit 21 Feb: after the POST links were updated to HTTPS, turned "Always use HTTPS" on. No issues.)

7. Found that this procedure can reasonably easily be replicated with a certificate from Let's Encrypt:
https://letsencrypt.org/getting-started/
https://certbot.eff.org/
In our case, perhaps doing a cert-only cron job with certbot would be desirable.
certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual \
  --preferred-challenges dns -d 'ourdomain.tld,*.ourdomain.tld'

I did try it out manually. For automating it, we would need to put the Cloudflare API key on the server (or the newer API token, which can be given more limited permissions) so that the DNS TXT record used for validation by certbot and Let's Encrypt can be updated automatically. Or perhaps even the simpler option given on the certbot website might be enough:
certbot-auto certonly --apache

In this case, it takes a bit of time and asks which domain we want the certificate for. After that, it works, using the HTTP challenge for validation. May need some tweaking to automate this, since there are multiple domains involved. But renewal seems to be simple. As the closing notes say:

Performing the following challenges:
http-01 challenge for our.domain.tld
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/our.domain.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/our.domain.tld/privkey.pem
   Your cert will expire on 2020-04-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

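Added example, not from the post and not certbot's or Let's Encrypt's code: a small script covering the follow-ups the notes above leave open. It tracks the days until the 365-day self-signed certificate from step 2 (and the Let's Encrypt one) expires, stores a Cloudflare API token for the DNS-01 route as a root-only file, and prints the cron entry for unattended renewal. The paths, the hostname and the token are placeholders; the DNS-01 command assumes the certbot-dns-cloudflare plugin is installed alongside certbot-auto; days_left relies on GNU date's free-form date parsing.

```shell
#!/bin/sh
# Added example, not from the post, certbot or Let's Encrypt. Covers the two
# loose ends above: the 365-day self-signed certificate from step 2 silently
# expires unless something watches it, and unattended renewal needs a
# credential on the server. Paths, hostnames and the token are placeholders;
# the DNS-01 part assumes the certbot-dns-cloudflare plugin is installed.

# not_after CERT_FILE: print the notAfter date as openssl formats it,
# e.g. "Apr  5 00:00:00 2020 GMT".
not_after() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }

# days_left NOTAFTER [NOW_EPOCH]: whole days from NOW (default: current UTC
# time) until NOTAFTER; negative once expired. Uses GNU date's parser.
days_left() {
    end=$(date -u -d "$1" +%s)
    now="${2:-$(date -u +%s)}"
    echo $(( (end - now) / 86400 ))
}

# check_cert CERT_FILE [WARN_DAYS]: 0 if more than WARN_DAYS (default 30,
# the threshold certbot itself renews at) remain, 1 otherwise. Suitable
# for a cron job whose output is mailed.
check_cert() {
    left=$(days_left "$(not_after "$1")")
    if [ "$left" -le "${2:-30}" ]; then
        echo "WARNING: $1 expires in $left days"; return 1
    fi
    echo "ok: $1 valid for another $left days"
}

# write_cloudflare_creds PATH TOKEN: credentials file for certbot-dns-cloudflare.
# Created root-only (umask set in a subshell so the caller's umask is untouched).
# Prefer a scoped API token (Zone:DNS:Edit on the one zone) over the global key,
# so a compromised origin server can at most edit that zone's records.
write_cloudflare_creds() {
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" >"$1" )
}
# DNS-01 issuance for the apex plus wildcard, non-interactive (placeholders):
#   certbot-auto certonly --dns-cloudflare \
#       --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
#       -d ourdomain.tld -d '*.ourdomain.tld'

# The cron entry the post wonders about. The random sleep spreads renewals
# out (certbot's packaged cron job does the same); --deploy-hook fires only
# when a certificate was actually renewed, so Apache is not reloaded needlessly.
print_cron_snippet() {
    cat <<'EOF'
# /etc/cron.d/certbot-renew (constructed example)
0 */12 * * * root perl -e 'sleep int(rand(3600))'; /usr/local/bin/certbot-auto renew --quiet --deploy-hook "service apache2 reload"
EOF
}

# Demo with a constructed date matching the expiry in the certbot notes above
# (2020-04-05), evaluated as of 2020-03-06 00:00 UTC (epoch 1583452800).
echo "days left on 2020-03-06: $(days_left 'Apr  5 00:00:00 2020 GMT' 1583452800)"   # 30
for c in /etc/ssl/certs/apache-selfsigned.crt /etc/letsencrypt/live/our.domain.tld/fullchain.pem; do
    if [ -r "$c" ]; then check_cert "$c" || true; fi
done
print_cron_snippet
```

On the server, `check_cert /etc/ssl/certs/apache-selfsigned.crt` from a daily cron entry is the cheapest way to avoid discovering the self-signed certificate's expiry from Cloudflare's origin error page; the Let's Encrypt certificate is covered by the renew job, and check_cert on its fullchain.pem is the alarm in case that job ever stops working.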

 
