Web Certificate



A web certificate binds a server's public key to its host name and is signed by a Certificate Authority that browsers already trust. The certificate does not encrypt anything by itself: it lets a client confirm it is talking to the real server, after which TLS negotiates the session keys that encrypt the traffic so nobody on the path can read or alter it.

Let's Encrypt - Certificate Authority (CA)

Let's Encrypt is a free, automated Certificate Authority that issues 90-day TLS certificates, so you can serve https:// (the whole HTTP exchange, headers and bodies, encrypted in transit) instead of plain-text http://. Certbot is the ACME client used to obtain and renew certificates from the Let's Encrypt CA.

Reference: https://letsencrypt.org/

Certbot - Certificate Robot

Certbot is the ACME client: it proves to Let's Encrypt that you control the domain, downloads the certificate and, with the --apache or --nginx installer, edits the web server configuration to use it. On Debian the package also installs a systemd timer that runs certbot renew twice a day, which renews any certificate with fewer than 30 days left. Certbot does not e-mail you about expiry; those warnings come from Let's Encrypt, and only to the address registered with the account. A renewal can be rehearsed with --dry-run, which runs the whole process against the staging CA without issuing a real certificate.

Reference: https://certbot.eff.org/

Install

sudo apt-get install certbot

Configure

Get a certificate and update the Apache configuration.

Just follow the prompts, entering the fully qualified host name(s) the certificate should cover. The Apache plugin answers the HTTP-01 challenge, so port 80 must be reachable from the internet while this runs.

Instructions: https://certbot.eff.org/instructions

sudo certbot --apache

Schedule

The package installs certbot.timer, which runs certbot renew twice a day. A renewal is only attempted once a certificate has fewer than 30 days of its 90-day lifetime left, so most runs do nothing. The timer does not send e-mail; expiry warnings come from Let's Encrypt, if you registered an address with the account.

$ sudo systemctl list-timers | grep certbot
Mon 2022-08-29 15:46:31 EDT 4h 16min left Mon 2022-08-29 06:38:15 EDT 4h 52min ago  certbot.timer                certbot.service 

Renewal is done on the web host

I wrapped the certbot updater in a script that reminds me of the steps and of the places the certificate is used. Let's Encrypt checks the HTTP-01 challenge by connecting to port 80 from its own servers, and I do not normally open port 80 or let blocked hosts through the firewall, so the script opens both for the few minutes the renewal takes. Note that ufw disable drops every rule, not only the port 80 one; sudo ufw allow 80/tcp before the renewal and sudo ufw delete allow 80/tcp after it would expose only the port the challenge needs.

File: ~/linux/certbot.sh

#!/bin/bash
#---------------------------------------------
# Change port forwarding on router
#---------------------------------------------
#
# Let's Encrypt validates the HTTP-01 challenge over port 80,
# so the router must forward it to this host during renewal.
echo "REMINDER: Open port 80 on ROUTER first!"
read ans
#
#---------------------------------------------
# Disable firewall
#---------------------------------------------
#
# Drops every ufw rule for the duration of the renewal.
# "sudo ufw allow 80/tcp" would expose only the challenge port.
echo "Disabling firewall"
sudo ufw disable
#
#---------------------------------------------
# Automatic renewal
#---------------------------------------------
#
# Default is a dry run: it talks to the staging CA and saves nothing.
read -p "Dry-run [y]: " reply
reply=${reply:-y}
echo "$reply"
if [[ $reply == "y" ]]; then
  sudo certbot renew --expand --dry-run
else
  sudo certbot renew --expand
fi
#
#---------------------------------------------
# Check certbot service timer is running
#---------------------------------------------
#
sudo systemctl list-timers | grep certbot
##NEXT                         LEFT           LAST                         PASSED       UNIT
##Sat 2019-12-28 13:31:07 EST  7h left        Sat 2019-12-28 01:26:25 EST  4h 37min ago certbot.timer
#
#---------------------------------------------
# Enable firewall
#---------------------------------------------
#
echo "Enabling firewall"
sudo ufw enable
#
#---------------------------------------------
# Copy to the mail host for its Dovecot (e-mail) service
#---------------------------------------------
#
# Not needed after a dry run: no new certificate was issued.
read -p "copy to mail [y]: " reply
reply=${reply:-y}
echo "$reply"
if [[ $reply == "y" ]]; then
  ./copy-cert-to-mail.sh
fi
#
#---------------------------------------------
# Change port forwarding on router
#---------------------------------------------
#
echo "REMINDER: Close port 80 on ROUTER now!"
read ans
#
#---------------------------------------------
# Restart matrix-synapse to pick up new certs
#---------------------------------------------
#
# certbot's --apache installer reloads Apache itself after a renewal;
# Synapse is not touched by certbot and must be restarted here.
echo "NOTE: Restarting matrix-synapse service"
sudo systemctl restart matrix-synapse
#
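
The manual "copy to mail" and "restart matrix-synapse" steps above can be handed to certbot itself. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal (deploy hooks are skipped on --dry-run), with RENEWED_LINEAGE set to the live/ directory and RENEWED_DOMAINS to the renewed names. The hook below is an added example for this page, not certbot's code and not the page's certbot.sh: it refuses to reload anything if the new private key is world-readable, then works out which services to bounce from the renewed names. The domain-to-service map, the service names and the restart-versus-reload choices are assumptions for this page's setup.

```python
#!/usr/bin/env python3
"""Certbot deploy hook: refuse to reload on a world-readable key, then reload
the services that use the renewed certificate.

Added example for this page, not certbot's own code nor the page's certbot.sh.
Certbot runs each executable in /etc/letsencrypt/renewal-hooks/deploy/ after a
successful (non dry-run) renewal, with RENEWED_LINEAGE set to the live/
directory and RENEWED_DOMAINS to the renewed names. The domain-to-service map
and the service names below are assumptions matching this page's setup.
"""
import os
import stat
import subprocess
import sys

# Assumed: which local services load the certificate for which names.
# certbot's --apache installer reloads Apache on its own, so it is listed
# only for completeness; Synapse and Dovecot are never reloaded by certbot.
SERVICES_BY_DOMAIN = {
    "example.com": ["apache2", "matrix-synapse"],
    "www.example.com": ["apache2"],
    "mail.example.com": ["dovecot"],
}

# Synapse has no reload action; it must be restarted to reopen the key file.
ACTION = {"matrix-synapse": "restart"}


def key_permissions_ok(path):
    """True if the key is a regular file with no 'other' permission bits.

    Certbot creates archive/privkeyN.pem root-only (0600); a service running
    as its own user should get group read, never world read.
    """
    st = os.stat(path)  # follows the live/ symlink into archive/
    return stat.S_ISREG(st.st_mode) and (st.st_mode & stat.S_IRWXO) == 0


def plan_services(renewed_domains, mapping=SERVICES_BY_DOMAIN):
    """Ordered, de-duplicated services to bounce for a space-separated name list."""
    services = []
    for domain in renewed_domains.split():
        for service in mapping.get(domain, []):
            if service not in services:
                services.append(service)
    return services


def systemctl_commands(services, actions=ACTION):
    """systemctl command lines; reload unless the service needs a restart."""
    return [["systemctl", actions.get(s, "reload"), s] for s in services]


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this from certbot as a deploy hook")
    key = os.path.join(lineage, "privkey.pem")
    if not key_permissions_ok(key):
        sys.exit(f"refusing to reload services: {key} is world-readable or not a regular file")
    for cmd in systemctl_commands(plan_services(os.environ.get("RENEWED_DOMAINS", ""))):
        print("running:", " ".join(cmd))
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main()
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and it runs from the certbot.timer renewals as well as from the script above; the copy to the separate mail host would be called from the same hook in place of the manual prompt.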

Apache - Web Server for Nextcloud

Certbot's Apache installer adds the SSLCertificateFile and SSLCertificateKeyFile lines to the site's VirtualHost entry, and with --redirect also turns the port 80 VirtualHost into a redirect to https://.

Check that Strict-Transport-Security is set in the HTTPS VirtualHost. The header does not redirect anything itself; it tells a browser that has already reached the site over HTTPS to use HTTPS only, for the next max-age seconds[1]. 31536000 seconds is 365 days, after which the browser forgets the policy unless it has seen the header again. Browsers ignore the header when it arrives over plain HTTP, so the port 80 redirect is still needed for a first visit. Adjust max-age if desired; the browser preload list requires at least one year.

File: /etc/apache2/sites-enabled/nextcloud.conf

~
# Don - begin
# Use HTTP Strict Transport Security to force client to use secure connections only      
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;"
SSLEngine on

# Don certbot
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
~
  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
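
To see what that header value means to a browser, here is an added checker (example code for this page, not Apache's or certbot's): it parses the directives the way a browser does, flags a policy that is missing, disabled with max-age=0, shorter than a year, or lacking includeSubDomains, and fetches the live header over HTTPS only, because a browser never honours HSTS sent over http://. The host name www.example.com and the one-year minimum are assumptions.

```python
"""Check a site's Strict-Transport-Security (HSTS) policy.

Added example for this page, not Apache's or certbot's code. The host name
www.example.com and the one-year minimum (the value the browser preload list
requires) are assumptions.
"""
import http.client
import ssl

ONE_YEAR = 31536000  # seconds; the max-age the page's Apache config uses


def parse_hsts(value):
    """Split an HSTS header value into its directives as a browser would.

    Returns None when max-age is missing or not a number: a browser ignores
    such a header entirely. Directive names are case-insensitive and an
    empty trailing directive (a final ';') is harmless.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess_hsts(value):
    """List the weaknesses of a policy; an empty list means it looks sound."""
    if value is None:
        return ["no Strict-Transport-Security header: browsers keep accepting http://"]
    policy = parse_hsts(value)
    if policy is None:
        return ["no valid max-age directive: browsers ignore the header"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 makes browsers forget the policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']}s is under one year ({ONE_YEAR}s)")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]):
        findings.append("preload set, but preload needs includeSubDomains and max-age >= one year")
    return findings


def fetch_hsts(host, port=443, path="/"):
    """Fetch the header over HTTPS only; HSTS received over http:// is ignored."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ctx)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed host
    header = fetch_hsts(host)
    print(f"{host}: Strict-Transport-Security: {header!r}")
    for finding in assess_hsts(header) or ["policy looks sound"]:
        print(" -", finding)
```

Run it against your own host name after the Apache change; the value from the config above, max-age=31536000; includeSubDomains;, comes back with no findings, while a forgotten header or a testing value such as max-age=300 is reported.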

Dovecot - Server for E-Mail Clients

Dovecot is an IMAP and POP3 server, the piece that mail clients connect to in order to read mail. With a certificate it can offer IMAPS, IMAP over TLS on port 993 (or STARTTLS on port 143), so passwords and message contents are encrypted between the client and the server. This protects mail in transit only; messages are still stored unencrypted on the server. Dovecot opens the certificate and key as root before dropping privileges, so the root-only permissions on the Let's Encrypt key are fine, but it has to be reloaded (sudo systemctl reload dovecot) after every renewal to pick up the new files.

File: /etc/dovecot/conf.d/10-ssl.conf

~
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# Don - begin
#ssl_cert = </etc/dovecot/private/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.key
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
# Don - end

~

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
ssl_client_ca_dir = /etc/ssl/certs

~

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem

Matrix - Messaging Server

If you have the Matrix Synapse homeserver installed, pointing it at the same files lets it terminate TLS itself, for example on its federation listener (port 8448). Synapse runs as its own user, so confirm that user can read both files, and restart the service after each renewal: unlike Apache, it is not reloaded by certbot.

File: /etc/matrix-synapse/homeserver.yaml

grep letsencrypt /etc/matrix-synapse/homeserver.yaml
tls_certificate_path: "/etc/letsencrypt/live/example.com/fullchain.pem"
tls_private_key_path: "/etc/letsencrypt/live/example.com/privkey.pem"

Verify Certificate

Run this script before and after the certbot update to see the notBefore/notAfter dates of the certificate each service is actually presenting on the wire, and compare them with the dates in the file. Matching dates confirm the renewal worked and the service reopened the new files; a service still showing the old notAfter was not reloaded.

File: ~/linux/cert_expire.sh

#!/bin/bash
# ----------------------------------------------------------------------
#
# File: cert_expire.sh
#
# Purpose: See what the expiration date is for Let's Encrypt Certificate
#
#
#  s_client : The s_client command implements a generic SSL/TLS client
#              which connects to a remote host using SSL/TLS.
#  -servername $DOM : Set the TLS SNI (Server Name Indication) extension
#                      in the ClientHello message to the given value.
#  -connect $DOM:$PORT : This specifies the host ($DOM) and optional
#                         port ($PORT) to connect to.
#  -starttls PROTO : Connect in plain text and upgrade with STARTTLS
#                    (smtp on port 25).
#  </dev/null : Close stdin so s_client exits after the handshake
#               instead of waiting for input.
#  x509 : Run certificate display and signing utility.
#  -noout : Prevents output of the encoded version of the certificate.
#  -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
#
# Note: "s_client | x509" prints the certificate the server sent even when
# the chain does not verify; run s_client without the x509 pipe and look at
# "Verify return code" to confirm the chain as well.
#
# Don Cohoon - Jan 2023
# ----------------------------------------------------------------------
#
#
if [ $# -gt 0 ]; then
  A=${1}
else
  echo "1) E-Mail (SMTP STARTTLS)"
  echo "2) File"
  echo "3) Web"
  echo "4) Local"
  echo "5) E-Mail (IMAPS)"
  read A
fi
case ${A} in
  1)
    # Port 25 shows the certificate the SMTP server presents via STARTTLS.
    echo "REMINDER: Restart the SMTP server and dovecot to enable new certs"
    echo "=> E-Mail SMTP Certificate"
    openssl s_client -servername mail.example.com -connect mail.example.com:25 -starttls smtp </dev/null 2>/dev/null | openssl x509 -noout -dates
    ;;
  2)
    # The first certificate in fullchain.pem is the server (leaf) certificate.
    echo "=> File Certificate"
    sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem
    ;;
  3)
    echo "REMINDER: Restart apache2 and nginx to enable new certs"
    echo "=> www.example.com Certificate"
    openssl s_client -servername example.com -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
    ;;
  4)
    # SNI is still sent so Apache picks the example.com VirtualHost, not its default one.
    echo "REMINDER: Restart apache2 and nginx to enable new certs"
    echo "=> Local Web Certificate"
    openssl s_client -servername example.com -connect localhost:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
    ;;
  5)
    # Port 993 is Dovecot's IMAPS listener: the certificate mail clients actually see.
    echo "REMINDER: Restart dovecot to enable new certs"
    echo "=> E-Mail IMAPS Certificate"
    openssl s_client -servername mail.example.com -connect mail.example.com:993 </dev/null 2>/dev/null | openssl x509 -noout -dates
    ;;
  *)
    echo "Unknown option: ${A}" >&2
    exit 1
    ;;
esac
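
The piping in cert_expire.sh prints the dates of whatever certificate the server sent, even when the chain or the name does not verify. The added Python version below (an example for this page, not the page's own script) does the same checks with the standard library ssl module, which validates the chain against the system CA store and checks the host name, covers implicit TLS (443, 993) as well as SMTP and IMAP STARTTLS, and applies certbot's 30-day rule to say whether a renewal is due. The host names, ports and the 30-day threshold are assumptions for this page's setup.

```python
"""Check when each service's certificate expires, with chain and name verification.

Added example for this page, not its cert_expire.sh. Host names, ports and the
30-day renewal threshold (certbot's default) are assumptions.
"""
import imaplib
import smtplib
import socket
import ssl
import sys
import time

RENEW_WITHIN_DAYS = 30  # certbot renews once fewer than 30 days remain

# Assumed targets for this page's setup: name -> (host, port, starttls protocol)
TARGETS = {
    "web": ("www.example.com", 443, None),
    "imaps": ("mail.example.com", 993, None),
    "smtp": ("mail.example.com", 25, "smtp"),
}


def parse_openssl_dates(text):
    """Turn 'openssl x509 -noout -dates' output into epoch seconds.

    Lines look like 'notAfter=Mar 29 12:00:00 2024 GMT'; ssl.cert_time_to_seconds
    understands exactly that format.
    """
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = ssl.cert_time_to_seconds(value.strip())
    if "notAfter" not in dates:
        raise ValueError("no notAfter line in input")
    return dates


def days_until(not_after, now=None):
    """Whole days left (negative once expired)."""
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)


def renewal_due(not_after, now=None, threshold=RENEW_WITHIN_DAYS):
    """certbot's rule: renew when fewer than `threshold` days remain."""
    return days_until(not_after, now) < threshold


def fetch_not_after(host, port, starttls=None, timeout=10):
    """Connect, verify the chain and host name, return notAfter as epoch seconds.

    starttls=None uses implicit TLS (443, 993); 'smtp' or 'imap' upgrades a
    plain-text session. ssl.create_default_context() loads the system CA store
    and checks the host name, so a wrong chain raises SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    if starttls == "smtp":
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.starttls(context=ctx)
        cert = conn.sock.getpeercert()
        conn.quit()
    elif starttls == "imap":
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        conn.starttls(ssl_context=ctx)
        cert = conn.sock.getpeercert()
        conn.logout()
    else:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    return ssl.cert_time_to_seconds(cert["notAfter"])


def report(name, host, port, starttls=None):
    """One line per target; verification failures are shown, not swallowed."""
    try:
        not_after = fetch_not_after(host, port, starttls)
    except (OSError, imaplib.IMAP4.error) as exc:  # SSLError and SMTPException are OSErrors
        return f"{name}: FAILED {host}:{port} ({exc})"
    state = "renewal due" if renewal_due(not_after) else "ok"
    return f"{name}: {host}:{port} expires in {days_until(not_after)} days ({state})"


if __name__ == "__main__":
    for name in sys.argv[1:] or list(TARGETS):
        print(report(name, *TARGETS[name]))
```

A FAILED line with a verification error after a renewal usually means the service is serving an old or incomplete chain, or the listener you checked is not the one the certificate was installed on; the date comparison alone from cert_expire.sh would not show that.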

Continue

Now that you have set up a certificate for your new server, consider installing some Network Attached Storage.

Proceed in the order presented; some steps depend on earlier ones.

Book Last Updated: 29-March-2024



Web Secure Socket Layer (SSL) Certificate - Linux in the House - https://linux-in-the-house.org Creative Commons License