RHEL7: How to get started with SSL certificates.


Presentation

HTTPS is a protocol that consists of a communication layer called Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or Secure Sockets Layer (SSL). For simplicity’s sake, the expression SSL certificate will be used instead of TLS/SSL certificate.

Until now, setting up an HTTPS website was very expensive. Not only was the procedure complicated, but the cost of the SSL certificates themselves didn’t allow any experimentation.

It is now possible to buy a standard SSL certificate for $2,99/year or a wildcard SSL certificate for $4,99/year.

The difference between standard and wildcard certificates is simple:

  • with a standard certificate, you can use it for only one website, like www.mydomain.com,
  • with a wildcard certificate (typically called *.mydomain.com), you can use it for several websites, like www.mydomain.com, sub.mydomain.com, etc., but not for www.sub.mydomain.com (one level deeper than the wildcard) nor for the bare domain mydomain.com.

There are some more advanced SSL certificates (read this article about the various types of SSL certificates) than the DV (Domain Validated) one presented here, but they are more geared towards big companies.

If you are serious about your website, you need a wildcard certificate because it will allow you to have a staging environment to test any change in your settings (HTML, CSS, JavaScript, software, architecture, etc.). Otherwise you will have to improvise until a big problem happens.

HTTPS Pros and Cons

Pros:

  • increase security and trust,
  • provide a slightly better Google ranking.

Cons:

  • add some latency due to the HTTPS protocol and increase CPU consumption,
  • may involve some heavy work for an existing website: Google provides some guidelines.

This tutorial will not dive deeper into these various aspects.

Prerequisites

In order to set up a website with SSL certificates from hostmybytes, you need to fulfill the following criteria:

  • use a PayPal or BitPay account to pay for the SSL certificate,
  • buy a domain name if not already done (called mydomain.com in this tutorial),
  • install a server with RHEL 7/CentOS 7 if not already done,
  • set up the reverse lookup associated with the domain name and check it (you can use this tool to help you),
  • set up an email server on the domain name, involving the creation of DNS MX records (see the Postfix tutorial),
  • create a user called admin to receive answers from the company producing the SSL certificate.

The remaining part of this tutorial will show how to create and put in place a wildcard SSL certificate.

RSA Key Generation

You need to create a 2048-bit RSA private key stored in the mydomain.com.key file:

# cd /etc/pki/tls/private
# openssl genrsa -out mydomain.com.key 2048

Note: You can add the -des3 option to the previous command, which forces anybody wanting to use the key to enter a passphrase first. The problem is that you will then have to type the passphrase every time the web server starts, which is not a good idea for an unattended server.

Assign minimal permissions to the private key to protect it:

# chmod 600 mydomain.com.key

Then, you need to create the CSR (Certificate Signing Request) called here mydomain.com.csr:

# cd /etc/pki/tls/certs
# openssl req -new -key ../private/mydomain.com.key -out mydomain.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.mydomain.com
Email Address []:admin@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note 1: Replace all the details above with your own and, obviously, mydomain.com with your domain name.
Note 2: For the Common Name, be sure to specify *.mydomain.com if it’s a wildcard SSL certificate and www.mydomain.com if it is a standard SSL certificate.
Note 3: For the Email Address, be sure to type admin@mydomain.com.
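The key and CSR steps above, as an added example that is not part of the original tutorial: it generates the key and the wildcard CSR without the interactive prompts (using -subj), then checks the CSR's Common Name and that the CSR really belongs to the key before anything is sent to the vendor. The domain example.com, the -subj values and the function names are this example's own assumptions, and a temporary directory stands in for /etc/pki/tls.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: generate the private key
# and the wildcard CSR without the interactive prompts, then check both before
# sending the CSR to the vendor. The -subj values and the domain example.com
# are assumptions; the scratch directory stands in for /etc/pki/tls.
set -eu

# 2048-bit RSA key created with owner-only permissions from the start (the
# umask closes the window in which a fresh file would be group/world readable).
gen_key() {
    local key="$1"
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
    chmod 600 "$key"
}

# CSR built from that key; -subj replaces the prompts shown above, and the
# Common Name carries the wildcard.
gen_csr() {
    local key="$1" csr="$2" domain="$3" email="$4"
    openssl req -new -sha256 -key "$key" -out "$csr" \
        -subj "/C=US/ST=California/L=Mountain View/O=MyCompany/CN=*.${domain}/emailAddress=${email}"
}

# Print the Common Name of a CSR, failing if its self-signature does not
# verify (a corrupted or hand-edited CSR would be rejected by the CA anyway).
csr_cn() {
    local csr="$1"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Prove the CSR was made from this key: the public keys must hash identically.
key_matches_csr() {
    local key="$1" csr="$2" k c
    k=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Octal mode of a file (GNU stat first, BSD stat as a fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone run: everything happens in a temporary directory.
demo() {
    local dir; dir=$(mktemp -d)
    gen_key "$dir/example.com.key"
    gen_csr "$dir/example.com.key" "$dir/example.com.csr" example.com admin@example.com
    echo "CSR CN:   $(csr_cn "$dir/example.com.csr")"
    echo "key mode: $(key_mode "$dir/example.com.key")"
    key_matches_csr "$dir/example.com.key" "$dir/example.com.csr" && echo "key matches CSR"
    rm -rf "$dir"
}

demo
```

The two checks are the ones worth running before opening the support ticket: a CSR whose Common Name is not *.mydomain.com will be issued for the wrong name, and a CSR built from a different key than the one later configured in the web server gives a certificate the server cannot use.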

Certificate Purchase

Just after completing the order, you will receive several mails in the mailbox specified in the hostmybytes account. One of them is titled Order Confirmation and contains the Order Number.

Later, you will receive the following email:

Thank you for your SSL order with HostMyBytes! We need some more information in order to activate your SSL certificate.

Please open a support ticket in the "Support" department with the following information:
      1. Certificate Signing Request (CSR) for your certificate
      2. Domain name for the certificate (if wildcard, make sure it is *.mydomain.com)
      3. Confirm that admin@mydomain.com exists.

The approver email will be sent to: admin@mydomain.com. If you do not have access to this email address for some reason, please open a support ticket so we can re-send the approval email.
The next step in this process is to confirm the admin approver email and reply to this email once it has been approved.

Best Regards,

CSR Handling

As you already have the CSR and the Order Number, you only need to open a support ticket (Open Ticket -> Technical Support).

In the Open Ticket page, you should specify:

  • the Subject:
    • Request for wildcard certificate, Order Number: XXXXXXXXXX, domain name: *.mydomain.com
    • Request for standard certificate, Order Number: XXXXXXXXXX, domain name: www.mydomain.com
  • the Department: Technical support
  • the Related Service: AlphaSSL wildcard or AlphaSSL standard
  • the Priority: High/Medium/Low (doesn’t matter)
  • the Message: (doesn’t matter)
  • the Attachment: the CSR

When all the fields are set, you can click on the Submit button.

SSL Certificate Receipt

Some time later, you will receive in the admin@mydomain.com mailbox a mail like this one:

From: approval@globalsign.com
To: admin@mydomain.com
Subject: Order ID CE2015XXXXXXXX AlphaSSL - Approve SSL Application
Content-Type: text/plain; charset=UTF-8
Status: RO

An application for a SSL Certificate has been placed with AlphaSSL for *.mydomain.com and Order ID CE201508216076.

In order for AlphaSSL to issue the SSL Certificate, the domain owner or administrator must approve the order. Please follow the below link to choose to APPROVE or NOT APPROVE the application.

Only if you approve the application will the SSL Certificate be issued.

https://regist.alphassl.com/ra/dvApproval/dvApproval/DvApproval.do?r=6c740fed&e=b5a181f2a610fb&c=3f6470416a0f0684d43a6c3f88f3d9a606220150

Make sure your browser address bar contains the complete unbroken URL.

For your information, the Applicant has provided the following details:

Domain Name: *.mydomain.com
Applicant Email Address: myaddress@gmail.com

If you have any questions about this application, please contact us using the details below.

Kind Regards,
AlphaSSL Support Team

*************************************************
support@alphassl.com
www.alphassl.com
Tel US: 720 3591 590
Tel EU: +44 870 4325190
*************************************************

Then, you need to approve the application by opening the link from the above mail in a browser.

Finally, you will receive a mail titled CE2015XXXXXXXX: Your SSL Certificate for *.mydomain.com has been issued, containing the SSL certificate between the BEGIN CERTIFICATE and END CERTIFICATE lines at the end of the mail.

If you get this mail, you are not very far from success!

Environment Preparation

Before going further, you need to follow several steps.

Store the previously received SSL certificate into the /etc/pki/tls/certs/mydomain.com.crt file (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).

Go to the AlphaSSL website and get the Root CA certificate in .txt format:

# cd /etc/pki/tls/certs
# wget https://www.alphassl.com/support/roots/root.txt
# mv root.txt root_ca.pem

Then, get the AlphaSSL intermediate CA titled SHA-256 – Orders March 31, 2014 and After and paste it into the /etc/pki/tls/certs/alphassl_ca.pem file.

Finally, generate the CA bundle (the root and intermediate CA certificates concatenated):

# cd /etc/pki/tls/certs
# cat root_ca.pem alphassl_ca.pem > bundle.crt

Add the HTTPS service to the firewall configuration and reload it:

# firewall-cmd --permanent --add-service=https
Success
# firewall-cmd --reload
Success

Set the httpd_unified SELinux boolean to 1:

# setsebool -P httpd_unified 1

Create a test file:

# cd /var/www/html
# echo "Test" > index.html
# restorecon index.html

Apache Configuration

Install the Web Server package group:

# yum groupinstall -y "Web server"

Note: If you type yum install httpd, you will not get the mod_ssl package.

Activate at boot time and start the service:

# systemctl enable httpd && systemctl start httpd

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificate string and replace as follows:

SSLCertificateFile /etc/pki/tls/certs/mydomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.com.key
SSLCACertificateFile /etc/pki/tls/certs/bundle.crt

In the same file, search for the ServerName string and replace as follows:

ServerName www.mydomain.com:443

Again, search for the SSLProtocol string and replace as follows:

SSLProtocol all -SSLv2 -SSLv3

Search for the SSLCipherSuite string and replace as follows:

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM \
 EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 \
 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
 EECDH !ECDHE-RSA-DES-CBC3-SHA EDH+aRSA RSA+3DES \
 !aNULL !eNULL !LOW !SEED !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"

Note: This is certainly not the best cipher configuration, but two experts will not agree on the same configuration and I’m not a cipher expert!
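One way to see what a cipher string like the one above really enables is to expand it with the local OpenSSL, which uses the same syntax as Apache's SSLCipherSuite (and as Nginx's ssl_ciphers). The following is an added example, not code from the original tutorial: the cipher string is the one from the ssl.conf snippet above, while the function names and the regexes used to flag unwanted algorithms are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: expand an SSLCipherSuite
# string with the local OpenSSL to see what it really enables. The cipher
# string is the one from the ssl.conf snippet above; the weak-cipher regexes
# and the function names are this example's own assumptions.
set -eu

APACHE_SUITE='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !ECDHE-RSA-DES-CBC3-SHA EDH+aRSA RSA+3DES !aNULL !eNULL !LOW !SEED !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4'

# Expand a cipher string into the concrete cipher names OpenSSL would offer,
# one per line, in the order the server will prefer them (that order is what
# SSLHonorCipherOrder on enforces). An empty result means OpenSSL rejected
# the string.
expand_suite() {
    openssl ciphers -v "$1" | awk '{print $1}'
}

# Number of ciphers in the expansion.
suite_size() {
    expand_suite "$1" | awk 'END { print NR }'
}

# How many expanded ciphers match a regex of algorithms we do not want.
# Prints the count; 0 means the list is clean for that pattern.
count_weak() {
    local suite="$1" pattern="$2"
    expand_suite "$suite" | grep -c -E "$pattern" || true
}

# Print the expansion, then the counts of 3DES ciphers (still allowed by the
# tutorial's RSA+3DES entry) and of RC4/MD5/NULL ciphers (excluded by it).
# Returns non-zero if anything from the second group shows up.
audit_suite() {
    local suite="$1"
    expand_suite "$suite"
    echo "ciphers enabled:       $(suite_size "$suite")"
    echo "3DES ciphers:          $(count_weak "$suite" 'DES-CBC3')"
    echo "RC4/MD5/NULL ciphers:  $(count_weak "$suite" 'RC4|MD5|NULL')"
    [ "$(count_weak "$suite" 'RC4|MD5|NULL')" -eq 0 ]
}

audit_suite "$APACHE_SUITE"
```

Reading the expansion is the quickest way to notice that a later `!` rule cancels something listed earlier, or that an entry such as RSA+3DES still leaves 3DES ciphers enabled; the counts at the end are what a reviewer would compare before and after editing the string.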

Check the validity of the configuration:

# httpd -t
Syntax OK

Restart the Apache webserver:

# apachectl restart

If an error occurs, check the /var/log/httpd/error_log and /var/log/httpd/ssl_error_log files.

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:443                   is a NameVirtualHost
         default server www.mydomain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.mydomain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.mydomain.com (/etc/httpd/conf.d/ssl.conf:56)

Nginx Configuration

Install the Nginx package:

# yum install epel-release
# yum install nginx

Activate at boot time and start the service:

# systemctl enable nginx && systemctl start nginx

Create the /etc/nginx/conf.d/mydomain.conf file and paste the following lines:

server {
    listen 443 default_server ssl;
    server_name www.mydomain.com;
    root /var/www/html;
    index index.html index.htm index.php;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5:!kEDH;

    error_log /var/log/nginx/mydomain-error_log warn;
    access_log /var/log/nginx/mydomain-access_log main;

    location / {
        try_files $uri $uri/ /index.php?$args;

        # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    }

    # deliver a static 404
    error_page 404 /404.html;
    location /404.html {
        internal;
    }

    # deliver 404 instead of 403 "Forbidden"
    error_page 403 = 404;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

Nginx has no separate directive for the CA chain: the file given to ssl_certificate must contain the website certificate itself first, followed by the CA bundle:

# cd /etc/pki/tls/certs
# cat mydomain.com.crt bundle.crt > chained.crt
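Both chain files built in this tutorial, bundle.crt for Apache's SSLCACertificateFile and chained.crt for Nginx's ssl_certificate, can be checked before either web server is restarted. The following is an added example, not code from the original tutorial: it builds a throw-away root CA, an intermediate CA and a wildcard server certificate so that it runs offline, assembles the two files exactly as the tutorial does, and verifies the chain, the order of chained.crt and the key/certificate match. The domain example.com, the CA names, the 30-day lifetimes and all function names are this example's assumptions; nothing here talks to AlphaSSL.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: build a throw-away root CA,
# intermediate CA and wildcard server certificate, assemble bundle.crt (the
# Apache SSLCACertificateFile) and chained.crt (the Nginx ssl_certificate) the
# same way the tutorial does, and verify both before any web server is
# restarted. All names, the domain example.com and the 30-day lifetimes are
# assumptions; nothing here talks to AlphaSSL.
set -eu

# Self-signed root CA, then an intermediate CA signed by it. Both get explicit
# basicConstraints so openssl verify accepts them as CAs.
make_test_cas() {
    local dir="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/root.ext" -out "$dir/root_ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/int.csr" -CA "$dir/root_ca.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/int.ext" \
        -out "$dir/alphassl_ca.pem" 2>/dev/null
}

# Wildcard server key + CSR, signed by the intermediate. The subjectAltName is
# what browsers actually match against; the CN alone is no longer enough.
make_server_cert() {
    local dir="$1" domain="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.$domain" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$dir/srv.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/$domain.csr" -CA "$dir/alphassl_ca.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/srv.ext" \
        -out "$dir/$domain.crt" 2>/dev/null
}

# bundle.crt  = root + intermediate        (Apache: SSLCACertificateFile)
# chained.crt = server cert, then bundle   (Nginx: ssl_certificate)
assemble_chains() {
    local dir="$1" domain="$2"
    cat "$dir/root_ca.pem" "$dir/alphassl_ca.pem" > "$dir/bundle.crt"
    cat "$dir/$domain.crt" "$dir/bundle.crt" > "$dir/chained.crt"
}

# Does the certificate chain up to the given CA file? Trying this with only
# root_ca.pem shows why the intermediate must be part of the bundle.
verify_chain() {
    local cafile="$1" crt="$2"
    openssl verify -CAfile "$cafile" "$crt" 2>&1 | grep -q ': OK$'
}

# Nginx takes the first certificate in ssl_certificate as the server's, so the
# order in chained.crt matters: report the CN of the first certificate.
first_cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The key configured next to the certificate must be the one it was issued
# for: compare the public-key digests.
key_matches_cert() {
    local key="$1" crt="$2" k c
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Stand-alone run in a scratch directory.
demo() {
    local dir; dir=$(mktemp -d)
    make_test_cas "$dir"
    make_server_cert "$dir" example.com
    assemble_chains "$dir" example.com
    verify_chain "$dir/bundle.crt" "$dir/example.com.crt" && echo "chain verifies against bundle.crt"
    verify_chain "$dir/root_ca.pem" "$dir/example.com.crt" || echo "root alone is not enough: intermediate missing"
    echo "first certificate in chained.crt: $(first_cert_cn "$dir/chained.crt")"
    key_matches_cert "$dir/example.com.key" "$dir/example.com.crt" && echo "key matches certificate"
    rm -rf "$dir"
}

demo
```

On the real server the same three checks apply with the real files: openssl verify -CAfile bundle.crt mydomain.com.crt must answer OK, the first certificate in chained.crt must be the one for *.mydomain.com, and the public key in mydomain.com.crt must match mydomain.com.key. A chain missing its intermediate typically works in a browser that already cached the intermediate and fails in every other client, which is why the offline check is worth doing before the restart.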

Two options:

  • If you bought a wildcard SSL certificate, edit the /etc/nginx/nginx.conf and paste the following lines in the http stanza (this way, you will be able to use the wildcard SSL certificate with all the *.mydomain.com virtual servers):
    ssl_certificate /etc/pki/tls/certs/chained.crt;
    ssl_certificate_key /etc/pki/tls/private/mydomain.com.key;
  • If you purchased a standard SSL certificate, edit the /etc/nginx/conf.d/mydomain.conf file and paste the following lines in the server stanza:
    ssl_certificate /etc/pki/tls/certs/chained.crt;
    ssl_certificate_key /etc/pki/tls/private/mydomain.com.key;

Check the validity of the configuration:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx webserver:

# systemctl restart nginx

If an error occurs, check the /var/log/nginx/error.log and /var/log/nginx/mydomain-error_log files.

Time to Test

If you are confident in your settings, it is now time to test them.
The company SSL Labs provides the perfect tool for that.

Troubleshooting

If you need to troubleshoot the configuration, use the following command:

# openssl s_client -connect localhost:443 -state

Additional Resources

You can go to the Apache TLS configuration page to get some additional tips.
You can also read these pages about optimal cipher configuration, strong ciphers on Nginx and 100% Qualys SSL Test A+.
The www.nginxtips.com website provides a tutorial about Hardening Nginx SSL/TLS Configuration.
Bjorn Johansen’s website is full of useful information about Nginx configuration.
You can also have a look at this interesting survey about the complexity of deploying HTTPS.
SSL Labs provide their SSL and TLS Deployment Best Practices.
Daniel Aleksandersen wrote an article about Allowing OCSP stapling in Apache Web Server with SELinux policies.
The official Red Hat knowledgebase provides an article about Securing Apache/mod_ssl with SSL/TLS on RHEL7.
