Published: Wed 25 January 2023
Updated: Fri 19 April 2024
By Don Cohoon
In linux.
tags: security web
Web Certificate
Web certificates let a server prove its identity and encrypt the messages exchanged with it over the public internet, so nobody in between can see what those messages contain.
Let's Encrypt - Certificate Authority (CA)
Let's Encrypt offers free 90-day SSL/TLS certificates, so you can serve https:// (encrypted page bodies) instead of http:// plain text over the internet. Certbot is the client used to obtain and renew certificates from the Let's Encrypt CA.
Reference: https://letsencrypt.org/
Certbot - Certificate Robot
Certbot is a tool plus a systemd timer that watches for expiring certificates and notifies you by e-mail. It can also perform a dry-run renewal, the real renewal, and the matching configuration changes in your Apache or Nginx web server.
Reference: https://certbot.eff.org/
Install
sudo apt-get install certbot
Get a certificate and update the Apache configuration: just follow the prompts, entering your host + domain name.
Instructions: https://certbot.eff.org/instructions
Schedule
The install creates a systemd timer that checks for expiration and, hopefully, e-mails you a warning 30 days before your 90-day certificate expires.
$ sudo systemctl list-timers | grep certbot
Mon 2022-08-29 15:46:31 EDT 4h 16min left Mon 2022-08-29 06:38:15 EDT 4h 52min ago certbot.timer certbot.service
Renewal is done on web host
I wrapped the certbot updater in a script to remind me of the various steps and of the places the certificate is used. I do not normally keep port 80 open, and the firewall blocks malicious hosts, so I disable both for a few minutes while the update runs.
File: ~/linux/certbot.sh
#!/bin/bash
#---------------------------------------------
# Change port forwarding on router
#---------------------------------------------
#
echo "REMINDER: Open port 80 on ROUTER first!"
read ans
#
#---------------------------------------------
# Disable firewall
#---------------------------------------------
#
echo "Disabling firewall"
sudo ufw disable
#
#---------------------------------------------
# Automatic renewal
#---------------------------------------------
#
read -p "Dry-run [y]: " reply
reply=${reply:-y}   # default to a dry run when the answer is empty
echo "$reply"
if [[ $reply == "y" ]] ; then
sudo certbot renew --expand --dry-run
else
sudo certbot renew --expand
fi
#
#---------------------------------------------
# Check certbot service timer is running
#---------------------------------------------
#
sudo systemctl list-timers| grep certbot
##NEXT LEFT LAST PASSED UNIT
##Sat 2019-12-28 13:31:07 EST 7h left Sat 2019-12-28 01:26:25 EST 4h 37min ago certbot.timer
#
#---------------------------------------------
# Enable firewall
#---------------------------------------------
#
echo "Enabling firewall"
sudo ufw enable
#
#---------------------------------------------
# Copy to mail for its dovecot (e-mail) service
#---------------------------------------------
#
read -p "copy to mail [y]: " reply
reply=${reply:-y}   # default to copying when the answer is empty
echo "$reply"
if [[ $reply == "y" ]] ; then
./copy-cert-to-mail.sh
fi
#
#---------------------------------------------
# Change port forwarding on router
#---------------------------------------------
#
echo "REMINDER: Close port 80 on ROUTER now!"
read ans
#
#---------------------------------------------
# Restart matrix-synapse to pick up new certs
#---------------------------------------------
#
echo "NOTE: Restarting matrix-synapse service"
sudo systemctl restart matrix-synapse
#
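The copy-to-mail and restart steps above are done by hand each time. Certbot can run them itself: every executable in /etc/letsencrypt/renewal-hooks/deploy/ is run after a successful renewal with RENEWED_LINEAGE set to the live directory of the renewed certificate (for example /etc/letsencrypt/live/example.com). The hook below is an added example, not the post's own certbot.sh or copy-cert-to-mail.sh; the destination directory MAIL_CERT_DIR and the service list are placeholders, and it assumes the mail service runs on the same host.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook that copies the
# renewed lineage and restarts the services that still hold the old certificate.
# Install as /etc/letsencrypt/renewal-hooks/deploy/copy-and-restart.sh (chmod 755).
# Assumptions: MAIL_CERT_DIR is a hypothetical destination; SERVICES is our own list.

MAIL_CERT_DIR=${MAIL_CERT_DIR:-/etc/dovecot/private/letsencrypt}   # hypothetical path
SERVICES=${SERVICES:-"apache2 dovecot matrix-synapse"}             # units reading the files

# copy_lineage SRC_DIR DEST_DIR -> copy fullchain.pem (0644) and privkey.pem (0600) into DEST_DIR
copy_lineage() {
    src=$1; dest=$2
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || {
        echo "copy_lineage: $src has no fullchain.pem/privkey.pem" >&2; return 1; }
    mkdir -p "$dest"
    # the chain is public; the private key must stay readable by root only
    install -m 0644 "$src/fullchain.pem" "$dest/fullchain.pem"
    install -m 0600 "$src/privkey.pem"   "$dest/privkey.pem"
}

# restart_services UNIT... -> restart each unit that is currently active so it re-reads the files
restart_services() {
    for unit in "$@"; do
        if systemctl is-active --quiet "$unit"; then
            echo "restarting $unit"
            systemctl restart "$unit"
        fi
    done
}

# deploy_hook -> entry point certbot calls; refuses to run without RENEWED_LINEAGE
deploy_hook() {
    [ -n "${RENEWED_LINEAGE:-}" ] || {
        echo "RENEWED_LINEAGE not set; this script is meant to be run by certbot" >&2; return 1; }
    copy_lineage "$RENEWED_LINEAGE" "$MAIL_CERT_DIR" || return 1
    restart_services $SERVICES
}

# Act only when certbot invoked us (it exports RENEWED_LINEAGE); sourcing the file is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Because certbot.sh closes port 80 and re-enables ufw only after `certbot renew` returns, the hook still runs inside that window; the manual reminders in certbot.sh then only need to cover the router.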
Apache - Web Server for Nextcloud
Certbot will probably add the SSLCertificateFile and SSLCertificateKeyFile lines to the Apache virtual host entry.
Check that Strict-Transport-Security is set, to force http to https conversions. The max-age[1] of 31536000 seconds is 365 days; the cached policy expires after that. Adjust if desired.
File: /etc/apache2/sites-enabled/nextcloud.conf
~
# Don - begin
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;"
SSLEngine on
# Don certbot
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
~
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
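To confirm the header actually reaches browsers after Apache is restarted, the check below parses a Strict-Transport-Security line and verifies the two things the configuration above sets: a max-age of at least 31536000 and includeSubDomains. It is an added example, not part of the original post; the sample header lines are constructed, the MIN_AGE threshold is our own, and `check_live_hsts` assumes curl is installed.

```shell
#!/bin/sh
# Added example (not from the original post): validate an HSTS response header.
# MIN_AGE mirrors the 31536000 seconds set in the Apache virtual host.
MIN_AGE=31536000

# _hsts_directives HEADER_LINE -> one lower-cased directive per line, header name removed
_hsts_directives() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed 's/^strict-transport-security:[[:space:]]*//' \
        | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# hsts_max_age HEADER_LINE -> prints the max-age integer, nothing if absent
hsts_max_age() {
    _hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# hsts_has_directive HEADER_LINE NAME -> 0 if the directive is present (case-insensitive)
hsts_has_directive() {
    _hsts_directives "$1" | grep -qx "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# check_hsts HEADER_LINE -> 0 when max-age >= MIN_AGE and includeSubDomains is set, else 1
check_hsts() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] || { echo "HSTS: max-age missing"; return 1; }
    if [ "$age" -lt "$MIN_AGE" ]; then
        echo "HSTS: max-age $age is below $MIN_AGE"; return 1
    fi
    if ! hsts_has_directive "$1" includeSubDomains; then
        echo "HSTS: includeSubDomains missing"; return 1
    fi
    echo "HSTS: ok (max-age=$age, includeSubDomains)"
}

# check_live_hsts HOST -> fetch https://HOST/ response headers with curl and check them
check_live_hsts() {
    line=$(curl -sI "https://$1/" | grep -i '^strict-transport-security:' | tr -d '\r' | head -n 1)
    [ -n "$line" ] || { echo "HSTS: header not sent by $1"; return 1; }
    check_hsts "$line"
}

# Constructed sample header lines (not captured from a real server):
SAMPLE_GOOD='Strict-Transport-Security: max-age=31536000; includeSubDomains;'
SAMPLE_WEAK='Strict-Transport-Security: max-age=300'

if [ $# -gt 0 ]; then
    check_live_hsts "$1"
fi
```

Run it as `sh hsts_check.sh www.example.com` after restarting Apache; a missing header usually means the `Header` line sits in the wrong virtual host or mod_headers is not enabled.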
Dovecot - Server for E-Mail Clients
If you have the Dovecot mail server installed, the same certificate enables IMAPS (Internet Message Access Protocol Secure), basically SSL/TLS for e-mail, so mail is encrypted over the network.
File: /etc/dovecot/conf.d/10-ssl.conf
~
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# Don - begin
# ssl_cert = </etc/dovecot/private/dovecot.pem
# ssl_key = </etc/dovecot/private/dovecot.key
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
# Don - end
~
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
ssl_client_ca_dir = /etc/ssl/certs
~
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
Matrix - Messaging Server
If you have the Matrix messaging server (Synapse) installed, point it at the same certificate so client connections are encrypted.
File: /etc/matrix-synapse/homeserver.yaml
grep letsencrypt /etc/matrix-synapse/homeserver.yaml
tls_certificate_path: "/etc/letsencrypt/live/example.com/fullchain.pem"
tls_private_key_path: "/etc/letsencrypt/live/example.com/privkey.pem"
Verify Certificate
This script is good to run before and after the certbot update to view the begin/end validity dates of your certificate. It confirms everything went well and that the certificates are in the expected location.
File: ~/linux/cert_expire.sh
#!/bin/bash
# ----------------------------------------------------------------------
#
# File: cert_expire.sh
#
# Purpose: See what the expiration date is for Let's Encrypt Certificate
#
#
# s_client : The s_client command implements a generic SSL/TLS client
# which connects to a remote host using SSL/TLS.
# -servername $DOM : Set the TLS SNI (Server Name Indication) extension
# in the ClientHello message to the given value.
# -connect $DOM:$PORT : This specifies the host ($DOM) and optional
# port ($PORT) to connect to.
# x509 : Run certificate display and signing utility.
# -noout : Prevents output of the encoded version of the certificate.
# -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
#
# Don Cohoon - Jan 2023
# ----------------------------------------------------------------------
#
#
if [ $# -gt 0 ] ; then
    A="$1"
else
    echo "1) E-Mail"
    echo "2) File"
    echo "3) Web"
    echo "4) Local"
    read A
fi
# </dev/null closes s_client's stdin so it exits after the handshake instead of waiting for input
case "$A" in
    1)
        echo "REMINDER: Restart dovecot to enable new certs"
        echo "=> E-Mail Certificate"
        openssl s_client -connect mail.example.com:25 -starttls smtp </dev/null 2>/dev/null | openssl x509 -noout -dates
        ;;
    2)
        echo "=> File Certificate"
        sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/example.com/fullchain.pem
        ;;
    3)
        echo "REMINDER: Restart apache2 and nginx to enable new certs"
        echo "=> www.example.com Certificate"
        openssl s_client -servername example.com -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
        ;;
    4)
        echo "REMINDER: Restart apache2 and nginx to enable new certs"
        echo "=> Local Web Certificate"
        openssl s_client -connect localhost:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
        ;;
    *)
        echo "Unknown choice: $A" >&2
        exit 1
        ;;
esac
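The script above prints the raw notBefore/notAfter lines; deciding whether a renewal is overdue is left to the reader. The added example below (not part of the original post) turns the `notAfter=` line that `openssl x509 -noout -dates` emits into a count of days remaining and compares it against the 30-day window in which certbot renews a 90-day certificate. It assumes GNU date (`date -d`, as on Debian/Ubuntu); the sample date is constructed, and RENEW_WITHIN is our own threshold.

```shell
#!/bin/sh
# Added example (not from the original post): days-until-expiry from a notAfter= line,
# with an OK / RENEW / EXPIRED verdict. Assumes GNU date; the sample below is constructed.
RENEW_WITHIN=30   # certbot's renewal window for 90-day Let's Encrypt certificates

# expiry_epoch NOTAFTER_LINE -> epoch seconds of the notAfter timestamp
expiry_epoch() {
    stamp=${1#notAfter=}              # e.g. "Apr 25 23:59:59 2024 GMT"
    date -u -d "$stamp" +%s
}

# days_until_expiry NOTAFTER_LINE [NOW_EPOCH] -> whole days left (negative once expired)
days_until_expiry() {
    now=${2:-$(date -u +%s)}          # NOW_EPOCH is injectable so the result is reproducible
    exp=$(expiry_epoch "$1") || return 1
    echo $(( (exp - now) / 86400 ))
}

# cert_status NOTAFTER_LINE [NOW_EPOCH] -> prints the verdict; returns 0 OK, 1 RENEW, 2 EXPIRED
cert_status() {
    days=$(days_until_expiry "$1" "$2") || return 3
    if [ "$days" -lt 0 ]; then
        echo "EXPIRED ($days days)"; return 2
    fi
    if [ "$days" -lt "$RENEW_WITHIN" ]; then
        echo "RENEW ($days days left, inside the $RENEW_WITHIN-day window)"; return 1
    fi
    echo "OK ($days days left)"
}

# check_cert_file PEM_PATH -> verdict for an on-disk certificate (needs openssl)
check_cert_file() {
    line=$(openssl x509 -noout -enddate -in "$1") || return 3
    cert_status "$line"
}

# check_remote_cert HOST [PORT] -> verdict for the certificate a live TLS endpoint presents
check_remote_cert() {
    port=${2:-443}
    line=$(openssl s_client -servername "$1" -connect "$1:$port" </dev/null 2>/dev/null \
           | openssl x509 -noout -enddate) || return 3
    cert_status "$line"
}

# Constructed sample line (not a real certificate's date):
SAMPLE_NOTAFTER='notAfter=Apr 25 23:59:59 2024 GMT'

if [ $# -gt 0 ]; then
    check_cert_file "$1"      # e.g. sh cert_days.sh /etc/letsencrypt/live/example.com/fullchain.pem
fi
```

Comparing `check_cert_file` on the live directory with `check_remote_cert` on www.example.com catches the case the reminders in cert_expire.sh warn about: a renewed file on disk while Apache or Dovecot is still serving the old certificate.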
Continue
Now that you have set up a certificate for your new server, consider installing some Network Attached Storage.
Proceed in the order presented; some steps depend on earlier setups.