Enabling SSL

Nowadays getting an SSL certificate is pretty affordable, and I thought it was time to get one. In this post I will take you through the procedure of getting and installing one. Let's keep it interesting and imagine we want to do the same for our new awesome domain, lovingsystemd.com.

Create a certificate request

In order to get a certificate we need to create a certificate signing request (CSR). Basically this request contains all the information regarding the domain we want the certificate for. There are some important things here:

Also, you should know that www.lovingsystemd.com and lovingsystemd.com are two different names as far as the certificate is concerned.

Let's get started and generate a CSR for our new domain.

$ openssl req -newkey rsa:2048 -nodes -keyout lovingsystemd.com.key -out lovingsystemd.com.csr
Generating a 2048 bit RSA private key
........................................+++
.........................................+++
writing new private key to 'lovingsystemd.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Madrid
Locality Name (eg, city) []:Madrid
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Geek on the road
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:lovingsystemd.com
Email Address []:admin@lovingsystemd.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: xxxxxx
An optional company name []:

You may notice the challenge password. This is different from the passphrase you would use to protect the private key. In this case we don't put a passphrase on the key (that is what -nodes does) because the server would prompt for it every time the service is restarted.
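As an added example (my own code, not the post's), here is the same CSR produced non-interactively, with a subjectAltName that covers both lovingsystemd.com and www.lovingsystemd.com, since those are two different names to a certificate. The DN values mirror the interactive session above. It assumes the openssl command-line tool; the helper names make_csr, csr_names, csr_signature_ok and csr_matches_key are mine. It goes a step beyond the post by checking that the CSR was really signed with the key written next to it, which is the cheapest way to catch a wrong -keyout path before paying for the certificate.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI.
set -eu

# make_csr DOMAIN KEYFILE CSRFILE
# Writes an unencrypted RSA-2048 key (the post's -nodes) and a CSR whose
# subjectAltName lists both the bare domain and its www. variant. The DN
# fields are the ones typed interactively above; prompt=no makes this
# usable from scripts.
make_csr() {
    domain=$1; key=$2; csr=$3
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C            = ES
ST           = Madrid
L            = Madrid
O            = Geek on the road
CN           = $domain
emailAddress = admin@$domain

[ v3_req ]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$key" -out "$csr" >/dev/null 2>&1
    rm -f "$cfg"
}

# csr_names CSRFILE: print the DNS names the request asks for, one per line.
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# csr_signature_ok CSRFILE: the request's own signature must verify, which
# also proves the file was not mangled on its way to the provider.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSRFILE KEYFILE: compare the public key embedded in the
# CSR with the one derived from the private key; a mismatch means the CSR
# and the key on disk come from different runs.
csr_matches_key() {
    from_csr=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$from_csr" = "$from_key" ]
}

# Usage (hypothetical file name):
#   . ./make_csr.sh
#   make_csr lovingsystemd.com lovingsystemd.com.key lovingsystemd.com.csr
#   csr_names lovingsystemd.com.csr && csr_matches_key lovingsystemd.com.csr lovingsystemd.com.key
```

Keep the Common Name in the subject as well as in the SAN: browsers only look at the SAN, but many providers still read the CN from the request.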

Get an SSL certificate

There are a bunch of options, but in the end I got mine from Namecheap. If you have any trouble, take a look at the excellent resource from DigitalOcean [1] on how to proceed and get yours.

Verify your certificates

At this point you should have an e-mail with two certificates embedded as plain text. Now you need to copy those into two different files. To save some time later, check that neither certificate prompts an error:

$ openssl x509 -in lovingsystemd.crt -text -noout
unable to load certificate
1103315939110079:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:

This happens when a stray character was copied into the file along with the certificate. If either file prompts an error, the web server will not start.

$ openssl x509 -in intermediate.crt -text -noout

At this point you have to chain both certificates. I recommend you follow the instructions from your provider exactly and nothing else.

$ cat intermediate.crt >> lovingsystemd.crt
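As an added example (my own code, not the post's), here are the checks I would script around the two copied files before the cat step: that each one parses, that the leaf really belongs to the key generated earlier, that the leaf chains to a root through the intermediate, and that the combined file has the leaf first, which is the order nginx needs for ssl_certificate. It assumes the openssl CLI; the function names are mine. make_test_pki builds a constructed throwaway root, intermediate and leaf so the checks can be exercised offline; that part is test scaffolding, not something you do with a real certificate.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI.
set -eu

# pem_ok FILE: succeeds only if FILE parses as a PEM certificate. A stray
# character pasted from the mail client shows up here as "bad base64 decode",
# the same error the post shows.
pem_ok() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# cert_matches_key CERT KEY: succeeds if CERT carries the public half of KEY.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# chain_ok LEAF INTERMEDIATE ROOT: LEAF must chain to ROOT through INTERMEDIATE.
chain_ok() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# build_chain LEAF INTERMEDIATE OUT: what the post's cat does, but only after
# both inputs parse, and always in the order nginx expects (leaf first).
build_chain() {
    pem_ok "$1" && pem_ok "$2" && cat "$1" "$2" > "$3"
}

# chain_leaf_first CHAINFILE DOMAIN: openssl x509 reads only the first
# certificate in a file, so this fails if the intermediate ended up on top.
chain_leaf_first() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# make_test_pki DIR: constructed throwaway root -> intermediate -> leaf, so the
# checks above can be exercised offline. Not a real CA and not the post's data.
make_test_pki() {
    d=$1
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        '[ dn ]' 'CN = Constructed Root' \
        '[ ca_ext ]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$d/ca.cnf"
    # self-signed root
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -extensions ca_ext -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
    # intermediate: CSR signed by the root, with CA extensions
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Constructed Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions ca_ext \
        -out "$d/intermediate.crt" >/dev/null 2>&1
    # leaf: the server certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=lovingsystemd.com" \
        -keyout "$d/lovingsystemd.com.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/lovingsystemd.crt" >/dev/null 2>&1
}

# Usage with real files (the root comes from the provider's bundle or the
# system trust store; path is hypothetical):
#   pem_ok lovingsystemd.crt && pem_ok intermediate.crt \
#   && cert_matches_key lovingsystemd.crt lovingsystemd.com.key \
#   && chain_ok lovingsystemd.crt intermediate.crt /path/to/provider-root.crt \
#   && build_chain lovingsystemd.crt intermediate.crt chained.crt \
#   && chain_leaf_first chained.crt lovingsystemd.com
```

The order check matters because nginx reads the first certificate in ssl_certificate as the server certificate; an intermediate on top makes the server present the wrong certificate, and that is invisible in the local openssl x509 test above if you only run it on the separate files.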

Install certificate

I run nginx, so here is the configuration for the website lovingsystemd.com:

server {
    listen 80;
    server_name lovingsystemd.com;
    rewrite ^/(.*) https://lovingsystemd.com/$1 permanent;
}
server {
    server_name lovingsystemd.com;
    listen 443 ssl;

    # Chained certificate (leaf first, then the intermediate) and its key
    ssl_certificate /opt/nginx/ssl/lovingsystemd.crt;
    ssl_certificate_key /opt/nginx/ssl/lovingsystemd.com.key;

    # Options for better grading on SSL tests.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_dhparam /opt/nginx/ssl/dhparam.pem;
}

I re-ran the SSL Labs test after each small modification. That way I could see how the grade changed and what the remaining problem was. I think this was a good approach. Check your grade in SSL Labs.

References

[1] Installing SSL certificates - DigitalOcean

[2] Strong SSL security - raymii.org

[3] Setting HSTS in Nginx - Scott Helme