To remove password from SSL private key, run
|
1 |
openssl rsa -in PASSWORD_PROTECTED.key -out NO_PASSWORD.key |
This will ask for password. Once you enter password, key get saved with out password.
Convert SSL certificate into PFX format
To convert SSL certficiate into PFX format, run
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey private-key.key -in certificate.crt -certfile ca-certificate.crt |
Example for SSL from namecheap/ssls
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey serverok_in_key.txt -in serverok.in/serverok.in.crt -certfile serverok.in/serverok.in.ca-bundle |
Purchase SSL
Here are some cheap SSL providers
- https://www.sslforfree.com/
- https://zerossl.com
- https://www.ssls.com/
- https://www.gogetssl.com
- https://www.namecheap.com/security/ssl-certificates/comodo/
See SSL
Nginx Proxy SSL Verification
When using Nginx as reverse proxy, you may need to handle SSL verification request. Passing this request to backend server may not do any good as back end servers normally only handle application.
To hanlde SSL validation request, use following Nginx Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
server { listen 80; server_name YOUR-DOMAIN.EXTN www.YOUR-DOMAIN.EXTN; location ^~ /.well-known/acme-challenge/ { root /var/www/html; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_pass http://127.1.2.1:4200; } } |
Now restart Nginx
|
1 |
service nginx restart |
You can get SSL with following letsencrypt command
|
1 |
certbot --authenticator webroot --webroot-path /var/www/html --installer nginx -d DOMAIN.EXTN -d www.DOMAIN.EXTN |
If you have a redirect to HTTPS in your nginx server block, use something like
|
1 2 3 4 5 6 7 8 9 10 11 12 |
server { listen 80; server_name YOUR-DOMAIN.EXTN www.YOUR-DOMAIN.EXTN; location ^~ /.well-known/acme-challenge/ { root /var/www/html; } location / { return 301 https://DOMAIN.EXTN$request_uri; } } |
See LetsEncrypt, Nginx
Create SSL pem file
To make .pem file from SSL certificate, run
|
1 |
cat yourdomain.key yourdomain.crt yourdomain.ca-bundle > yourdomain.pem |
Here is the format
|
1 2 3 4 5 6 7 8 9 |
-----BEGIN RSA PRIVATE KEY----- (Private Key: domain_name.key contents) -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- (Primary SSL certificate: domain_name.crt contents) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Intermediate certificate: certChainCA.crt contents) -----END CERTIFICATE---- |
ssls/namecheap SSL example
|
1 |
cat domain_com_key.txt domain.com/domain.com.crt domain.com/domain.com.ca-bundle > ssl.pem |
Verify SSL Key matches with Private Key
To verify if SSL key match with the private Key, run following commands and compare resulting hash, it should match if SSL and Keys are matching.
Verify Private Key
|
1 |
openssl rsa -modulus -noout -in MY_DOMAIN.key | sha256sum |
Verify SSL
|
1 |
openssl x509 -modulus -noout -in MY_DOMAIN.crt | sha256sum |
Verify CSR
|
1 |
openssl req -modulus -noout -in MY_DOMAIN.csr | sha256sum |
Amazon Linux Invalid command SSLEngine
On Amazon Linux, when restarting Apache server, i get error
|
1 2 3 4 5 6 |
[root@ip-172-16-20-44 conf.d]# service httpd restart Stopping httpd: [ OK ] Starting httpd: AH00526: Syntax error on line 5 of /etc/httpd/conf.d/sendy.mayflower.com.my-le-ssl.conf: Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration [FAILED] [root@ip-172-16-20-44 conf.d]# |
This is because SSL module was not installed on the server. To fix, run
|
1 |
sudo yum install -y mod24_ssl |
See ssl
Nginx Curl SSL error
After installing SSL on Nginx server, it worked on browser, but when i try access using curl command, i get error
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# curl https://serverok.in curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. # |
This is fixed by adding ca-bundle to .crt file.
The cert file should be in following format
YOUR_DOMAIN.crt
YOUR_DOMAIN.ca-bundle
This can be done with
|
1 |
cat YOUR_DOMAIN.crt YOUR_DOMAIN.ca-bundle > YOUR_DOMAIN.ssl |
Now use YOUR_DOMAIN.ssl as your ssl certificate in nginx.
|
1 2 3 |
ssl on; ssl_certificate /etc/ssl/YOUR_DOMAIN.ssl; ssl_certificate_key /etc/ssl/YOUR_DOMAIN.key; |
SSL
- https://serverok.in/redirect
- Letsencrypt
- self signed ssl
- Amazon Linux Invalid command SSLEngine
- Apache SSL
- Verify SSL Key matches with Private Key
- Disable TLSv1 in Nginx
- ssl checker
- Purchase SSL
- Convert SSL certificate into PFX format
- Remove SSL private key password
View SSL details from command line
|
1 |
openssl s_client -showcerts -connect serverok.in:443 |
Ca Bundle
SSL Tools
Letsencrypt
Install letsencrypt
|
1 2 |
wget https://raw.githubusercontent.com/serverok/server-setup/master/install/letsencrypt.sh sh ./letsencrypt.sh |
OR
|
1 2 3 4 |
cd /usr/bin wget https://dl.eff.org/certbot-auto chmod a+x /usr/bin/certbot-auto mv /usr/bin/certbot-auto /usr/bin/certbot |
Install SSL certificate on Apache
|
1 |
certbot --authenticator webroot --webroot-path <path to served directory> --installer apache --agree-tos --email admin@serverok.in -d YOUR-DOMAIN.EXT -d www.YOUR-DOMAIN.EXT |
On Nginx
|
1 |
certbot --authenticator webroot --webroot-path <path to served directory> --installer nginx --agree-tos --email admin@serverok.in -d YOUR-DOMAIN.EXT -d www.YOUR-DOMAIN.EXT |
This will stop web server. Generate SSL, then start web server.
Getting SSL with out web server
Domain should be pointed to the server IP and IP should be public to generate SSL. Run following command.
|
1 |
certbot certonly --standalone -d YOUR-DOMAIN.EXT |
Auto Renew SSL Certificate
Set following cronjob to auto renew SSL
|
1 |
crontab -e |
Add
|
1 |
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log |
List All SSL
|
1 |
certbot certificates |
Change Email Associated with account
|
1 |
certbot register --update-registration --email YOUR_EMAIL_HERE |
Search for LetsEncrypt SSL status
certbot certificates
Enable LetsEncrypt SSL in ISPConfig
Nginx Proxy SSL Verification