Category: SSL

certbot

Nginx Proxy SSL Verification

Install certbot

Certbot commands

Certbot SSL for Applications

Install certbot

wget https://raw.githubusercontent.com/serverok/server-setup/master/install/letsencrypt.sh
bash letsencrypt.sh

cd /usr/bin
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/bin/certbot-auto
mv /usr/bin/certbot-auto /usr/bin/certbot

Install SSL certificate on Apache

certbot --authenticator webroot --webroot-path PATH_TO_DOC_ROOT_HERE --installer apache --agree-tos --no-eff-email --email admin@serverok.in -d YOUR-DOMAIN.EXT -d www.YOUR-DOMAIN.EXT

On Nginx

certbot --authenticator webroot --webroot-path PATH_TO_DOC_ROOT_HERE --installer nginx --agree-tos  --no-eff-email --email admin@serverok.in -d YOUR-DOMAIN.EXT -d www.YOUR-DOMAIN.EXT

This will stop web server. Generate SSL, then start web server.

Getting SSL with out installing

certbot certonly --authenticator webroot --webroot-path PATH_TO_DOC_ROOT_HERE --agree-tos --email admin@serverok.in -d YOUR-DOMAIN.EXT

Getting SSL with out web server

Domain should be pointed to the server IP and IP should be public to generate SSL. Run the following command.

certbot certonly --standalone --agree-tos --no-eff-email --email admin@serverok.in -d YOUR-DOMAIN.EXT

Auto Renew SSL Certificate

Set the following cronjob to auto-renew SSL

crontab -e

Add

@weekly /usr/bin/certbot renew > /var/log/le-renew.log 2>&1

List All SSL

certbot certificates

Change the Email Associated with the account

certbot register --update-registration --email YOUR_EMAIL_HERE

Search for LetsEncrypt SSL status

https://crt.sh

LetsEncrypt Renewal file

August 11, 2022

Certbot Remove a Domain Name from SSL Certficate

On a server, I have an SSL certificate with 2 domains (doaminA.com and domainB.com)

root@Tombe:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: doaminA.com
    Domains: doaminA.com www.doaminA.com domainB.com
    Expiry Date: 2022-08-18 11:06:35+00:00 (VALID: 6 days)
    Certificate Path: /etc/letsencrypt/live/doaminA.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/doaminA.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@Tombe:~#

domainB.com no longer pointed to this server, so the SSL auto-renewal failed because certbot can’t verify the domain name domainB.com

To fix the problem, run certbot without domainB.com

certbot --cert-name domainA.com -d domainA.com -d www.doaminA.com

This will remove domainB.com from the domainA.com SSL certificate.

Example

root@Tombe:~# certbot --cert-name domainA.com -d domainA.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate domainA.com to include new domain(s):
(None)

You are also removing previously included domain(s):
- domainB.com

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: U
Renewing an existing certificate

See Letsencrypt

August 11, 2022

How to find SSL Certificate fingerprint
To view the SSL certificate fingerprint, open the website in the google chrome browser. On the browser address bar, you will see the lock icon, click on it.

Click on “Connection is secure”

Click on “Certificate is Valid”. You will see SSL Certificate details as shown below.

You will see SHA-256 and SHA-1 Fingerprint.

To find the SSL certificate fingerprint using openssl command, run

SHA-256
```
openssl x509 -noout -fingerprint -sha256 -inform pem -in  SSL_CERT_FILE.CRT
```
SHA-1
```
openssl x509 -noout -fingerprint -sha1 -inform pem -in  SSL_CERT_FILE.CRT
```
July 22, 2022
acme.sh SSL using manual DNS method
To provision SSL certificate using acme.sh with manual DNS verification method, run
```
acme.sh --issue -d DOMAIN_NAME --dns -d www.DOMAIN_NAME --yes-I-know-dns-manual-mode-enough-go-ahead-please
```
When you run this command, you will get DNS TXT entry that needed to be added to your DNS server. Login to your DNS provider, add the DNS entry, then run the following command to confirm the SSL creation.
```
acme.sh --renew -d DOMAIN_NAME -d www.DOMAIN_NAME --yes-I-know-dns-manual-mode-enough-go-ahead-please --debug
```
See acme.sh
December 15, 2021
Extracting SSL certificate from the Java Keystore (JKS)
To extract SSL certificate and private key from Keystore (JKS) file, run
```
keytool -importkeystore \
    -srckeystore keystore.jks \
    -destkeystore keystore.p12 \
    -deststoretype PKCS12
```
It will ask for the new Keystore password and current Keystore password. Once you enter the password, JKS file gets converted to P12 format.

This will include all certificates in the keystone. If you only need a specific certificate, then use
```
-srcalias NAME_HERE
```
To see all certificates in a JKS file, see List contents of jks keystore file

To extract SSL certificate (Apache format), run
```
openssl pkcs12 -in keystore.p12  -nokeys -out cert.pem
```
To extract Private key, run
```
openssl pkcs12 -in keystore.p12  -nodes -nocerts -out key.pem
```
Back to keytool
October 19, 2021

How to enable SSL/TLS for Express.js application

For node.js applications, you can enable SSL on the application side or using Nginx or Apache running as a reverse proxy. To enable SSL for a node.js express application, use the following code.

const fs = require('fs')
const https = require('https')
const express = require('express')

var port = 3000;

var options = {
    key: fs.readFileSync('./ssl/ssl.key'),
    cert: fs.readFileSync('./ssl/ssl.crt'),
};

var app = express();

var server = https.createServer(options, app).listen(port, function(){
  console.log("Express server listening on port " + port);
});

app.get('/', function (req, res) {
    res.writeHead(200);
    res.end("hello world\n");
});

See node.js

September 1, 2021

Find expiry date for SSL certificate using openssl
To find the expiry date of an SSL certificate using openssl command, run
```
openssl x509 -noout -dates -in /path/to/domain.crt
```
Example
```
root@ok:~# openssl x509 -noout -dates -in /etc/ssl/serverok.in.crt
notBefore=Aug 16 22:37:11 2021 GMT
notAfter=Sep 17 22:37:11 2022 GMT
root@ok:~# 
```
notBefore is the start date for the SSL. notAfter is the expiry date for the SSL.

See OpenSSL
August 17, 2021

acme.sh list all SSL certificates

acme.sh is an open source bash script that makes it easy to issue free SSL certificates using LetsEcrypt and ZeroSSL.

To list all SSL certificates, use the command

acme.sh --list

Example

Acme.sh list SSL certificates

If you need to delete an SSL certficate, run command

acme.sh --remove -d DOMAIN_NAME_HERE

Example

root@ok:~# acme.sh --remove -d booctep.com
[Tue 17 Aug 2021 08:25:20 AM UTC] booctep.com is removed, the key and cert files are in /root/.acme.sh/booctep.com
[Tue 17 Aug 2021 08:25:20 AM UTC] You can remove them by yourself.
root@ok:~#

See acme.sh

August 17, 2021

ACME (acme.sh) Free SSL Certificate
ACME (acme.sh) is a shell script for generating LetsEncrypt SSL certificate. acme.sh is written in bash, so it works on any Linux server without special requirements. For getting SSL, another popular option is to use certbot.
To install, run
```
cd /usr/local/src
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m admin@serverok.in
source ~/.bashrc
```
When you install, it will set a daily cronjob for auto SSL renewal. You can see it with “crontab -l” command.

Set acme.sh to use LetsEncrypt SSL (Defaul is ZeroSSL)
```
acme.sh --set-default-ca --server letsencrypt
```
Set to ZeroSSL, run
```
acme.sh --set-default-ca --server zerossl
```
To issue an SSL certificate, run
```
acme.sh --issue -d example.com -d www.example.com -w /home/example.com/html/
```
Standalone mode (nginx)
```
acme.sh  --issue  -d example.com  --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl restart nginx"
```
Using non-standard port
```
acme.sh  --issue  -d example.com  --standalone --httpport 88
```
For more ways to issue SSL certificates, see

https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert

Install SSL Certificate

To install the SSL certificate, run
```
acme.sh --install-cert -d DOMAIN_NAME \
--fullchain-file /etc/ssl/DOMAIN_NAME.crt \
--key-file /etc/ssl/DOMAIN_NAME.key \
--reloadcmd "systemctl restart nginx"
```
For Apache
```
acme.sh --install-cert -d DOMAIN_NAME \
--cert-file /etc/ssl/DOMAIN_NAME.crt \
--key-file /etc/ssl/DOMAIN_NAME.key \
--fullchain-file /etc/ssl/DOMAIN_NAME.ca \
--reloadcmd "service apache2 force-reload"
```
If you use Apache, replace “service nginx force-reload” with “service apache2 force-reload”. For CentOS/RHEL, use httpd instead of apache2.

You can find how to enable SSL on Nginx server at Configure Nginx Server with SSL, For Apache web server, see Configure Apache Webserver with SSL

See LetsEncrypt
July 20, 2021
Create dhparam.pem
To generate dhparam.pem, run
```
cd /etc/ssl/
openssl dhparam -out dhparam.pem 4096
```
To add dhparam in Nginx, add
```
ssl_dhparam /etc/ssl/dhparam.pem;
```
See SSL
February 11, 2021
Enable SSL for a site in EasyEngine
To enable LetsEncrypt SSL for a web site hosted in EasyEngine server, run
```
ee site update SITE_NAME_HERE --ssl=le
```
Example

See EasyEngine
January 31, 2021
Install LetsEncrypt in CentOS 7
certbot deprecated support for CentOS 7, so new version of certbot-auto script won’t work on CentOS 7.

To install certbot (letsencrypt command line tool), run
```
yum install -y epel-release 
yum install -y python2-certbot.noarch
```
To run it, use command
```
/usr/bin/certbot-2
```
See LetsEncrypt
January 10, 2021

Category: SSL

Install certbot

Certbot commands

Certbot SSL for Applications

Install certbot

Install SSL Certificate