To change email address of LetsEncrypt SSL certficate account, run
|
1 |
certbot update_account --email you@your-domain.com |
See LetsEncrypt […]
View SSL certficate Details
To view certificate details
|
1 |
openssl x509 -text -noout -in SSL_FILE.crt |
For web server
|
1 |
openssl s_client -showcerts -connect serverok.in:443 |
IMAP via SSL
|
1 |
openssl s_client -showcerts -connect mail.yourdomain.com:993 -servername mail.yourdomain.com |
POP3 via SSL
|
1 |
openssl s_client -showcerts -connect mail.example.com:995 -servername mail.yourdomain.com |
SMTP via SSL
|
1 |
openssl s_client -showcerts -connect mail.yourdomain.com:465 -servername mail.yourdomain.com |
SMTP via TLS/StartTLS
|
1 |
openssl s_client -starttls smtp -showcerts -connect mail.yourdomain.com:25 -servername mail.yourdomain.com |
See SSL […]
Delete LetsEncrypt SSL certficate
To list all available LetsEncrypt SSL certficates, run
|
1 |
certbot certificates |
To delete a certificate, run
|
1 |
certbot delete --cert-name NAME_OF_SSL_CERT |
You can find NAME_OF_SSL_CERT from command “certbot certificates”. See LetsEncrypt […]
Remove SSL private key password
To remove password from SSL private key, run
|
1 |
openssl rsa -in PASSWORD_PROTECTED.key -out NO_PASSWORD.key |
This will ask for password. Once you enter password, key get saved with out password. […]
Convert SSL certificate into PFX format
To convert SSL certficiate into PFX format, run
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey private-key.key -in certificate.crt -certfile ca-certificate.crt |
Example for SSL from namecheap/ssls
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey serverok_in_key.txt -in serverok.in/serverok.in.crt -certfile serverok.in/serverok.in.ca-bundle |
[…]
Purchase SSL
Here are some cheap SSL providers https://www.sslforfree.com/ https://zerossl.com https://www.ssls.com/ https://www.gogetssl.com https://www.namecheap.com/security/ssl-certificates/comodo/ See SSL […]
Nginx Proxy SSL Verification
When using Nginx as reverse proxy, you may need to handle SSL verification request. Passing this request to backend server may not do any good as back end servers normally only handle application. To hanlde SSL validation request, use following Nginx Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
server { listen 80; server_name YOUR-DOMAIN.EXTN www.YOUR-DOMAIN.EXTN; location ^~ /.well-known/acme-challenge/ { root /var/www/html; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_pass http://127.1.2.1:4200; } } |
Now restart Nginx
|
1 |
service nginx restart |
You can get SSL with following letsencrypt command […]
Create SSL pem file
To make .pem file from SSL certificate, run
|
1 |
cat yourdomain.key yourdomain.crt yourdomain.ca-bundle > yourdomain.pem |
Here is the format
|
1 2 3 4 5 6 7 8 9 |
-----BEGIN RSA PRIVATE KEY----- (Private Key: domain_name.key contents) -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- (Primary SSL certificate: domain_name.crt contents) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Intermediate certificate: certChainCA.crt contents) -----END CERTIFICATE---- |
ssls/namecheap SSL example
|
1 |
cat domain_com_key.txt domain.com/domain.com.crt domain.com/domain.com.ca-bundle > ssl.pem |
[…]
Verify SSL Key matches with Private Key
To verify if SSL key match with the private Key, run following commands and compare resulting hash, it should match if SSL and Keys are matching. Verify Private Key
|
1 |
openssl rsa -modulus -noout -in MY_DOMAIN.key | sha256sum |
Verify SSL
|
1 |
openssl x509 -modulus -noout -in MY_DOMAIN.crt | sha256sum |
Verify CSR
|
1 |
openssl req -modulus -noout -in MY_DOMAIN.csr | sha256sum |
ssl […]
Amazon Linux Invalid command SSLEngine
On Amazon Linux, when restarting Apache server, i get error
|
1 2 3 4 5 6 |
[root@ip-172-16-20-44 conf.d]# service httpd restart Stopping httpd: [ OK ] Starting httpd: AH00526: Syntax error on line 5 of /etc/httpd/conf.d/sendy.mayflower.com.my-le-ssl.conf: Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration [FAILED] [root@ip-172-16-20-44 conf.d]# |
This is because SSL module was not installed on the server. To fix, run
|
1 |
sudo yum install -y mod24_ssl |
See ssl […]