certbot deprecated support for CentOS 7, so new version of certbot-auto script won’t work on CentOS 7. To install certbot (letsencrypt command line tool), run
|
1 2 |
yum install -y epel-release yum install -y python2-certbot.noarch |
To run it, use command
|
1 |
/usr/bin/certbot-2 |
See LetsEncrypt […]
To change email address of LetsEncrypt SSL certficate account, run
|
1 |
certbot update_account --email you@your-domain.com |
See LetsEncrypt […]
To view certificate details
|
1 |
openssl x509 -text -noout -in SSL_FILE.crt |
For web server
|
1 |
openssl s_client -showcerts -connect serverok.in:443 |
IMAP via SSL
|
1 |
openssl s_client -showcerts -connect mail.yourdomain.com:993 -servername mail.yourdomain.com |
POP3 via SSL
|
1 |
openssl s_client -showcerts -connect mail.example.com:995 -servername mail.yourdomain.com |
SMTP via SSL
|
1 |
openssl s_client -showcerts -connect mail.yourdomain.com:465 -servername mail.yourdomain.com |
SMTP via TLS/StartTLS
|
1 |
openssl s_client -starttls smtp -showcerts -connect mail.yourdomain.com:25 -servername mail.yourdomain.com |
See SSL […]
To list all available LetsEncrypt SSL certficates, run
|
1 |
certbot certificates |
To delete a certificate, run
|
1 |
certbot delete --cert-name NAME_OF_SSL_CERT |
You can find NAME_OF_SSL_CERT from command “certbot certificates”. See LetsEncrypt […]
To remove password from SSL private key, run
|
1 |
openssl rsa -in PASSWORD_PROTECTED.key -out NO_PASSWORD.key |
This will ask for password. Once you enter password, key get saved with out password. […]
To convert SSL certficiate into PFX format, run
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey private-key.key -in certificate.crt -certfile ca-certificate.crt |
Example for SSL from namecheap/ssls
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey serverok_in_key.txt -in serverok.in/serverok.in.crt -certfile serverok.in/serverok.in.ca-bundle |
[…]
Here are some cheap SSL providers https://www.sslforfree.com/ https://zerossl.com https://www.ssls.com/ https://www.gogetssl.com https://www.namecheap.com/security/ssl-certificates/comodo/ See SSL […]
When using Nginx as reverse proxy, you may need to handle SSL verification request. Passing this request to backend server may not do any good as back end servers normally only handle application. To hanlde SSL validation request, use following Nginx Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
server { listen 80; server_name YOUR-DOMAIN.EXTN www.YOUR-DOMAIN.EXTN; location ^~ /.well-known/acme-challenge/ { root /var/www/html; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_pass http://127.1.2.1:4200; } } |
Now restart Nginx
|
1 |
service nginx restart |
You can get SSL with following letsencrypt command […]
To make .pem file from SSL certificate, run
|
1 |
cat yourdomain.key yourdomain.crt yourdomain.ca-bundle > yourdomain.pem |
Here is the format
|
1 2 3 4 5 6 7 8 9 |
-----BEGIN RSA PRIVATE KEY----- (Private Key: domain_name.key contents) -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- (Primary SSL certificate: domain_name.crt contents) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Intermediate certificate: certChainCA.crt contents) -----END CERTIFICATE---- |
ssls/namecheap SSL example
|
1 |
cat domain_com_key.txt domain.com/domain.com.crt domain.com/domain.com.ca-bundle > ssl.pem |
[…]
To verify if SSL key match with the private Key, run following commands and compare resulting hash, it should match if SSL and Keys are matching. Verify Private Key
|
1 |
openssl rsa -modulus -noout -in MY_DOMAIN.key | sha256sum |
Verify SSL
|
1 |
openssl x509 -modulus -noout -in MY_DOMAIN.crt | sha256sum |
Verify CSR
|
1 |
openssl req -modulus -noout -in MY_DOMAIN.csr | sha256sum |
ssl […]