To remove password from SSL private key, run
|
1 |
openssl rsa -in PASSWORD_PROTECTED.key -out NO_PASSWORD.key |
This will ask for password. Once you enter password, key get saved with out password. […]
Convert SSL certificate into PFX format
To convert SSL certficiate into PFX format, run
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey private-key.key -in certificate.crt -certfile ca-certificate.crt |
Example for SSL from namecheap/ssls
|
1 |
openssl pkcs12 -export -out certificate.pfx -inkey serverok_in_key.txt -in serverok.in/serverok.in.crt -certfile serverok.in/serverok.in.ca-bundle |
[…]
Purchase SSL
Here are some cheap SSL providers https://www.sslforfree.com/ https://zerossl.com https://www.ssls.com/ https://www.gogetssl.com https://www.namecheap.com/security/ssl-certificates/comodo/ See SSL […]
Nginx Proxy SSL Verification
When using Nginx as reverse proxy, you may need to handle SSL verification request. Passing this request to backend server may not do any good as back end servers normally only handle application. To hanlde SSL validation request, use following Nginx Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
server { listen 80; server_name YOUR-DOMAIN.EXTN www.YOUR-DOMAIN.EXTN; location ^~ /.well-known/acme-challenge/ { root /var/www/html; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_pass http://127.1.2.1:4200; } } |
Now restart Nginx
|
1 |
service nginx restart |
You can get SSL with following letsencrypt command […]
Create SSL pem file
To make .pem file from SSL certificate, run
|
1 |
cat yourdomain.key yourdomain.crt yourdomain.ca-bundle > yourdomain.pem |
Here is the format
|
1 2 3 4 5 6 7 8 9 |
-----BEGIN RSA PRIVATE KEY----- (Private Key: domain_name.key contents) -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- (Primary SSL certificate: domain_name.crt contents) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Intermediate certificate: certChainCA.crt contents) -----END CERTIFICATE---- |
ssls/namecheap SSL example
|
1 |
cat domain_com_key.txt domain.com/domain.com.crt domain.com/domain.com.ca-bundle > ssl.pem |
[…]
Verify SSL Key matches with Private Key
To verify if SSL key match with the private Key, run following commands and compare resulting hash, it should match if SSL and Keys are matching. Verify Private Key
|
1 |
openssl rsa -modulus -noout -in MY_DOMAIN.key | sha256sum |
Verify SSL
|
1 |
openssl x509 -modulus -noout -in MY_DOMAIN.crt | sha256sum |
Verify CSR
|
1 |
openssl req -modulus -noout -in MY_DOMAIN.csr | sha256sum |
ssl […]
Amazon Linux Invalid command SSLEngine
On Amazon Linux, when restarting Apache server, i get error
|
1 2 3 4 5 6 |
[root@ip-172-16-20-44 conf.d]# service httpd restart Stopping httpd: [ OK ] Starting httpd: AH00526: Syntax error on line 5 of /etc/httpd/conf.d/sendy.mayflower.com.my-le-ssl.conf: Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration [FAILED] [root@ip-172-16-20-44 conf.d]# |
This is because SSL module was not installed on the server. To fix, run
|
1 |
sudo yum install -y mod24_ssl |
See ssl […]
Nginx Curl SSL error
After installing SSL on Nginx server, it worked on browser, but when i try access using curl command, i get error
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# curl https://serverok.in curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. # |
This is fixed by adding ca-bundle to .crt file. The cert file should be in following format YOUR_DOMAIN.crt YOUR_DOMAIN.ca-bundle This can be done with
|
1 |
cat YOUR_DOMAIN.crt YOUR_DOMAIN.ca-bundle > YOUR_DOMAIN.ssl |
Now use YOUR_DOMAIN.ssl as your ssl certificate in […]
SSL
SSL Life Time Reduced to 397 days https://serverok.in/redirect Letsencrypt LetsEncrypt Windows self signed ssl Amazon Linux Invalid command SSLEngine Apache SSL Verify SSL Key matches with Private Key Disable TLSv1 in Nginx ssl checker Purchase SSL Convert SSL certificate into PFX format Remove SSL private key password Delete SSL Certificate in IIS Enable TLS 1.2 […]
Letsencrypt
Install letsencrypt
|
1 2 |
wget https://raw.githubusercontent.com/serverok/server-setup/master/install/letsencrypt.sh sh ./letsencrypt.sh |
OR
|
1 2 3 4 |
cd /usr/bin wget https://dl.eff.org/certbot-auto chmod a+x /usr/bin/certbot-auto mv /usr/bin/certbot-auto /usr/bin/certbot |
Install SSL certificate on Apache
|
1 |
certbot --authenticator webroot --webroot-path <path to served directory> --installer apache --agree-tos --email admin@serverok.in -d YOUR-DOMAIN.EXT -d www.YOUR-DOMAIN.EXT |
On Nginx
|
1 |
certbot --authenticator webroot --webroot-path <path to served directory> --installer nginx --agree-tos --email admin@serverok.in -d YOUR-DOMAIN.EXT -d www.YOUR-DOMAIN.EXT |
This will stop web server. Generate SSL, then start web server. Getting SSL with out web server Domain should be pointed to the server IP and IP should be public to generate SSL. Run following command.
|
1 |
certbot certonly --standalone -d YOUR-DOMAIN.EXT |
Auto Renew SSL Certificate […]