Tag: ssl

  • Configure multiple SSL certificates in nuster

    Nuster is a high-performance HTTP proxy cache server based on haproxy.

    To configure multiple SSL certificates in nuster, first create each SSL certificate in PEM format.

    Edit nuster.cfg; you will see something like the following.

    global
        nuster cache on dir /cache
        nuster manager on uri /internal/nuster purge-method PURGEX
    frontend fe
        bind *:443 ssl crt /etc/ssl/ssl1.pem alpn h2,http/1.1
        mode http
        default_backend ssl_443
    backend ssl_443
        mode http
        nuster cache off
        nuster rule all disk on ttl 7d
        http-request set-header X-Client-IP %[src]
        server s1 128.1.2.9:443 ssl verify none

    SSL is configured in the line

        bind *:443 ssl crt /etc/ssl/ssl1.pem alpn h2,http/1.1

    To add an SSL certificate for another domain, modify the line as follows

        bind *:443 ssl crt /etc/ssl/ssl1.pem crt /etc/ssl/ssl2.pem alpn h2,http/1.1

    You can add as many SSL certificates as needed, each in the format

    crt /etc/ssl/SSL_FILE_NAME.pem

    Back to nuster

  • How to find SSL Certificate fingerprint

    To view the SSL certificate fingerprint, open the website in the Google Chrome browser. In the address bar you will see a lock icon; click on it.

    Click on “Connection is secure”

    Click on “Certificate is Valid”. You will see the SSL certificate details, including the SHA-256 and SHA-1 fingerprints.

    To find the SSL certificate fingerprint using the openssl command, run

    SHA-256

    openssl x509 -noout -fingerprint -sha256 -inform pem -in SSL_CERT_FILE.CRT

    SHA-1

    openssl x509 -noout -fingerprint -sha1 -inform pem -in SSL_CERT_FILE.CRT
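    The shell helpers below are an added example, not part of the original post: they turn the fingerprint output into a form that can be compared with the value Chrome shows or with a pinned value, and show that the fingerprint is simply SHA-256 over the certificate's DER encoding. They assume the openssl CLI is installed; HOST and the certificate file names are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI;
# certificate paths and HOST are placeholders.

# SHA-256 fingerprint as lowercase hex without colons, so it can be compared
# with values copied from Chrome ("AA:BB:...") or from a pin list.
cert_sha256_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -inform pem -in "$1" \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# The fingerprint is SHA-256 over the DER encoding of the certificate;
# computing it this way independently confirms what -fingerprint reports.
cert_der_sha256() {
    openssl x509 -inform pem -in "$1" -outform der | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint typed by a human: drop colons and spaces, lower-case.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Exit status 0 when the certificate file's fingerprint equals the expected one.
cert_matches_pin() {
    [ "$(cert_sha256_fingerprint "$1")" = "$(normalize_fp "$2")" ]
}

# Fingerprint of the leaf certificate a live server presents for HOST (needs
# network access); handy for confirming a renewed certificate is really deployed.
server_sha256_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}
```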
    
  • acme.sh SSL using manual DNS method

    To provision an SSL certificate using acme.sh with the manual DNS verification method, run

    acme.sh --issue -d DOMAIN_NAME --dns -d www.DOMAIN_NAME --yes-I-know-dns-manual-mode-enough-go-ahead-please

    When you run this command, you will get a DNS TXT entry that needs to be added to your DNS server. Log in to your DNS provider, add the DNS entry, then run the following command to confirm the SSL certificate creation.

    acme.sh --renew -d DOMAIN_NAME -d www.DOMAIN_NAME --yes-I-know-dns-manual-mode-enough-go-ahead-please --debug

    See acme.sh

  • List contents of jks keystore file

    To list the contents of a JKS keystore file used by the Tomcat web server, run the command

    keytool -list -keystore FILE.jks

    It will ask for the keystore password. Once you enter the password, it lists the contents of the file.

    In the example keystore, there are 5 certificates with the names inter, root1, root2, ssl_tomcat2, and tomcat.

    To get detailed information on the certificates, use the command

    keytool -list -v -keystore FILE.jks

    See keytool

  • PHP Script to verify private key matches SSL certificate?

    The OpenSSL command can be used to verify whether an SSL certificate matches a private key file. You need to find the checksum for the SSL certificate and for the private key; if both checksums are the same, the key matches the certificate.

    To make this process easier, I created a PHP script to verify whether the SSL certificate matches the private key provided.

    Create the file

    mkdir ~/bin/
    vi ~/bin/ssl-verify

    Add the following content

    #!/usr/bin/php

    Make it executable

    chmod 755 ~/bin/ssl-verify

    To verify an SSL certificate and key file, go to the folder where the certificate and key file are present, then run the command

    ssl-verify
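    The following shell version of the check is an added example, not the post's PHP script: rather than comparing modulus checksums, which only works for RSA keys, it compares the public key carried in the certificate with the one derived from the private key, so RSA, ECDSA and Ed25519 keys are all handled. It assumes the openssl CLI is installed; file names are placeholders.

```sh
#!/bin/sh
# Added example, not the post's PHP script. Assumes the openssl CLI; file names
# are placeholders. Compares the SubjectPublicKeyInfo from the certificate with
# the one derived from the private key (works for RSA, ECDSA and Ed25519).
# Note: an encrypted private key makes openssl prompt for its passphrase.

# Public key embedded in the certificate (SubjectPublicKeyInfo, PEM form).
cert_public_key() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key derived from the private key, in the same PEM form.
key_public_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Exit status: 0 = key belongs to certificate, 1 = mismatch, 2 = unreadable input.
ssl_key_matches_cert() {
    cert_pub=$(cert_public_key "$1") || return 2
    key_pub=$(key_public_key "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Command in the spirit of the post's ssl-verify: with no arguments it picks the
# first *.crt and *.key file in the current directory.
ssl_verify() {
    cert=${1:-$(ls *.crt 2>/dev/null | head -n 1)}
    key=${2:-$(ls *.key 2>/dev/null | head -n 1)}
    if ssl_key_matches_cert "$cert" "$key"; then status=0; else status=$?; fi
    case $status in
        0) echo "OK: $key matches $cert" ;;
        1) echo "MISMATCH: $key does not belong to $cert" ;;
        *) echo "ERROR: cannot read certificate '$cert' or key '$key'" ;;
    esac
    return $status
}
```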
    
  • Lego – LetsEncrypt client

    Lego is a Let’s Encrypt client and ACME library written in Go.

    https://go-acme.github.io/lego

    Install Lego

    To install, download the latest version from the release page, or use the following install script.

    wget https://raw.githubusercontent.com/serverok/server-setup/master/install/lego.sh
    bash ./lego.sh

    Create SSL certificate

    To create an SSL certificate in standalone mode (built-in web server), run

    lego --accept-tos --http --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" run

    If you need to verify using port 443, use “--tls” instead of “--http”.

    Verify SSL using webroot (existing webserver)

    lego --accept-tos --http --http.webroot="/var/www/html/" --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" run

    Issue Wildcard SSL using manual DNS verification

    lego --email "EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="*.DOMAIN_NAME" --dns "manual" --path="/etc/lego" run

    Renew SSL certificate

    To renew the SSL certificate, use the same command as for SSL creation, with “run” replaced with

    renew --days 30

    --days 30 means the SSL certificate will be renewed if the expiry date is within 30 days. If you need to force a renewal, use --days 90.

    Now run

    lego --http --http.webroot="/var/www/html/" --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" renew --days 30

    You need to restart the webserver after running this command.

    Renew Hook

    If you need to execute a script after SSL renewal, you can add

    --renew-hook="./myscript.sh"

    Example

    lego --http --http.webroot="/var/www/html/" --email="EMAIL-ADDRESS" --key-type rsa2048 --domains="DOMAIN_NAME" --domains="www.DOMAIN_NAME" --path="/etc/lego" renew --days 30 --renew-hook="./myscript.sh"
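    A renew-hook script that ties this back to the haproxy/nuster "crt" setup from the first item, as an added example (not code from lego or the original post): it bundles the renewed certificate and key into the single PEM file "crt" expects, installs it atomically with the key readable by root only, and reloads the proxy. It assumes lego exports LEGO_CERT_PATH and LEGO_CERT_KEY_PATH to the hook, as its documentation describes; OUT_DIR and RELOAD_CMD are placeholders.

```sh
#!/bin/sh
# Added example of a --renew-hook script; not from lego or the original post.
# After lego renews a certificate, build the single PEM file (certificate chain
# followed by private key) that haproxy/nuster's "crt" option expects, install
# it atomically with a restrictive mode, then reload the proxy.
# Assumptions: lego passes LEGO_CERT_PATH and LEGO_CERT_KEY_PATH to the hook (as
# its documentation describes); OUT_DIR and RELOAD_CMD are placeholders that can
# be overridden from the environment.

OUT_DIR=${OUT_DIR:-/etc/ssl}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload haproxy"}

# install_combined_pem CERT KEY [OUT]: writes CERT+KEY to OUT (default
# $OUT_DIR/<cert name>.pem) and prints the path. The key never sits on disk
# with a permissive mode: the temp file is created under umask 077 and only
# renamed into place once it is complete.
install_combined_pem() {
    cert=$1; key=$2
    out=${3:-"$OUT_DIR/$(basename "$cert" .crt).pem"}
    [ -r "$cert" ] && [ -r "$key" ] || { echo "hook: cannot read $cert or $key" >&2; return 2; }
    # Refuse to bundle a key that does not belong to the certificate.
    if command -v openssl >/dev/null 2>&1 &&
       [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "hook: $key does not match $cert" >&2; return 1
    fi
    tmpfile="$out.tmp.$$"
    ( umask 077 && cat "$cert" "$key" > "$tmpfile" ) || return 2
    chmod 0600 "$tmpfile" && mv -f "$tmpfile" "$out" && echo "$out"
}

# Entry point lego runs; can also be invoked by hand as: renew_hook CERT KEY.
renew_hook() {
    install_combined_pem "${1:-$LEGO_CERT_PATH}" "${2:-$LEGO_CERT_KEY_PATH}" "$3" >/dev/null || return $?
    $RELOAD_CMD
}

# When lego runs this file as the hook, the environment carries the paths.
if [ -n "${LEGO_CERT_PATH:-}" ]; then renew_hook; fi
```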

    If you are using the standalone method, you need to stop the webserver before running the lego command.

    SSL certificates will be in the directory

    /etc/lego/certificates/

    Make it readable by the web server with the command

    chmod -R 755 /etc/lego/

    See letsencrypt

  • Enable SSL for a site in EasyEngine

    To enable a LetsEncrypt SSL certificate for a website hosted on an EasyEngine server, run

    ee site update SITE_NAME_HERE --ssl=le

    See EasyEngine

  • Apache Auto Renew SSL on Password Protected site

    I have a website that is password protected using Apache basic authentication.

    I used the following code in the Apache config to password protect it.

    
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/demo-sok-htpaswd
        Require valid-user

    The problem is that when the SSL certificate needs to auto-renew, a URL like http://domain/.well-known/ must be accessible without any password for domain ownership verification.

    To allow the .well-known folder to be accessible without a password, I added the following code to the Apache configuration file.

    
        Require all granted

    After restarting Apache, URLs starting with .well-known work without needing any password.

    See Apache, SSL, LetsEncrypt

  • Change Email address of LetsEncrypt SSL

    To change the email address of a LetsEncrypt SSL certificate account, run

    certbot update_account --email EMAIL-ADDRESS

    See LetsEncrypt

  • View SSL Certificate Details

    To view certificate details, run

    openssl x509 -text -noout -in SSL_FILE.crt

    For a web server

    openssl s_client -showcerts -connect serverok.in:443

    Or

    curl -vI https://serverok.in

    IMAP via SSL

    openssl s_client -showcerts -connect mail.yourdomain.com:993 -servername mail.yourdomain.com

    POP3 via SSL

    openssl s_client -showcerts -connect mail.yourdomain.com:995 -servername mail.yourdomain.com

    SMTP via SSL

    openssl s_client -showcerts -connect mail.yourdomain.com:465 -servername mail.yourdomain.com

    SMTP via TLS/StartTLS

    openssl s_client -starttls smtp -showcerts -connect mail.yourdomain.com:25 -servername mail.yourdomain.com

    See SSL

  • Delete LetsEncrypt SSL certificate

    To list all available LetsEncrypt SSL certificates, run

    certbot certificates

    To delete a certificate, run

    certbot delete --cert-name NAME_OF_SSL_CERT

    You can find NAME_OF_SSL_CERT from the command “certbot certificates”.

    See LetsEncrypt

  • SSL Lifetime Reduced to 397 Days

    Due to changes in Apple, Mozilla and Google Root Store Policies, as of September 1, 2020, newly issued SSL/TLS certificates with a validity period greater than 13 months (397 days) are prohibited by policy and will not be trusted.

    https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year

    https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/