NetMan - SSL Certs

From The TinkerNet Wiki
Revision as of 03:30, 26 June 2020

On an Apache-based server

From /usr/share/doc/apache2/README.Debian.gz

Enabling SSL

To enable SSL, enable the ssl module and the default SSL site (the commands below use sudo, so run them from an account with sudo rights):

sudo a2enmod ssl

sudo a2ensite default-ssl

If you want to use self-signed certificates, install the ssl-cert package; it generates a "snakeoil" key and certificate, and default-ssl.conf already points at them. Otherwise, adjust the SSLCertificateFile and SSLCertificateKeyFile directives in '/etc/apache2/sites-available/default-ssl.conf' to point to your certificate and its private key. Then restart Apache:

sudo systemctl restart apache2

The SSL key file should only be readable by root (owned by root, mode 600); the certificate file may be globally readable. Both files are opened by the Apache parent process, which runs as root, so there is no need to make them readable by the www-data user. Doing so would only let a compromised worker process read the private key.
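The following is an added pre-restart check, not part of the Debian README or this wiki page. It reads SSLCertificateFile and SSLCertificateKeyFile out of a vhost config (the path is passed as an argument; default-ssl.conf is only the usual choice), checks that both files exist, that the key is owned by the expected user (root unless told otherwise) with no group/other permission bits, and, when openssl is installed and the key is readable, that the certificate's public key really belongs to that private key. The parsing assumes unquoted directive values, one per line, and the permission check assumes the usual `ls -l` column layout.

```shell
#!/bin/sh
# Added example (not from the Debian README or the TinkerNet wiki): sanity-check an
# Apache SSL vhost before restarting apache2. Usage:
#   ./ssl-preflight.sh /etc/apache2/sites-available/default-ssl.conf [expected-key-owner]

# Print the value of an Apache directive from a config file. The last occurrence
# wins, as in Apache. Commented-out lines ("#SSLCertificateFile ...") are skipped
# because their first field starts with '#'. Assumes unquoted values.
apache_directive() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# Success if the key file exists, is owned by $2 (default root) and has no
# group/other permission bits at all (mode 600 or 400). Apache's root parent
# process opens the key, so www-data never needs access to it.
key_perms_ok() {
    key="$1"; want_owner="${2:-root}"
    [ -f "$key" ] || return 1
    perms=$(ls -ld "$key" | cut -c5-10)        # group+other bits, "------" if none
    owner=$(ls -ld "$key" | awk '{ print $3 }') # owner column of ls -l
    [ "$perms" = "------" ] && [ "$owner" = "$want_owner" ]
}

# Success if the public key inside the certificate equals the public key derived
# from the private key. Returns 2 (undetermined) when openssl is missing or the
# key is not readable by the current user (run as root to get a real answer).
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    [ -r "$2" ] || return 2
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run every check on one vhost config. Prints one line per finding and returns
# 0 only if nothing failed.
preflight() {
    conf="$1"; want_owner="${2:-root}"; rc=0
    cert=$(apache_directive "$conf" SSLCertificateFile)
    key=$(apache_directive "$conf" SSLCertificateKeyFile)
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "FAIL: SSLCertificateFile missing or unreadable: '$cert'"; rc=1
    fi
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: SSLCertificateKeyFile missing: '$key'"; rc=1
    elif ! key_perms_ok "$key" "$want_owner"; then
        echo "FAIL: $key must be owned by $want_owner with mode 600 (or 400)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        cert_matches_key "$cert" "$key"
        case $? in
            0) echo "OK: certificate and key match" ;;
            2) echo "SKIP: openssl missing or key unreadable; rerun as root to verify the pair" ;;
            *) echo "FAIL: certificate and key do not belong together"; rc=1 ;;
        esac
    fi
    return $rc
}

# Only act when run as a script with a config path; sourcing the file just defines the functions.
if [ "$#" -ge 1 ]; then
    preflight "$@"
fi
```

Run it as root right before `sudo systemctl restart apache2`, alongside `sudo apache2ctl configtest`, so a wrong path, a world-readable key or a mismatched certificate/key pair is caught before the restart takes the site down rather than after.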

Getting proper certificates onto the machine

This requires that the server have a legitimate FQDN that resolves to it from the Internet (Let's Encrypt validates the name by connecting to it).

But it's pretty straightforward:

certbot

(If you want to get fancier, there's a Documentation Page.)

Installing on a Webserver Directly accessible from the Internet
Installing on a Webserver that will be proxied

(This part of the instructions will probably change...)

  • Install certbot (assuming a LAMP install)
    • sudo apt-get install certbot python-certbot-apache
    • (On current Debian/Ubuntu releases the Apache plugin package is named python3-certbot-apache.)
  • Make the machine reachable from the Internet on port 80 (the HTTP-01 challenge is served there; see CertGetter).
  • Obtain and install the certificate
    • sudo certbot --apache
A trick or two...
  • Include the bare domain (no "www.") in the same certificate:
    • sudo /usr/local/bin/certbot-auto certonly -d www.FOOBAR.net -d FOOBAR.net
    • Note that certonly only obtains the certificate; it does not edit the Apache config (use --apache for that). certbot-auto is the old self-updating wrapper script; with the packaged certbot the same options work with the certbot command instead.
  • Create certificates for other machines on the network
    • Still working on this one... scroll a little further.

SSL for the rest of the network

Getting the certs for a manual install

certbot instructions

See CertGetter

Installing manual certs on an ESXi server

See SSL - ESXi