February 1, 2016
Encrypting the Net: Use "Let’s Encrypt" SSL to Set Up Secure Website Traffic
February 1, 2016
- Browser connects to a web server (website) secured with SSL (HTTPS). Browser requests that the server identify itself.
- Server sends a copy of its SSL Certificate, including the server’s public key.
- Browser checks the certificate root against a list of trusted CAs and ensures the certificate is unexpired, unrevoked, and that its common name is valid for the website it's connecting to. If the browser trusts the certificate, it creates, encrypts and sends back a symmetric session key using the server’s public key.
- Server decrypts the symmetric session key using its private key and sends back an acknowledgement, encrypted with the session key to start the encrypted session.
- Server and Browser now encrypt all transmitted data with the session key.
1 $ git clone https://github.com/letsencrypt/letsencrypt2 $ cd letsencrypt3 $ ./letsencrypt-auto --helpThe Let's Encrypt script will install all of its own dependencies and updates client code automatically.If you’re running Apache on Debian-based Operating System, you can try the Apache plugin included, which automates both obtaining and installing the SSL certs:
./letsencrypt-auto --apacheTo get a cert using the “webroot” plugin, which works with the webroot (www) directory of any webserver software:
./letsencrypt-auto certonly --webroot -w /var/www/example -d example.comThe this will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the domain. After doing this , you'll have to configure your web server to use the SLL Certificate you have just created. To do this:
edit the: httpd-ssl.conf Apache configuration file.To locate this file on your server, open a Terminal , and type:
Locate httpd-ssl.connfInside this file, you'll need to create a virtual host configured to use port 443 (which needs to be port forwarded, if on your own connection)
<VirtualHost *:443># General setup for the virtual host
TransferLog "/opt/lampp/logs/access_log"# SSL Engine Switch:# Enable/Disable SSL for this virtual host# SSLEngine on# Server Certificate:# Point SSLCertificateFile at a PEM encoded certificate. If# the certificate is encrypted, then you will be prompted for a# pass phrase. Note that a kill -HUP will prompt again. Keep# in mind that if you have both an RSA and a DSA certificate, you# can configure both in parallel (to also allow the use of DSA# ciphers, etc.)# Some ECC cipher suites (https://www.ietf.org/rfc/rfc4492.txt)# require an ECC certificate, which can also be configured in# parallel.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
</VirtualHost>-----------------------------------------Make sure you edit the following accordingly. This tells Apache where to look for the Certification that Let's encrypt created:
SSLCertificateChainFile "/etc/letsencrypt/live/example.com/chain.pem"Once you have your web server configured, close the file and restart the server.Now, you should be able to visit your domain on it's encrypted port 443:https://example.comAn SSL Certificate from Let's Encrypt looks something like this:
With this, I hope I was able to help some of you out there trying to Encrypt your Servers connection. Thank you.I also want to take the opportunity to thank @trevorh for helping me out with submitting this and getting my issues with OP3N resolved."Conformity is the jailer of freedom and the enemy of growth."https://github.com/krintoxi/