Free Letsencrypt certificate guide + question (misconfigured chain)

#1 Mon, 04/11/2016 - 06:03
riba


This new Letsencrypt feature rocks (for webmin admin and virtual servers). My server is Debian Wheezy + latest Virtualmin.

Virtualmin virtual server

  1. Enable SSL for domain (Administration Options>Enabled features)

  2. Forward 443 port to your server

  3. Install the Letsencrypt certificate for the domain (Server Configuration>Manage SSL Certificate>Let's Encrypt). In the "Months between automatic renewal" field enter "2" and hit Request Certificate. Now you have installed your free certificate.

  4. Make a redirect from HTTP to HTTPS (optional): add something like this to your .htaccess:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

Test your settings here: https://www.ssllabs.com/ssltest/ You will probably get a B or B- score. If you want an A score, follow these additional steps:

  1. Your site will probably work OK in Chrome, but not in Firefox, because you must add the correct key chain. You can generate it here: https://whatsmychaincert.com/ Enter your domain and hit "Test". Download the generated .crt file and upload it to your domain's root.

  2. Go to /etc/apache2/sites-enabled/, open your domain's .conf file and find these lines (at the end):

SSLEngine on
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca

Add this line:

SSlCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt

Now you need to enable Forward Secrecy and block RC4 (for best security). You can edit SSLCipherSuite line to suit your needs.

Add these 3 lines:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA$

So your SSL configuration looks like:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA$
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca
SSlCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt

RESTART APACHE SERVER and run the test again: https://www.ssllabs.com/ssltest/

If everything is OK you should get A score.

Feature request: Virtualmin could automatically generate the proper key chain so you wouldn't need to manually generate it and add this line:

SSlCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt

I don't know yet what will happen on renewal.

Maybe I missed something. Thank you!

Sources: https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrec... https://www.virtualmin.com/node/38853
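The two hardening steps above (serving the intermediate chain, and disabling SSLv2/SSLv3, enforcing server cipher order and blocking RC4) are the kind of thing worth checking mechanically before restarting Apache. The following Python checker is an added example, not code from the post or from Virtualmin. The three config samples inside it are constructed: BEFORE mirrors the unhardened vhost lines shown in the post, POSTED mirrors the post's hardened block as it appears on the page (the cipher line is cut off before its closing quote and its visible part contains an EECDH+aRSA+RC4 entry), and AFTER uses a cipher string of my own with an explicit !RC4 exclusion. The RC4 check is syntactic only; broad aliases such as EECDH can still match RC4 suites, so the authoritative check remains `openssl ciphers -v '<your string>'`.

```python
"""Added example: lint an Apache SSL vhost fragment for the hardening steps
described in the post (protocol, cipher order, RC4, chain file).
Directive names are matched case-insensitively, as Apache does, which is why
the post's 'SSlCertificateChainFile' spelling is accepted by Apache."""
import re

# Constructed sample 1: the unhardened vhost lines the post starts from.
BEFORE = """
SSLEngine on
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca
"""

# Constructed sample 2: the post's hardened block as it appears on the page,
# with the cipher line cut off before its closing quote.
POSTED = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSlCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt
"""

# Constructed sample 3: a complete block; the cipher string is my own, not the post's.
AFTER = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:!aNULL:!MD5:!RC4"
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt
"""


def parse_directives(text):
    """Return {lowercased directive name: value}; a repeated directive keeps the last value."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def rc4_status(spec):
    """Syntactic check of an OpenSSL cipher string.
    'excluded'  : a '!RC4' entry is present (permanent removal).
    'included'  : a positive entry names RC4 (e.g. EECDH+aRSA+RC4) and nothing excludes it.
    'unknown'   : no explicit RC4 entry either way; aliases like EECDH may still match RC4."""
    entries = [e for e in re.split(r"[:,\s]+", spec.strip().strip('"')) if e]
    if any(e.upper() == "!RC4" for e in entries):
        return "excluded"
    included = any(
        not e.startswith(("!", "-")) and "RC4" in e.upper().split("+") for e in entries
    )
    return "included" if included else "unknown"


def lint_ssl_vhost(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []

    proto = d.get("sslprotocol")
    if proto is None:
        findings.append("SSLProtocol not set; the default includes SSLv3")
    else:
        toks = {t.lower() for t in proto.split()}
        for old in ("sslv2", "sslv3"):
            if "-" + old not in toks and ("all" in toks or old in toks or "+" + old in toks):
                findings.append(f"SSLProtocol leaves {old.upper()} enabled")

    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; the client chooses the cipher")

    spec = d.get("sslciphersuite")
    if spec is None:
        findings.append("SSLCipherSuite not set; the compiled-in default applies")
    else:
        if spec.count('"') % 2 == 1:
            findings.append("SSLCipherSuite value has an unclosed quote (line truncated?)")
        status = rc4_status(spec)
        if status == "included":
            findings.append("SSLCipherSuite explicitly enables RC4 and has no !RC4 entry")
        elif status == "unknown":
            findings.append("SSLCipherSuite has no !RC4 entry; confirm with openssl ciphers -v")

    if "sslcertificatechainfile" not in d:
        findings.append("No SSLCertificateChainFile; the intermediate CA is not served, "
                        "so clients that do not fetch missing intermediates fail validation")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("POSTED", POSTED), ("AFTER", AFTER)):
        print(label, lint_ssl_vhost(cfg) or "OK")
```

Run it as a script to see BEFORE fail all four checks, POSTED fail on the unclosed quote and the explicit RC4 entry, and AFTER pass. Paste your own vhost fragment into `lint_ssl_vhost` before restarting Apache; the chain check is the one that explains the Chrome-works-Firefox-fails symptom in the post, since Chrome fetches a missing intermediate itself while Firefox at the time did not.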

Wed, 04/13/2016 - 17:32
kindnation

Awesome write-up! I really hope they add Let's Encrypt for Nginx SSL websites as well.

Thu, 03/22/2018 - 08:18
metrics

Is this still valid as of Webmin 1.881? If you go to Webmin/Webmin Configuration/SSL Encryption there is an option to select "Only strong ciphers with perfect forward secrecy". In addition, the test at https://whatsmychaincert.com/ returns a valid certificate with FF.

That said, it appears Webmin 1.881 has some problem with PFS. The version of Net::SSLeay (1.55) installed by default doesn't support PFS and updating the module is not a straightforward process.
