This site is served over https, and yours can be too! Keep reading to find out how to get free, valid, browser-trusted https certificates. Slides of my talk at the SagLacIO are inside!
What’s Let’s Encrypt?
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.
I’ll jump straight to what’s interesting: what are the steps to get a fully working, valid, free https certificate on a website behind nginx, and how to get a nice score on ssltest.
Most of what you need to get started is described on the Let’s Encrypt getting started page, along with the most up-to-date information.
Have a look at Get HTTPS for free! on GitHub, which shows what happens in the background when using the client. Everything is client side!
Grab the official letsencrypt client on your server this way:
That should get you on track.
_site is the public folder of my static website, but really, this is up to you. Grab what fits your needs from the config ;)
Request a cert + renew command
First, create a config file:
Then run the following:
Yay https! Now run the above command in a daily cron job at a random hour to auto-renew. Let’s Encrypt certificates expire after 3 months and you don’t want to do this by hand ;). That’s it, no more human intervention ever.
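As an added example (not part of the original post), here is a small POSIX shell helper that decides whether a certificate is close enough to expiry to renew, and builds the randomised daily cron entry the paragraph recommends. It assumes GNU date (as shipped with Ubuntu 14.04); the certificate and renew-command paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU date.

# days_left NOTAFTER_LINE [NOW_EPOCH]
# NOTAFTER_LINE is the line printed by `openssl x509 -noout -enddate -in CERT`,
# e.g. "notAfter=Sep  8 12:00:00 2016 GMT". Prints whole days until expiry,
# measured from NOW_EPOCH (defaults to the current time).
days_left() {
  now=${2:-$(date +%s)}
  end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
  echo $(( (end_epoch - now) / 86400 ))
}

# needs_renewal NOTAFTER_LINE THRESHOLD_DAYS [NOW_EPOCH]
# Exit 0 when fewer than THRESHOLD_DAYS remain. Let's Encrypt certificates
# live about 3 months, so renewing with 30 days left leaves room for a
# failed run or two before visitors see an expired certificate.
needs_renewal() {
  left=$(days_left "$1" "${3:-$(date +%s)}") || return 2
  [ "$left" -lt "$2" ]
}

# cron_line COMMAND
# Emits a crontab entry that runs COMMAND once a day at a random minute and
# hour, so a fleet of hosts does not all contact the CA at the same instant.
cron_line() {
  r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
  printf '%d %d * * * %s\n' $(( r % 60 )) $(( (r / 60) % 24 )) "$1"
}

# Typical use on the server (placeholder paths):
#   end=$(openssl x509 -noout -enddate -in /path/to/cert.pem)
#   needs_renewal "$end" 30 && /path/to/renew-command
#   cron_line "/path/to/renew-command"   # append the printed line to your crontab
```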
Try running ssltest on gableroux.com. Spoiler, it looks like this:
So there is a new problem in the wild! My ssltest went from an A+ to an F in no time! Here’s a handy tool to verify vulnerability: FiloSottile/CVE-2016-2107
Solution: upgrade to openssl 1.0.2h (64bit)
On trusty (Ubuntu 14.04 LTS):
openssl version -v
OpenSSL 1.0.1f 6 Jan 2014
These will take a few minutes to run:
wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
tar -xzvf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
sudo ./config
sudo make
sudo make install
sudo ln -sf /usr/local/ssl/bin/openssl $(which openssl)
openssl version -v
OpenSSL 1.0.2h 3 May 2016
Inspired by Miguel’s solution.
I was still getting the error, and I found this blog post: How to fix high severity OpenSSL bugs (Memory corruption, Padding oracle) in Ubuntu, CentOS, RedHat, OpenSuse and other Linux servers
apt-get install --only-upgrade libssl1.0.0
Now verify that the patch was applied by reading the changelog:
zgrep -ie "CVE-2016-2107" /usr/share/doc/libssl1.0.0/changelog.Debian.gz
- debian/patches/CVE-2016-2107.patch: check that there are enough
Great! But still an F.
From the nginx announcement, upgrade nginx to
sudo apt-get install --upgrade nginx
Now let’s verify again locally:
CVE-2016-2107 gableroux.com 2016/06/10 13:32:17 Vulnerable: false
Awesome, scoring A+ again, solved! :)
Btw, there are a few interesting links at the end of the slides.
See the full-page presentation website.