Tuesday, August 15, 2017

Getting SSL Certificates Using ACME Clients

Previously I discussed the growing importance of SSL and HTTPS, in particular how they help protect user privacy. To run an application that supports SSL or HTTPS, one must obtain an SSL certificate. Although SSL certificates have become less costly and some vendors even offer free ones, a few barriers remain for many users: a user still needs to manage renewal, revocation, and installation of the certificates, and very few vendors provide free SSL certificates. Recently, the development of the "Automatic Certificate Management Environment (ACME) protocol" has made adopting SSL or HTTPS, and acquiring SSL certificates, much easier.

The following example demonstrates the steps to use an ACME client, certbot, to acquire and install certificates for an Apache HTTP Server instance on a CentOS 7 system.
  1. Install CentOS 7
  2. This step and the steps that follow are done on the CentOS 7 system. Install Apache HTTP Server with mod_ssl.
    
      sudo yum install httpd mod_ssl
        
  3. Enable and start the HTTP service.
    
      sudo systemctl enable httpd.service
      sudo systemctl start httpd.service
      
  4. Enable the EPEL repository.
    
      sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      
  5. Install certbot, an ACME client, together with its Apache plugin, from the EPEL repository.
    
      sudo yum install certbot-apache
      
  6. Acquire SSL certificates from "Let's Encrypt" and install them in the Apache HTTP Server.
    
      sudo certbot --apache
      
  7. The certificates are set to expire in 90 days. Therefore, we need to set up automatic renewal, which can be done either as a systemd timer or as a cron job; a cron job is used below. Before scheduling the renewal job, we can test the renewal with the following command,
    
      certbot renew --dry-run
      
  8. We now schedule the renewal job twice a day, as advised by the "Let's Encrypt" site:
    "If you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks."
    Following the advice, a cron job that runs twice a day is added via crontab -e as root.
    
      0 5,17 * * * /bin/certbot renew > /var/log/certbot.log 2>&1
      
  9. To test your HTTPS site, you may use the SSL Labs service. For instance, if your site is www.example.com, you can point your browser to https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com&latest
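The cron line in step 8 fires at minute 0, whereas the quoted advice asks for a random minute, and it records nothing but certbot's own output. As an added example (not code from the original post or from the certbot project), the wrapper below builds the twice-daily crontab entry with a per-host minute, runs `certbot renew` non-interactively with a post-hook that reloads Apache, logs the outcome with a timestamp, and then uses `openssl x509 -checkend` to confirm that the installed certificate still has at least 30 days of validity, which is the point at which certbot normally renews. The lineage directory under /etc/letsencrypt/live, the script location /usr/local/sbin and the log path are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# renew-and-check.sh: wrapper for the twice-daily renewal job from step 8.
# Added example, not code from the original post or from the certbot project.
# Assumed (hypothetical): the lineage path below, the log path, and that
# certbot and openssl are installed as in the steps above.

CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/www.example.com/cert.pem}"  # assumed path
LOG="${LOG:-/var/log/certbot.log}"
MIN_DAYS="${MIN_DAYS:-30}"   # certbot renews at 30 days remaining; warn if we drop below

# validate_minute: true when $1 is an integer in 0..59 (a usable cron minute field)
validate_minute() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 59 ]
}

# cron_line: the twice-daily crontab entry from step 8, with the minute taken from $1
# instead of fixed at 0, as the quoted Let's Encrypt advice asks.
# Usage: cron_line 37 /usr/local/sbin/renew-and-check.sh
cron_line() {
    validate_minute "$1" || { echo "bad minute: $1" >&2; return 1; }
    printf '%s 5,17 * * * %s run\n' "$1" "$2"
}

# random_minute: spread hosts across the hour so they do not all hit the CA at once.
# $RANDOM is not POSIX; fall back to the process id if the shell lacks it.
random_minute() {
    echo $(( ${RANDOM:-$$} % 60 ))
}

# days_until: whole days from epoch second $1 to epoch second $2 (negative once expired)
days_until() {
    echo $(( ($2 - $1) / 86400 ))
}

# cert_has_days: true when certificate file $1 is still valid for at least $2 days.
# openssl's -checkend does the date arithmetic, so no date parsing is needed.
cert_has_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# renew: run certbot without prompts; the post-hook reloads Apache so it serves
# the new certificate after a renewal attempt.
renew() {
    /bin/certbot renew --quiet --post-hook "systemctl reload httpd" >>"$LOG" 2>&1
}

main() {
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    if renew; then
        echo "$stamp renew ok" >>"$LOG"
    else
        echo "$stamp renew FAILED" >>"$LOG"
    fi
    if cert_has_days "$CERT_PATH" "$MIN_DAYS"; then
        echo "$stamp $CERT_PATH valid for at least $MIN_DAYS more days" >>"$LOG"
    else
        # Renewal has been failing long enough to matter: make it visible in the log.
        echo "$stamp WARNING: $CERT_PATH expires within $MIN_DAYS days or is unreadable" >>"$LOG"
        return 1
    fi
}

# Only touch certbot when invoked as `renew-and-check.sh run`, so the helper
# functions can be sourced and tested without side effects.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Copy the script to /usr/local/sbin, then paste the line printed by `cron_line "$(random_minute)" /usr/local/sbin/renew-and-check.sh` into root's crontab with crontab -e in place of the fixed-minute entry. Because the script returns non-zero when the certificate is close to expiry, cron's mail (or any job monitor watching exit codes) surfaces a silently failing renewal before the site goes down.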

Besides certbot, there are many other ACME clients. See the Let's Encrypt site for a recommended list.
