Encryption everywhere, manually install free TLS/SSL Certificates

SSL/TLS in this day and age is no longer an optional requirement but a mandatory expectation.

Usually, Let’s Encrypt provides an automated client that reduces SSL/TLS installation, activation and renewal to a simple, easy-to-use process.

Let’s Encrypt, hosted at letsencrypt.org, is an effort between the EFF (Electronic Frontier Foundation) and the Internet Security Research Group (ISRG), among others. Feel free to visit the sites and donate for the great service offered.


Unfortunately I am not using my own Virtual Private Server but rather a shared web hosting solution. This means I don’t control the OS and hence have to create certificates externally and import them into the website’s cPanel; I used my personal laptop and then ported the certs to my websites.

Below are the steps followed:
INSTALLATION
**********************************************************************
1) Install git on the laptop (I had CentOS on my laptop), I used: yum install git
2) Download and install letsencrypt from the git repo: cd /opt/ && git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt

CREATE CERTIFICATE
**********************************************************************
3) Go to /opt/letsencrypt (this is where my letsencrypt files were installed when I ran the command above)
4) Run the command: ./letsencrypt-auto certonly --manual

Note: test.com and all the keys below are examples, not actual values, for security reasons

[root@host6 letsencrypt]# ./letsencrypt-auto certonly --manual
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): test.com,www.test.com — This is an example domain, original domain removed
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for test.com
http-01 challenge for www.test.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Create a file containing just this data:

8UOkRF9JJy1SSSyy_0anZISJ_J4xesHBU71ISqv.q0V9ZlhkHmHL1lVxTeR0B9lI_-h3lLWJM

And make it available on your web server at this URL:

http://test.com/.well-known/acme-challenge/RF9JJyy_0anZ_J4xesHBU71IS

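-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------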
Create a file containing just this data:

e2PcAxEGovMt4zFyJwgCg8g-ApT1sW4.q0V9ZlhkHmHxTeR0B9lI_vvgFR1Ed-h3lLWJM

And make it available on your web server at this URL:

http://www.test.com/.well-known/acme-challenge/emx2PcAxEGovMt4zFyJQm0ypmDCMwgCg8g-ApT1sWe4

-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/test.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/test.com-0001/privkey.pem
Your cert will expire on 2018-02-17. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@host6 letsencrypt]#

For each domain / subdomain you will be prompted to create a file containing a given entry. After each one has been verified, the signed certificates are created and saved and their location is printed, as in the example output above.
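An added example, not part of the original post: a small shell helper for the "Create a file containing just this data" prompt that builds the challenge file locally for upload and checks what the server returns. The function names and sample values are constructed; it relies on the ACME rule (RFC 8555) that the file data is the URL's token followed by a dot and the account key thumbprint, so the scrubbed sample values shown on this page would not pass the prefix check.

```shell
#!/usr/bin/env bash
# Added example: stage and check a manual http-01 challenge file.
# Function names and all sample values are constructed for illustration.

# stage_challenge STAGING_DIR URL DATA
# Writes DATA under STAGING_DIR at the path taken from URL and prints the
# resulting file path, ready to upload to the hosting account's web root.
stage_challenge() {
    local staging url data token dir
    staging=$1; url=$2; data=$3
    token=${url##*/}                      # last path segment = file name

    case $url in                          # only the ACME well-known path
        http://*/.well-known/acme-challenge/"$token") ;;
        *) echo "unexpected challenge URL: $url" >&2; return 1 ;;
    esac
    case $token in                        # base64url alphabet only
        ''|*[!A-Za-z0-9_-]*) echo "bad token in URL" >&2; return 1 ;;
    esac
    case $data in                         # RFC 8555: "<token>.<thumbprint>"
        "$token".?*) ;;
        *) echo "data was issued for a different URL" >&2; return 1 ;;
    esac

    dir=$staging/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    printf '%s' "$data" > "$dir/$token" || return 1   # no trailing newline
    printf '%s\n' "$dir/$token"
}

# served_ok DATA FILE
# True only if FILE (e.g. the body saved by `curl -s -o FILE URL`) is
# byte-for-byte DATA; catches HTML error pages or rewritten responses.
served_ok() {
    [ "$(cat "$2" 2>/dev/null; printf x)" = "${1}x" ]
}
```

After uploading the staged file through the hosting file manager, fetch the challenge URL and run served_ok on the saved body before pressing Enter, since a failed validation means starting the prompt sequence again.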

Log in to your control panel, search for TLS/SSL and upload the corresponding certificates generated above. This blog is primarily about the creation, not the cPanel aspect; I believe there are many reference articles on that.

A summary of the upload procedure from the GeoCerts website:

  1. Install the SSL Server Certificate Files
  2. Login to cPanel
  3. Click SSL/TLS Manager > Certificates (CRT) > Generate, view, upload or delete SSL certificates
  4. In the Upload a New Certificate section click the Browse button and locate your SSL Server Certificate file your_domain_com.txt.
  5. Click the Upload button.
  6. Click the Go Back link to return to SSL/TLS Manager.
