SSL and its successor protocol TLS enable secure connections over an inherently insecure Internet. Through the use of HTTPS, confidentiality, integrity and availability of a service can be more strongly enforced.
In this exercise, the objective is to correctly configure and install a TLS certificate on the web server built earlier.
Let's Encrypt provides easier access to trusted TLS certificates. At the time of posting, the project is still in beta and installation on Enterprise Linux, including CentOS, has to be performed manually.
Getting the Certificate
From terminal, run the following commands:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Replace mydomain.com with the target domain:
./letsencrypt-auto certonly --manual -d mydomain.com -d
This will create temporary files that the certificate authority will use to validate the given request.
This next step requires a new shell terminal running with root privilege.
mkdir -p /var/www/html/.well-known/acme-challenge
cd /var/www/html
Copy the line of text starting with printf "%s" from the first terminal and paste it into this root shell; it writes the validation file the certificate authority will fetch.
Returning to the first shell, pressing enter should return a confirmation message. If successful, the generated certificate and chain are now stored at the location /etc/letsencrypt/live/mydomain.com/fullchain.pem.
This next step is the manual configuration, enabling the web server to correctly use the installed certificate.
Using a text editor, the following amendments are made to /etc/httpd/conf.d/ssl.conf.
<VirtualHost *:443>
    ...
    SSLEngine on
    # certificate, private key and intermediate chain issued by Let's Encrypt
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/mydomain.com/chain.pem

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
This configuration will break HTTPS on obsolete browsers, so it is at the service owner's discretion whether to support weaker cryptographic protocols or to additionally offer the service over plain HTTP.
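As an added check that is not part of the original post, the following Python script audits an ssl.conf against the hardened settings above: the obsolete protocol versions, the banned cipher classes, the HSTS max-age and the on/off directives. The sample configuration embedded in it is constructed from the page's directives with the cipher list shortened; the directive names are Apache mod_ssl's own.

```python
import re

REQUIRED = {"SSLEngine": "on", "SSLHonorCipherOrder": "on", "SSLCompression": "off",
            "SSLSessionTickets": "off", "SSLUseStapling": "on"}  # values the page sets
OBSOLETE_PROTOCOLS = ("SSLv3", "TLSv1")  # the page removes these with -SSLv3 -TLSv1
BANNED_CIPHERS = ("aNULL", "eNULL", "EXPORT", "DES", "RC4", "3DES", "MD5")
MIN_HSTS_AGE = 15768000                  # six months, the max-age used on the page

def parse_directives(text):
    # Map directive name -> value; comments, blank lines and <VirtualHost> tags are skipped.
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            seen.setdefault(parts[0], parts[1] if len(parts) > 1 else "")  # first one wins
    return seen

def audit_ssl_conf(text):
    """Return findings for one ssl.conf; an empty list means it matches the hardened profile."""
    findings, seen = [], parse_directives(text)
    for name, expected in REQUIRED.items():
        if seen.get(name, "").lower() != expected:
            findings.append(f"{name} should be '{expected}', found {seen.get(name)!r}")
    tokens = seen.get("SSLProtocol", "").split()
    enabled = [t.lstrip("+") for t in tokens if not t.startswith("-")]
    disabled = [t[1:] for t in tokens if t.startswith("-")]
    for proto in OBSOLETE_PROTOCOLS:
        # "all" enables every version unless it is explicitly removed with -name
        if proto not in disabled and ("all" in enabled or proto in enabled):
            findings.append(f"SSLProtocol still allows {proto}")
    ciphers = seen.get("SSLCipherSuite", "").split(":")
    for weak in BANNED_CIPHERS:
        if "!" + weak not in ciphers:
            findings.append(f"SSLCipherSuite does not exclude {weak}")
    m = re.search(r'Strict-Transport-Security\s+"max-age=(\d+)', text)
    if not m:
        findings.append("HSTS header missing (Header directive needs mod_headers)")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {MIN_HSTS_AGE}")
    return findings

# Constructed sample: the page's hardened directives, with the cipher list shortened.
HARDENED_CONF = """SSLEngine on
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
"""
```

Run it against the real file with `audit_ssl_conf(open("/etc/httpd/conf.d/ssl.conf").read())` after editing; an empty list means the file carries the settings shown above.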
Remember to enable port 443 on the web server ;-)