Friday, October 14, 2016

Enabling HTTPS with Let's Encrypt

Summary

Let's Encrypt is a free, automated certificate authority (CA) that also provides tooling (Certbot) for installing certs and automating their renewal.  Its certs are now trusted by all the major browsers.

Implementation  

These guys have really made it simple to secure a website.  Below are the steps I took to secure mine (Apache web server on CentOS).  The whole process takes a few minutes, if you don't hit any snags.
  • You need to be in control of a valid domain for this process to work.  That's the same requirement any CA imposes.
  • Assuming you have shell access, download the Certbot shell script for your particular operating system and web server combination.
  • I had to run the command below twice.  This tool completes Let's Encrypt's domain-validation challenges (proving that you control the domain) and modifies the HTTPS configuration of your web server; in the case of Apache, the ssl.conf file.  For whatever reason, the CA handshakes didn't complete on the first run, but did on the second.
certbot --apache -d your.domain.com
  • I then copied my virtual host info from httpd.conf to ssl.conf.
That's it.  After running the certbot tool, your website is HTTPS-enabled with a real, browser-trusted certificate.

Security

At the end of the certbot script it recommends you check the security of your HTTPS implementation with the Qualys SSL Labs server test.  That's actually a good idea.  On the first run of the tool against my newly HTTPS-enabled site it gave me a 'C' grade due to various security issues.  By adding or modifying the following directives in my ssl.conf file, I upped that grade to an 'A'.
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
Two notes on those directives.  The cipher list must be a single line, and every name in it must be spelled exactly as OpenSSL knows it (ECDHE-RSA-AES256-SHA, not ECDHERSA-AES256-SHA): OpenSSL silently drops a name it doesn't recognise rather than failing, so a typo quietly removes a suite from the list.  Also, the list above reflects the grading criteria of 2016.  TLS 1.0 and 1.1 have since been deprecated (RFC 8996) and SSL Labs now caps a server that still offers them at a 'B', so a current configuration would disable them as well, e.g. SSLProtocol -all +TLSv1.2 +TLSv1.3 on a recent httpd.
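The following is an added example, not code from the post, that audits an ssl.conf snippet for the kinds of issue the SSL Labs test penalises: it evaluates SSLProtocol the way Apache does (left to right, with all/+/-), checks SSLHonorCipherOrder, and classifies every SSLCipherSuite entry (forward secrecy, known-weak algorithms, names OpenSSL would not recognise). The allow-list regex, the weak-marker list and the three sample configurations are constructed for the example; the first sample is the post's own directives, and the other two show a weak and a currently hardened variant.

```python
import re

# Protocols that Apache 2.4's "all" keyword expands to (TLSv1.3 only on builds
# against OpenSSL 1.1.1 or later).  "-SSLv2" still parses, but SSLv2 is never
# part of "all", so it never shows up as enabled.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
BROKEN = {"SSLv2", "SSLv3"}        # never enable these
DEPRECATED = {"TLSv1", "TLSv1.1"}  # RFC 8996; SSL Labs caps a server offering them at B

# Cipher names (OpenSSL syntax) accepted without comment: ephemeral (EC)DH key
# exchange, RSA or ECDSA authentication, AES or ChaCha20 bulk cipher.
# This allow-list is constructed for the example, not an official list.
ALLOWED = re.compile(
    r"^(ECDHE|DHE)-(RSA|ECDSA)-"
    r"(AES(128|256)-(GCM-SHA(256|384)|SHA256|SHA384|SHA)|CHACHA20-POLY1305)$"
)
# Substrings marking a known-weak, anonymous or pre-shared-key suite.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")
# Static key exchange: plain-RSA suites carry no kx prefix; ECDH-/DH- use a static key.
STATIC_KX = re.compile(r"^(AES|CAMELLIA|SEED|ECDH-|DH-)")


def parse_directives(text):
    """Return {directive: value} for the SSL* directives in a config snippet."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("SSL"):
            directives[parts[0]] = parts[1].strip()
    return directives


def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right: 'all', 'name', '+name', '-name'."""
    enabled = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit_cipher_list(value):
    """Classify each SSLCipherSuite entry; returns a list of finding strings."""
    findings = []
    for name in value.split(":"):
        name = name.strip()
        if not name or name.startswith("!") or ALLOWED.match(name):
            continue  # '!' entries are removals, which only tighten the list
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append("weak cipher: " + name)
        elif "-" not in name:  # HIGH, kEECDH, AESGCM ...: a keyword, not a suite name
            findings.append("keyword, expand it with 'openssl ciphers -v' to audit: " + name)
        elif name.startswith(("ECDHE-", "DHE-")):
            findings.append("not on the allow list: " + name)
        elif STATIC_KX.match(name):
            findings.append("no forward secrecy: " + name)
        else:
            findings.append("unrecognised cipher name (OpenSSL silently ignores it): " + name)
    return findings


def audit(text):
    """Audit an ssl.conf snippet; an empty list means nothing to complain about."""
    d = parse_directives(text)
    protocols = enabled_protocols(d.get("SSLProtocol", "all"))
    findings = ["broken protocol enabled: " + p for p in sorted(protocols & BROKEN)]
    findings += ["deprecated protocol enabled: " + p for p in sorted(protocols & DEPRECATED)]
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client picks the cipher")
    findings += audit_cipher_list(d.get("SSLCipherSuite", ""))
    return findings


# Sample 1: the post's own directives (cipher list on one line, hyphen typo fixed).
POST_CONF = """
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
"""
# Sample 2 (constructed): settings that drag the grade down: every protocol,
# client-chosen order, a static-RSA suite, RC4, and the hyphen typo OpenSSL drops silently.
WEAK_CONF = """
SSLProtocol all
SSLHonorCipherOrder off
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA:ECDHERSA-AES256-SHA
"""
# Sample 3 (constructed): a current hardening, TLS 1.2/1.3 and AEAD suites only.
HARDENED_CONF = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    for label, conf in (("post", POST_CONF), ("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["OK"])
```

Run against the post's directives the only findings are the two deprecated protocols, which is exactly the gap between an 'A' in 2016 and one today; the weak sample shows how the typo surfaces as an unrecognised name rather than disappearing. Keywords such as HIGH are flagged rather than expanded because what they cover depends on the OpenSSL build; `openssl ciphers -v 'HIGH:!aNULL'` on the server shows the real list.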

Renewal

By design, Let's Encrypt certs are only valid for 90 days.  Renewing them is simpler than the install.  Below is the cron job I set up for renewals.  It makes an attempt at renewal twice a week (Mondays and Thursdays at 8 am).
00 08 * * 1,4 user /user/certbot-auto renew --quiet
Running it that often is cheap: certbot renew only replaces a cert when fewer than 30 days of validity remain and does nothing otherwise.  Two things are worth checking once: that a renewal actually works from cron (certbot-auto renew --dry-run exercises the whole flow against the staging environment without issuing a real cert), and that httpd picks up the renewed cert, for example by adding --deploy-hook "systemctl reload httpd", which runs only when a cert was actually renewed.
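How much slack does a twice-weekly job actually leave? The added example below (not part of the original post) generates the cron firings that fall inside certbot's default renewal window, which opens 30 days before expiry, and reports how many attempts there are before a 90-day cert runs out and how many days a silently failing renewal could go unnoticed. The issue date used is the post's date, as a constructed input; the 30-day window and the 90-day lifetime are certbot's and Let's Encrypt's defaults.

```python
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=90)  # Let's Encrypt certificate lifetime
RENEW_WINDOW = timedelta(days=30)   # certbot default: renew when fewer than 30 days remain


def cron_firings(start, end, minute, hour, cron_days):
    """Firing times of the schedule '<minute> <hour> * * <cron_days>' in the
    half-open interval [start, end).  cron_days uses cron numbering
    (0 = Sunday ... 6 = Saturday); Python's weekday() uses Monday = 0."""
    py_days = {(d - 1) % 7 for d in cron_days}
    t = start.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if t < start:
        t += timedelta(days=1)
    while t < end:
        if t.weekday() in py_days:
            yield t
        t += timedelta(days=1)


def renewal_attempts(issued, minute, hour, cron_days):
    """The cron runs that fall inside certbot's renewal window, i.e. the runs
    that will actually try to renew before the certificate expires."""
    expiry = issued + CERT_LIFETIME
    return list(cron_firings(expiry - RENEW_WINDOW, expiry, minute, hour, cron_days))


def schedule_report(issued_iso, minute, hour, cron_days):
    """Summarise a renewal schedule for a cert issued at `issued_iso` (ISO 8601):
    number of attempts before expiry, when the first one happens, and how many
    days a broken renewal can go unnoticed before the site goes down."""
    issued = datetime.fromisoformat(issued_iso)
    expiry = issued + CERT_LIFETIME
    attempts = renewal_attempts(issued, minute, hour, cron_days)
    return {
        "attempts": len(attempts),
        "first": attempts[0].isoformat() if attempts else None,
        "slack_days": (expiry - attempts[0]).days if attempts else 0,
    }


if __name__ == "__main__":
    issued = "2016-10-14T12:00"  # constructed: the post's date
    # The post's schedule (cron days 1,4 = Monday and Thursday) versus a weekly one.
    for label, days in (("Mon+Thu 08:00", [1, 4]), ("Sunday 08:00", [0])):
        print(label, schedule_report(issued, 0, 8, days))
```

For a cert issued on the post's date the Monday/Thursday job gets nine attempts, the first on Thursday 15 December, leaving 28 days for someone to notice if every one of them fails; a once-a-week job gets four. That slack is the real argument for a frequent schedule, since certbot itself skips the run when nothing is due.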
Copyright ©1993-2024 Joey E Whelan, All rights reserved.