SSL¶
Show info:
openssl x509 -noout -issuer -enddate -in root.pem
# show cert expire time
openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -text -noout | grep -A3 Validity
Validate the certificate even though the protocol used to communicate with server is not based on HTTP. For example:
curl -v --cacert ca.crt https://logs.mycompany.com:5044
Self-signed¶
Generate on Linux:
sudo openssl req -x509 -newkey rsa:4096 -keyout key.key -out cert.crt -days 365 -nodes -batch [-subj "/CN=frontend.local/O=frontend.local"]
# alternate
openssl req -x509 -newkey rsa:4096 -keyout logstash.key -out logstash.crt -days 3650 -nodes -batch -subj '/CN=test.com/subjectAltName=DNS.1=test.com,DNS.2=test2.com'
Without questions -batch
. Add /CN -subj /CN=test
.
You can also add -nodes
if you don’t want to protect your private key with a passphrase, otherwise it will prompt you for “at least a 4 character” password.
The days parameter (365
) you can replace with any number to affect expiration date.
It will then prompt you for things like “Country Name” but you can just hit enter and accept defaults.
Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a CA.
Self-signed with SAN¶
Create config ssl.conf
:
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
O = My Organisation
[ v3_req ]
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *
DNS.2 = *.*
DNS.3 = *.*.*
DNS.4 = *.*.*.*
DNS.5 = *.*.*.*.*
DNS.6 = *.*.*.*.*.*
DNS.7 = *.*.*.*.*.*.*
IP.1 = 10.10.11.222
IP.2 = 127.0.0.1
Note
In [ alt_names ]
section you can describe only one host DNS name or IP.
Run generate command:
sudo openssl req -x509 -newkey rsa:4096 -keyout key.key -out cert.crt -days 3650 -nodes -batch -config ssl.conf
Letsencrypt¶
Let’s Encrypt - https://letsencrypt.org/getting-started/
Add to web-server config (if not exist):
# [Nginx]
location /.well-known {
root /var/www/html;
}
Generate certificates:
sudo apt install letsencrypt
# Replace with your webroot and hostname
letsencrypt certonly --webroot -w /var/www/html -d my.company.com
# Letsencrypt will generate certs and show path to them (paste this path to web-server config)
Add CRON tasks (auto renew):
sudo crontab -e
# Check or renew certs twice per day
30 12 * * * letsencrypt renew
0 18 * * * letsencrypt renew
Certbot¶
Generate certificates (certbot):
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
# Replace with your webroot and hostname
certbot certonly --webroot -w /var/www/html -d my.company.com
# Certbot will generate certs and show path to them (paste this path to web-server config)
Add CRON tasks (auto renew, with reload nginx):
sudo crontab -e
# Check or renew certs twice per day
0 12,18 * * * certbot renew --post-hook "systemctl reload nginx"
Cerbot - Docker¶
# Get certs (will be saved at /etc/letsencrypt/live)
docker run -p 80:80 -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly --standalone --preferred-challenges http -d <dns> -d <www.dns> --email <email@example.com> --non-interactive --agree-tos
# --test-cert - staging certs
# Delete certs (staging for example)
docker run -p 80:80 -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot delete --cert-name <dns>