I got tired of the errors, and didn’t want to add the self-signed CA to my browsers, so I set up a cert that is valid in all browsers.
The certificate I’m using is the free option from http://www.startssl.com/. For this to work, you do need to have control of a domain. I was hoping originally to use a dyndns.com URL, but I cannot create a certificate for a domain I don’t own. So, I set up a subdomain with a CNAME to my dynamic DNS subdomain. This way my dynamic DNS continues to update, and I can have a valid certificate for the subdomain I own that gets directed to the correct IP through the CNAME.
First, I added the CNAME for the subdomain on my domain host.
Second, I signed up at StartSSL and made the cert for my owned subdomain.
They have you enter a password to secure the private key, then you can download it as ssl.key. Alternatively you can create your own key and CSR – that way your private key is never revealed outside your server. To create your own CSR do the following:
sudo openssl req -new -newkey rsa:4096 -nodes -sha256 -out server.csr -keyout server.key
If you create your own CSR and key, there is no need to decrypt the key, so you can skip the first 3 steps below.
After that the certificate is generated, and you can copy and paste that into a file we’ll call ssl.crt.
The third file we’ll need is the StartSSL Class 1 intermediary certificate from here.
I saved all these into ~/Documents/, then did the following:
sudo openssl rsa -in ssl.key -out ssl.key.insecure
sudo cp ssl.key ssl.key.secure
sudo cp ssl.key.insecure ssl.key
sudo cp ssl.key /etc/apache2/private/server.key
sudo cp ssl.crt /etc/apache2/cert/server.crt
sudo cp sub.class1.server.ca.pem /etc/apache2/cert/StartSSL_Class1.pem
Then we need to add the following to /etc/apache2/sites-available/default-ssl:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateChainFile /etc/ssl/certs/StartSSL_Class1.pem
In order to enable forward secrecy for the majority of browsers, I highly recommend also adding the following lines to your default-ssl site file:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
Additionally, within Webmin Configuration -> SSL Encryption, the following items need to be set:
Private key file: /etc/ssl/private/server.key
Certificate file: /etc/ssl/certs/server.crt
Additional certificate files: /etc/apache2/cert/StartSSL_Class1.pem
Then restart both daemons:
sudo service apache2 restart
sudo service webmin restart
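A few sanity checks for the finished setup, added here as an example and not part of the original post: that the key copied into place actually belongs to the certificate, that the certificate chains to the StartSSL intermediate, that the key Apache loads is the decrypted one, and what chain a live server sends. It assumes the openssl command-line tool and the /etc/ssl paths from the default-ssl snippet above.

```shell
#!/bin/sh
# Post-install checks for the Apache certificate setup (constructed example).
# Assumes the openssl CLI is installed.

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. the two files belong together.
cert_matches_key() {
  crt="$1"; key="$2"
  crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
  [ -n "$crt_pub" ] || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# Return 0 when the server certificate verifies against the given issuer file.
# -partial_chain lets a non-self-signed intermediate (like StartSSL Class 1)
# act as the trust anchor, so the root need not be in the system store.
chain_verifies() {
  ca="$1"; crt="$2"
  openssl verify -partial_chain -CAfile "$ca" "$crt" >/dev/null 2>&1
}

# Return 0 when the PEM key carries no passphrase (what Apache needs to start
# unattended). Both traditional and PKCS#8 encrypted PEMs contain "ENCRYPTED".
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1"
}

# Print the chain and protocol a live server negotiates (not exercised offline).
show_live_chain() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | grep -E '^( [0-9] [si]:|Protocol|Verify return code)'
}

# Usage: sh check_tls.sh check
if [ "${1:-}" = "check" ]; then
  cert_matches_key /etc/ssl/certs/server.crt /etc/ssl/private/server.key \
    && echo "key matches certificate" || echo "KEY/CERTIFICATE MISMATCH"
  chain_verifies /etc/ssl/certs/StartSSL_Class1.pem /etc/ssl/certs/server.crt \
    && echo "chain verifies" || echo "chain does NOT verify"
  key_is_unencrypted /etc/ssl/private/server.key \
    && echo "key is unencrypted" || echo "key is still passphrase-protected"
fi
```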