It still is
» Still servers without SNI support
» Missing root certificates on mobile devices
» SSL Hardening
» Heartbleed
» Logjam
» FREAK, BEAST
» …
Hannes Moser – @eliias 2016
Let’s Encrypt – Install
You might get a warning/error like this.
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies...
/root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-TVlyY0/ConfigArgParse
/root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Important part: "A true SSLContext object is not available."
It is strongly recommended to upgrade to a newer Python version! [1]
[1] https://community.letsencrypt.org/t/insecureplatformwarning-on-ubuntu-14-04-w-python-2-7-6/2871
Let’s Encrypt – Install
letsencrypt --debug
ATTENTION: At least Ubuntu 14.04/Debian 7 systems are affected by this error.
http://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
Let’s Encrypt – Install
These plugins are available at the moment:
- Apache
- Standalone
- Webroot
For nginx and other clients:
./letsencrypt-auto certonly --webroot -w /www -d abc.xyz -d www.abc.xyz
Checks for this directory in the webroot: .well-known
Let’s Encrypt – Install
letsencrypt will automatically create the directory during certificate creation, but it must be servable by nginx. Just in case it is not working, add the following config to your server.
location /.well-known {
    allow all;
}
Location of files
Go to the directory:
cd /etc/letsencrypt/live
cd abc.xyz
Check the files:
cert.pem
chain.pem
fullchain.pem
privkey.pem
SSL/TLS Hardening
SSL1, SSL2 are bad. Only use the following SSL/TLS versions when possible.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Do not support outdated or invalid ciphers!
ssl_ciphers "…:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
Auto renewal
» Will be part of the ACME specification, but not anytime soon!
» Use a script + cronjob to renew every 60 days
le-renew-webroot
# cli.ini
rsa-key-size = 4096
email = [email protected]
domains = conc.cat, www.conc.at
webroot-path = /usr/share/nginx/html
Auto renewal – Issues
You need a script, and bc must be installed on your system.
apt-get install -y bc
The script:
curl -L -o /usr/local/sbin/le-renew-webroot https://goo.gl/QEHVtG
chmod +x /usr/local/sbin/le-renew-webroot
/etc/cron.weekly/le-renewal:
#!/usr/bin/env bash
le-renew-webroot >> /var/log/le-renewal.log
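As an added example (not the goo.gl script from the slides), a renewal script in the spirit of le-renew-webroot: it reads the installed certificate's expiry, renews with the same certonly --webroot invocation as the install slide once 30 days or fewer remain (a 90-day certificate renewed at 60 days), reloads nginx, and uses shell arithmetic so bc is not needed. It assumes GNU date, openssl and letsencrypt-auto on PATH, the domain abc.xyz and the paths from the slides, and the 2016 client's --renew-by-default / --non-interactive flags.

```shell
#!/usr/bin/env bash
# Added example, not the slides' goo.gl script: renew the webroot certificate
# only when it is within RENEW_DAYS of expiry, then reload nginx.
# Assumes GNU date, openssl and letsencrypt-auto on PATH, and the slides' paths.
set -eu

DOMAIN="${DOMAIN:-abc.xyz}"
WEBROOT="${WEBROOT:-/usr/share/nginx/html}"
RENEW_DAYS="${RENEW_DAYS:-30}"            # 90-day cert, renew at 60 days => 30 days left
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"  # cert.pem, chain.pem, fullchain.pem, privkey.pem

# "notAfter=Mar 10 12:00:00 2016 GMT" (openssl -enddate output) -> Unix epoch.
enddate_to_epoch() {
  date -u -d "${1#notAfter=}" +%s
}

# Whole days from now ($2, epoch) until expiry ($1, epoch); negative once expired.
days_left() {
  echo $(( ($1 - $2) / 86400 ))
}

# Exit 0 when renewal is due: days left ($1) <= threshold ($2).
should_renew() {
  [ "$1" -le "$2" ]
}

# Days left on the certificate currently installed for DOMAIN.
cert_days_left() {
  local enddate
  enddate=$(openssl x509 -in "$LIVE_DIR/fullchain.pem" -noout -enddate)
  days_left "$(enddate_to_epoch "$enddate")" "$(date +%s)"
}

main() {
  local left
  left=$(cert_days_left)
  if ! should_renew "$left" "$RENEW_DAYS"; then
    echo "$(date -u +%FT%TZ) $DOMAIN: $left days left, nothing to do"
    return 0
  fi
  echo "$(date -u +%FT%TZ) $DOMAIN: $left days left, renewing"
  # Same webroot challenge as on the install slide; new files land in LIVE_DIR.
  letsencrypt-auto certonly --webroot -w "$WEBROOT" -d "$DOMAIN" -d "www.$DOMAIN" \
    --renew-by-default --non-interactive
  nginx -s reload   # pick up the renewed fullchain.pem / privkey.pem
}

# Run only when installed under the name the slides use, so the functions
# above can be sourced and checked without touching /etc/letsencrypt.
case "${0##*/}" in le-renew-webroot) main "$@" ;; esac
```

Installed as /usr/local/sbin/le-renew-webroot it slots into the weekly cron entry above, and the log line it prints each run is what ends up in /var/log/le-renewal.log.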