HPKP
More headers? https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/ https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
Caveat: HPKP has since been deprecated and removed from the major browsers, and a wrong pin locks returning visitors out for the whole max-age, so it is not worth deploying; HSTS (below) is the header that still matters.
Buy
1. Buy an SSL cert, I'm getting a PositiveSSL Wildcard for 5 years ($39 USD/yr): https://www.ssls.com/
2. Let them generate the key and CSR, it's easier. Caveat: the private key is then generated on the reseller's side and downloaded from it; generating the key and CSR locally with openssl keeps it off third-party systems.
3. Get the domain ownership verification email sent to admin@thighhighs.top and follow the steps to enter the verification code
4. Wait for domain validation to happen on their backend
5. Download the archive containing the cert and CA chain bundle
Install
1. Concatenate the cert and the chain/bundle, in that order; this is a general purpose cert file now (apps that only want the leaf cert will just read the first cert in the file). The order matters: nginx and most other servers treat the first cert as the server cert, so bundle-first means the intermediate gets served as the leaf and every client fails the handshake.
   cat STAR_thighhighs_top.crt STAR.thighhighs.top.ca-bundle > STAR_thighhighs_top.combined.pem
2. Dump the files in a directory, like /etc/ssl/
   - Don't forget the private key as well; keep it root-owned and mode 0600 (the combined cert file can stay world-readable)
3. Do the various configs
   - Pihole with lighttpd: servers/calico#TLS_support
   - nginx support:
     server {
         listen 80;
         listen 443 ssl;
         server_name thighhighs.top ;
         ...
         ssl_certificate /etc/ssl/STAR_thighhighs_top.combined.pem;
         ssl_certificate_key /etc/ssl/STAR_thighhighs_top.key;
         # needed by ssl_stapling_verify: nginx wants the intermediate(s) and the root CA cert
         # here as a trust store, so append the root to the reseller's bundle if it isn't in it
         ssl_trusted_certificate /etc/ssl/STAR.thighhighs.top.ca-bundle;
         ssl_stapling on;
         ssl_stapling_verify on;
         resolver 8.8.8.8 8.8.4.4;
         include /etc/nginx/fragment/gzip;
     }
     The original block also had ssl on; that directive is deprecated and, together with listen 80, makes the port 80 listener expect TLS as well, so plain HTTP requests fail. listen 443 ssl on its own is the correct form.
4. Check the config with nginx -t, then reload (or restart) nginx; add session caching and whatnot if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
   - Fix up the Unifi controller, these notes are a bit stale as it's not containerised, but it's basically correct: UnifiController#A_real_signed_SSL_cert_for_the_controller
   - The Synology NAS uses individual key/cert/chain files; instead of Action-Renew just use Add-Replace; set it as the default system cert
   - Test:
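A test for the steps above, as an added example that is not part of the original page: a shell script that builds the combined file the same way step 1 does and then checks the three things that most often go wrong (the key doesn't match the cert, the bundle ended up before the leaf, the chain doesn't verify). The reseller's STAR_thighhighs_top.crt, STAR.thighhighs.top.ca-bundle and STAR_thighhighs_top.key are stood in for by a throwaway root/intermediate/leaf PKI generated with openssl inside the script (constructed test material), so it runs offline; it assumes the bundle holds only the intermediate. The check_live function at the end is for the real server and needs network, so it is defined but not invoked.

```shell
#!/bin/sh
# Added example, not the page's own: build the combined cert file the way the
# Install step does and check it before nginx gets it. The reseller's files
# (STAR_thighhighs_top.crt, STAR.thighhighs.top.ca-bundle, STAR_thighhighs_top.key)
# are stood in for by a throwaway root -> intermediate -> leaf PKI generated
# below, so this runs offline. Constructed test material only.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROOT="$WORK/root.crt"
LEAF="$WORK/STAR_thighhighs_top.crt"
BUNDLE="$WORK/STAR.thighhighs.top.ca-bundle"
KEY="$WORK/STAR_thighhighs_top.key"
COMBINED="$WORK/STAR_thighhighs_top.combined.pem"
WRONG="$WORK/bundle-first.pem"

# Throwaway PKI standing in for the CA's real certs (assumption: the reseller's
# bundle holds the intermediate only, the root is not in it).
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.thighhighs.top,DNS:thighhighs.top\n' > "$WORK/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -days 2 -extfile "$WORK/ca.ext" -out "$ROOT" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$ROOT" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.thighhighs.top" \
        -keyout "$KEY" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$LEAF" 2>/dev/null
    cp "$WORK/int.crt" "$BUNDLE"
}

# The page's step 1: leaf first, then the chain/bundle.
build_combined() {  # leaf bundle out
    cat "$1" "$2" > "$3"
}

# openssl x509 reads only the first cert in a file, which is exactly the one
# nginx will serve as the server cert, so the checks below look at that cert.
check_key_matches() {  # combined key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

check_leaf_first() {  # combined
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

check_chain() {  # combined bundle root  (on a real box drop -CAfile and use the system store)
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# For the deployed server (needs network, so not run here): verify the served
# chain against the system store, send SNI, and demand an OCSP staple.
check_live() {  # host port
    openssl s_client -connect "$1:$2" -servername "$1" -status -verify_return_error \
        </dev/null 2>/dev/null | grep -q 'OCSP Response Status: successful'
}

make_test_pki
build_combined "$LEAF" "$BUNDLE" "$COMBINED"
check_key_matches "$COMBINED" "$KEY"
check_leaf_first "$COMBINED"
check_chain "$COMBINED" "$BUNDLE" "$ROOT"

# The common mistake, bundle before leaf: the first cert is now the intermediate.
build_combined "$BUNDLE" "$LEAF" "$WRONG"
if check_leaf_first "$WRONG"; then
    echo "bundle-first file should not pass" >&2
    exit 1
fi
echo "OK: $COMBINED has the leaf first, matches the key, and chains to the root"
```

On the real box the same three checks are run against /etc/ssl/STAR_thighhighs_top.combined.pem and the key, with check_chain using the system trust store instead of -CAfile; check_live thighhighs.top 443 afterwards confirms that the staple is actually being served, which the nginx error log only tells you about as a warning when it is not.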
Improvements
Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
Now figured out what to make of the following:
OCSP stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Which certs need to be where: ssl_stapling on makes nginx fetch and cache the OCSP response for the leaf (the first cert in ssl_certificate) and needs the issuer cert, which it finds in the combined file's chain. ssl_stapling_verify on additionally checks the responder's signature, and for that nginx wants the intermediate(s) and the root in ssl_trusted_certificate (the reseller's ca-bundle plus the root CA cert). The resolver line is what nginx uses to look up the OCSP responder. If verification can't be done, stapling just stops with a warning in the error log, so confirm with openssl s_client -status that a staple is really served.
HSTS
Should be as easy as adding a Strict-Transport-Security header, but it is only honoured when sent over HTTPS, so best to split your http/https blocks in the config and redirect to HTTPS always. Caveats: clients keep the policy for the full max-age, so start with a short one until everything is known to work over TLS; and with a wildcard cert, includeSubDomains applies to every name under thighhighs.top, so only add it once all the hosts behind the wildcard are on TLS.
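The split layout the HSTS note recommends, as an added example and not the page's own config, using the names and file paths from the Install section. It assumes the root CA cert has been appended to the reseller's ca-bundle so that ssl_trusted_certificate holds the full issuer chain, and it starts HSTS with a deliberately short max-age.

```nginx
# Added example (not the page's own config). Assumes /etc/ssl/STAR.thighhighs.top.ca-bundle
# now holds intermediate(s) plus root, as ssl_stapling_verify needs.

# Plain HTTP: nothing but a redirect. No HSTS header here, browsers ignore it over http://.
server {
    listen 80;
    server_name thighhighs.top *.thighhighs.top;
    return 301 https://$host$request_uri;
}

# HTTPS: the whole site lives here.
server {
    listen 443 ssl;
    server_name thighhighs.top *.thighhighs.top;

    ssl_certificate         /etc/ssl/STAR_thighhighs_top.combined.pem;
    ssl_certificate_key     /etc/ssl/STAR_thighhighs_top.key;
    ssl_trusted_certificate /etc/ssl/STAR.thighhighs.top.ca-bundle;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    # HSTS: short max-age first; raise to 31536000 once every host is confirmed on TLS.
    # includeSubDomains is left out because it would bind every name under the wildcard.
    add_header Strict-Transport-Security "max-age=300" always;

    include /etc/nginx/fragment/gzip;
    # ... the rest of the site config
}
```

One nginx quirk worth knowing: add_header directives are not inherited into a location block that has its own add_header, so a location that adds any header must repeat the Strict-Transport-Security line or the policy silently disappears for those paths.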