Revision 8 as of 2025-11-08 15:24:17
Size: 4426
Comment: update procedure for preparing new cert files
Buy
 1. Buy an SSL cert, I'm getting a PositiveSSL Wildcard for 5 years ($39 USD/yr): https://www.ssls.com/
 2. Let them generate the key and CSR, it's easier. The trade-off is that the provider then holds a copy of the private key for the whole 5 years; generating the key and CSR locally with openssl (genrsa + req, the way the previous version of this procedure did it) keeps the key on your own host, at the cost of pasting the CSR in yourself.
 3. Get the domain ownership verification email sent to admin@thighhighs.top and follow the steps to enter the verification code
 4. Wait for domain validation to happen on their backend
 5. Download the archive containing the cert and CA chain bundle
Install
Updated for November 2025, there's some small changes to my environment and to the files I get from the provider. Notably, the trust root is now "Sectigo Public Server Authentication Root R46" (a completely different chain compared to last year). Although that root is trusted by my browser, the bundle also includes a higher CA that has cross-signed it: USERTrust RSA Certification Authority. That cert is self-signed and included in the bundle. What's also interesting is that last year the bundle included a CA above that one, USERTrust itself being signed by AAA Certificate Services. Anyway it doesn't matter now. One thing worth knowing: the self-signed root at the end of the bundle is never used by a client (it either already trusts that root, or it won't trust a copy you send), so serving it only costs a few hundred bytes per handshake. Leaving it in is harmless; trimming it is optional.
 1. Copy the new key, cert, and chain ("bundle") to the server, probably illustrious, to /etc/ssl using date-based filenames. The key should be root-owned and mode 0600; the cert and bundle are public:
{{{
STAR_thighhighs_top.key.2025
STAR_thighhighs_top.crt.2025
STAR_thighhighs_top.ca-bundle.2025
}}}
 2. Concatenate the cert and the chain/bundle, in that order (leaf first, then its issuers). This is a general-purpose cert file now: apps that only want the leaf cert will just read the first cert in the file, and nginx needs the issuer right after the leaf for OCSP stapling.
{{{
cat STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.ca-bundle.2025 > STAR_thighhighs_top.crtbundled.2025
}}}
 3. Generate the .p12 file for things that might need it, one of these will do. I only just figured out how to include the chain in the p12. -chain makes openssl build and verify the chain up to a root in the system trust store, with -untrusted supplying the intermediates; -certfile would instead copy the bundle in as-is without verifying it. Two caveats: -password pass:... leaves the password in shell history and visible in ps while the command runs (-passout file: or an interactive prompt avoids that), and -legacy is only needed on OpenSSL 3 for consumers that can't read its default AES/PBKDF2 PKCS#12 encryption, such as older Java keytools.
{{{
# no chain in P12
openssl pkcs12 -export -legacy \
  -inkey STAR_thighhighs_top.key.2025 \
  -in STAR_thighhighs_top.crt.2025 \
  -out STAR_thighhighs_top.p12.2025 \
  -name unifi -password pass:unifi

# with chain in P12
openssl pkcs12 -export -legacy \
  -chain -untrusted STAR_thighhighs_top.ca-bundle.2025 \
  -inkey STAR_thighhighs_top.key.2025 \
  -in STAR_thighhighs_top.crt.2025 \
  -out STAR_thighhighs_top.p12.2025 \
  -name unifi -password pass:unifi
}}}
 4. Update all the symlinks for apps that use certs
{{{
ln -sf STAR_thighhighs_top.ca-bundle.2025 STAR_thighhighs_top.ca-bundle
ln -sf STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.crt
ln -sf STAR_thighhighs_top.crtbundled.2025 STAR_thighhighs_top.crtbundled
ln -sf STAR_thighhighs_top.key.2025 STAR_thighhighs_top.key
ln -sf STAR_thighhighs_top.p12.2025 STAR_thighhighs_top.p12
}}}
 5. Go fix up configs or restart services that use the cert. Keep this list current: anything still pointing at last year's file keeps serving the expiring cert until it breaks.
  * Pihole with lighttpd: servers/calico#TLS_support
  * Caddy: systemctl restart caddy
  * nginx support. The config points at the crtbundled symlink from step 4 (it previously named a combined.pem that this procedure no longer produces), drops ssl on; (deprecated since nginx 1.15 and since removed; in a block that also listens on 80 it made plain HTTP requests fail), and adds ssl_trusted_certificate, which ssl_stapling_verify needs:
{{{
server {
    listen 80;
    listen 443 ssl;
    server_name thighhighs.top ;
    ...
    ssl_certificate /etc/ssl/STAR_thighhighs_top.crtbundled;
    ssl_certificate_key /etc/ssl/STAR_thighhighs_top.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/STAR_thighhighs_top.ca-bundle;
    resolver 8.8.8.8 8.8.4.4;
    include /etc/nginx/fragment/gzip;
}
}}}
   Run nginx -t, then restart nginx; add session caching and whatnot if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
  * Fix up the Unifi controller, these notes are a bit stale as it's not containerised, but it's basically correct: UnifiController#A_real_signed_SSL_cert_for_the_controller
  * The Synology NAS uses individual key/cert/chain files; instead of Action-Renew just use Add-Replace; set it as the default system cert
  * Update fenny as well, the Asustor Flashstor NAS. Its interface is surprisingly almost identical to Synology: Add, Replace, Import, upload the three files
 6. Test:
  * https://ssllabs.com/ssltest/
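The Install procedure above as one script, with the checks I'd want to pass before the symlinks get swapped: the private key actually matches the new cert, the leaf chains to the bundle that came with it, the cert isn't about to expire, and the SAN covers the host you're about to serve. This is an added example, not the page's own commands. The file names follow the STAR_<domain>.<kind>.<year> convention from the page, but the domain (example.test), the base name STAR_example_test, the password file and the throwaway test PKI that demo mode builds are all assumptions. It writes the p12 with -certfile (bundle copied in unverified, no -legacy) and takes the password from a file instead of pass: on the command line.

```shell
#!/bin/sh
# Added example for the cert-swap procedure on this page; not the page's own commands.
# Names (STAR_example_test, example.test, p12.pass) and the demo PKI are assumptions.
set -eu

# 0 if the private key and the leaf cert carry the same public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)" = \
    "$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)" ]
}

# 0 if the leaf chains to a self-signed root contained in the bundle. The provider's
# bundle ships the root, so -CAfile works offline; to check against the system trust
# store instead, use: openssl verify -untrusted bundle leaf
chain_is_valid() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the cert is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# DNS names from the cert's subjectAltName, one per line.
cert_san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# 0 if a SAN entry names the host exactly or as a one-label wildcard
# (*.example.test covers www.example.test but not example.test or a.b.example.test).
cert_covers_host() {
  cert_san_names "$1" | grep -qxF -e "$2" -e "*.${2#*.}"
}

# Validate the year-suffixed files, build crtbundled and p12, then swap the symlinks.
# usage: prepare_cert_files YEAR DIR BASE PASSFILE
prepare_cert_files() {
  local year=$1 dir=$2 base=$3 passfile=$4 f
  local key="$dir/$base.key.$year" crt="$dir/$base.crt.$year" bundle="$dir/$base.ca-bundle.$year"
  key_matches_cert "$key" "$crt"  || { echo "$key does not match $crt" >&2; return 1; }
  chain_is_valid "$crt" "$bundle" || { echo "$crt does not chain to $bundle" >&2; return 1; }
  cert_valid_for_days "$crt" 30   || { echo "$crt expires within 30 days" >&2; return 1; }
  chmod 600 "$key"
  # leaf first, then issuers: apps that only want the leaf read the first cert
  cat "$crt" "$bundle" > "$dir/$base.crtbundled.$year"
  # -certfile copies the bundle in as-is (no trust-store lookup); add -legacy only for
  # consumers that cannot read OpenSSL 3's default PKCS#12 encryption
  openssl pkcs12 -export -inkey "$key" -in "$crt" -certfile "$bundle" \
    -name "$base" -passout "file:$passfile" -out "$dir/$base.p12.$year"
  chmod 600 "$dir/$base.p12.$year"
  for f in key crt ca-bundle crtbundled p12; do
    ln -sf "$base.$f.$year" "$dir/$base.$f"   # relative target, as in the page's symlinks
  done
}

# Constructed offline PKI (root -> intermediate -> wildcard leaf) standing in for the
# provider's download, so the script can be exercised without buying anything.
make_test_pki() {
  local dir=$1 base=$2 year=$3
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' > "$dir/leaf.ext"
  gen() { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null; }
  gen "Test Root" "$dir/root.key" "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  gen "Test Intermediate" "$dir/int.key" "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
  gen "*.example.test" "$dir/$base.key.$year" "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
    -days 825 -extfile "$dir/leaf.ext" -out "$dir/$base.crt.$year" 2>/dev/null
  # mirror the provider's layout: intermediate(s) then the self-signed root
  cat "$dir/int.crt" "$dir/root.crt" > "$dir/$base.ca-bundle.$year"
  printf 'change-me\n' > "$dir/p12.pass"; chmod 600 "$dir/p12.pass"
}

# sh thisscript.sh demo  -> builds the test PKI in a temp dir and runs the full procedure on it
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_test_pki "$d" STAR_example_test 2025
  prepare_cert_files 2025 "$d" STAR_example_test "$d/p12.pass" && ls -l "$d"
fi
```

On a real swap, drop make_test_pki and call prepare_cert_files 2025 /etc/ssl STAR_thighhighs_top /root/p12.pass after copying the three provider files into place; every check failing returns non-zero before any symlink has moved, so a bad download can't take the site down.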
Improvements
Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/

Now figured out what to make of...

OCSP stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Which certs need to be where: nginx fetches the staple from the OCSP responder URL in the leaf, and to do that it needs the issuer's cert, which it takes from the chain appended to ssl_certificate (the crtbundled file) or, failing that, from ssl_trusted_certificate. ssl_stapling_verify additionally needs the whole chain up to the root in ssl_trusted_certificate, which is exactly what the ca-bundle file is. Check the result with openssl s_client -connect host:443 -status and look for "OCSP Response Status: successful"; the first request after a restart may still show no staple because nginx fetches it lazily.

HSTS
Should be as easy as adding a Strict-Transport-Security header, but it's best to split your http/https blocks in the config and redirect to HTTPS always: browsers ignore the header on plain HTTP anyway. With a wildcard cert the tempting includeSubDomains directive applies to every host under the domain, so everything (Pihole, Unifi, the NASes) must already work over HTTPS before adding it. Start with a short max-age and raise it once nothing breaks; a long max-age can't be taken back from clients that already cached it. Also note the nginx gotcha that an add_header inside a location block replaces, rather than adds to, the add_header lines of the enclosing server block.
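The split the HSTS note recommends, as an added example rather than this page's live config: a plain-HTTP block that only redirects, and a TLS block that carries the header plus the stapling directives from the Install section. The cert paths reuse the symlink names from step 4; the [::] listeners, the 8.8.8.8 resolver, the one-year max-age and the choice to include includeSubDomains are my assumptions for this setup.

```nginx
# Added example, not the page's own config. Redirect-only HTTP block:
server {
    listen 80;
    listen [::]:80;
    server_name thighhighs.top *.thighhighs.top;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name thighhighs.top *.thighhighs.top;

    # leaf + chain from step 2, key from step 1, via the step 4 symlinks
    ssl_certificate     /etc/ssl/STAR_thighhighs_top.crtbundled;
    ssl_certificate_key /etc/ssl/STAR_thighhighs_top.key;

    # OCSP stapling: issuer comes from the chain in ssl_certificate,
    # verification needs the full chain (intermediates + root) as trusted certs
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/STAR_thighhighs_top.ca-bundle;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    # HSTS only means anything on this block; "always" sends it on error
    # responses too. Raise max-age (e.g. from 300) once every subdomain is
    # known to work over HTTPS; includeSubDomains covers the whole wildcard.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    include /etc/nginx/fragment/gzip;
    ...
}
```

Any location block that sets its own add_header must repeat the Strict-Transport-Security line, otherwise it silently drops the inherited one.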