How to encrypt your website traffic - Free SSL Cert

Syntax

Developer
Joined
Oct 10, 2007
Messages
2,840
Best answers
0
Reaction score
201
Location
Texas
Just secure it through CF. No reason not to have small sites going through them.
Free CDN and simple SSL.
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
86
Best answers
4
Reaction score
97
> Just secure it through CF. No reason not to have small sites going through them.
> Free CDN and simple SSL.
Well you could do that. That would be the lazy solution, but definitely not the most reliable one.
It is really easy to install your own TLS Cert. So why not do it? Why rely on a third party?
Using CF means trusting their every step and there have been huge issues in the past where it was really easy to do a Man-in-the-Middle attack on Cloudflare Certificates and they didn't even notice until a magazine published an article on it.
So besides you having to rely on Cloudflare's reliability, they also have fucked up badly in the past, which leaves the question whether you really wanna trust them or simply do it yourself. Doesn't take long to install a Let's Encrypt signed certificate.
Although I gotta say, I'd rather see a website with a CF Certificate than with none at all.
 

Alpha

Relentless
Premium User
Joined
Apr 3, 2011
Messages
320
Best answers
5
Reaction score
81
Location
South Korea
> Well you could do that. That would be the lazy solution, but definitely not the most reliable one.
> It is really easy to install your own TLS Cert. So why not do it? Why rely on a third party?
> Using CF means trusting their every step and there have been huge issues in the past where it was really easy to do a Man-in-the-Middle attack on Cloudflare Certificates and they didn't even notice until a magazine published an article on it.
> So besides you having to rely on Cloudflare's reliability, they also have fucked up badly in the past, which leaves the question whether you really wanna trust them or simply do it yourself. Doesn't take long to install a Let's Encrypt signed certificate.
> Although I gotta say, I'd rather see a website with a CF Certificate than with none at all.
I usually just do the best of both, and generate a LetsEncrypt cert which gets installed on my origin webserver, and then set CloudFlare to Strict (Full) SSL mode.
¯\_(ツ)_/¯
 

pablon94

New Member
Joined
Jan 2, 2013
Messages
25
Best answers
0
Reaction score
2
Getting this error
/etc/nginx/dhparam.pem: Permission denied
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
86
Best answers
4
Reaction score
97
> Getting this error
> /etc/nginx/dhparam.pem: Permission denied
Do:
sudo chown www-data:www-data /etc/nginx/dhparam.pem
sudo chmod 511 /etc/nginx/dhparam.pem

Though this shouldn't happen anyway, because the mother instance of nginx is being run by root and the children (workers) only by nginx.
But you can set the permissions to 777 (sudo chmod 777 /etc/nginx/dhparam.pem) as well if you want to and if you wanna make sure anyone can read-write-execute the file. It's not a secret file, so it doesn't really matter who can read it.
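As an added example (not from anyone in this thread), here is a small POSIX shell script that reasons about the permission bits on /etc/nginx/dhparam.pem the way the post describes: the nginx master runs as root, the workers as an unprivileged user, so it is the worker user (assumed to be www-data unless you pass another name) that needs read access. It separately flags the chmod 777 shortcut, because the "other" write bit lets every local account overwrite the DH parameters the server loads, even though the file's contents are not secret.

```shell
#!/bin/sh
# Added example, not code from the thread. It reasons about the permission
# bits of /etc/nginx/dhparam.pem (or any file) the way the post above does:
# the nginx master runs as root, the workers as an unprivileged user, so it is
# the worker user that needs read access. It also flags the "chmod 777"
# shortcut, which additionally lets every local account overwrite the file.
# Assumptions: a GNU or BSD `stat`, and a worker user of www-data unless a
# second argument is given.

# Four-digit octal mode of a file, e.g. 0644 (GNU stat first, BSD fallback).
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%04d' "$m"
}

file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_group() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# One octal digit of a four-digit mode string: 1 = owner, 2 = group, 3 = other.
mode_digit() { printf '%s' "$1" | cut -c "$(( $2 + 1 ))"; }

# Succeed if USER can read FILE through the owner, group or other bits.
# An unknown user (e.g. www-data missing on a dev box) only matches "other".
user_can_read() {
    file=$1; user=$2
    mode=$(file_mode "$file")
    if [ "$(file_owner "$file")" = "$user" ]; then
        [ "$(mode_digit "$mode" 1)" -ge 4 ] && return 0
    fi
    grp=$(file_group "$file")
    groups=$(id -Gn "$user" 2>/dev/null || true)
    case " $groups " in
        *" $grp "*) [ "$(mode_digit "$mode" 2)" -ge 4 ] && return 0 ;;
    esac
    [ "$(mode_digit "$mode" 3)" -ge 4 ]
}

# Succeed if the "other" write bit is set (modes such as 666, 777, 646).
world_writable() {
    o=$(mode_digit "$(file_mode "$1")" 3)
    [ $(( o % 4 )) -ge 2 ]
}

# Verdict for the dhparam file: exit 0 only when the worker user can read it
# and nobody else can write it.
check_dhparam() {
    file=$1; user=${2:-www-data}
    if ! user_can_read "$file" "$user"; then
        echo "FAIL: $user cannot read $file (mode $(file_mode "$file"))"; return 1
    fi
    if world_writable "$file"; then
        echo "WARN: $file is world-writable; any local account can replace the DH parameters"; return 1
    fi
    echo "OK: $user can read $file and it is not world-writable"
}

# Usage: sh check_dhparam.sh /etc/nginx/dhparam.pem [worker-user]
[ $# -gt 0 ] && check_dhparam "$@"
```

Run it as `sh check_dhparam.sh /etc/nginx/dhparam.pem www-data`. Root reads any file regardless of its mode, so the script reasons from the mode bits rather than attempting a read; the bits are what matter for the unprivileged workers.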
 

Klonera

Once upon a time.
Joined
Jul 16, 2016
Messages
522
Best answers
1
Reaction score
85
Location
Sweden
> Do:
> sudo chown www-data:www-data /etc/nginx/dhparam.pem
> sudo chmod 511 /etc/nginx/dhparam.pem
>
> Though this shouldn't happen anyway, because the mother instance of nginx is being run by root and the children (workers) only by nginx.
> But you can set the permissions to 777 (sudo chmod 777 /etc/nginx/dhparam.pem) as well if you want to and if you wanna make sure anyone can read-write-execute the file. It's not a secret file, so it doesn't really matter who can read it.
Why even recommend 777?
I mean just use this instead, which is guaranteed to work.
Code:
chown -R www-data:www-data /var/www/html
&
Code:
chmod -R 755 /var/www/html
 

pablon94

New Member
Joined
Jan 2, 2013
Messages
25
Best answers
0
Reaction score
2
Thank you guys, now I have no errors but my site is not showing the certificate, so it appears as not secure lol
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
86
Best answers
4
Reaction score
97
> Thank you guys, now I have no errors but my site is not showing the certificate, so it appears as not secure lol
Look at your PMs. I'll help you solve this in private messages :)

@Klonera
Yeah it wasn't a recommendation, I just said it doesn't matter for this kind of file and would solve it for sure without knowing the exact origin of the issue.
 

pink_panther

Member
Joined
Sep 10, 2016
Messages
105
Best answers
0
Reaction score
24
> Wow very nice, didn't know it could be free.. some devs tried to fool me with some BS costs...
These are pretty basic certs that only last a short period at a time; not every hosting provider supports it because it CAN stuff up.

The "BS cost" is probably like 10 bucks for a 12 month certificate, and I wouldn't say you're being fooled for paying for a proper certificate, but this will do the job.


Further to this, many WHM cPanel hosting services come with something called AutoSSL, which is similar to this: free SSL certs for webpages that renew every 3 months.
 

pink_panther

Member
Joined
Sep 10, 2016
Messages
105
Best answers
0
Reaction score
24
> COULD YOU ADD TUTORIAL FOR WINDOWS? GREAT CONTRIBUTION

This is the same service, certs from Let's Encrypt, but done via a webpage so you don't have to use that tool. Much easier if you're not competent with Linux.

You need to be able to edit the DNS records for your domain to verify; that's the easier one IMO.

They export the private key, but not a PFX file; you will also need to download OpenSSL for Windows to convert the cert + private key to a PFX so you can import it into IIS (if you're using Windows IIS for your webpage).
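The conversion step mentioned above, as an added example that is not from this post or from the web service it describes: the same OpenSSL commands run under OpenSSL for Windows (in Git Bash or WSL) as on Linux. The file names cert.pem, chain.pem and privkey.pem and the PFX_PASSWORD variable are assumptions made here; the two verification functions open the bundle afterwards and confirm the key and certificate belong together without printing the key.

```shell
#!/bin/sh
# Added example, not from the thread: bundle a Let's Encrypt certificate,
# its chain and the private key into a PKCS#12 (.pfx) file for IIS, then
# verify the bundle without ever printing the key.
# Assumptions: openssl on PATH; input files named cert.pem, privkey.pem and
# optionally chain.pem; export password in the PFX_PASSWORD variable so it
# never lands in the shell history (IIS asks for it again on import).

# make_pfx CERT KEY OUT [CHAIN] - write OUT as a password-protected .pfx.
make_pfx() {
    cert=$1; key=$2; out=$3; chain=${4:-}
    [ -n "${PFX_PASSWORD:-}" ] || { echo "set PFX_PASSWORD first" >&2; return 2; }
    export PFX_PASSWORD
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -out "$out" -passout env:PFX_PASSWORD || return 1
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" \
            -out "$out" -passout env:PFX_PASSWORD || return 1
    fi
    chmod 600 "$out"   # the .pfx contains the private key: keep it private
}

# Subject of the leaf certificate inside a .pfx, which also proves the
# bundle opens with the password. -nokeys keeps the key out of the output.
pfx_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl x509 -noout -subject
}

# Succeed if the certificate and key in the .pfx belong together, compared
# through their public keys (the private key bytes are never printed).
pfx_key_matches_cert() {
    c=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl pkey -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: PFX_PASSWORD=... sh make_pfx.sh cert.pem privkey.pem site.pfx [chain.pem]
[ $# -ge 3 ] && make_pfx "$@"
```

OpenSSL 3 writes PKCS#12 files with AES-256-CBC and a SHA-256 MAC by default, which some older Windows releases cannot open; if the IIS import rejects the file, add `-legacy` to the export command. Export fails outright if the key does not match the certificate ("No certificate matches private key"), which is the check you want before uploading anything to a server.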
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
86
Best answers
4
Reaction score
97
> This is the same service, certs from Let's Encrypt, but done via a webpage so you don't have to use that tool. Much easier if you're not competent with Linux.
>
> You need to be able to edit the DNS records for your domain to verify; that's the easier one IMO.
>
> They export the private key, but not a PFX file; you will also need to download OpenSSL for Windows to convert the cert + private key to a PFX so you can import it into IIS (if you're using Windows IIS for your webpage).
Could do that, but that also means that this random website now has access to your private key and could technically read all your traffic.
I don't know. I wouldn't trust them. I'd rather do it myself. It's really easy to do.
The only a bit more complicated thing is editing your webserver the right way to get the maximum out of the certificate.

> These are pretty basic certs that only last a short period at a time; not every hosting provider supports it because it CAN stuff up.
>
> The "BS cost" is probably like 10 bucks for a 12 month certificate, and I wouldn't say you're being fooled for paying for a proper certificate, but this will do the job.
>
> Further to this, many WHM cPanel hosting services come with something called AutoSSL, which is similar to this: free SSL certs for webpages that renew every 3 months.
They offer other kinds of certificates by now as well. But that doesn't really matter for an OT.
And LetsEncrypt certificates are "proper" certificates, as you call them. To be exact, even self-signed certificates can be proper if made correctly, which is not hard. The issue with self-signed certificates is that no browser will show them as secure because the issuer (you) is unknown.
LetsEncrypt, on the other hand, is a non-profit project that is being supported and sponsored by many huge companies and is thereby supported by every web browser.
 

pink_panther

Member
Joined
Sep 10, 2016
Messages
105
Best answers
0
Reaction score
24
> I don't know. I wouldn't trust them.
It's the same CA. They don't save the private key; it generates and downloads on the spot. You can also choose to upload your own CSR if you want to.

Taken from the web page:
  1. Let's Encrypt is the first free and open CA
     We generate certificates using their ACME server by using domain validation.
  2. Private Keys are generated in your browser and never transmitted. For browsers which support Web Cryptography (all modern browsers) we generate a private key in your browser using the Web Cryptography API and the private key is never transmitted. The private key also gets deleted off your browser after the certificate is generated. If your browser does not support the Web Cryptography API then the keys will be generated on the server using the latest version of OpenSSL and outputted over SSL and never stored. For the best security you are recommended to use a supported browser for client generation. You can also provide your own CSR when using manual verification in which case the private key is handled completely on your end.



> to be exact even self-signed certificates can be proper if made correctly, which is not hard.
Self-signed certificates will come up as untrusted to everyone but you.

> And LetsEncrypt certificates are "proper" certificates as you call them
Yes, but they last 3 months, which means you need to renew it 4 times a year instead of maybe once every 2 years.


Just saying.

I might make a post later about how to do this, convert to PFX and install to IIS for Windows people, like myself :)
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
86
Best answers
4
Reaction score
97
> It's the same CA. They don't save the private key; it generates and downloads on the spot. You can also choose to upload your own CSR if you want to.
>
> Taken from the web page:
>   1. Let's Encrypt is the first free and open CA
>      We generate certificates using their ACME server by using domain validation.
>   2. Private Keys are generated in your browser and never transmitted. For browsers which support Web Cryptography (all modern browsers) we generate a private key in your browser using the Web Cryptography API and the private key is never transmitted. The private key also gets deleted off your browser after the certificate is generated. If your browser does not support the Web Cryptography API then the keys will be generated on the server using the latest version of OpenSSL and outputted over SSL and never stored. For the best security you are recommended to use a supported browser for client generation. You can also provide your own CSR when using manual verification in which case the private key is handled completely on your end.
Well I didn't read it that well :D I just assumed they would only use the API to issue a certificate for you, which, now thinking about it, wouldn't make a lot of sense or be possible that easily.

> Self signed certificates will come up as untrusted to everyone but you.
That's literally what I said.


So yeah maybe it is a nice alternative for people who don't know their way around unix systems. But then again, you just gotta follow the tutorial step by step, not even use your brain. And if you use a unix system, you need to learn it anyways. Always trying to find a way around it is neither efficient nor smart. You wanna make an OT? Do it right! It's really not that hard!

And I've got 7 certificates for my domains on my server, all from LetsEncrypt. And I do renew them manually. I do get alerted before they expire via Telegram from my server, so in the next 7 days after the alert I simply sit down for 1 min and renew them. It's really not a problem.
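The expiry reminder described in this post, as an added example that is not Merrok's own script: it works out the days left on a PEM certificate with `openssl x509 -checkend` (so it needs no date parsing and runs the same on GNU and BSD systems) and sends one message through the Telegram Bot API when the count drops under a threshold. TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are variable names chosen here; fetch_server_cert pulls the certificate a live server presents, so the check also works from a box that has no access to the key files.

```shell
#!/bin/sh
# Added example, not from the thread: report how many days a certificate
# has left and send one reminder when it drops below a threshold, the kind
# of "renew within the next 7 days" alert described in the post above.
# Assumptions: openssl on PATH; TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are
# optional environment variables (names chosen here, not from the thread);
# without them the reminder is printed instead of sent.

# Succeed if CERT (PEM) will still be valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Whole days of validity remaining (capped at 730), found by binary search
# over -checkend. Prints 0 and fails for an already expired certificate.
days_left() {
    cert=$1; lo=0; hi=730
    cert_valid_for_days "$cert" 0 || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if cert_valid_for_days "$cert" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# Save the certificate a live server presents for HOST (with SNI) to FILE.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Deliver the reminder: Telegram Bot API if configured, otherwise stdout.
notify() {
    if [ -n "${TELEGRAM_BOT_TOKEN:-}" ] && [ -n "${TELEGRAM_CHAT_ID:-}" ]; then
        curl -fsS "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
            --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
            --data-urlencode "text=$1" >/dev/null
    else
        echo "$1"
    fi
}

# check_expiry CERT [THRESHOLD_DAYS]: exit 0 when fine, 1 when renewal is
# due, 2 when already expired, so a cron job can act on the status.
check_expiry() {
    cert=$1; threshold=${2:-7}
    if ! n=$(days_left "$cert"); then
        notify "EXPIRED: $cert"; return 2
    fi
    if [ "$n" -lt "$threshold" ]; then
        notify "RENEW: $cert expires in $n days"; return 1
    fi
    echo "OK: $cert valid for $n more days"
}

# Usage: sh check_expiry.sh /etc/letsencrypt/live/example.test/cert.pem 7
[ $# -gt 0 ] && check_expiry "$@"
```

A daily cron entry running `check_expiry` over each certificate file (or over the output of `fetch_server_cert` for each domain) reproduces the "alert a week ahead, renew by hand within the week" routine; the threshold is the second argument, and the exit status tells the scheduler which certificates need attention.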
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
86
Best answers
4
Reaction score
97
> can i do this using apache?
Of course you can.
It's the same principle, though some of the parameter names might be different.
But Google will show you the equivalent of each parameter; for example ssl_ciphers in nginx would be SSLCipherSuite in Apache, I believe.
I always recommend nginx, but if you chose Apache already you can do it there too of course. Just have to adapt it a bit.
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
86
Best answers
4
Reaction score
97
> Great tutorial :) For anyone that doesn't want to deal with too much technical stuff: You could also use SSL For Free - Free SSL Certificates in Minutes (https://www.sslforfree.com/) which issues Let's Encrypt certs for you. You just need to prove it's your domain by uploading a validation text file or DNS validation :)
Thanks
Yeah pink_panther already said the same thing.
Though generating the certificate is the easiest part of the "technical stuff" of including the certificate. You still got to configure your webserver accordingly.
But as I already said, in my opinion you need to learn how to deal with the "technical stuff" anyways. Taking shortcuts the whole time won't get you anywhere. If you want to make an OT, do it right! And you only have to follow the tutorial step by step. It's really nothing you need experience for :p
 

Damon

Check my status to contact me :)
Joined
Mar 26, 2011
Messages
6,102
Best answers
1
Reaction score
1,860
Location
Germany
> Thanks
> Yeah pink_panther already said the same thing.
> Though generating the certificate is the easiest part of the "technical stuff" of including the certificate. You still got to configure your webserver accordingly.
> But as I already said, in my opinion you need to learn how to deal with the "technical stuff" anyways. Taking shortcuts the whole time won't get you anywhere. If you want to make an OT, do it right! And you only have to follow the tutorial step by step. It's really nothing you need experience for :p
Agree that learning how to do it is part of the whole process. I have a while ago and it's really not a big deal, like you are saying. Still it can be beneficial for some people to know about the shortcut :)
 