Issuing a Free SSL Certificate and Scoring an A+ on Security! ~Apache Edition~

Overview

With the upcoming version upgrade of the Veritrans module,
an SSL certificate signed with SHA-256 became mandatory.

When running the Veritrans module upgrade test in our test environment,
we therefore needed to install an SSL certificate.

While we couldn’t go so far as to install the same paid SSL certificate as in production,
we needed something close to it, so we issued and installed a free SSL certificate.

I’ve summarized the above procedure below.

Environment

We are using AWS Marketplace: CentOS 6 (x86_64) - with Updates HVM.

  • CentOS release 6.7 (Final)
  • Apache 2.4.12

Procedure

Generating the CSR

As preparation, generate the CSR on the server where the SSL certificate will be installed.

Please refer to the following for how to generate a SHA256-compatible CSR.

Registering with StartCom

Click Sign-up in the header menu

StartSSL

Fill in the required fields and click the “send verification code” button

A verification code will be sent to the registered email address.

You’ll receive an email like this.

Enter the verification code to complete registration

SSL Issuance Procedure

Select the free version

Select the SSL for Web Server

Domain Validation

Enter the domain of the server where the SSL certificate will be installed

Verification by email

You need to make it possible to receive mail at the email address specified by StartSSL.

The following article was helpful for setting up mail reception on an EC2 instance. Thank you.

Receiving mail with postfix on AWS

One caveat regarding the article above:
running yum update right after creating the instance is fine,
but sometimes running yum update on AWS can cause a kernel panic.
Perhaps it was because I had reinstalled Python from source instead of via yum, and did various other things…

I haven’t been able to fully track down the cause, but for instances that have been running for years, I’d like to refrain from running yum update.

When mail reception isn’t set up properly
  • Keep tailing /var/log/maillog to watch what the mail server is doing.

  • If you already have an address that can receive mail, redirect delivery with aliases:
    postmaster@(domain) → root@(domain)

  • If received mail can’t be saved because of Permission denied on the mailbox,
    forcibly change the mail directory as follows.

/etc/postfix/main.cf

- home_mailbox = Maildir/
+ home_mailbox = ../home/ec2-user/Maildir/

Proceed to ordering the SSL certificate

Once verification by email is cleared, proceed to ordering the SSL certificate.

Creating the credentials

After entering the information, (domain).zip will be downloaded.

  • Since the web server is Apache this time, we’ll use the files in the ApacheServer folder.

Upload the following two files from the ApacheServer folder of the extracted zip to a directory of your choice.

  • 1_root_bundle.crt
  • 2_(domain).crt

This time, the upload destination is the directory where server.key and the other key material already reside (/etc/httpd/conf/ssl.csr/).

Configuring ssl.conf

Installing an SSL certificate means
having Apache load the certificate files through the corresponding directives in its configuration file.

The main settings are as follows.

| Directive | Value | Description |
| --- | --- | --- |
| SSLCertificateChainFile | /etc/httpd/conf/ssl.csr/1_root_bundle.crt | Intermediate certificate |
| SSLCertificateFile | /etc/httpd/conf/ssl.csr/2_(domain).crt | SSL server certificate |
| SSLCertificateKeyFile | /etc/httpd/conf/ssl.csr/server.key | Private key paired with the SSL server certificate |

The following site generates a recommended configuration for each web server and OpenSSL version.

https://ssl-config.mozilla.org/

/etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin


SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300


#SSLMutex default
Mutex default ssl-cache

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin

<VirtualHost _default_:443>

DocumentRoot "/var/www/html"
ServerName (domain):443

ErrorLog /var/log/ssl_error_log
TransferLog /var/log/ssl_access_log
LogLevel warn

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.csr/2_(domain).crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.csr/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.csr/1_root_bundle.crt


<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

<Directory "/var/www/html">
AllowOverride All
Options -Indexes +FollowSymLinks +Includes +ExecCGI
Order allow,deny
Allow from all
</Directory>

</VirtualHost>

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder on

SSLCompression off
SSLSessionTickets off

No performance tuning has been done at all.
Please note that this is strictly about installing the SSL certificate.

Checking the syntax of the config file

// Syntax check
# httpd -t

// If there are no syntax errors, it will be displayed as follows.
Syntax OK

If there is a syntax error, the offending location is reported, so check it again.
However, passing the syntax check doesn’t guarantee that Apache will reload without error,
so just in case, it’s a good idea to have a command ready that reverts the change immediately.

For example,
rename ssl.conf to ssl.conf.bk so that Apache no longer treats it as a configuration file.

Reloading the Apache config file

# service httpd reload
Reloading httpd: [ OK ]

Accessing from a browser

I accessed it with Chrome.

  • Detailed authentication information

Security check

You can run a diagnosis at the following site.
QUALYS SSL LABS

I got an “A”!

By the way,
if the site can be served over https at all times, add the following configuration

<VirtualHost *:443>
...
Header always set Strict-Transport-Security "max-age=15768000"
...
</VirtualHost>

and I was able to get an “A+”!

Always-on https is secure, but whether it’s appropriate depends on the site’s requirements, so it varies case by case.
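As an added check covering both the ssl.conf settings above and the HSTS header that lifted the grade to A+, here is a small shell script (example code, not from the original post) that lints an ssl.conf before you run httpd -t and service httpd reload. It assumes one directive per line on the lines it inspects, treats the post’s max-age of 15768000 seconds as the minimum HSTS lifetime, and the cipher-name patterns it flags (RC4, NULL, EXP, MD5) are my choice, not taken from the post.

```shell
#!/bin/bash
# lint_ssl_conf.sh: added example, not from the original post. Pre-reload check of the
# ssl.conf settings the post tunes. Assumes one directive per line on the lines it
# inspects; HSTS_MIN is the post's max-age (15768000 s, about six months), used as the
# minimum here by assumption.
HSTS_MIN=15768000

# Print the value of the first active (uncommented) occurrence of a directive.
directive() {                       # $1 = directive name, $2 = config file
    awk -v d="$(echo "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1)==d { $1=""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Print every weak or missing setting; the return value is the number of findings.
check_ssl_conf() {                  # $1 = path to ssl.conf
    local f="$1" n=0 v tok d
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        [ -n "$(directive "$d" "$f")" ] || { echo "MISSING $d"; n=$((n+1)); }
    done
    [ "$(directive SSLEngine "$f")" = "on" ] || { echo "SSLEngine is not on"; n=$((n+1)); }
    v=$(directive SSLProtocol "$f")
    case "$v" in
        *-SSLv3*) ;;                # SSLv3 explicitly disabled, as in the post
        *TLSv1.2*) ;;               # or a TLS-only allow-list
        *) echo "SSLProtocol does not exclude SSLv3: '${v:-unset}'"; n=$((n+1)) ;;
    esac
    [ "$(directive SSLHonorCipherOrder "$f")" = "on" ] || { echo "SSLHonorCipherOrder is not on"; n=$((n+1)); }
    [ "$(directive SSLCompression "$f")" = "off" ] || { echo "SSLCompression is not off"; n=$((n+1)); }
    # A cipher token is weak if it is not negated with ! and names RC4, NULL, EXPORT or MD5
    # (patterns chosen for this example).
    for tok in $(directive SSLCipherSuite "$f" | tr ':' ' '); do
        case "$tok" in
            !*) ;;
            *RC4*|*NULL*|*EXP*|*MD5*) echo "weak cipher allowed: $tok"; n=$((n+1)) ;;
        esac
    done
    # The HSTS header must be present with max-age >= HSTS_MIN.
    v=$(grep -iE '^[[:space:]]*Header .*Strict-Transport-Security' "$f" \
        | grep -oE 'max-age=[0-9]+' | head -n1 | cut -d= -f2)
    if [ -z "$v" ]; then echo "no Strict-Transport-Security header"; n=$((n+1))
    elif [ "$v" -lt "$HSTS_MIN" ]; then echo "HSTS max-age $v below $HSTS_MIN"; n=$((n+1)); fi
    return "$n"
}

# Usage: lint_ssl_conf.sh /etc/httpd/conf.d/ssl.conf   (exit status = number of findings)
if [ "$#" -gt 0 ]; then check_ssl_conf "$1"; fi
```

A non-zero exit status lists exactly which directives to fix before reloading; the post’s own ssl.conf plus the HSTS line passes cleanly.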

That’s all.

kenzo0107