What is a CSR?
How to generate free SSL cert with Lets Encrypt
How to redirect http sites to https and www to non www
What is a CSR?
A Certificate Signing Request (CSR) is a block of encoded text that you give to a Certificate Authority (CA) when applying for an SSL certificate. It carries your public key and identity details (the subject) and is signed with the matching private key, which stays on your server. See the Wikipedia definition for more.
Process for installing an SSL Certificate
- Generate the key / CSR (using openssl). Keep the private key safe.
- Provide CSR to CA to apply for certificate
- CA provides signed certificate
- Install the key and signed cert on web server
What does a CSR look like?
-----BEGIN CERTIFICATE REQUEST-----
[..]
-----END CERTIFICATE REQUEST-----
How do you generate a CSR / key pair?
openssl req -nodes -new -sha256 -newkey rsa:4096 -subj '/C=AU/O=ORG WITH DOMAIN NAME/CN=DOMAIN_HERE/OU=ORG WHERE CERT INSTALLED/L=Sydney/ST=NSW/' -keyout DOMAIN_HERE.com-yyyymmdd.key -out DOMAIN_HERE.com-yyyymmdd.csr
How do you check a CSR?
openssl req -in DOMAIN_HERE.com-yyyymmdd.csr -noout -text
Expected content
    Data:
        Subject: C=AU, O=Example Company Limited, CN=www.example.com, OU=Company Hosting Solution Pty Ltd, L=Sydney, ST=NSW
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
    [..]
    Signature Algorithm: sha256WithRSAEncryption
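As an added example (not code from the original page), here are the key / CSR steps above as a shell script, plus the three checks worth running before handing the CSR to the CA: the request's own signature verifies, the public key inside the CSR is the public half of the key on disk (so you never submit a CSR for a key you don't hold), and the CN and key size are what you asked for. The subject fields and the example.com names are constructed placeholders, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): generate an RSA key + CSR with
# openssl, then verify the CSR before sending it to the CA.
# Assumptions: openssl on PATH; C/O/OU/L/ST below are constructed placeholders.
set -eu

# gen_key_csr DOMAIN BITS KEYFILE CSRFILE
gen_key_csr() {
    domain=$1; bits=$2; key=$3; csr=$4
    # -nodes writes the private key unencrypted, so tighten the file mode.
    openssl req -nodes -new -sha256 -newkey "rsa:$bits" \
        -subj "/C=AU/O=Example Org/OU=Hosting/L=Sydney/ST=NSW/CN=$domain" \
        -keyout "$key" -out "$csr" 2>/dev/null
    chmod 600 "$key"
}

# csr_self_check CSRFILE: the CSR is self-signed by the key; the signature must verify.
csr_self_check() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSRFILE KEYFILE: the public key embedded in the CSR must equal
# the public half of the private key on disk.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# csr_cn CSRFILE: print the subject CN (handles both "CN=x" and "CN = x" output).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_key_bits CSRFILE: print the RSA modulus size from the "Public-Key: (N bit)" line.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: sh csr.sh www.example.com  (writes www.example.com.key / .csr in cwd)
main() {
    domain=${1:-www.example.com}
    gen_key_csr "$domain" 4096 "$domain.key" "$domain.csr"
    csr_self_check "$domain.csr"
    csr_matches_key "$domain.csr" "$domain.key"
    echo "CSR for $(csr_cn "$domain.csr") ($(csr_key_bits "$domain.csr") bit) is consistent"
}
if [ "$#" -ge 1 ]; then main "$@"; fi
```

The key-match check is the one that catches the classic mistake of regenerating the key and submitting a stale CSR: the CA would sign a certificate for a public key whose private half no longer exists.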
How to generate free SSL certificate with Lets Encrypt?
Lets encrypt getting started and how it works
- Ensure DNS points to new public IP
- What version of unix server (download instructions based on server)
- Stop web server
- Create / renew cert
- Start web server
Ensure DNS points to new public IP
When creating a new cert, Let's Encrypt performs an ACME challenge against the domain, so DNS needs to point to the correct server. Otherwise you will get a timeout error during the connection.
What version of unix server (download correct instructions)
uname -a
cat /etc/os-release
Download lets encrypt certbot instructions for specific unix / web server
Stop servers
If the apache server is an AWS bitnami docker container:
- stop / start / status / restart servers
- 3 servers (mysql port 3306, php-fpm, apache port 80)
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/ctlscript.sh start
sudo /opt/bitnami/ctlscript.sh status
sudo /opt/bitnami/ctlscript.sh restart apache
Renew cert
sudo certbot renew --dry-run
sudo certbot renew
Create new cert (eg domain = www.example.com)
- Don't use example.com until you know how to set up a wildcard domain (eg *.example.com), but for that you need a plugin, and I'm currently not familiar with the dns plugin for this to be easy.
- Until then: use www.example.com, and force all other requests (eg http / https://example.com) to https://www.example.com
- certbot writes its output in PEM format (other openssl formats exist, eg .csr, .key, .p12, .der, .crt, etc)
-- it generates the key pair: private & public keys
sudo certbot --apache certonly
- if the apache server can't start because the port is already in use, find the process listening on the port:
lsof -i :80 => didn't return anything
sudo lsof -i :80 => worked (returned process so could kill it)
netstat -tunlp | grep 80 => only returned tcp6 (no process)
sudo netstat -tunlp | grep 80 => sorta worked, but not as good as lsof
- link apache key / cert (if server key / crt already exists)
cd /opt/bitnami/apache2/conf
sudo mv server.key server.key.orig
sudo mv server.crt server.crt.orig
sudo ln -s /etc/letsencrypt/live/www.example.com/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/letsencrypt/live/www.example.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
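An added example (not from the original page or from Bitnami) that checks the pair Apache will actually load after the symlinks above are in place: both link targets exist, server.crt and server.key really are a pair, the certificate's CN is the domain, and it is not within 30 days of expiry (the point at which certbot renew should run). The Bitnami paths are the page's own; the check functions and the 30-day threshold are my assumptions, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the key / cert pair
# behind /opt/bitnami/apache2/conf/server.{crt,key} before starting Apache.
# Assumptions: openssl on PATH; 30-day renewal threshold is a constructed default.
set -eu

# cert_matches_key CERTFILE KEYFILE: Apache won't serve correctly if server.crt
# and server.key are not a pair; compare the public keys of both.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# cert_valid_for_days CERTFILE DAYS: returns 0 if the cert is still valid DAYS
# from now. -checkend is portable (no date parsing needed).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_cn CERTFILE: print the subject CN (handles "CN=x" and "CN = x" output).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_install CERT KEY DOMAIN: run every check; non-zero on the first failure.
check_install() {
    cert=$1; key=$2; domain=$3
    # -e follows symlinks, so a dangling link (wrong live/ path) fails here.
    for f in "$cert" "$key"; do
        [ -e "$f" ] || { echo "missing $f (dangling symlink?)" >&2; return 1; }
    done
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch" >&2; return 1; }
    [ "$(cert_cn "$cert")" = "$domain" ] || { echo "cert CN is not $domain" >&2; return 1; }
    cert_valid_for_days "$cert" 30 || { echo "cert expires within 30 days: run certbot renew" >&2; return 1; }
    echo "ok: $cert matches $key, CN=$domain, valid for 30+ days"
}

# Usage (page's Bitnami paths):
#   sh check.sh /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.key www.example.com
if [ "$#" -eq 3 ]; then check_install "$@"; fi
```

Run it after the ln -s step and again from cron after certbot renew; the expiry check is what turns a silent certificate lapse into a visible failure.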
Start servers
Run commands from stop server section above
How to redirect http sites to https and www to non www
As I haven't set up a wildcard domain, I had to pick whether to set up the LetsEncrypt ssl for
- example.com
- www.example.com.
I went with example.com as it was shorter to type. With caveat that typing both example.com and www.example.com (http web sites) would redirect to https://example.com.
Using the apache server, it's supposedly possible to modify the .htaccess file to redirect urls.
RewriteEngine On
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
However, I didn't get this to work with various combinations. I only managed to get it working by installing wordpress plugins. Originally, I used "Force https" but it only redirected example.com -> https://example.com correctly. It didn't redirect www.example.com correctly.
The combination that worked for me was using plugins
- Really simple ssl
- All in one redirection
This correctly redirected both “example.com” and “www.example.com” to “https://example.com“. Combination of plugins “Force https” and “All in one redirection” didn’t work.
Typing in “https://www.example.com” still didn’t work (warning: potential security risk) as I’ll need to install wildcard domain to have both “https://example.com” and “https://www.example.com” working.