Learning SSL Certificates

What is a CSR?
How to generate free SSL cert with Lets Encrypt
How to redirect http sites to https and www to non www

What is a CSR?

A Certificate Signing Request (CSR) is a block of encoded text given to a Certificate Authority (CA) when applying for an SSL certificate. It contains the public key and the subject details to be certified (domain name, organisation, location) and is signed with the matching private key, which lets the CA check that the requester actually holds that key.  Wikipedia definition here.

Process for installing an SSL Certificate

  1. Generate the key pair and CSR (using openssl).  Keep the private key safe: it stays on the server and is never sent to the CA.
  2. Provide CSR to CA to apply for certificate
  3. CA provides signed certificate
  4. Install the key and signed cert on web server

What does a CSR look like?

-----BEGIN CERTIFICATE REQUEST-----
[..]
-----END CERTIFICATE REQUEST-----

How do you generate a CSR / key pair?

openssl req -nodes -new -sha256 -newkey rsa:4096 -subj '/C=AU/O=ORG WITH DOMAIN NAME/CN=DOMAIN_HERE/OU=ORG WHERE CERT INSTALLED/L=Sydney/ST=NSW/' -keyout DOMAIN_HERE.com-yyyymmdd.key -out DOMAIN_HERE.com-yyyymmdd.csr

-newkey rsa:4096 creates the key pair, -sha256 signs the request with SHA-256, and -nodes writes the private key unencrypted (no passphrase), so restrict the permissions on the .key file.

How do you check a CSR?

openssl req -in DOMAIN_HERE.com-yyyymmdd.csr -noout -text

Expected content

Data:
Subject: C=AU, O=Example Company Limited, CN=www.example.com, OU=Company Hosting Solution Pty Ltd, L=Sydney, ST=NSW
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
[..]
Signature Algorithm: sha256WithRSAEncryption
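The generate-and-check steps above as one script, added here as an example and not taken from the original notes. It assumes OpenSSL 1.1.1 or newer (for -addext) and uses placeholder subject values; the Subject Alternative Name is added because browsers and public CAs match host names against the SAN, not the CN. Besides dumping the CSR it also verifies the CSR's self-signature and confirms that the .key and .csr files belong to the same key pair, the check to run before the CSR is sent off.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a key pair and CSR
# as the openssl command above does, then check the CSR before sending it
# to the CA. Assumes OpenSSL >= 1.1.1 (for -addext); subject values are
# placeholders.
set -eu

# Generate an unencrypted (-nodes) 4096-bit RSA key and a CSR. The CSR also
# carries a Subject Alternative Name covering the apex and www host names.
gen_csr() {
  domain="$1"; outdir="$2"
  openssl req -new -nodes -sha256 -newkey rsa:4096 \
    -subj "/C=AU/ST=NSW/L=Sydney/O=Example Company Limited/CN=${domain}" \
    -addext "subjectAltName=DNS:${domain},DNS:www.${domain}" \
    -keyout "${outdir}/${domain}.key" -out "${outdir}/${domain}.csr"
  chmod 600 "${outdir}/${domain}.key"   # the private key never leaves this host
}

# Check a CSR: the self-signature must verify and a SAN must be present;
# then print the subject and the SAN.
check_csr() {
  csr="$1"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR signature does not verify: $csr" >&2; return 1; }
  san=$(openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name' | sed 's/^ *//')
  [ -n "$san" ] || { echo "CSR has no subjectAltName: $csr" >&2; return 1; }
  openssl req -in "$csr" -noout -subject
  echo "$san"
}

# Confirm the private key and CSR belong together: the public key derived
# from the key must equal the public key embedded in the CSR.
# Prints "match" or "MISMATCH".
key_matches_csr() {
  key="$1"; csr="$2"
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  c=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null || true)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo MISMATCH; fi
}

# Report the RSA key size recorded in the CSR (expect 4096).
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: sh gen_csr.sh example.com ./out
main() {
  [ $# -eq 2 ] || { echo "usage: $0 <domain> <outdir>" >&2; return 2; }
  mkdir -p "$2"
  gen_csr "$1" "$2"
  check_csr "$2/$1.csr"
  echo "private key vs CSR public key: $(key_matches_csr "$2/$1.key" "$2/$1.csr")"
  echo "key size: $(csr_key_bits "$2/$1.csr") bit"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh gen_csr.sh example.com ./out`; the functions can also be sourced and used on an existing .key/.csr pair, for instance to check a CSR handed over by someone else before it goes to the CA.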

How to generate a free SSL certificate with Let's Encrypt?

Let's Encrypt getting started and how it works

  1. Ensure DNS points to the server's public IP
  2. Find the unix / web server versions (the certbot install instructions depend on them)
  3. Stop the web server
  4. Create / renew the cert
  5. Start the web server

Ensure DNS points to new public IP

When issuing a cert, Let's Encrypt verifies control of the domain with an ACME challenge: it resolves the domain and connects to that address (port 80 for the HTTP-01 challenge), so the DNS A/AAAA record must point to the server where certbot runs. Otherwise the challenge fails with a connection timeout.

What version of unix server (download correct instructions)

uname -a
cat /etc/os-release

Then download the Let's Encrypt certbot instructions for that specific unix / web server combination.

Stop servers

If the Apache server is part of a Bitnami stack on AWS (eg a Bitnami Docker container), one control script stops / starts / restarts / reports the status of all 3 servers (mysql on port 3306, php-fpm, apache on port 80), or a single named one:

sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/ctlscript.sh start
sudo /opt/bitnami/ctlscript.sh status
sudo /opt/bitnami/ctlscript.sh restart apache

Renew cert (run the --dry-run first: it rehearses the renewal against the Let's Encrypt staging environment without replacing anything)

sudo certbot renew --dry-run
sudo certbot renew

Create new cert (eg domain = www.example.com)

  • Don't use example.com until you know how to set up a wildcard cert (eg *.example.com); wildcards are only issued via the DNS-01 challenge, which needs a DNS plugin, and I'm currently not familiar enough with the DNS plugin for this to be easy.
  • Until then: use www.example.com, and force all other requests (eg http:// and https://example.com) to https://www.example.com
  • pem formats & other openssl formats (eg .csr, .key, .p12, .der, .crt, etc)

The following generates the key pair (private & public keys) and obtains the cert; certonly leaves the Apache config untouched, so the key / cert have to be wired in by hand (see below):
sudo certbot --apache certonly

- if the apache server can't start up because the port is already in use, find the process listening on the port (root is needed to see other users' processes; note that grep 80 also matches 8080 etc, so grep ':80 ' is more precise):
lsof -i :80 => didn't return anything
sudo lsof -i :80 => worked (returned the process, so it could be killed)
netstat -tunlp | grep 80 => only returned tcp6 (no process)
sudo netstat -tunlp | grep 80 => sorta worked, but not as good as lsof

- link apache key / cert (if a server key / crt already exists). certbot keeps /etc/letsencrypt/live/<domain>/ as symlinks to the newest files in archive/, so linking to live/ picks up renewals automatically; Apache still has to be restarted to load them.
cd /opt/bitnami/apache2/conf
sudo mv server.key server.key.orig
sudo mv server.crt server.crt.orig
sudo ln -s /etc/letsencrypt/live/www.example.com/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/letsencrypt/live/www.example.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt

Start servers

Run commands from stop server section above

How to redirect http sites to https and www to non www

As I haven't set up a wildcard domain, I had to pick whether to set up the Let's Encrypt SSL cert for

  1. example.com
  2. www.example.com

I went with example.com as it is shorter to type, with the caveat that both http://example.com and http://www.example.com would then have to redirect to https://example.com.

Using the apache server, it's supposedly possible to modify the .htaccess file to redirect urls:

RewriteEngine On
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Note that this rule only switches the scheme to https; because the target reuses %{HTTP_HOST}, a request for www.example.com stays on www.example.com.

However, I didn't get this to work with various combinations.  I only managed to get it working by installing wordpress plugins.  Originally, I used “Force https”, but it only redirected example.com -> https://example.com correctly.  It didn't redirect www.example.com correctly.

The combination that worked for me was using plugins

  1. Really simple ssl
  2. All in one redirection

This correctly redirected both “example.com” and “www.example.com” to “https://example.com”.  The combination of plugins “Force https” and “All in one redirection” didn't work.

Typing in “https://www.example.com” still didn't work (warning: potential security risk), as I'll need to install a wildcard domain to have both “https://example.com” and “https://www.example.com” working.
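The redirect the section above sets out to achieve, written as Apache rewrite rules with a fixed canonical host, plus a curl-based check of what a server actually sends back. This is an added example, not the author's configuration or the plugins' output, and it assumes Apache with mod_rewrite; example.com is a placeholder. The difference from the .htaccess rule above is that the target host is fixed rather than copied from %{HTTP_HOST}, which is what lets one rule handle both http -> https and www -> apex, and also means a client-supplied Host header can never choose where the redirect goes.

```shell
#!/bin/sh
# Added example (not from the original notes): Apache rewrite rules that fold
# http://, http://www. and https://www. into one canonical https:// origin,
# plus a curl-based check of the redirect a server actually sends.
# Assumes Apache with mod_rewrite; example.com is a placeholder.
set -eu

# Print rewrite rules for the apex host given. The target host is fixed
# rather than taken from %{HTTP_HOST}, so the same rule does http->https
# and www->apex, and the Host header cannot pick the destination.
apache_canonical_redirect() {
  host="$1"
  cat <<EOF
RewriteEngine On
# redirect when the scheme is not HTTPS ...
RewriteCond %{HTTPS} !=on [OR]
# ... or when the host is anything but the apex (eg www.${host})
RewriteCond %{HTTP_HOST} !=${host} [NC]
RewriteRule ^ https://${host}%{REQUEST_URI} [R=301,L]
EOF
}

# Read response headers (as printed by 'curl -sI') from stdin and print
# "<status> <Location>", eg "301 https://example.com/about".
# Prints nothing if there was no response at all.
redirect_target() {
  tr -d '\r' | awk 'NR == 1 { status = $2 }
                    tolower($1) == "location:" { loc = $2 }
                    END { if (status != "") printf "%s %s\n", status, loc }'
}

# Fetch URL without following redirects and compare with the expected target.
# Usage: check_redirect http://www.example.com/about https://example.com/about
check_redirect() {
  url="$1"; want="$2"
  got=$(curl -sI "$url" | redirect_target)
  case "$got" in
    "301 $want"|"308 $want") echo "ok    $url -> $want" ;;
    *) echo "FAIL  $url -> ${got:-no response} (wanted 301 $want)" >&2; return 1 ;;
  esac
}

# Usage: sh canonical.sh example.com  (prints the rules, then checks the live site)
if [ $# -eq 1 ]; then
  apache_canonical_redirect "$1"
  check_redirect "http://$1/" "https://$1/"
  check_redirect "http://www.$1/" "https://$1/"
fi
```

Two caveats when applying this. Bitnami stacks commonly ship Apache with AllowOverride None, so rules in a .htaccess file are silently ignored; put them in the virtual host (or the stack's htaccess.conf include) and check with `apachectl -t`. And no redirect can fix the “potential security risk” warning on https://www.example.com: the TLS handshake, and the certificate name check, happen before Apache sees any request, so the certificate itself must list www.example.com. A wildcard is not required for that; certbot accepts several names (`-d example.com -d www.example.com`) and issues one certificate covering both via the ordinary HTTP-01 challenge.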