Now that letsencrypt.org has entered public beta, I took the opportunity to use their fantastic service and deploy a new site certificate for madnet.ch and the other sites hosted on this platform.
The letsencrypt client was a bit confusing at first, but once I understood what the ACME protocol actually does, I saw the beauty behind the whole solution. So I did a quick review of the code on GitHub and shortly after requested my first certificate. As I already have an Apache server running and don't need the embedded web server provided by the letsencrypt client, I only use the CSR and certificate download part of the client.
After a while I figured out how to request proper subject alternative names as well and was finally able to secure all the services running on madnet.ch with a single certificate deployed to my Apache.
To request or renew a single certificate for several hosts and domains, you basically just run:

letsencrypt-auto certonly \
  --webroot \
  --renew-by-default \
  -w /home/to/htdocs/madnet.ch/ \
  -d www.madnet.ch \
  -d madnet.ch \
  -d mail.madnet.ch \
  -w /home/to/htdocs/anothersite/ \
  -d www.anothersite.ch \
  -d anothersite.ch
I also took the chance to improve the SSL configuration of my Apache web server, following the recommendations from SSLLabs.
After an upgrade to Apache 2.4.18, generating a proper DH parameter file and appending it to the letsencrypt certificate chain, SSLLabs rates us with an A+.
Apache 2.4 SSL configuration (ssl-global.conf)
# Added dhparams to fullchain.pem
# If you have different certificates per vhost,
# add these to your vhost config instead
SSLCertificateFile /etc/letsencrypt/live/xxxx/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxx/privkey.pem
SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SNI-enabled virtual host configuration

<VirtualHost *:443>
    SSLEngine On
    # Strict Transport Security per virtual host
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>