Proper SSL using letsencrypt.org

Now that letsencrypt.org has entered public beta, I took the opportunity to use their fantastic service and deploy a new site certificate for madnet.ch and the other sites hosted on this platform.

The letsencrypt client was a bit confusing at first, but once I understood how the ACME protocol actually works, I saw the beauty behind this solution. So I did a quick review of the code on GitHub and shortly after requested the first certificate. As I already have an Apache server running and don’t need the embedded web server provided by the letsencrypt client, I only use the CSR and certificate download part of the client.

After a while I figured out how to request proper subject alternative names as well and was finally able to secure all the services running on madnet.ch with a single certificate deployed to my Apache.

To request/renew a certificate for different hosts/domains, you basically just do:

letsencrypt-auto certonly \
--webroot \
--renew-by-default \
-w /home/to/htdocs/madnet.ch/ \
-d www.madnet.ch \
-d madnet.ch \
-d mail.madnet.ch \
-w /home/to/htdocs/anothersite/ \
-d www.anothersite.ch \
-d anothersite.ch

I also took the chance to improve the SSL configuration of my Apache web server, following the recommendations from SSL Labs.

After an upgrade to Apache 2.4.18, generating a proper DH parameter file and appending it to the letsencrypt certificate chain, SSL Labs rates us with an A+.

[Image: SSL Labs result for madnet.ch]

Apache 2.4 SSL configuration (ssl-global.conf)

# Added dhparams to fullchain.pem
# If you have different certificates per vhost, 
# add these to your vhost config instead
SSLCertificateFile /etc/letsencrypt/live/xxxx/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxx/privkey.pem

SSLHonorCipherOrder     on

SSLProtocol All -SSLv2 -SSLv3

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
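The comment at the top of this config relies on the DH parameters having been appended to fullchain.pem. The helper below is an added example, not code from the original post or from the letsencrypt client: it appends a dhparam file to a chain file exactly once, refuses input that is not a single DH PARAMETERS block, and lists the PEM blocks so you can see what the chain now contains. The PEM bodies in the sample are constructed placeholders, not real certificates or parameters. Keep in mind that a renewal writes a fresh fullchain.pem, so the append has to be rerun after every renewal (newer certbot releases can run a script via --deploy-hook for this; with OpenSSL 1.0.2 or later, Apache can instead load the file with SSLOpenSSLConfCmd DHParameters, which survives renewals).

```python
import re
from pathlib import Path

# A PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed sample data for this example (placeholder bodies, not real key material).
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nMIIB...leaf-certificate-placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIC...intermediate-placeholder...\n-----END CERTIFICATE-----\n"
)
SAMPLE_DH = (
    "-----BEGIN DH PARAMETERS-----\nMIGH...dhparam-placeholder...\n-----END DH PARAMETERS-----\n"
)


def pem_labels(text):
    """Return the labels of the PEM blocks in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def merge_dhparams(chain_text, dh_text):
    """Return (new_chain_text, changed).

    The DH block is appended once; a chain that already carries one is left
    untouched, and a dhparam input that is not exactly one DH PARAMETERS block
    (e.g. a certificate passed by mistake) is rejected.
    """
    if pem_labels(dh_text) != ["DH PARAMETERS"]:
        raise ValueError("dhparam file must contain exactly one DH PARAMETERS block")
    if "DH PARAMETERS" in pem_labels(chain_text):
        return chain_text, False
    if not chain_text.endswith("\n"):
        chain_text += "\n"
    return chain_text + dh_text.strip() + "\n", True


def append_dhparams(chain_path, dh_path):
    """Append dh_path to chain_path in place; returns True if the file changed.

    Writing through the /etc/letsencrypt/live symlink modifies the current
    archive file, which is exactly what a renewal will replace.
    """
    chain = Path(chain_path)
    new_text, changed = merge_dhparams(chain.read_text(), Path(dh_path).read_text())
    if changed:
        chain.write_text(new_text)
    return changed


if __name__ == "__main__":
    merged, changed = merge_dhparams(SAMPLE_CHAIN, SAMPLE_DH)
    print("changed:", changed, "blocks:", pem_labels(merged))
    # Second run is a no-op, so the helper is safe to call on every reload.
    print("changed again:", merge_dhparams(merged, SAMPLE_DH)[1])
```

In practice you would call append_dhparams("/etc/letsencrypt/live/xxxx/fullchain.pem", "/etc/ssl/dhparams.pem") from whatever runs after the renewal, then reload Apache.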

SNI enabled virtual host configuration

<VirtualHost *:443>
  SSLEngine On

  # Strict Transport Security per virtual host
  <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
  </IfModule>
</VirtualHost>
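A quick offline check of the settings shown in ssl-global.conf and the vhost above, as an added example (not part of the original post and not an SSL Labs tool): the script parses an Apache SSL config fragment and reports the things SSL Labs would mark down, namely SSLv2/SSLv3 still enabled, the client rather than the server choosing the cipher, positively selected cipher tokens that contain RC4, MD5, EXPORT, NULL or PSK, and an HSTS header that is missing, lacks "always" or has a max-age below six months. The two sample configs are constructed: a trimmed copy of the hardened settings above and a deliberately weak counterpart. The protocol expansion models mod_ssl 2.4, where "all" no longer includes SSLv2 (so "-SSLv2" above is harmless but redundant); the parser keeps only the last occurrence of each directive, which is enough for a single-vhost fragment.

```python
import re

# Constructed samples: a trimmed version of the hardened config above and a weak one.
HARDENED_CONF = """
SSLHonorCipherOrder     on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
"""

WEAK_CONF = """
SSLHonorCipherOrder off
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:RC4-SHA:!aNULL
Header set Strict-Transport-Security "max-age=300"
"""

# What mod_ssl 2.4 expands the "all" keyword to (SSLv2 support was removed in 2.4).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# Cipher-string components that should only ever appear negated ("!RC4").
WEAK_CIPHER_PARTS = {"RC4", "MD5", "EXPORT", "NULL", "aNULL", "eNULL", "PSK"}
MIN_HSTS_MAX_AGE = 15768000  # six months, the value used in the vhost above


def parse_directives(text):
    """Map each directive name to its (last) value, skipping comments and blank lines."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def enabled_protocols(value):
    """Expand an SSLProtocol value such as "All -SSLv2 -SSLv3" into the enabled set.

    Apache defaults to "all" when the directive is absent, so None means "all".
    """
    enabled = set()
    for token in (value or "all").split():
        name = token.lstrip("+-")
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def weak_ciphers(cipher_string):
    """Return positively selected cipher tokens that contain a weak component."""
    weak = []
    for token in cipher_string.split(":"):
        if not token or token.startswith("!"):
            continue  # negated tokens are exactly what we want to see
        parts = re.split(r"[-+]", token.lstrip("+-"))
        if any(p in WEAK_CIPHER_PARTS for p in parts):
            weak.append(token)
    return weak


def hsts_findings(directives):
    """Check the Strict-Transport-Security header for presence, 'always' and max-age."""
    value = directives.get("Header", "")
    match = re.search(r'Strict-Transport-Security\s+"([^"]*)"', value)
    if not match:
        return ["no Strict-Transport-Security header is set"]
    findings = []
    if not value.startswith("always "):
        findings.append("HSTS header lacks 'always' (not sent on error responses)")
    age = re.search(r"max-age=(\d+)", match.group(1))
    if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}: {match.group(1)!r}")
    return findings


def check_ssl_config(text):
    """Lint an Apache SSL config fragment; an empty list means it passes."""
    d = parse_directives(text)
    findings = []
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on' (client chooses the cipher)")
    for proto in sorted(enabled_protocols(d.get("SSLProtocol")) & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol {proto} is enabled")
    for cipher in weak_ciphers(d.get("SSLCipherSuite", "")):
        findings.append(f"weak cipher selected: {cipher}")
    findings.extend(hsts_findings(d))
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(label + ":", check_ssl_config(conf) or "OK")
```

The check is deliberately narrower than SSL Labs (it does not grade key sizes or chain issues), but it is fast enough to run against ssl-global.conf from a pre-commit hook or a config-management test before the new settings reach the server.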

Upgrade your SuSE server

I run a SuSE 11 internet server providing some basic services.
I recently had to upgrade to a new version of SuSE (11.3) and it took me quite some time to do so.
Therefore I am listing here the necessary steps, hoping that the next time I will spend less time on such an upgrade…

Services installed

  • dovecot IMAP/IMAPS Mail Server
  • dovecot POP3/POP3S Mail Server
  • postfix SMTP TLS MTA
  • Apache HTTP/HTTPs Webserver
  • Subversion Repository
  • WebDAV online Disk
  • BIND DNS

Preparations and basic setup

  1. Take the server off-line and make sure no mail arrives. The emails will be queued on the alternate MX and delivered later.
  2. Do the backup (rsync including all deletions)
  3. Dump the installed packages to an XML file using yast2 Software Management
  4. Install base software from boot ISO over the network
  5. Set up networking
  6. Restore /etc/passwd
  7. Restore /etc/shadow
  8. Restore /home in the background

Setup Mail Server

  1. Set up postfix (check whether /etc/sysconfig/postfix can be restored from backup), but do not start it
  2. Set up dovecot (restore /etc/dovecot/dovecot.conf), but do not start it
  3. Check certificate values in /etc/sysconfig/postfix (or restore from backup)
  4. Create postfix certificates and SSL CA using mkpostfixcert
  5. Edit the config file /usr/share/doc/packages/dovecot/dovecot-openssl.cnf (note: this file is overwritten when dovecot is upgraded)
  6. Run /usr/share/doc/packages/dovecot/mkcert.sh
  7. Download and install roundcube mail in /srv/www/htdocs

Setup Apache Webserver

  1. Set up apache2 (check whether /etc/sysconfig/apache2 can be restored from backup)
  2. Restore /etc/apache2/vhost.d from backup
  3. Restore /etc/apache2/conf.d/subversion.conf from backup
  4. Generate the following certificates for apache using yast2 (mail, svn, disk)
  5. Export the PEM encoded certificates and keys to /etc/apache/ssl.crt/ and /etc/apache/ssl.key/

Setup BIND Name Server

  1. Restore /etc/named.conf from backup
  2. Restore /etc/named.d from backup
  3. Restore /var/lib/named/master from backup

Setup MySQL

  1. Restore /etc/my.cnf from backup
  2. Restore /var/lib/mysql from backup

Setup Subversion

  1. If subversion is the same version (or compatible) just restore /srv/svn from backup
  2. If subversion is not compatible anymore use svnadmin load to load the dump from the backup

There’s nothing to do for the WebDAV disk 🙂

After all the configuration files etc. have been restored and the settings in /etc/sysconfig have been checked, run SuSEconfig for the last time and test the mail server.
Unplug from the internet and start postfix and dovecot.
Check if a locally created mail is correctly handled by postfix, amavis and successfully delivered with dovecot.
Also check if the IMAP mbox is created in /var/spool/mail.

If this test succeeds we can restore /var/spool/mail from backup and connect to the internet again.

Now use yast2 to edit the runlevel configuration and make sure all the services are started at boot-time.
Also start them now.

Stored e-mails should now be delivered and correctly handled by the mail server.

Test all the virtual apache servers, webmail, subversion and WebDAV.