Install commercial SSL certificate
- Installing an SSL certificate on Apache
- How To Set Up a Host Name with DigitalOcean: includes information about WHOIS, changing the domain's name servers, and configuring the domain (A record, AAAA record, CNAME record, MX record, et al.)
Check openssl version
```
# Ubuntu 16.04 (xenial, armhf)
$ apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.5
  Candidate: 1.0.2g-1ubuntu4.5
  Version table:
 *** 1.0.2g-1ubuntu4.5 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
        500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

# Ubuntu 14.04
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

# Macbook Pro 10.11
$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
```
Check openssl location
A more general way is to use openssl version -d, which prints the directory OpenSSL reads its configuration and CA certificates from.

```
# On Ubuntu 14.04
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls /usr/lib/ssl
certs  misc  openssl.cnf  private
$ ls -l /usr/lib/ssl
total 4
lrwxrwxrwx 1 root root   14 Oct  7 11:03 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Feb 11 09:12 misc
lrwxrwxrwx 1 root root   20 Jan 30 15:42 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Oct  7 11:03 private -> /etc/ssl/private
$ ls -l /etc/ssl/certs | head
total 912
lrwxrwxrwx 1 root root 26 Oct  7 11:03 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 45 Oct  7 11:03 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root 29 Oct  7 11:03 024dc131.0 -> Microsec_e-Szigno_Root_CA.pem
lrwxrwxrwx 1 root root 31 Oct  7 11:03 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root 36 Oct  7 11:03 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root 25 Oct  7 11:03 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root 16 Oct  7 11:03 03f2b8cf.0 -> WoSign_China.pem
lrwxrwxrwx 1 root root 41 Oct  7 11:03 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root 40 Oct  7 11:03 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
$ ls -l /etc/ssl/certs | wc -l
533

# On Macbook Pro 10.11
$ openssl version -d
OPENSSLDIR: "/System/Library/OpenSSL"
$ ls -l /System/Library/OpenSSL
total 8
drwxr-xr-x 2 root wheel   68 May 15  2016 certs
drwxr-xr-x 8 root wheel  272 May 15  2016 misc
-rw-r--r-- 1 root wheel 9390 May 15  2016 openssl.cnf
drwxr-xr-x 2 root wheel   68 May 15  2016 private
$ ls -l /System/Library/OpenSSL/certs/
$ # empty results
```
openssl & patch bug
- Check https://launchpad.net/ubuntu/+source/openssl to see the latest openssl version (the number differs for each Ubuntu release). As of this writing, the latest openssl on Ubuntu 14.04 is 1.0.1f-1ubuntu2.15 and on Ubuntu 12.04 it is 1.0.1-4ubuntu5.31 (this form of the version can be obtained with the sudo dpkg -l | grep openssl command; see below). The full publishing history can be accessed through the View full publishing history link; from there we can restrict to Target = Trusty, for example.
- http://askubuntu.com/questions/444702/how-to-patch-the-heartbleed-bug-cve-2014-0160-in-openssl. The following is the output after running sudo apt-get update; sudo apt-get upgrade.

```
$ sudo dpkg -l | grep openssl
ii  libgnutls-openssl27:amd64  2.12.23-12ubuntu2.2  amd64  GNU TLS library - OpenSSL wrapper
ii  openssl                    1.0.1f-1ubuntu2.15   amd64  Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl             0.13-2ubuntu6        amd64  Python 2 wrapper around the OpenSSL library
```

- http://www.liquidweb.com/kb/update-and-patch-openssl-on-ubuntu-for-the-ccs-injection-vulnerability/. As you can see, although the CCS injection bug (CVE-2014-0224) affects OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and the openssl version on Ubuntu 14.04.1 is still reported as 1.0.1f, the build date is June 2014 and the package changelog lists the CVE-2014-0224 patches. Ubuntu backports the fix without changing the upstream version number, so it is safe.

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty
$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64
OPENSSLDIR: "/usr/lib/ssl"
$ sudo apt-get changelog openssl | grep CVE-2014-0224
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    - CVE-2014-0224
```
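The same check, automated, as an added example (not from these notes): the script takes the installed package revision from dpkg -l output and the revision whose changelog entry introduced a CVE fix from apt-get changelog output, then compares the two in Debian version order, so the upstream "1.0.1f" string is never what decides. SAMPLE_CHANGELOG and SAMPLE_DPKG_L are constructed samples in the formats of those two commands (on a real host, feed in their live output); CVE-2099-0001 is a placeholder id the sample changelog does not mention; the awk comparator is a simplified stand-in for dpkg --compare-versions that is only used when dpkg is absent.

```shell
#!/bin/sh
# Added example, not part of the original notes. Automates the check the
# section makes by hand: Ubuntu backports security fixes without bumping the
# upstream version string, so "openssl version" still says 1.0.1f while the
# package revision and its changelog show whether a CVE is fixed.
# SAMPLE_CHANGELOG and SAMPLE_DPKG_L are constructed samples in the formats of
# `apt-get changelog openssl` and `dpkg -l`; on a real host feed in the live
# output of those commands instead.

SAMPLE_CHANGELOG='openssl (1.0.1f-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: SSL/TLS MITM vulnerability (CCS injection)
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
      session tickets in ssl/s3_clnt.c.
    - CVE-2014-0224

 -- Package Maintainer <maintainer@example.invalid>  Thu, 05 Jun 2014 08:10:42 -0400

openssl (1.0.1f-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: TLS heartbeat extension read overrun
    - debian/patches/CVE-2014-0160.patch: bounds check the payload length
      in ssl/t1_lib.c.
    - CVE-2014-0160

 -- Package Maintainer <maintainer@example.invalid>  Mon, 07 Apr 2014 20:20:08 -0400
'

SAMPLE_DPKG_L='ii  libssl1.0.0:amd64  1.0.1f-1ubuntu2.15  amd64  Secure Sockets Layer toolkit - shared libraries
ii  openssl            1.0.1f-1ubuntu2.15  amd64  Secure Sockets Layer toolkit - cryptographic utility'

# Print the installed version of package $1 from dpkg -l output $2 (exit 1 if absent).
installed_version() {
  printf '%s\n' "$2" | awk -v pkg="$1" '
    $1 == "ii" && $2 == pkg { print $3; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Print the oldest package revision whose changelog entry mentions CVE $1 in
# changelog text $2, i.e. the revision that introduced the fix (entries are
# newest-first, so the last match while scanning down wins). Exit 1 if absent.
fixed_version_for_cve() {
  printf '%s\n' "$2" | awk -v cve="$1" '
    /^[a-z0-9.+-]+ \(/ { ver = $2; gsub(/[()]/, "", ver) }
    ver != "" && index($0, cve) { found = ver; hit = 1 }
    END { if (hit) print found; exit hit ? 0 : 1 }'
}

# Exit 0 if Debian version $1 >= $2. dpkg's comparator is authoritative when
# present; the awk fallback walks alternating non-digit and digit runs, which
# matches dpkg for ordinary Ubuntu revisions but ignores the special "~" rule.
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
    return
  fi
  awk -v a="$1" -v b="$2" 'BEGIN {
    while (a != "" || b != "") {
      match(a, /^[^0-9]*/); na = substr(a, 1, RLENGTH); a = substr(a, RLENGTH + 1)
      match(b, /^[^0-9]*/); nb = substr(b, 1, RLENGTH); b = substr(b, RLENGTH + 1)
      if (na != nb) exit (na > nb) ? 0 : 1
      match(a, /^[0-9]*/);  da = substr(a, 1, RLENGTH) + 0; a = substr(a, RLENGTH + 1)
      match(b, /^[0-9]*/);  db = substr(b, 1, RLENGTH) + 0; b = substr(b, RLENGTH + 1)
      if (da != db) exit (da > db) ? 0 : 1
    }
    exit 0
  }'
}

# Print "patched", "unpatched" or "unknown" for package $1 and CVE $2, given
# dpkg -l output $3 and changelog text $4. Exit 0 only when patched.
cve_status() {
  inst=$(installed_version "$1" "$3") || { echo unknown; return 1; }
  fix=$(fixed_version_for_cve "$2" "$4") || { echo unknown; return 1; }
  if version_ge "$inst" "$fix"; then echo patched; return 0; fi
  echo unpatched; return 1
}

# Demo on the constructed samples (CVE-2099-0001 is a placeholder id that the
# sample changelog does not mention).
for cve in CVE-2014-0224 CVE-2014-0160 CVE-2099-0001; do
  printf '%s: %s\n' "$cve" "$(cve_status openssl "$cve" "$SAMPLE_DPKG_L" "$SAMPLE_CHANGELOG")"
done
```

The "unknown" result is deliberately not "patched": a CVE that the changelog never mentions may be unfixed, or fixed under a different id, and either way needs a human look rather than a green light.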
- Let's Encrypt wildcard certificates are now available!
- https://letsencrypt.org/getting-started/ & https://letsencrypt.org/how-it-works/ & https://certbot.eff.org/#ubuntuxenial-apache: install python-certbot-apache package
- How To Secure Apache with Let's Encrypt on Ubuntu 16.04: install python-certbot-apache package
- How to Install Let’s Encrypt on Apache2: install python-letsencrypt-apache package
It takes less than 5 minutes for the whole process!
```
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache
```
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
So we can add the following line to root's crontab (sudo crontab -e), which will execute the certbot renew command every Monday at 2:30 am:

```
30 2 * * 1 certbot renew >> /var/log/le-renew.log
```

Note that if you already have a working SSL certificate (e.g. a purchased one), then even if you have removed the certificate from the relevant Apache files, sudo certbot still will not run through. But once your current SSL certificate expires, sudo certbot will succeed even if you don't manually remove the certificate from your system.
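An independent check to pair with the cron job above, added here as an example (not from these notes and not certbot's own code): it flags any certificate that expires within certbot's 30-day renewal window, which is exactly the state a silently failing renew job leaves behind (the >> redirect above only captures stdout, so certbot's errors end up in cron mail rather than the log). It relies on openssl x509 -checkend and -enddate; the certificates it tests are throwaway self-signed ones generated in a temp directory (constructed input), and the /etc/letsencrypt/live path in the comment is certbot's usual install location, to be substituted for your own domain.

```shell
#!/bin/sh
# Added example, not from the original notes or from certbot. Independent
# check that the cron renewal actually keeps certificates fresh: flags any
# certificate that expires within certbot's own 30-day renewal window, which
# is exactly the state a silently failing "certbot renew" job leaves behind.
# The certificates below are throwaway self-signed ones (constructed input).

# Exit 0 when the certificate at $1 expires within $2 days (default 30),
# 1 when it is still valid beyond that. "openssl x509 -checkend N" exits 0
# while the cert remains valid N seconds from now, so the result is inverted;
# an unreadable or missing file also counts as "due", failing safe.
renewal_due() {
  cert=$1
  days=${2:-30}
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the notAfter date of $1, the same value certbot compares against.
cert_end_date() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Create a self-signed certificate valid for $2 days at $1 (test input only;
# a real deployment checks the file certbot installed, typically
# /etc/letsencrypt/live/<domain>/fullchain.pem).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.invalid" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: one cert inside the window, one well outside it.
tmp=$(mktemp -d)
make_test_cert "$tmp/short.pem" 10
make_test_cert "$tmp/long.pem" 90
for c in "$tmp/short.pem" "$tmp/long.pem"; do
  if renewal_due "$c" 30; then
    echo "$c expires $(cert_end_date "$c"): renewal due, check the cron log"
  else
    echo "$c expires $(cert_end_date "$c"): ok"
  fi
done
rm -rf "$tmp"
```

Run it from a second cron entry a day or two after the renewal job, pointing at the installed fullchain.pem, and treat any "renewal due" line as an alert; certbot renew --dry-run exercises the full renewal path without issuing a certificate and is the quickest way to confirm the job itself still works.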
- Mentioned by KeeWeb
- What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
- How to get .pem file from .key and .crt files?