It is now possible to have a fully secure internet for totally free!
(I mean this in the grand scale of things, not just downsizing the word "internet" to mean "http", eheh)
(it does sound preacherlike, but I am very excited by this :D)
This text describes one of the many ways to implement secure HTTP for lighttpd and STARTTLS for postfix and courier-imap.
Domain certificates used to cost at least 100$ (probably more!) per year minimum to get SSL/TLS keys for a single domain (https://)! Now, with let's encrypt, this is totally free! And the certificates are fully legitimate. This is not just some self signed certificate that only certain browsers support. This is fully compatible with a lot (I wanted to write all, eheh, but I'm staying prudent) of the most important pillars of the current internet.
There are absolutely no reasons not to do this. It might become mandatory for websites to offer secure http soon; There are talks that every websites will need to support encrypted HTTP on the internet. While this will probably never happen, the fact that this can be done for free will certainly be a major stepping stone for this important (read very!) vision.
Here are some reasons why implementing secure HTTP is important :
on your system:
optional parts :
Let's encrypt provides certificate signing using the ACME protocol (Nothing has be done on their website; there is no need to create an account and give out sensitive private information).
There are quite a few different clients that were made to interface with let's encrypt's ACME server instance. This link contains quite a few different options. I chose dehydrated, mainly because it is implemented fully as a shell script. It can be ran whenever we wish (like put in a cron script) and is fairly easy to use.
To get dehydrated, we'll simply clone their git repository from github.
So just clone the dehydrated git repository.
There's only 2 configuration files we have to edit to get rolling. (You can also set up a shell script file called 'hook.sh' if you need to do more finegrained steps in your certificate signing process)
The first is the file "domains.txt" : This file should start with the domain name, followed by the full URL of all the subdomains for this domain separated by space. Each line should be for a single domain and it's subdomains
example content of "domains.txt" :
foobar.org www.foobar.org test.foobar.org kernel.org www.kernel.org git.kernel.org bugs.kernel.org example.org www.example.org mail.example.org
The second is the file "config" :
we want to start with the example from "docs/example/config"
add this :
just after :
This will make the us request the staging (test) server rather than the production one.
(very important! It is very easy to be temporarily banned and it takes quite some time to be allowed afterwards)
Later on, when everything works correctly with our staging dummy certificates, we can comment the first one and uncomment the second. (We'll get on that later)
To be awarded a signed certificate, ACME needs to make sure that we are indeed the owner of the domain name (and of the website). ACME ownership verification can be done using 2 methods with the particular client we will show in this guide. A website method and a dns method. We will go over only the website method in this guide.
(Note that the website method is not technically a perfect way to ensure that a server is really controlled by the person owning the domain name. Strictly because it would be possible for someone controlling a web server to use these methods to gain a certificate for a domain name they do not own (granted the domain name points to that server's IP). However, it is fully accepted by the ACME protocol and it is the method we will show in this guide)
first uncomment this line in the "config" :
You can change it, just make sure that your lighttpd has read access to it and that the user with which you will run the dehydrated script has read and write access to that directory. This is where the test data will be posted. The ACME server will then need to have HTTP access to files in this location (files in it will have some kind of hashed name approximately of 10 random characters).
In lighttpd (or any web server for that effect), we will need to make the path "/.well-known/acme-challenge/" point to "/var/www/dehydrated" and make any external source able to read it's content.
To do that reliably on all domain names, we will make use of lighttpd's "mod_alias" plugin, so you need to make sure it is activated in your "server.modules". Here's what you need to add to your lighttpd configuration file :
# ACME challenge for HTTPS alias.url += ( "/.well-known/acme-challenge/" => "/var/www/dehydrated/" )
With this, for whatever domain they will access, the URL "/.well-known/acme-challenge" will point to "/var/www/dehydrated". So say "http://foobar.org/.well-known/acme-challenge/" must be the content of "/var/www/dehydrated" (I don't mean that it should actually "show" the content, just that if an external source knows what to look for, it should be able to download it from there).
Now that we have this set up, it's time to test! Double check in the section "Dehydrated, an ACME client" that you effectively have your CA set to the staging URL.
Now, rubs hands, just run this :
It will verbosely show the process of getting the certificates signed and all. It will also say if you did a correct job setting your "Wellknown" set up.
lighttpd postfix courier-imap
great tool to help know what to put in your HTTP server configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ disable SSL3, why (http://disablessl3.com/) test with ssllabs.com (https://www.ssllabs.com/ssltest/)
forward secretive ciphers/key echange : what it means