Let’s Encrypt Free SSL Certificate and Nginx on Ubuntu

Let's Encrypt Free SSL Certificate

Encryption For The Masses by Let’s Encrypt

Let’s Encrypt brings open, free SSL certificates to make encryption possible for the masses.

In case you missed the chatter, Let’s Encrypt is a new Certificate Authority that issues free SSL certificates through an automated process and, best of all, is open.

That means you don’t need to pay to get a certificate issued for your site; you can use the free SSL certificate provided by Let’s Encrypt.

If you can’t wait until December 3, 2015, when they open their Public Beta, go ahead and sign up for their limited Closed Beta.

I signed up two weeks ago, got my Closed Beta invite whitelisting a few domains two days ago, and decided to play with it today.

Their client makes it pretty easy to get the certificate, and in a few minutes you have your server up and running with SSL. Following these steps should make it even easier.

Installing Git

If you don’t have git installed already, you’d need it.

sudo apt-get update
sudo apt-get install git

That should get git installed on your server. Before you begin, stop nginx: the standalone client has to bind to port 80, and a running nginx would prevent that and throw errors.

Stopping Nginx

sudo service nginx stop

Downloading Let’s Encrypt Client

Now let’s move towards some real action by downloading the Let’s Encrypt client.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Generating Let’s Encrypt Free SSL Certificate

The nifty letsencrypt-auto tool updates and manages the client’s dependencies in a Python virtual environment. You can run the command as a normal user and it will prompt for sudo when it needs superuser permissions.

./letsencrypt-auto certonly -a standalone --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

Running this sets up the environment, installs the dependencies and then asks for your email address, which is used for notifications and key recovery.

It will next ask you to read the Terms of Service, which you have to accept to proceed.

Next you’ll be prompted for the domains that were whitelisted and emailed to you. You can separate them with commas or spaces. Alternatively, you can specify them on the command line with -d your_domain.tld, which looks like this:

./letsencrypt-auto certonly -a standalone -d your_domain.tld --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

After a bit, it will give you the following output:

Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/user/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d your_domain.tld --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

It will also tell you where the certificate and chain have been saved. By default that is /etc/letsencrypt/live/your_domain.tld/fullchain.pem

Using a Strong Diffie Hellman Group

You’ll have to generate a new Diffie-Hellman group with the following commands:

cd /etc/nginx
openssl dhparam -out dhparams.pem 2048

That should take about 2-3 minutes to generate a strong DH group, and you’ll find dhparams.pem in /etc/nginx/.

Using Mozilla’s SSL Configuration Generator for Nginx

You can use Mozilla’s SSL Configuration Generator to generate nginx Server Block configuration.

Here is the config to put in your nginx.conf or vhost configuration file for nginx:

server {
    listen *:80;
    listen *:443 ssl spdy;
    ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits: the dhparams.pem we generated earlier
    ssl_dhparam /etc/nginx/dhparams.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling:
    # fetch OCSP records from URL in ssl_certificate and cache them.
    # Note: no "ssl on;" here. That directive turns TLS on for every listen socket
    # in the block, including the port-80 one; the "ssl" parameter on the 443 listen
    # above is all that is needed.
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/your_domain.tld/chain.pem;

    # DNS resolver configuration (used to fetch the OCSP responses)
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    # Rest of your server configuration...

}
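Once the block above is in place, a quick static check catches the omissions that cost a rating or break plain HTTP before nginx is restarted. The following script is an added example, not code from the original post, from the Mozilla generator or from nginx: audit_nginx_tls greps one configuration file for the directives the post enables (DH parameters, session tickets off, HSTS, OCSP stapling with a trusted chain) and flags two risky settings, an "ssl on;" directive in a block that also listens on port 80 and any SSLv2/SSLv3 in ssl_protocols; cert_valid_for wraps openssl x509 -checkend so you can tell whether the certificate at fullchain.pem will still be valid a given number of seconds from now. The file paths and the function names are assumptions.

```shell
#!/bin/sh
# Static checks for the nginx TLS server block above, plus a certificate expiry
# check. Added example, not part of the original post or of the nginx/Mozilla
# tooling it describes. Paths and function names are assumptions.

# audit_nginx_tls CONF
# Scans one nginx configuration file for the settings the post turns on and
# prints a line for each one that is missing or risky. Returns 0 when the file
# passes every check, 1 otherwise.
audit_nginx_tls() {
    conf="$1"
    fails=0
    # has REGEX: true when an uncommented line of CONF matches REGEX
    has() { grep -Ev '^[[:space:]]*#' "$conf" | grep -Eq "$1"; }

    has 'ssl_dhparam[[:space:]]' || { echo "MISSING ssl_dhparam (openssl dhparam -out dhparams.pem 2048)"; fails=1; }
    has 'ssl_session_tickets[[:space:]]+off' || { echo "MISSING ssl_session_tickets off"; fails=1; }
    has 'ssl_prefer_server_ciphers[[:space:]]+on' || { echo "MISSING ssl_prefer_server_ciphers on"; fails=1; }
    has 'Strict-Transport-Security' || { echo "MISSING HSTS add_header"; fails=1; }
    has 'ssl_stapling[[:space:]]+on' || { echo "MISSING ssl_stapling on"; fails=1; }
    has 'ssl_stapling_verify[[:space:]]+on' || { echo "MISSING ssl_stapling_verify on"; fails=1; }
    has 'ssl_trusted_certificate[[:space:]]' || { echo "MISSING ssl_trusted_certificate (needed to verify stapled OCSP responses)"; fails=1; }

    # "ssl on;" enables TLS on every listen socket of the block, so a plain
    # port-80 listen in the same block stops serving HTTP.
    if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' && has 'listen[[:space:]]+([^;]*:)?80([[:space:]][^;]*)?;'; then
        echo "RISKY 'ssl on;' together with a port-80 listen; use the ssl parameter on the 443 listen instead"
        fails=1
    fi
    # SSLv2 and SSLv3 must never be offered.
    if has 'ssl_protocols[^;]*SSLv[23]'; then
        echo "RISKY ssl_protocols offers SSLv2/SSLv3"
        fails=1
    fi
    return $fails
}

# cert_valid_for PEM SECONDS
# Succeeds when the first certificate in PEM is still valid SECONDS from now and
# fails when it expires before then (openssl x509 -checkend); prints the notAfter
# date either way. Point it at fullchain.pem under /etc/letsencrypt/live.
cert_valid_for() {
    openssl x509 -in "$1" -noout -enddate
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Usage when run directly: sh audit_tls.sh /etc/nginx/sites-enabled/your_domain.tld
if [ "$#" -gt 0 ]; then
    audit_nginx_tls "$1"
fi
```

Run it against the vhost file after nginx -t passes; a renamed DH parameter file or a stray "ssl on;" shows up here rather than after the site stops answering on port 80. The expiry check is worth putting in cron, since the certificate at fullchain.pem will eventually expire and nginx keeps serving it regardless.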

Starting Nginx

Once the nginx or vhost configuration file has been updated, go ahead and start nginx with the following command:

sudo service nginx start

Testing that your site loads with your brand new Let’s Encrypt free SSL certificate

Now head to your browser and open https://your_domain.tld; it should load as a secure site with a valid certificate.

Using SSL Labs’ SSL Server Test

Finally, for the feel-good factor, head to SSL Labs’ SSL Server Test, enter your domain name, submit, and wait for it to give you an A+ rating.

Install Node.js 5.0 Stable on Ubuntu 14.04 LTS

Node.js 5.0 is a Stable version released in October 2015, right after Node.js 4.2 Argon LTS was released.

We’ll look at how to install Node.js 5.0 stable on Ubuntu 14.04 LTS.

Get the setup script:

curl -sL https://deb.nodesource.com/setup_5.x | sudo -E bash

Once done, start installation of Node.js by executing the following command:

sudo apt-get install -y nodejs

That’s all folks; you should now have Node.js 5.0 stable installed and ready to go!

You can test the installation with the following command to find the version:

node -v

You should get output like:

v5.0.0

Enjoy hacking with node.js

WordPress Permalinks Issue Solved

After almost twenty hours of nerve-wracking, hair-splitting searching, I finally got the irritating WordPress Permalinks issue solved for my blog.

Yes, the one you are reading right now.

There are some standard steps you won’t want to skip.

First, check whether mod_rewrite is enabled in your Apache config. To enable mod_rewrite if it isn’t already, type the following in your terminal:

sudo a2enmod rewrite

It should either enable it or tell you “Module rewrite already enabled”.

Now that mod_rewrite has been sorted, let’s tell Apache that it’s all right for the .htaccess file to override some server-level settings.

Look for “AllowOverride none” in your 000-default.conf, httpd.conf and httpd-vhosts.conf and change it to “AllowOverride all”. It is important that you check all of these files: it took me several hours of searching to figure that out, as I was primarily tinkering with my httpd-vhosts.conf and httpd.conf and didn’t pay attention to the 000-default.conf file.

Once you’ve made the change, restart Apache with the following command:

sudo service apache2 restart

Now, ensure there is a .htaccess file in your WordPress install directory.

If it’s not there, create an empty one with the following command in your terminal:

touch .htaccess && chmod 666 .htaccess

Don’t worry yet about adding anything in the .htaccess file. WordPress will handle it for you.

Now go to your WordPress Settings, set your Permalinks to whichever of the options there pleases you, and save the settings. This should generate the required content for the .htaccess file automatically.

Visit your site and check that the fancy Permalinks are working, then change the permissions on the .htaccess file back to 644.

That should set you right with your WordPress Permalinks Issue.
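To take the guesswork out of the AllowOverride step and the .htaccess permission dance, here is an added example that is not part of the original post and not WordPress or Apache tooling: find_allowoverride_none lists every active "AllowOverride None" line in the *.conf files under an Apache configuration directory, commented-out lines excluded, so 000-default.conf cannot be overlooked again; htaccess_ready confirms that the .htaccess in the WordPress directory exists and is back at mode 644 once WordPress has written it. The directory paths and function names are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the WordPress permalink fix described above. Added
# example, not part of the original post or of WordPress/Apache tooling.
# Paths and function names are assumptions.

# find_allowoverride_none CONFDIR
# Prints file:line:text for every active (uncommented) "AllowOverride None"
# in the *.conf files under CONFDIR. Returns 0 when at least one was found
# (i.e. there is still something to change), 1 when the tree is clean.
find_allowoverride_none() {
    confdir="$1"
    hits=$(find "$confdir" -type f -name '*.conf' -exec \
        grep -HniE '^[[:space:]]*AllowOverride[[:space:]]+None' {} + 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# htaccess_ready DOCROOT
# Succeeds when DOCROOT/.htaccess exists and has mode 644, the permission the
# post settles on after WordPress has written the rewrite rules; otherwise
# prints what is wrong and fails.
htaccess_ready() {
    f="$1/.htaccess"
    if [ ! -f "$f" ]; then
        echo "missing: $f (touch it so WordPress can write the rules)"
        return 1
    fi
    # find -perm with an octal mode matches that exact mode (POSIX), so this
    # catches the temporary 666 from the setup step as well as anything stricter.
    if [ -z "$(find "$f" -perm 644)" ]; then
        echo "wrong permissions on $f (expected 644)"
        return 1
    fi
    echo "ok: $f"
}

# Usage when run directly:
#   sh wp_preflight.sh /etc/apache2 /var/www/html
if [ "$#" -ge 2 ]; then
    if find_allowoverride_none "$1"; then
        echo "above: change AllowOverride None to All, then restart apache2"
    fi
    htaccess_ready "$2"
fi
```

Run the first check once before editing, then again after the restart; an empty result is what you want. The second check is the one to run last, after the Permalinks settings page has populated the file, since 666 is only meant to let WordPress write it and should not survive the setup.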

ShellShock – CVE-2014-6271 and CVE-2014-7169 Bash Vulnerability

If you are running a *nix machine, personal or in a server capacity, in all probability your system is affected by the vulnerability that’s been reported. I just ran a check on my boxlet running Ubuntu 12.04 LTS and yes, it was indeed vulnerable. This quick note covers identifying and fixing the ShellShock Bash vulnerability.

At this point the available fixes appear to be incomplete and we’ll have to wait for further developments. Keep a close watch on your favorite distro’s security updates and ensure your boxlet is patched.

How to check if your *nix boxlet is vulnerable to the ShellShock Bash Vulnerability?

Open a terminal and paste this command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your boxlet is not vulnerable, you should get the following response:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If your boxlet is vulnerable, and most likely it is, you should get the following response:

vulnerable
hello
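The same probe, as an added example that is not part of the original post, wrapped in a function that returns an exit status instead of relying on reading the output by eye: it runs the CVE-2014-6271 check above against the bash given as its argument (default: the one on PATH) and reports the version it tested, so it can be run from a script before and after the update. The function name is an assumption.

```shell
#!/bin/sh
# shellshock_check [BASH]
# Runs the CVE-2014-6271 probe from the post above against BASH (default: the
# bash on PATH). Prints "vulnerable: ..." and returns 1 when the shell executes
# the code appended to an exported function definition, "patched: ..." and
# returns 0 otherwise. Added example, not part of the original post; the
# function name is an assumption.
shellshock_check() {
    shell="${1:-bash}"
    # The exported variable x looks like a function definition followed by a
    # command. A patched bash refuses to import it and only warns on stderr,
    # so stdout then contains just "hello".
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null)
    version=$("$shell" --version 2>/dev/null | head -n 1)
    case "$out" in
        *vulnerable*)
            echo "vulnerable: $shell ran code from an exported function definition ($version)"
            return 1 ;;
        *)
            echo "patched: $shell ignored the function definition attempt ($version)"
            return 0 ;;
    esac
}

# When run directly, check the bash named on the command line (default: bash)
# and exit with the result: 0 patched, 1 vulnerable.
shellshock_check "$@"
```

Because the function's exit status carries the result, a one-liner over a list of hosts (ssh each one and run the script) gives a before/after inventory of the update below without parsing anybody's terminal.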

How to fix the ShellShock Bash Vulnerability?

Now to the fix. It’s pretty much nothing but an update; to do so, type the following in the terminal:

sudo apt-get update && sudo apt-get install bash

Here’s what happens: “sudo apt-get update” makes sure you have the latest package list, which should include the fixed version of bash, and “sudo apt-get install bash” installs that latest, fixed version of bash.

With that, you should be patched for the ShellShock Bash Vulnerability.

However, there is no certainty yet; keep a close watch on security sites for further developments and fixes as they evolve.

Keep safe and Keep Peace!