Another non-eOS blog, but this has wasted some of my time this week and I thought it might be useful (at least to me in 3 months' time!)

In today's internet world, creating and using a Secure Sockets Layer (SSL) certificate (cert) should be much easier. (Strictly speaking it's TLS these days, but everyone still calls the certs SSL certs, so I will too.) OK, it's actually a lot easier than it was a few years ago, but it's probably still beyond most people running a simple web site/server (including me!)

I first got interested in SSL when I started using ownCloud and initially used a self-signed cert. These are great for testing stuff out but will invariably generate error messages when you access the site through most browsers. If you have complete control over the machine, you can tell it to trust the self-signed cert, but where you don't it's a case of clicking through the warnings, which becomes a pain every time you go there.

In the end, I bought a cheap Comodo cert from PositiveSSL which cost about £10 for 3 years. When I set everything up, I chose to access ownCloud through a prefix (a bit like my web.domain address), which seemed like a good idea. In hindsight, it probably wasn't, and buying a cert for my whole domain would have made much more sense. I'll probably sort this when the Comodo cert expires.

I'm not going to get into all the details here, but I run all my externally facing web services through an Nginx proxy, so I could have a domain cert validating things there.

Anyway, when I set up my FEMP server for playing about with WordPress (and Joomla and Drupal and various other things) I thought I'd better create an SSL cert. A quick Google took me to Let's Encrypt, who provide free validated certificates, with the downside that they only last 90 days and have to be renewed. Not a big problem, as there are tools (e.g. certbot) which can automate this process so, in theory, you have an SSL cert that validates in most browsers and renews itself before the 90 days are up.

Everything was set up swimmingly, although I was approaching the end of my 90 days, so expected the cert to update. Over the weekend it expired, even though everything looked like the renewal had run OK and I had a new cert. I didn't really think things through long enough, so yesterday I went through the process of generating a Let's Encrypt cert through a web service (ZeroSSL) and installed this onto my FEMP server. It was only when this didn't appear to work, and in a light-bulb-like moment, that I realised I needed the SSL cert on my proxy server, doh!

Copying the files across (pretty straightforward as they are both running in separate jails on freenas1) and updating the nginx.conf file, and we're back up and running with SSL!

I'll need to try and set up certbot on the Nginx proxy server, which will hopefully keep everything up to date, with a cron job to renew the cert and then copy the updated files to the FEMP server. This got me wondering whether I actually need the SSL certs on the FEMP server if people are connecting through the Nginx proxy, or whether having them in both places is just a belt-and-braces approach. I'll need to understand a little more about all this SSL stuff and let you know…
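As an added example (not from the original post, and not the author's own setup script), here is the shape a certbot deploy hook could take for the layout described above: certbot runs on the Nginx proxy, where TLS actually terminates, and after every successful renewal it pushes the new files to the FEMP jail and reloads both Nginx instances. The names `femp.internal` and `/usr/local/etc/nginx/ssl` are assumptions for illustration; the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables, however, really are what certbot exports to a `--deploy-hook`, and certbot only runs that hook when a certificate was actually renewed.

```shell
#!/bin/sh
# Added example, not code from the original post: a certbot --deploy-hook for a
# setup where TLS terminates on an Nginx reverse proxy and a second jail (the
# "FEMP" box) wants a copy of the same certificate.
#
# Assumed (hypothetical) names: the FEMP jail is reachable over SSH as
# femp.internal and its Nginx reads certs from /usr/local/etc/nginx/ssl.
# certbot itself sets RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS when it calls a deploy hook, and only does so after a
# certificate was actually renewed. Install with either
#   certbot renew --deploy-hook /usr/local/bin/push-certs.sh
# or by dropping this file into <letsencrypt dir>/renewal-hooks/deploy/
# (that directory is /etc/letsencrypt on Linux, /usr/local/etc/letsencrypt
# with the FreeBSD port).
set -eu

FEMP_HOST=femp.internal                 # assumption: backend jail's SSH name
FEMP_CERT_DIR=/usr/local/etc/nginx/ssl  # assumption: where its Nginx reads certs

# Copy fullchain.pem and privkey.pem out of a lineage directory into a staging
# directory. The files under live/ are symlinks into archive/, which plain cp
# follows. The key is created under umask 077 so it is never world-readable,
# not even for the instant before the final chmod.
stage_certs() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    cp "$src/fullchain.pem" "$dst/fullchain.pem"
    ( umask 077; cp "$src/privkey.pem" "$dst/privkey.pem" )
    chmod 0644 "$dst/fullchain.pem"
    chmod 0600 "$dst/privkey.pem"
}

# Ask the public-facing proxy which certificate it actually presents and when
# it expires. Browsers only ever see what the proxy serves, not what any box
# behind it holds, so this is the check that shows an expired cert straight
# away. Prints a line of the form "notAfter=Jan  1 00:00:00 2030 GMT".
served_cert_expiry() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Push the staged files to the FEMP jail and reload the Nginx running there.
deploy_to_femp() {
    staged=$1
    scp -pq "$staged/fullchain.pem" "$staged/privkey.pem" "$FEMP_HOST:$FEMP_CERT_DIR/"
    ssh "$FEMP_HOST" 'nginx -t && nginx -s reload'
}

# RENEWED_LINEAGE is only set when certbot is calling this script as a hook, so
# running the file by hand does nothing destructive.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage=$(mktemp -d)
    trap 'rm -rf "$stage"' EXIT
    stage_certs "$RENEWED_LINEAGE" "$stage"
    deploy_to_femp "$stage"
    # The proxy's own Nginx points at the live/ symlinks, so it just needs a
    # reload to pick up the new files.
    nginx -t && nginx -s reload
    for d in ${RENEWED_DOMAINS:-}; do
        served_cert_expiry "$d"
    done
fi
```

On the question of whether the FEMP server needs a cert at all: the browser's TLS connection ends at the proxy, so the only certificate a visitor ever validates is the one the proxy's `ssl_certificate` directive points at. The FEMP jail needs its own cert only if the proxy talks to it over HTTPS (`proxy_pass https://…`), and even then the proxy, not the visitor, is the one checking it, so a self-signed or internal cert is fine for that hop. With `proxy_pass http://…` inside the same FreeNAS box, the copy on the FEMP server is never used by anyone outside.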

Anyway, I haven't really spent much time with eOS as a result, so nothing new to report there.