IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

ssl

Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX

by

This guide will aim to inform you of strong cryptographic protocols and ciphers to use on a web server on Ubuntu 16.04 and NGINX.

Secure encryption protocols are used to secure communications between a server and client. Older SSL protocols like Netscape’s Secure Sockets Layer (SSL) are flagged as DO NOT USE use by the Internet Engineering Task Force (IETF). Newer protocols like Transport Layer Security (TLS) are the newer recommended SSL protocols to use.

Wikipedia Article on Cryptographic Protocol’s

A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.

Wikipedia on Ciphers

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, “cipher” is synonymous with “code,” as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

Wikipedia article on Elliptic-curve cryptography

Wikipedia article on Diffie–Hellman key exchange

Bad SSL Assumptions I have heard for not using HTTPS

  • I am not a bank so I don’t need HTTPS
  • SSL overhead is was too high on servers.
  • My site only has static content, I don’t need HTTPS
  • I don’t need SSL to secure my site I just need to be less of a target than others
  • I don’t hold confidential information (Wrong)

Don’t be Lazy and secure a site poorly

A local business that wanted me to buy their goods is not convincing me.

Bad SSL

(tested with SSL labs and asafaweb)

Why SSL

If you are unsure of why you need SSL visit https://doesmysiteneedhttps.com/, Avoiding the Not Secure Warning in Chrome, Why HTTPS matters and securing your site with HTTPS.

Google has an HTTPS usage graph for all communications to its services (hint it’s growing): https://transparencyreport.google.com/https/overview?hl=en

SSL Usage

SSL Future

SSL is here to stay, Non-SSL sites will soon be labelled insecure, Non-SSL sites will have Search Engine Optimization (SEO) adversely affected.

http insecure

Also, secure pages will be treated as normal (not flagged as secure)

History of Protocol’s – Launch Dates

  • SSL 1.0 (never launched)
  • SSL 2.0 1995
  • SSL 3.0 1996
  • TLS 1.0 1999
  • TLS 1.1 2006
  • TLS 1.2 2008
  • TLS 1.3 2018

Sites like https://caniuse.com can show you if our browser can use new protocols like TLS (e.g TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

  • TLS 1.0 is supported by All Browsers
  • TLS 1.1 is supported on IE11+, Edge, Firefox 24+, Chrome 22+, Safari 7+, Opera 12.1+, iOS Safari 5.1+, Chrome 62 on Android 5+ etc
  • TLS 1.2 is supported on IE11+, Edge, Firefox 27, Chrome 30+, Safari 7+, Opera 17+, iOS Safari 5.1, Chrome 62 on Android 5+ etc
  • TLS 1.3 is not supported by IE, Edge, Safari, iOS Safari, Android but is supported by Firefox 52, Chrome 56, Opera 43.

TLS 1.3

I have a guide here on setting up TLS 1.3 on Ubuntu 16.05 and Chrome, I use the draft build of OpenSSL but Open SSL 1.1.1 will support TLS 1.3. I am still figuring our TLS 1.3 on Ubuntu 18.04.

At the time of writing, you need to opt into TLS 1.3 draft specification in Chrome.

Enable TLS in Chrome

Cypher or Cypher

Read this page to see the history of the word Cipher or Cypher?

Buying an SSL certificate

Opening your wallet may not buy you the best certificate either, this was an SSL Labs review of a $150 SSL certificate Ii purchased a few years ago from a CPanel web host.

Bad CPanel SSL Certificate

I don’t buy commercial certificates anymore, I prefer free SSL certificates from Lets Encrypt

SSL Strength

I prefer to set up my own (free) SSL certificate with Lest Encrypt and tets those certificated with https://dev.ssllabs.com/ssltest/

You can configure your web server to only use certain protocols.

And define preferred ciphers

SSL Test 2018

Don’t forget to renew your SSL certificates ahead of time.

Also run a modern browser like Google Chrome Canary as some old browsers thnk expired SSL certificates are Secure

Ciphers

OpenSSL has implemented support for five TLS v1.3 cipher suites:

  • TLS13-AES-256-GCM-SHA384
  • TLS13-CHACHA20-POLY1305-SHA256
  • TLS13-AES-128-GCM-SHA256
  • TLS13-AES-128-CCM-8-SHA256
  • TLS13-AES-128-CCM-SHA256

Test OpenSSL Cipher Suites

A handy guide about using ciphers

SSL/TLS: How to choose your cipher suite

Testing a remote host’s ciphers and protocols with cipherscan

Clone this repository: https://github.com/mozilla/cipherscan

Scan a site

Result

Cipher scan can also recommend settings to change to help you harden a server (based on https://wiki.mozilla.org/Security/Server_Side_TLS)

Analyze Command

Results

More info on hardening here.

TLS 1.3 Information

More Reading

SSLLabs Grading of certificates

Read about SSL Labs grading here

snip from here

  • A+ – exceptional configuration
  • A – strong commercial security
  • B – adequate security with modern clients, with older and potentially obsolete crypto used with older clients; potentially smaller configuration problems
  • C – obsolete configuration, uses obsolete crypto with modern clients; potentially bigger configuration problems
  • D – configuration with security issues that are typically difficult or unlikely to be exploited, but can and should be addressed
  • E – unused
  • F – exploitable and/or patchable problems, misconfigured server, insecure protocols, etc.

We wish to make clear that, while A+ is clearly the desired grade, both A and B grades are acceptable and result in adequate commercial security. The B grade, in particular, may be applied to configurations designed to support very wide audiences, many of whom use very old programs to connect. The C grade is generally used for configurations that don’t follow best practices. Grades D and F are used for servers with serious configuration and security issues.

REady to go SSL configuration: https://cipherli.st/

Download ready to go Diffie–Hellman primes. https://2ton.com.au/dhtool/

We have dedicated 48 CPU cores to the task of continuously generating 2048, 3072, 4096 and 8192 bit DH parameters, and the public service we present here allows access to the most-recent 128 of each.

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography.

Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

Diffie–Hellman is used to secure a variety of Internet services. However, research published in October 2015 suggests that the parameters in use for many DH Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as the security services of large governments.

More to come, I hope this guide helps someone.

fyi:

Windows Protocol/Cipher installer: https://www.nartac.com/

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.2 expired and use a modern browser

v1.1 bad SSL

v1.0 Initial post

Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare

by

This guide will show you how to enable the latest Transport Layer Security (TLS) 1.3 protocol with it’s predecessor Secure Sockets Layer (SSL) with NGINX and OpenSSL for better website security on an Ubuntu 16.04 server

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Making sure your server is up to date and running the latest SSL software is important. I have updated Open SSL before and blogged about this here.  Do back up your server before changing settings and if you use  Cloudflare (if you don’t do it now) enable Development Mode (and disable caching until changes are made).

For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

TLS 1.3 is the latest SSL security protocol that can be used between clients and servers to encrypt connections on the web.

TLS 1.3 uptake is only 60% according to https://caniuse.com/#search=TLS%201.3

TLS 1.3

Read why TLS 1.3 is important and news on TLS 1.3 can be found here: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/

The Good and Bad

Done be like this commercial site with very poor security (tested with SSL labs and asafaweb)

Bad SSL

Here is what the top 1 million sites do

Installing Open SSL on Ubuntu

Connect to your Ubuntu 16.04 server via SSH (I connected to my Vultr server)

Check what version of OpenSSL you have? My OpenSSL is out of date.

Tip: What Ciphers does your Open SSL Support?

Time to update Open SSL

OpenSSL 1.1.1 beta is available and supports TLS 1.3  but it is n BETA form.  OpenSSL code is available here.

I did the following to download and build the latest version of OpenSSL.

I tried to check the open SSL version but had an error?

A quick GitHub ticket revealed I needed to set a path variable.

Open SSL now reports it’s version.

What version NGINX do you have (1.13 supports TLS 1.3read here

Backup your NGINX

Do backup your server files and take a snapshot if need be.  I am not responsible;e for a broken server,

Edit NGINX Configuration

Update NGINX configuration: /etc/nginx/sites-available/default

tip: Review other NGINX hardening settings here.  Also remove TLSv1.0

I tested my NGINX config loaded them and restarted NGINX

Check the status of NGINX

If you have configured Cloudflare then log in and enable TLS support.

Cloudflare TLS Settings

Enable TLS 1.3 in Chrome by visiting chrome://flags/#tls13-variant This should be automatic in later versions of Chrome and other browsers.

Enable TLS in Chrome

Verify TLS

I used the developer tools in Chrome to confirm the page was verified in TLS 1.3.

Verify TLS

Updated to 1.1.1-pre6-dev

Don’t forget to test your SSL strength with https://dev.ssllabs.com/ssltest/

SSL Test 2018

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.4 fixed typo

v1.3 added bad ssl cert.

v1.2 ssl test v1.1 updated to 1.1.1-pre6-dev

v1.0 Initial post

How to optimize your sites Search Engine Optimization (SEO) and grow customers without paying for Ads

by

How to optimize your sites Search Engine Optimization (SEO) and grow customers without paying for Ads.

This guide is a shorter post around setting up SEO (Search Engine Optimization) and driving more traffic to your site without buying ADs.  In a nutshell, to have better SEO you need to jump some technical hurdles in order to drive more traffic to your site from search engines along with understanding your customer’s needs and making things easier for them.

I have blogged about these topics before but these posts are too long in reflection.

Buying Ad’s?

Facebook, Google, Bing and advertising agencies will recommend you set goals around growth and site traffic and pay for those goals to succeed (usually by advertisements).

Don’t get me wrong Advertising works but it is a competitive market, Online sites can easily setup the display of Ad’s on their site (my guide here Add Google AdWords to your WordPress blog, https://fearby.com/article/add-google-adwords-wordpress-blog/ ). You can buy physical billboard ad’s on the side of roads (e.g http://www.buythisspace.com.au/). I tried to enquire about the costs of a physical billboard but the agencies robot verification rejected my enquiry submission so I gave up.  Advertising is buying peoples times and people now how to avoid ad’s and not interact with them (7 Marketing Lessons from Eye-Tracking Studies https://blog.kissmetrics.com/eye-tracking-studies/)

Do more of what works

Spoiler: This guide will recommend you do more of what works over buying millions of ad’s and hoping for new and engaged customers and customer growth.

SEO Tip’s

This older article on  How to boost your site’s SEO  attempts to mention what you need to do it to get better SEO.

Do run a modern great site

I am a big fan of word of mouth over free/organic traffic over paid customers via advertising (Mostly because I am tight and realize advertising can be a bottomless pit). The single biggest thing you can do to have more organic traffic from search engines is run a modern and fast website, have valuable content and make it as easy for the customer as possible. This is why I moved my site and setup an SSL certificate (link to article).

Search engines like your site to be fast, updated frequently, have sitemaps to make their jobs easier and have an SSL certificate to keep the web safe etc.

Google, Bing and other search engines will not send traffic your way if you do not satisfy them that your site is liked or has valuable content.  Google makes money from Google Analytics by helping people understand their site’s visitors then recommend you pay for ad’s to use on sites that have AdWords on their site ( WordPress to a new self-managed server away from CPanel ).

Traffic Source types

  • Organic – An organic visitor to your site is one who found your site by searching something that was relevant to their search term and not by clicking on an advertisement.
  • Paid – A paid user is someone who has clicked an ad to come to your site.
  • Social – A social visitor is one who is known to come from a social media site, using social media sites like Twitter, Facebook or Instagram is a must to driving organic traffic (go where the people are).

Engagement

How engaged are your customers?  Have you asked your customers recently what they value or appreciate about your business or product? Have you asked for feedback recently?

User Engagement Levels

  • None – Do you have landing pages that quickly inform customers of your products or services?
  • Low – What do they need to know about your product or service?
  • Medium – Aware (engaged)
  • High – Can this person be an advocate for your business?
  • Gone – Did you get exit Feedback?

Ways to engage already engaged customers.

What can you do to help understand your customer’s needs and make their purchase processes easier?

Why are your customers leaving?

Understand more about your customers reasons for leaving and act upon preventing others from leaving.

  • Trying something new (Does your website need to be simpler?)
  • Are your products too expensive?.
  • Your site (or ordering) is not convenient (Do you need to setup online ordering/subscriptions and delivery?)
  • etc

Who are your customers

Are your customers.

  • Engaged
  • Informed
  • Advocates

Feedback

  • Do you have feedback loops (A simple feedback form can solve this)?

What do you know about your customers?

  • Product Satisfaction
  • Product Loyalty
  • Product Awareness

Paid Traffic (Ad’s)

Free Traffic (SEO + Organic Ad’s)

  • Blog Posts (Sharing value/passion)
  • Social Media Posts (use hashtags)
  • Instagram (Post value/passion)

Most importantly Do what works (Measure and replicate).

Focus on Business Value

Generate a  SWOT Analysis ( Free tool here https://xtensio.com/ )

  • What are your Strengths?
  • What are your Weaknesses?
  • What are your Opportunities?
  • What are your Threats?

Goals

Goals allow you to investigate, learn, act and measure I order to improve.

  • Investigate – Data.
  • Learn/Insight – Make Assumptions.
  • Act – Act and measure.

Read more about customer engagement here https://en.wikipedia.org/wiki/Customer_engagement

Bonus

 Do ensure your website is compliant with accessibility and technical standards

Conclusion

The more you know the better you can connect, Do set goals and as a minimum setup Google Analytics, SSL certificate and submit your site to search engines, then focus on a fast site that makes things simple for your customers.

Donate and make this blog better



Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.0 Initial version

Beyond SSL with Content Security Policy, Public Key Pinning etc

by

A big shoutout goes to Troy Hunt and Leo Laporte and Steve Gibson from https://www.grc.com/securitynow for sharing their security knowledge.

Pre-Requisite: SSL Certificate

I have mentioned before how to obtain an A+ rating on your SSL certificate with the help of https://ssllabs.com/ssltest before in my Digital Ocean and AWS and Vultr Ubuntu server (NGINX, NodeJS etc) setup guides. Also an SSL certificate can be free and installed in 1 minute.

I will assume you have an SSL Labs A+ server rating on your site and you want to secure your site some more. You will need to secure your site some more by enabling content headers for Content Security Policy and Public Key Pinning.

Why

Read this article from Troy Hunt that explains why CSP is important: The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

HTTP Public Key Pinning

Full credit goes to this site for explaining how to setup HTTP Public Key Pin and (add a NGINX header to reference two new keys that we link to the main certificate). Basically, we need to generate two new certificates on our server (linked to our master certificate from our CA) and deliver the hashes to the client as a header.

openssl x509 -pubkey < chained.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
> Base64Output01Removed###########################=

openssl genrsa -out chained.first.pin.key 4096
> Generating RSA private key, 4096 bit long modulus
> …

openssl req -new -key yourserver.first.pin.key -sha256 -out yourserver.first.pin.csr
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:
> Please enter the following ‘extra’ attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:

openssl req -pubkey < yourserver.first.pin.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
> Base64Output02###########################=

openssl genrsa -out chained.second.pin.key 4096
> Generating RSA private key, 4096 bit long modulus
> …

openssl req -new -key yourserver.second.pin.key -sha256 -out yourserver.second.pin.csr
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:
> Please enter the following ‘extra’ attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:

openssl req -pubkey < yourserver.second.pin.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
> Base64Output03###########################=

# Add the following to the NGINX default configuration

server {

add_header Public-Key-Pins ‘pin-sha256=”Base64Output01###########################=”; pin-sha256=”Base64Output02###########################=”; pin-sha256=”Base64Output03###########################=”; max-age=2592000; includeSubDomains’;

}

nginx -t
nginx -s reload
/etc/init.d/nginx restart

This should solve the pinning ratings. I can check with https://securityheaders.io

Content Security Policy

Content Security Policy helps prevent cross-site scripting (XSS), clickjacking and other code injection attacks on your site by allowing your site to pre-define where resources can load from. Content Security Policy is supported in modern web browsers only. Here is a good explanation of CSP and a hackers cheat sheet for how to XSS Inject a site.

You can use this site to review your websites (or your bank’s website security): https://securityheaders.io/

I decided to check a big bank’s CSP/XSS configuration.

websecurity-001

St George Bank appears to be missing a number of potential security configurations (above). I ran the checker over a site I was building and I got a missing Content Security Polity warning also.

If your site just delivers text (no images or media) and does not use Google Analytics or content from remote CDN’s then defining a Content Security Policy is easy in NGINX.

But chances are you will need to generate a detailed CSP to allow Google Analytics, Font’s and scripts to load/run.

There are loads of sites that will help you generate you a CSP ( here, here etc) but it is best to add the configuration above to your NGINX config then load your website google chrome and look for any CSP errors and then add them into the CSP generator, export to NGINX, save and recheck in google chrome until all issues are solved.

A recent version of Google Chrome will give you a good indication of what resources it blocked (that were not covered in your Content Security Policy).

websecurity-006

I suggest you go to https://report-uri.io/home/generate and for each failing resource resolve that issue by defining the allowed resources in your policy.

After about 20 reloads of my CSP at https://report-uri.io/home/generate on my site and CSP validation with https://cspvalidator.org/ I have a working minimum Content Security Policy allowing resources on my site (real names redacted, note my CDN server that I use for misc resources).

websecurity-007

My Final Content Security Policy.

script-src 'self' 'unsafe-inline' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; style-src 'self' 'unsafe-inline' https://myservername.com:* https://fonts.googleapis.com:*; img-src 'self' https://myservername.com:* https://*.google-analytics.com https://*.google.com; font-src 'self' data: https://myservername.com:* https://myservername-cdn:* https://fonts.googleapis.com:* https://fonts.gstatic.com:*; connect-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; media-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; child-src 'self' https://player.vimeo.com https://www.youtube.com; form-action 'self' https://myservername.com:* https://myservername-cdn:*;

Spaced out to see what is set.

script-src 'self' 'unsafe-inline' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; 
	style-src 'self' 'unsafe-inline' https://myservername.com:* https://fonts.googleapis.com:*; 
	img-src 'self' https://myservername.com:* https://*.google-analytics.com https://*.google.com; 
	font-src 'self' data: https://myservername.com:* https://myservername-cdn:* https://fonts.googleapis.com:* https://fonts.gstatic.com:*; 
	connect-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; 
	media-src 'self' https://myservername.com:* https://myservername-cdn:* https://*.google-analytics.com https://*.google.com; 
	child-src 'self' https://player.vimeo.com https://www.youtube.com; 
	form-action 'self' https://myservername.com:* https://myservername-cdn:*;

Here is what I added to my NGINX configuration (but with my real servers names)

Misc SSL Certificate Issues

https://www.ssllabs.com/ssltest is the go-to site for checking your sites SSL certificate for issues.

websecurity-005

Basic Server testing with asafaweb.com

https://asafaweb.com/ is a great site that tests your server to common security issues. Click on the orange or red buttons for an explanation and resolution.

websecurity-004

Testing with SecurityHeaders.io

If everything is configured you will get all green.

websecurity-003

CVE Exploits Database

After your server is secure you cannot sit back and pat yourself on the back, vulnerabilities can appear overnight and it is up to you to patch and update your server, services and software.

Your Code

Once you have a secure web server, SSL, XSS pinning and other security configuration setup you will need to ensure any code you develop is secure too.

Read the Open Web Application Security Project’s Top 10 Developer Security considerations.

About OWASP.

Security

As a precaution, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
Keep Yourself Informed

Follow as many security researchers as you can on Twitter and keep up to date. (e.g 0xDUDE)

Check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

Good luck.

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

V1.9 Added Let’s Encrypt info

V1.8 added Troy Hunt article on CSP

v1.7 added link to Hardening a Linux Server link

V1.6 security

Setting up a fast distributed MySQL environment with SSL

by

The following is a guest post from Shane Bishop from https://ewww.io/ (developer of the awesome EWWW Image Optimizer plugin for WordPress). Ready my review of this plugin here.

ewww3

Setting up a fast distributed MySQL environment with SSL

I’m a big fan of redundancy and distribution when it comes to network services. I don’t like to keep all my servers in one location, or even with a single provider. I’m currently using three different providers right now for various services. But when it comes to database communication, this poses a bit of a problem. Naturally, you would implement a firewall to restrict connections only to specific IP addresses, but if you’ve got servers all across the United States (or the globe), the communication is completely unencrypted by default.

Fortunately, MySQL has the ability to secure those communications and even require that specific user accounts use encryption for all communication. So, I’m going to show you how to setup that encryption, give a brief overview of setting up MySQL replication and give you several examples of different ways to securely connect to your database server(s). I used several different resources in setting this up for EWWW I.O. but none of them had everything I needed, or some had critical errors in them:

Setting up MySQL and secure connections

Getting Started with MySQL over SSL

How to enable SSL for MySQL server and client

I use Debian 8 (fewer major releases than Ubuntu, and rock-solid stability), so these instructions will apply to MySQL 5.5 and PHP 5.6, although most of it will work fine on any system. If you aren’t using PHP, you can just skip that section, and apply this to MySQL client connections, and replication. I’ll try to point out any areas where you might have difficulty on other versions, and you’ll need to modify any installation steps that use apt-get to use yum instead if you’re on CentOS, RHEL, or SuSE. If you’re running Windows, sorry, but just stop it. I would never trust a Windows server to do any of these things on the public Internet even with secured connections. You could attempt to do some of this on a Windows box for testing, but you can setup a Linux virtual machine using VirtualBox for free if you really want to test things out locally.

Setup the Server

First, we need to install the MySQL server on our system (you should always use sudo, instead of logging in as root, as a matter of “best practice”):

sudo apt-get install mysql-server

The installation will ask for a root password, and for you to confirm it. This is the account that has full and complete privileges on your MySQL server, so pick a good one. If this gets compromised, all is lost (or very nearly). Backups are your best friend, but even then it might be difficult to know what damage was done, and when. You’ll also want to run this, to make sure your server isn’t allowing test/guest access:

sudo mysql_secure_installation

You should answer yes to just about everything, although you don’t have to change your root password if you already set a good one. And just to make sure I’m clear on this. The root password here is not the same as the root password for the server itself. This root password is only for MySQL. You shouldn’t even ever use the root login on your server, EVER. It should be disabled so that you can only run privileged operations as sudo. Which you can do like this:

sudo passwd -l root

That command just disabled the root user, and should also be a good test to verify you already have an account that can sudo successfully, although I’d recommend testing it with something a little less drastic before you disable the root login.

Generating Certificates & Keys for the server

Normally, setting up secure connections involves purchasing a certificate from an established Certificate Authority (CA), and then downloading that certificate to your machine. However, the prevailing attitude with MySQL seems to be that you should build your own CA so that no one else has any influence on the private keys used to issue your server certificates. That said, you can still purchase a cert if that feels like the right route to go for you. Every organization has different needs, and I’m a bit new to the MySQL SSL topic, so I won’t pretend to be an expert on what everyone should do.

The Certificate Authority consists of a private key, and a CA certificate. These are then used to generate the server and client certificates. Each time you generate a certificate, you first need a private key. These private keys cannot be allowed to fall into the wrong hands, but you also need to have them available on the server, as they are used in establishing a secure connection. So if anyone else has access to your server, you should make sure the permissions are set so that only the root user (or someone with sudo privileges) can access them.

The CA and your server’s private key are used to authenticate the certificate that the server uses when it starts up, and the CA certificate is also used to validate any incoming client certificates. By the same token, the client will use that same CA certificate to validate the server’s certificate as well. I store the bits necessary in the /etc/mysql/ directory, so navigate into that directory, and we’ll use that as a sort of “working directory”. Also, the first command here lets you establish a “sudo shell” so that you don’t have to type sudo in front of every command. Let’s generate the CA private key:

sudo -s
cd /etc/mysql/
openssl genrsa 2048 > cakey.pem

Next, generate a certificate based on that private key:

openssl req -sha256 -new -x509 -nodes -days 3650 -key cakey.pem > cacert.pem

Of note are the -sha256 flag (do not use -sha1 anymore, it is weak), and the certificate expiration, set by “-days 3650” (10 years). Answer all the questions as best you can. The common name (CN) here is usually the hostname of the server, and I try to use the same CN throughout the process, although it shouldn’t really matter what you choose as the CN. If you follow my instructions, the CN will not be validated, only the client and server certificates get validated against the CA cert, as I already mentioned. Especially if you have multiple servers, and multiple servers acting as clients, the CN values would be all over the place, so best to keep it simple.

So the CA is now setup, and we need a private key for the server itself. We’ll generate the key and the certificate signing request (CSR) all at once:

openssl req -sha256 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-csr.pem

This will ask many of the same questions, answer them however you want, but be sure to leave the passphrase empty. This key will be needed by the MySQL service/daemon on startup, and a password would prevent MySQL from starting automatically. We also need to export the private key into the RSA format, or MySQL won’t be able to read it:

openssl rsa -in server-key.pem -out server-key.pem

Lastly, we create the server certificate using the CSR (based on the server’s private key) along with the CA certificate and key:

openssl x509 -sha256 -req -in server-csr.pem -days 3650 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > server-cert.pem

Now we have what we need for the server end of things, so let’s edit our MySQL config in /etc/mysql/my.cnf to contain these lines in the [mysqld] section:

ssl-ca=/etc/mysql/cacert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

If you are using Debian, those lines are probably already present, but commented out (with a # in front of them). Just remove the # from those three lines. If this is a fresh install, you’ll also want to set the bind-address so that it will allow communication from other servers:

bind-address = 198.51.100.10 # replace this with your actual IP address

or you can let it bind to all interfaces (if you have multiple IP addresses):

bind-address = *

Then restart the MySQL service:

sudo service mysql restart

Permissions

If this is an existing MySQL setup, you’ll want to wait until you have all the client connections setup to require SSL, but on a new install, you can run this to setup a new user with SSL required:

GRANT ALL PRIVILEGES ON 'database'.* TO 'database-user'@'%' IDENTIFIED BY 'reallysecurepassword' REQUIRE SSL;

I recommend creating individual user accounts for each database you have, so substitute the name of your database in the above command, as well as replacing the database-user and “really secure password” with suitable values. The command above also allows them to connect from anywhere in the world, and you may only want them to connect from a specific host, so you would replace the ‘%’ with the IP address of the client. I prefer to use my firewall to determine who can connect, as it is a bit easier than running a GRANT statement for every single host that is permitted. One could use a wildcard hostname like *.example.com but that would entail a DNS lookup for every connection unless you make sure to list all your addresses in /etc/hosts on the server (yuck). Additionally, using your firewall to limit which hosts can connect helps prevent brute-force attacks. I use ufw for that, which is a nice and simple command-line interface to iptables. You also need to run this after you GRANT privileges:

FLUSH PRIVILEGES;

Generating a Certificate and Key for the client

With most forms of encryption, only the server needs a certificate and key, but with MySQL, both server and client can have encryption keys. A quick test from my local machine indicated that it would automatically trust the server cert when using the MySQL client, but we’ll setup the client to use encryption just to be safe. Since we already have a CA setup on the server, we’ll generate the client cert and key on the server. First, the private key and CSR:

openssl req -sha256 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-csr.pem

Again, we need to export the key to the RSA format, or MySQL won’t be able to view it:

openssl rsa -in client-key.pem -out client-key.pem

And last step is to create the certificate, which is again based off a CSR generated from the client key, and sign the certificate with the CA cert and key:

openssl x509 -sha256 -req -in client-req.pem -days 3650 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > client-cert.pem

We now need to copy three files to the client. The certs are just text files, so you can copy and paste them, or you can use scp to transfer them:

  • cacert.pem
  • client-key.pem
  • client-cert.pem

If you don’t need the full mysql-server on the client, or you just want to test it out, you can install the mysql-client like so:

sudo apt-get install mysql-client

Then, open /etc/mysql/my.cnf and put these three lines in the [client] section (usually near the top):

ssl-ca = /etc/mysql/cacert.pem
ssl-cert = /etc/mysql/client-cert.pem
ssl-key = /etc/mysql/client-key.pem

You can then connect to your server like so:

mysql -h 198.51.100.10 -u database-user -p

It will ask for a password, which you set to something really awesome and secure, right? At the MySQL prompt, you can just type the following command shortcut, and look for the SSL line, which should say something like “Cipher in use is …”

\s

You can also specify the –ssl-ca, –ssl-cert, and –ssl-key settings on the command line in the ‘mysql’ command to set the locations dynamically if need be. You may also be able to put them in your .my.cnf file (the leading dot makes it a hidden file, and it should live in ~/ which is your home directory). So for me that might be /home/shanebishop/.my.cnf

Using SSL for mysqldump

To my knowledge, mysqldump does not use the [client] settings, so you can specify the cert and key locations on the command line like I mentioned, or you can add them to the [mysqldump] section of /etc/mysql/my.cnf. To make sure SSL is enabled, I run it like so:

mysqldump --ssl -h 198.51.100.10 -u database-user -p reallysecurepassword > database-backup.sql

Setup Secure Connection from PHP

That’s all well and good, but most of the time you won’t be manually logging in with the mysql client, although mysqldump is very handy for automated nightly backups. I’m going to show you how to use SSL in a couple other areas, the first of which is PHP. It’s recommended to use the “native driver” packages, but from what I could see, the primary benefit of the native driver is decreased memory consumption.  There just isn’t much to see in the way of speed improvement, but perhaps I didn’t look long enough. However, being one to follow what the “experts” say, you can install MySQL support in PHP like so:

sudo apt-get install php5-mysqlnd

If you are using PHP 7 on a newer version of Ubuntu, the “native driver” package is now standard:

sudo apt-get install php7.0-mysql

If you are on a version of PHP less than 5.6, you can use the example code at the Percona Blog. However, in PHP 5.6+, certificate validation is a bit more strict, and early versions just fell over when trying to use the mysqli class with self-signed certificates like we have. Now that the dust has settled with PHP 5.6 though, we can connect like so:

<?php
$server = '198.51.100.10';
$dbuser = 'database-user';
$dbpass = '[email protected]@s$worD';
$database = 'database';
$connection = mysqli_init();
if ( ! mysqli_real_connect( $connection, $server, $dbuser, $dbpass', $database, 3306, '/var/run/mysqld/mysqld.sock', MYSQLI_CLIENT_SSL ) ) { //optimize1
    error_log( 'Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error() );
    die( 'Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error() );
}
$result = mysqli_query( $connection, "SHOW STATUS like 'Ssl_cipher'" );
print_r( mysqli_fetch_assoc( $result ) );
mysqli_close( $connection );
?>

Saving this as mysqli-ssl-test.php, you can run it like this, and you should get similar output:

[email protected]:~$ php mysqli-ssl-test.php
Array
(
  [Variable_name] => Ssl_cipher
  [Value] => DHE-RSA-AES256-SHA
)

Setup Secure (SSL) Replication

That’s all fine for a couple servers, but at EWWW.IO. I quickly realized I could speed things up if each server had a copy of the database. In particular, a significant speed improvement can be had if you setup all SELECT queries to use the local database (replicated from the master). While a query to the master server might take 50ms or more, querying the local database gives you sub-millisecond query times. Beyond that, I also wanted to have redundant write ability, so I set up two masters that would replicate off each other and ensure I never miss an UPDATE/INSERT/DELETE transaction if one of them dies. I’ve been running this setup since the Fall of 2013, and it has worked quite well. There are a few things you have to watch out for. The biggest is if a master server has a hard reboot, and MySQL doesn’t get shut down properly, you have to re-setup the replication on any slaves that communicate with that master, as the binary log gets corrupted. You also have to resync the other master in a similar manner.

The other things to be careful of are conflicting INSERT statements. If you try to INSERT two records with the same primary key from two different servers, it will cause a collision if those keys are set to be UNIQUE. You also have to be careful if you are using numerical values to track various data points. Use MySQLs built-in arithmetic, rather than trying to query a value, add to it in your code, and then updating the new value in a separate query.

So first I’ll show you how to setup replication (just basic master to slave), and then how to make sure that data is encrypted in transit. We should already have the MySQL server installed from above, so now we need to make some changes to the master configuration in /etc/mysql/my.cnf. All of these changes should be made in the [mysqld] section:

max_connections = 500 # the default is 100, and if you get a lot of servers running in your pool, that may not cut it
server-id = 1 # any numerical value will do, but every server should have a unique ID, I started at 1 for simplicity
log-bin = /var/log/mysql/mysql-bin.log
log-slave-updates = true # this one is only needed if you're running a dual-master setup

I’ve also just discovered that it is recommended to set sync_binlog to 1 when using InnoDB, which I am. I haven’t had a chance to see how that impacts performance, so I’ll update this after I’ve had a chance to play with it. The beauty of that is it *should* avoid the problems with a server crash that I mentioned above. At most, you would lose 1 transaction due to an improper server shutdown. All my servers use SSD, so the performance hit should be minimal, but if you’re using regular spinning platters, then be careful with the sync_binlog setting.

Next, we do some changes on the slave config:

server-id = 2 # make sure the id is unique
report-host = myserver.example.com # this should also be unique, so that your master knows which slave it is talking to
log-bin = /var/log/mysql/mysql-bin.log

Once that is setup, you can run a GRANT statement similar to the one above to add a user to do replication, or you can just give that user REPLICATION_SLAVE privileges.

IMPORTANT: If you run this on an existing slave-master setup, it will break replication, as the REQUIRE SSL statement seems to apply to all privileges granted to this user, and we haven’t told it what certificate and key to use. So run the CHANGE MASTER TO statement further down, and then come back here to enforce SSL for your replication user.

GRANT REPLICATION SLAVE ON *.* TO 'database-user'@'%' REQUIRE SSL;

Now we’re ready to synchronize the database from the master to the slave the first time. The slave needs 3 things:

  1. a dump of the existing data
  2. the binary log filename, as MySQL adds a numerical identifier to the log-bin setting above, and increments this periodically as it the binary logs hit their max size
  3. the position within the binary log where the slave should start applying changes

The hard way (that I used 3 years ago), can be found in the MySQL Documentation. The easy way is to use mysqldump (found on a different page in the MySQL docs), which you probably would have used anyway for obtaining a dump of the existing data:

mysqldump --all-databases --master-data -u root -p > dbdump.db

By using the –master-data flag, it will insert items #2 and #3 into the SQL file generated, and you will avoid having to hand type the binary log filename and coordinates. At any rate, you then need to login via your MySQL client on the slave server, and run a few commands at the MySQL prompt to prep the slave for the import (replacing the values as appropriate:

mysql -uroot -p
mysql> STOP SLAVE;
mysql> CHANGE MASTER TO
    -> MASTER_HOST='master_host_name',
    -> MASTER_USER='replication_user_name',
    -> MASTER_PASSWORD='replication_password';
exit

Then you can import the dbdump.db file (copy it from the master using SCP or SFTP):

mysql -uroot -p < dbdump.db

Once that is imported, we want to make sure our replication is using SSL. You can also run this on an existing server to upgrade the connection to SSL, but be sure to STOP SLAVE first:

mysql> CHANGE MASTER TO MASTER_SSL=1,
    -> MASTER_SSL_CA='/etc/mysql/cacert.pem',
    -> MASTER_SSL_CERT='/etc/mysql/client-cert.pem',
    -> MASTER_SSL_KEY='/etc/mysql/client-key.pem';

After that, you can start the slave:

START SLAVE;

Give it a few seconds, but you should be able to run this to check the status pretty quick:

SHOW SLAVE STATUS\G;

A successfully running slave should say something like “Waiting for master to send event”, which simply indicates that it has applied all transactions from the master, and is not lagging behind.

If you have additional slaves to setup, you can use the same exact dbdump.db and all the SQL statements that followed the mysqldump command, but if you add them a month or so down the road, there are two ways of doing it:

  1. Grab a fresh database dump using the mysqldump command, and repeat all of the steps that followed the mysqldump command above.
  2. Stop the MySQL service on an existing slave and the new slave. Then copy the /var/lib/mysql/ folder to the new slave and make sure it is owned by the MySQL user/group: chown -R mysql:mysql /var/lib/mysql/ Lastly, start both slaves up again, and they’ll catch up pretty quick to the master.

Conclusion

In a distributed environment, securing your MySQL communications is an important step in preventing unauthorized access to your services. While it can be a bit daunting to put all the pieces together, it is well worth the effort to make sure no one can intercept traffic from your MySQL server(s). The EWWW I.O. API supports encryption at every layer of the stack, to make sure our customer information stays private and secure. Doing so in your environment creates trust with your user base, and customer trust is a precious commodity.

Security

As a precaution, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
Shane Bishop

Contact: https://ewww.io/contact-us/

Twitter: https://twitter.com/nosilver4u

Facebook: https://www.facebook.com/ewwwio/

Check out the fearby.com guide on bulk optimizing images automatically in WordPress.  Official Site here: https://ewww.io/

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

V1.1 added shodan.io info

Update OpenSSL on a Digital Ocean VM

by

You may be reading this after reading my guide here https://fearby.com/article/adding-a-commercial-ssl-certificate-to-a-digital-ocean-vm

Related Guide:  How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.

Having strong SSL and security is a constant battle.  Recently a bug  OpenSSL Padding Oracle vulnerability (CVE-2016-2107) in OpenSSL. More information here.

You can check your websites SSL security here https://www.ssllabs.com/ssltest/ and this this tool https://filippo.io/CVE-2016-2107/.

Hopefully you do not see this:

oraclecve

How to Fix (1/2) – Update Misc.

sudo apt-get update
sudo apt-get dist-upgrade

How to Fix (2/2) – Manual Update OpenSSL

Head on over to ftp://ftp.openssl.org/source/ and check the filename of the latest update.

Run the following commands in a terminal.

wget ftp://ftp.openssl.org/source/openssl-1.0.2h.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz 
cd openssl-1.0.1g 
./config --prefix=/usr/ 
make 
sudo make install

You can verify you are running the latest OpenSSL by typing:

[email protected]:~/temp/openssl-1.0.2h# openssl version
OpenSSL 1.0.2h  3 May 2016

You may also need to restart your web server:

sudo service nginx restart

Review more security advice here: https://wiki.ubuntu.com/Security/Upgrades

Re test your website with https://filippo.io/CVE-2016-2107/.

Security

Cheap may not be good (hosting or DIY), do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.

I hope this helps.

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

How to buy a new domain (dedicated server from digital ocean) and add a SSL certificate from namecheap.

by

This guide will show you how to buy a domain and and link it to a Digital Ocean VM.

Update (June 2018): I don’t use Digital Ocean anymore. I moved my domain to UpCloud (they are that awesome). Use this link to signup and get $25 free credit. Read the steps I took to move my domain to UpCloud here.

Upcloud Site Speed in GTMetrix

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

This old post is available fyi,

1. How to buy a new website domain from namecheap.com

1.1 Create an account at namecheap.com then navigate to registrations

1.2 Search for your domain (don’t forget to click show more to see other domain extension types).

1.3 Select the domain you want.

1.4 I am going to opt for a free year of Free WhoisGuard – (WhoisGuard is a service that allows customers to keep their domain contact details hidden from spammers, marketing firms and online fraudsters. When purchased, the WhoisGuard subscription is permanently assigned to a domain and stays attached to it as long as the fee is paid).

1.5 I will also opt-in into the discounted PositiveSSL for $2.74 (bargain) (fyi: name cheap ssl types).

1.6 Check the name cheap coupons page and apply this months coupon for 10% off.

1.7 Confirmed the order for $11.05 USD.

1.8 Congratulations you have just ordered a domain and SSL certificate.

More details: https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars

2. Create a http://www.c9.io account

This will give you a nice UI to manager your unmanaged server.

2.1 Upgrade from the free account to the “Micro $9.00 / monthly” at https://c9.io/account/billing (this will allow you to use the c9.io IDE to connect to as many Ubuntu VM’s as you wish).

3. Buy the hosting (droplet) from digital ocean

3.1 Go to https://wwww.digitalocean.com and create an account and log in.

Note: If you are adding an additional server (droplet) to a digital ocean account and you want the droplets to talk to each other make sure your existing servers have a private network setup.

3.2 Click Create Droplet

3.3 Enter a server name: e.g “yourdomainserver”

3.4 Select a Server Size (this can be upgraded later), Digital Ocean recommends a server with at least 30GB for a WordPress install (but you can upgrade later).

3.5 Select an Image (you can stick with a plain ubuntu image) but it may save you time to install an image with the LAMP stack already on it.

LAMP stack is a popular open-source web platform commonly used to run dynamic websites and servers. It includes Linux, Apache, MySQL, and PHP/Python/Perl and is considered by many the platform of choice for development of high-performance web applications which require a solid and reliable foundation.  I will select LAMP.

3.6 Tick “private networking” if you think you may add more servers later (growing business)?

3.7 Paste in your SSH key from your c9.io account at https://c9.io/account/ssh (this is important, don’t skip this).

3.8 Click Create Droplet

3.9 Congratulations you have just created an Ubuntu VM in the cloud.

3.10 If you type your droplets IP into a web browser it should load your pages from your web server.

3.11 You can view your ubuntu droplet details in the digital ocean portal.  You may need to reboot the server, make snapshots (backups) of reset passwords here.

3.12 You will need to change your droplets root password that was emailed to you from digital ocean (if you never received one you can reset a root password change in the digitalocean.com portal).  You can change your password by using the VNC window in the digital ocean portal https://cloud.digitalocean.com/droplets/ -> Access -> Console Access). If you had no luck changing you password with the VNC method you may use your Mac terminal and type: ssh [email protected] (where xx is your droplets IP) – then type yes, enter your password from the digital ocean email and change the password to a new/strong password (and write it down).

3.13 Now we will need to install the distro stable nodejs (for c9.io IDE) into the droplet by typing “sudo apt-get update” then “sudo apt-get install nodejs“.

4. Now we can link the digital ocean ubuntu server to the http://www.c9.io IDE.

4.1 Login to your c9.io account.

4.2 Click Create a new workspace.

4.3 Enter a Workspace name and description.

4.4 Click Remote SSH Workspace

4.5 Enter “root” as the username

4.6 Type in your new servers IP (obtained from viewing your droplet at digital ocean https://cloud.digitalocean.com/droplets ).

4.6 Set the initial path as: ./

4.7 Set the NodeJS path as: /user/bin/nodejs

4.7 Ensure your SSH key is the same one you entered ito the droplet.

4.8 Click Create Workspace.

Troubleshooting: If your workspace cannot login you may need to SSH back into your droplet (via Digital ocean VNC or telnet SSH and paste your c9.io SSH key into the ~/authorized_keys file and save it). I used the command “sudo nano ~/.ssh/authorized_keys”, pasted in my c9.io SSH key then pressed CTRL+0 then ENTER then CRRL+X

4.9 If all goes well you will see c9.io now has a workspace shortcut for you to launch your website.

4.10 You will be able to connect to your droplet from c9.io and edit files or upload files (without the hassle of using SFTP and CPanel).

5. No we will link the domain name to the IP based droplet.

5.1 Login to your name cheap account.

5.2 Click “Account” then  “Domain List“, turn off domain parking and then click  “Manage”  (next to the new domain) then click “Advanced DNS

5.3 Click “Edit” next to “Domain Nameserver Type” then choose “Custom“.

5.4 Add the following three name servers “ns1.digitalocean.com“, “ns2.digitalocean.com” and “ns3.digitalocean.com” and click “Save Changes“.

namecheapnameservers

5.5 Login to https://cloud.digitalocean.com/domains and select your droplet and type your domain name (e.g “yourdomain.com”) into the domain box and select your droplet

5.6 Configure the following DNS A Name records “@”-“XXX.XXX.XXX.XXX” where XXX is our server name and CName Records “www”-“www.yourdomain.com.” and “*”-“www.yourdomain.com.”

It can take from 24-48 hours for DNS to replicate around the world so I would suggest you goto bed at this stage: You can use https://www.whatsmydns.net/#A/yourdomain.com to check the DNS replication progress.

5.7 But if you are impatient check out the DNS replication around the world using this link: https://www.whatsmydns.net

fyi: The full name cheap DNS guide is here.

fyi: The Digital Ocean DNS guide is located here

Setup a SSL Certificate

You can skip section 6 to 6.17 and install a free SSL certificate if you wish (read this guide on using Lets Encrypt ).

Follow the rest of this guide if you want to buy an SSL cert from Namecheap (Comodo (Lets Encrypt is easier)).

6. Login to the Namecheap server.

6.1 Open your c9.io workspace to your domain

6.2 Click the Windows then New Terminal menu

6.3 Type: cd ~/.ssh/

6.4 openssl req -newkey rsa:2048 -nodes -keyout servername.key -out servername.csr

6.2 Type the following to generate CSR files  (my server is “servername.com”, replace this with your server name ).

# cd ~/.ssh
.ssh#

openssl req -newkey rsa:2048 -nodes -keyout servername.key -out servername.csr

Generating a 2048 bit RSA private key
.............................+++
............+++
writing new private key to 'servername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:New South Wales
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fearby.com
Organizational Unit Name (eg, section) []:Developer
Common Name (e.g. server FQDN or YOUR name) []:servername.com
Email Address []: [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:****************
string is too long, it needs to be less than  20 bytes long
A challenge password []:***************
An optional company name []:Your Nmae
~/.ssh# ls -al
total 20
drwx------ 2 root root 4096 Oct 17 10:20 .
drwx------ 7 root root 4096 Oct 17 10:17 ..
-rw------- 1 root root  399 Oct 17 08:06 authorized_keys
-rw-r--r-- 1 root root 1175 Oct 17 10:20 servername.csr
-rw-r--r-- 1 root root 1704 Oct 17 10:20 servername.key

6.3 Using the folder structure in c9.io browser to /root/.ssh/ and open the text file “servername.csr” and copy the file contents.

6.4 In a separate window go to https://ap.www.namecheap.com/ProductList/SslCertificates paste in the “” file contents and click Submit

6.5 Verify your details and click next

6.6 Next you will need to verify your domain by downloading and uploading a file to your server. Under “DCV Method” select “HTTP” and follow the prompts at name cheap to download the file.

6.7 Complete the Form (company contacts and click next).

6.8  Go to Certificate Details page to download the validation file. Or you can wait for the email with zip file attached.

fyi: the support forums for this certificate are https://support.comodo.com (but the site is rubbish, most pages load empty (e.g this one)).

6.9 Under “DCV Methods in Use” click ‘Edit Methods” then “Download File”

6.10 Using the c9.io interface upload the file to the /var/www/html folder (drag and drop)

6.11 Wait 1/2 hour and then go back to your name cheap dashboard and see if the certificate has been verified (it may take longer than that).

6.12 After a while a certificate will be issued, Unser See Details click Download Certificate.

6.13 Upload the certificate files (“weatherpanorama_link.ca-bundle”,”weatherpanorama_link.crt” and “servername.p7b” ) files using the c9.io IDE to /root/.ssh/

6.14 Add this “ServerName localhost” to “/etc/apache2/apache2.conf”.

6.16 In a c9.io terminal run this command “sudo nano /etc/hosts” and add this line “127.0.0.1 servername.com”

6.17 Run this command in a  c9.io terminal  ‘sudo a2enmod ssl”

fyi: Comodo support forums: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/1

fyi: Comodo apache certificate installation instructions: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/certificate-installation-apache–mod_ssl

Don’t forget to cache content to optimise your Web server

Security

Having a server introduces risks, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
todo: SSL https://www.namecheap.com/support/knowledgebase/article.aspx/794/67/how-to-activate-ssl-certificate

Easily deploy an SSD cloud server on @DigitalOcean in 55 seconds. Sign up using my link and receive $10 in credit: https://wwww.digitalocean.com

end skip —

Seriously Lets Encrypt allows you to add an  SSL cert in minutes (over Comodo SSL certificates)

Donate and make this blog better


Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.7 added some more.

Adding a commercial SSL certificate to a Digital Ocean VM

by

fyi: Consider reading this first (newer blog post):  How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.

If you have read my quickest way to setup a scalable development ide and web server guide chances are you setup a www.c9.io development IDE connected and Digital Ocean Ubuntu VM in the cloud for about $5 a month.  It did not take me long to install an NGINX web server, PHP, MySQL and phpMyAdmin sites. The next logical step is to secure my site with an SSL certificate.

I have purchased commercial SSL certificate in the past for a CPanel sub domain and they cost about $150 a year.  I always thought the certificate was set in stone and if it was a weak certificate it would perform poorly in the essential https://www.ssllabs.com/ssltest/index.html certificate tester.

I ran a quick test over my previously purchased managed host provided certificate (lets just say it performs poorly).

Managed WebServices SSL
Managed WebServices SSL Report

Generating a $0 self signed SSL Certificate (Digital Ocean VM)

Digital Ocean have fantastic guides and I searched Google for “digital ocean how to create an ssl certificate” and read this guide. Within a few minutes I had generated a self signed certificate and added it to my NGINX config and had SSL enabled on my site.  The only problem the certificate said it was not trusted by a third party (this may be ok for a closed development box but it would not be good on a production environment).

Self Signed Certificates are not trusted
Self Signed Certificates are not trusted

Generating a $9 commercial SSL Certificate (Digital Ocean VM)

I googled and found this Digital Ocean guide How To Install an SSL Certificate from a Commercial Certificate Authority.

Without listing each step I performed I was able to generate a “key” and “csr” file (from the digital ocean guide, I ignored the Namecheap’s guide). These files are needed to seed the commercial SSL certificate.

I decided to buy a domain certificate from RapidSSL via Namecheap (as they responded to a Livechat support request where GoDaddy ignored the live chat). A Namecheap certificate for my subdomain was going to cost me $9 US a year (that is mega cheap compared to the $150 a CPanel host was going to charge me).  Maybe the $9 certificate will be crap?

I followed the digital ocean guide and to my surprise I had a valid certificate emailed to me within 15 minutes once I followed the process to purchase, verify activate the certificate. To Namecheap’s credit the live chat person (“Anastasia B”) stuck with me as answered frequent questions I had (I thought $9 was too good to be true).

Once I had the commercial keys I was able to generate the private/public keys that feed into the commercial certificate with this command (replace “thesubdomain” with your subdomain and the “the domain” with your domain, if you are not applying the certificate to a subdomain then exclude the sub domain.).

>cd /etc/nginx/ssl/

> openssl req -newkey rsa:2048 -nodes -keyout thesubdomain_thedomain_com.key -out thesubdomain_thedomain_com.csr

The contents of the locally generated certificates were then pasted into the Namecheap SSL pages based on the digital ocean guide. At the end of the Namecheap purchase and verification process I was emailed 4 files that make up the certificate. The Digital Ocean and Namecheap guides were a bit short on combining the certificated but this was the working command to merge the bits intone valid certificate.

> cd /etc/nginx/ssl/

>cat thesubdomain_thedomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> cert_chain.crt

Then all I had to do was configure NGINX to use the certificate.

> listen 443 ssl;
> server_name thesubdomain.thedomain.com;
> ssl_certificate /etc/nginx/ssl/cert_chain.crt;
> ssl_certificate_key /etc/nginx/ssl/thesubdomain.thedomain.key;

SSL Enabled

A quick restart of the NGINX server and the certificate was good to go, I now had trusted SSL certificate enabled on my site.

I ran a SSL labs test over the site and got a lame C ranking.  WTF, I though SSL was supposed to make sites secure. Maybe there is more I can do to make this secure.

SSL Test After Install
SSL Test After Install

Research and Lockdown Mode

I googled as much as I could find on NGINX and SSL security.

Essential reading:

To me the biggest failing point in the OpenSSL test was a weak PRIME in the Diffe-Hellman crypto,  I thought I could just disable these crypto algorithms but this was not the case.  The secret is to generate a new 2048 bit key on my digital ocean server for ssl to use in connections with browsers instead of the known 1024 bit key.  This was as simple as running this command (and waiting 10 mins):

>cd /etc/nginx/ssl/

> openssl dhparam -out dhparams.pem 2048
>Generating DH parameters, 2048 bit long safe prime, generator 2
>This is going to take a long time

Then when the key is generated you can add it to your NGINX config

>  ssl_dhparam /etc/nginx/path/dhparams.pem;

So after much trial and error this is the bulk of my NGINX configuration

listen 443 ssl;

# Change to your server
server_name thesubdomain.thedomain.com;
# Location of the private key and merged certificates
ssl_certificate /etc/nginx/ssl/cert_chain.crt;
ssl_certificate_key /etc/nginx/ssl/thesubdomain.thedomain.com.key;

# Here are the cyphers we are ignoring
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# Only use a small set of ciphers (may not work on older devices or browsers (but screw them)
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

# Force only allowing the ciphers above
ssl_prefer_server_ciphers on;

#use the 2048bit DH key
ssl_dhparam /etc/nginx/ssl/dhparams.pem;

# Don't allow old encryption methods like SSL3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Set SSL caching and storage/timeout values: 
# More info: http://nginx.com/blog/improve-seo-https-nginx/
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 4h;
# Prevent Clickjacking
add_header X-Frame-Options DENY;

# Prevent MIME Sniffing
add_header X-Content-Type-Options nosniff;

# Disable session tickets
ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7

# Use Google DNS
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# force https over http
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# No need to manually redirect all traffic to https as the header above does this
#rewrite ^/(.*) https://thesubdomain.thedomain.com/$1 permanent;

Conclusion

This is my result on SSLLabs SSL test now. Not bay for $9 and a few hours researching.

Final SSL Labs Score
Final SSL Labs Score

A big Thank You goes to “Anastasia B” on the Namecheap Livechat, they stuck with me while I jumped ahead and ignored the guides.

If you need an SSL certificate choose https://www.namecheap.com/ and don’t forget http://www.digitalocean.com for full access VM’s.

Also listen to this podcast of you an to understand how HTTPS and the internt works.

Also check out how to update your Open SSL and security: https://fearby.com/article/update-openssl-on-a-digital-ocean-vm/

Security

Having ssl may not be enough, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
Please signup for our newsletter
[mc4wp_form]

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]