UPDATE: It’s about time to update this article or write a new one, now that Let’s Encrypt exists and the SPDY protocol has been deprecated in favor of HTTP/2.
Also see https://certbot.eff.org/ if you haven’t already.
Recently, I spent some time setting up Transport Layer Security (TLS, still commonly called SSL) for the sites https://bubbl.in and https://marvindanig.com. It was simple to do and went pretty much smoothly, except for a few warts here and there that the SSL industry seems generally plagued with. But more on that later.
Starting today, both Bubblin and Marvindanig are served only over HTTPS. For the record, all our traffic is now forced over TLS, and we have ensured forward secrecy as well (ECDHE key exchange in the Nginx cipher configuration, so a private key stolen later cannot decrypt traffic recorded today). On the Rails side the redirect is one line in config/environments/production.rb:
Marvindanig::Application.configure do
  # Redirects every HTTP request to HTTPS, adds the Strict-Transport-Security
  # header and marks the session cookie 'secure' (ActionDispatch::SSL middleware).
  config.force_ssl = true
end
I sourced our SSL certificate for $9 via NameCheap (a referral URL), but you can buy it from anywhere you like. For a domain-validated certificate the provider proves that you control the domain by emailing an address at that domain (typically admin@, webmaster@, hostmaster@ or postmaster@, or the WHOIS contact), so make sure one of those mailboxes actually works before you order.
Setting up SSL certificate is easy but it does take some time. It took about 45 minutes for me to get it up and running so that will give you some idea about what follows below.
Here are the steps, if you’re on an Ubuntu/Linux distro with Nginx/Unicorn serving your app:
SSH/login to your server
1. Install OpenSSL
$ apt-get update
$ apt-get upgrade
$ apt-get install openssl
$ mkdir /etc/ssl/certs #if this directory doesn’t exist already.
2. Issue a Certificate Signing Request (CSR)
Go into the certs directory
$ cd /etc/ssl/certs
$ openssl req -new -newkey rsa:2048 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr
(-nodes leaves the key unencrypted so Nginx can start without a passphrase prompt. A -days option is pointless on a CSR, the CA decides the certificate’s validity period, so it is omitted here. The key file is created with whatever permissions your OpenSSL version uses; the next step locks it down.)
This is what you’ll see next:
Generating a 2048 bit RSA private key
......................................................++++++
....++++++
writing new private key to 'www.mydomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompanyName
Organizational Unit Name (eg, section) []:Web Product
Common Name (eg, YOUR name) []:www.yourdomain.com
Email Address []:admin@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Ignore the extra attributes if you want (leave the challenge password blank; the CA does not use it). The Common Name must be the exact hostname visitors will use, www.yourdomain.com here, because that is the name the CA puts on the certificate and the name browsers check. You now have a .key and a .csr file in your certs directory: the .csr is what you send to the provider, the .key never leaves the server.
Secure the generated key with the following command:
$ chmod 400 /etc/ssl/certs/www.mydomain.com.key
Better still, move the .key file into the private directory of your server (/etc/ssl/private, which is mode 0700 and root-only on Ubuntu, and where you’ll also find another file with an interesting name: ssl-cert-snakeoil.key) and apply the same chmod there. The Nginx configuration in step 4 reads the key from that location.
3. Buy a Commercial SSL certificate
Now use the .csr file created above to obtain a signed certificate from NameCheap or another provider. Once the purchase is complete and you have clicked the validation email, you’ll receive a zipped package containing all your certs: the signed certificate for your domain name plus the intermediate and root certificates.
1. Download the zipped folder and unpack its contents. You’ll see a couple of cert files that look something like this:
www_bubbl_in.crt (www_yourdomain_com.crt)
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt
2. Log in to your server and copy all the certs into the /etc/ssl/certs directory.
You can also use the latest version 3+ Capistrano-Unicorn-Nginx recipe to handle all things SSL from the comfort of your computer, but I recommend doing it step-by-step manually.
Now chain all the certificates provided above into one file with the cat command, as shown below. I fail to understand why this complication of chaining SSL certificates into one file has been left to customers at all, but:
$ cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www.yourdomain.com.chained.crt
The order of the filenames matters: your own certificate first, then each intermediate in issuing order, the root last. Nginx sends this file as the TLS certificate chain and treats the first entry as the server certificate, so a file that starts with an intermediate fails at startup with a key mismatch error. The root is optional (clients already hold it in their trust store and it only adds bytes to every handshake), but including it does no harm. We’re all set.
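Before installing the chained file, check it the way Nginx and a browser will read it. The script below is an added example, not code from the original post; it builds a throwaway root, intermediate and server certificate locally (all names such as "Example Root CA" and www.example.test are made up) so it runs offline, then shows that the key matches the first certificate and the chain verifies for the correct order, and that both checks fail when the same certificates are concatenated in the wrong order. To use it on a real bundle, call check_bundle with your chained file and key and point ROOT at the CA’s root certificate.

```shell
#!/bin/sh
# Added example (not the original post's code). Three checks a practitioner
# wants before putting a purchased certificate into Nginx:
#   1. the private key belongs to the FIRST certificate in the chained file,
#   2. the chained file verifies up to the root when read like a TLS client
#      reads it (first block = server cert, remaining blocks = intermediates),
#   3. both checks FAIL for a file concatenated in the wrong order.
# A throwaway root -> intermediate -> leaf hierarchy is generated locally so
# the script runs offline; every name in it is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate a CA (intermediate and root).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for the server certificate.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

q() { "$@" >/dev/null 2>&1; }   # run a command silently; set -e still aborts on failure

# Root CA (self-signed).
q openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' -keyout root.key -out root.csr
q openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt

# Intermediate CA, signed by the root.
q openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' -keyout int.key -out int.csr
q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out int.crt

# Server certificate, signed by the intermediate (what the CA sends back).
q openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' -keyout leaf.key -out leaf.csr
q openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.crt

ROOT=root.crt                         # trust anchor used by check_chain
cat leaf.crt int.crt > chained.crt    # correct: server cert first, then intermediates
cat int.crt leaf.crt > wrong.crt      # wrong order

# 1. Does the key match the FIRST certificate in the file? 'openssl x509' reads
#    only the first PEM block, which is exactly what Nginx pairs with
#    ssl_certificate_key (a mismatch is its "key values mismatch" startup error).
check_key_matches() {   # $1 = chain file, $2 = private key; exit 0 on match
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 2. Does the chain verify up to the trusted root, reading the file like a
#    client does? A CA certificate in first position means the order is wrong;
#    -untrusted supplies the remaining blocks as candidate intermediates and
#    -purpose sslserver checks the first block is usable as a server cert.
check_chain() {         # $1 = chain file; exit 0 when the chain is valid
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    return 1
  fi
  openssl verify -purpose sslserver -CAfile "$ROOT" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Both checks; this is the function to run against a real bundle.
check_bundle() {        # $1 = chain file, $2 = private key
  check_key_matches "$1" "$2" && check_chain "$1"
}

report() {
  if check_bundle "$1" leaf.key; then echo "$1: OK (install this)"; else echo "$1: FAILED"; fi
}
report chained.crt    # correct order
report wrong.crt      # intermediate first: key mismatch and CA in leaf position
```

The key comparison is the check worth remembering: it catches a wrong order, a bundle from a different order, and a key regenerated after the CSR was submitted, all of which produce the same unhelpful Nginx error.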
4. Configure Nginx and Restart
The server block in your Nginx configuration (inside the /etc/nginx/sites-enabled folder) will look something like this:
server {
    listen 443 ssl spdy;
    ssl_certificate /etc/ssl/certs/www.yourdomain.com.chained.crt;
    ssl_certificate_key /etc/ssl/private/www.yourdomain.com.key;
    …
}
Note we’ve also enabled SPDY alongside SSL in there. ☺ (As the update at the top says, SPDY is gone: Nginx removed it in 1.9.5, and the equivalent today is the http2 parameter on the listen directive.)
Test the configuration with nginx -t, reload Nginx, and voilà, your site is SSL-ready!
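For comparison, here is the fuller server block I would write for the same setup today. It is an added example, not the configuration from the original post: http2 replaces the removed spdy, a plain-HTTP block redirects to HTTPS, the protocol and cipher settings are what actually deliver the forward secrecy claimed above, and X-Forwarded-Proto is passed upstream so Rails’ force_ssl does not redirect in a loop behind the proxy. The domain name, the certificate paths from the steps above and the Unicorn socket path are assumptions; adjust them to your deployment.

```nginx
# Added example, not the original post's config. Assumed: www.yourdomain.com,
# the cert/key paths from the steps above, a Unicorn socket at
# /var/run/unicorn.sock, and Nginx 1.13+ with OpenSSL 1.1.1+ for TLS 1.3.

# Plain HTTP answers nothing but a redirect to HTTPS.
server {
    listen 80;
    server_name www.yourdomain.com yourdomain.com;
    return 301 https://www.yourdomain.com$request_uri;
}

server {
    listen 443 ssl http2;             # http2 replaces spdy (removed in Nginx 1.9.5)
    server_name www.yourdomain.com;

    # Server certificate first, then the intermediates (step 3 above).
    ssl_certificate     /etc/ssl/certs/www.yourdomain.com.chained.crt;
    ssl_certificate_key /etc/ssl/private/www.yourdomain.com.key;

    # No SSLv3, TLS 1.0 or TLS 1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    # ECDHE-only TLS 1.2 suites: each session gets a fresh key exchange, so a
    # stolen private key cannot decrypt recorded traffic (forward secrecy).
    # TLS 1.3 suites are not configured here; they are all forward secret.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    # Session resumption via the server-side cache only: a ticket key that
    # lives across restarts would undo forward secrecy for resumed sessions.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: Nginx fetches the revocation status and attaches it to
    # the handshake. Needs the intermediates and root in
    # ssl_trusted_certificate and a DNS resolver it can reach (assumed local).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/www.yourdomain.com.chained.crt;
    resolver 127.0.0.1 valid=300s;

    # HSTS for a year. Rails' force_ssl sends this too, but setting it here
    # also covers assets and error pages served by Nginx itself.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Without X-Forwarded-Proto Rails sees plain HTTP from the proxy and
        # force_ssl redirects every request back to https: an endless loop.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://unix:/var/run/unicorn.sock;
    }
}
```

Run nginx -t after editing and reload rather than restart, so existing connections are not dropped. The cipher list is the part to keep current: anything without ECDHE in the name, or with RC4, 3DES or CBC-SHA1, gives up forward secrecy or a known weakness and costs points on the Qualys test mentioned below.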
While you’re at it, make sure the server is patched against Heartbleed (CVE-2014-0160, a bug in the OpenSSL library rather than in your certificate; apt-get upgrade on a supported release pulls in the fixed libssl) and other known SSL/TLS vulnerabilities. If the server ever ran a vulnerable OpenSSL with this key, generate a new key and reissue the certificate, since the old one may have been read out of memory. Ask your hosting provider for more details.
To verify that everything is set up correctly, run the Qualys SSL Labs Server Test online (https://www.ssllabs.com/ssltest/); it checks the chain order, protocol and cipher configuration, forward secrecy and known vulnerabilities from the outside.
We scored an A+ there.