Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
It is arriving in Summer 2015, but until then, if you use ZPanel or Sentora, you will sadly have to do things a little differently.
To follow these instructions you will need to have SSH access to the server, and have Admin access to the ZPanel / Sentora panel.
First off, you will need to get a CSR (Certificate Signing Request) for your server. DigiCert has a nice online aid for this at digicert.com/easy-csr
This then gives me
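    openssl req -new -newkey rsa:4096 -nodes -out skippy_org_uk.csr -keyout skippy_org_uk.key -subj "/C=GB/ST=Utah/L=TARDIS/O=Skippy/OU=Dpt of Sexy/CN=skippy.org.uk"
to type into my (SSH) terminal. The -nodes option writes the private key to disk unencrypted, so keep the .key file readable only by root.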
Heading over to 123-reg to pick up a cheapish SSL certificate (£11.99 inc VAT), I needed to set up webmaster@skippy.org.uk to keep 123-reg / AlphaSSL happy. The enrolment takes about 12 hours and will result in a fair few emails being sent to you (you will need your .csr file).
One of the emails from 123 Reg will read like this:
Great news! Your SSL certificate has been issued and is now active.
Product type: 123-SSL
Valid for: 1years
What happens now?
You will now need to manually install your SSL certificate by following the instructions below.
Please note: Your SSL and intermediate certificates can be found at the bottom of this email. Both certificates must be installed on your server.
1) Using a text editor, copy the intermediate certificate text from the bottom of this email, (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As gs_intermediate_ca.crt on your server desktop.
2) Using a text editor, copy the SSL certificate text, from the bottom of this email (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As yourdomain.crt on your
3) For instructions on installing your certificate on your web server (different methods are required, depending on your web server and SSL certificate type) and information on backing up your certificate and private key, please see the following link: http://www.123-reg.co.uk/support/category/SSL-Certificates
MUST BE INSTALLED ON YOUR WEB SERVER:
Your Intermediate Certificate
…lots of text…
Your SSL Certificate (Formatted for the majority of web server software including IIS and Apache based servers):
…lots of text…
If you need any help, please visit our support site. There you will find useful guides and answers to common queries. You can also use the Contact Us option which sends a query email to our expert support staff.
All the best,
The 123-reg team
SSH into your server and make a folder for your certificates. As I am going to SSL skippy.org.uk, I will make my folder at /etc/ssl/certs/skippy.org.uk
In this folder you will need to put the following:
- gs_intermediate_ca.crt (comes via email from 123-SSL).
- root.crt (perhaps not needed, but downloaded from AlphaSSL anyway)
- root.der (perhaps not needed, but downloaded from AlphaSSL anyway)
- root.pem (perhaps not needed, but downloaded from AlphaSSL anyway)
- skippy.org.uk.crt (comes via email from 123-SSL).
- skippy.org.uk.csr (generated by command at the beginning)
- skippy.org.uk.key (generated by command at the beginning)
I needed to copy the files from Alpha SSL and the two I made above into /etc/ssl/certs/skippy.org.uk
Log into the ZPanel CP and find Module Admin:
All the way to Force Update and beyond
Override a Virtual Host Setting
Clicking on select Vhost brings up this screen
Now for the parts that make this SSL enabled:
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/skippy.org.uk/skippy.org.uk.crt
    SSLCertificateKeyFile /etc/ssl/certs/skippy.org.uk/skippy.org.uk.key
    SSLCACertificateFile /etc/ssl/certs/skippy.org.uk/gs_root.pem
    SSLCertificateChainFile /etc/ssl/certs/skippy.org.uk/gs_intermediate_ca.crt
    SSLProtocol -ALL +TLSv1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5
Note that SSLProtocol -ALL +TLSv1 enables TLS 1.0 only.
Once you have saved the above, you will want to ssh back into the server and run
    sudo php -q /etc/zpanel/panel/bin/daemon.php
    sudo apachectl restart
If there are any configuration errors (or files can't be found) you will need to look into why.
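A pre-restart check for the step above, as an added example that is not part of the original post: it reads the vhost override text, confirms that every file named by an SSL file directive exists and still has its PEM BEGIN line, and that the key is not readable by group or other. The function name check_vhost_ssl and the one-directive-per-line layout are assumptions. It would, for instance, flag that the folder listing above has root.pem while the config points at gs_root.pem.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the certificate
# files named by the SSL directives in a vhost override before restarting.
# Assumes one directive per line; check_vhost_ssl is a hypothetical name.
check_vhost_ssl() {
    conf=$1
    problems=0
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            SSLCertificateKeyFile) marker='PRIVATE KEY-----' ;;
            SSLCertificateFile|SSLCACertificateFile|SSLCertificateChainFile)
                marker='-----BEGIN CERTIFICATE-----' ;;
            *) continue ;;   # not a file directive we check
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
            problems=$((problems + 1))
            continue
        fi
        # Files pasted from the email must keep their PEM BEGIN/END lines.
        if ! grep -q -e "$marker" "$path"; then
            echo "NOTPEM $directive $path"
            problems=$((problems + 1))
        fi
        # The unencrypted (-nodes) key must not be readable by group/other.
        if [ "$directive" = SSLCertificateKeyFile ]; then
            mode=$(ls -lLd "$path" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "PERMS $path group/other bits: $mode"
                problems=$((problems + 1))
            fi
        fi
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# Run against a file when called as a script: sh check.sh override.conf
if [ -n "${1:-}" ]; then
    check_vhost_ssl "$1"
fi
```

`sudo apachectl configtest` checks the Apache syntax itself; this check covers the files behind the directives.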
Further to setting the above up, I visited an SSL test website, and it only gave me a C rating, so I changed
    SSLProtocol -ALL +TLSv1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5
to
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
but that doesn't seem to have fixed it yet :S