Get A+ Grade in SSL vulnerability testing and prevent hacking.
Generate free wildcard SSL certificate using Let’s Encrypt — Certbot CLI.
Certbot is a Python CLI which helps to generate certificates.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
It gives people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
If you want to know more about Let’s Encrypt visit the official website https://letsencrypt.org/
Points to note:
- Let’s Encrypt does not provide OV or EV certificates only DV.
- Certificates are valid for 90 days. You can read about why here.
- You can renew it manually either automate the process.
Generate SSL certificates
We use Apache2 on Ubuntu 18.04. You can refer instructions for other configurations on the Certbot’s website https://certbot.eff.org/.
First, add the repository:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Install Certbot for Apache:
sudo apt-get install certbot python-certbot-apache
Install Wildcard SSL certificate for all the domains *.mydomain.com
sudo certbot certonly --manual --preferred-challenges=dns --email firstname.lastname@example.org --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.mydomain.com
Please do DNS verification if it’s asked from Certbot. You just have to add a TXT record in your server to make sure the ownership of your domain name.
Now you can see the stored paths of your Wildcard SSL certificates.
Configure the certificate with Apache.
You can edit your virtual host files as per the SSL engine with the certificates.
Sample path: /etc/apache2/sites-available/mydomain.com.confg
You need to edit the certificate paths as per the Certbot result when generate.
Renewal process after 60–89 days.
Let’s Encrypt encourages automation, which is absolutely essential for ease-of-use
sudo certbot renew
SSL Vulnerability Testing
In order to make sure your certificate has no vulnerabilities, you can test the certificate using testing tools. I recommend some of them here.
Using Docker “testssl.sh”
docker run --rm -ti drwetter/testssl.sh -U mydomain.com
One of the best online testing tools.
You will get an A+ grade at the end of the testing if your apache server configurations are under the best security practices.