Get A+ Grade in SSL vulnerability testing and prevent hacking.

Generate free wildcard SSL certificate using Let’s Encrypt — Certbot CLI.

Testing summary from www.ssllabs.com

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

It gives people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

If you want to know more about Let’s Encrypt, visit the official website: https://letsencrypt.org/

Points to note:

  • Let’s Encrypt does not provide OV or EV certificates, only DV certificates.
  • Certificates are valid for 90 days. You can read about why here.
  • You can renew them manually or automate the process.

Generate SSL certificates

We use Apache2 on Ubuntu 18.04. You can find instructions for other configurations on Certbot’s website: https://certbot.eff.org/.

First, add the repository:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Install Certbot for Apache:

sudo apt-get install certbot python-certbot-apache

Issue a wildcard SSL certificate covering all subdomains, *.mydomain.com:

sudo certbot certonly --manual --preferred-challenges=dns --email me@mydomain.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.mydomain.com'

Complete the DNS verification when Certbot asks for it: you just have to add a TXT record in your domain’s DNS to prove ownership of the domain name (wildcard certificates can only be validated with the DNS challenge, which is why the command above uses --manual with --preferred-challenges=dns).

Certbot then prints the paths where your wildcard SSL certificate and private key are stored.

Configure the certificate with Apache.

Edit your virtual host file to enable the SSL engine and point it at the certificates.

Sample path: /etc/apache2/sites-available/mydomain.com.conf

Set the certificate paths to the ones Certbot printed when it generated the certificate.
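The virtual host shown in the post is an image; the configuration below is an added example, not the post’s own file. It assumes Certbot’s default paths under /etc/letsencrypt/live/mydomain.com/ (replace them with the paths Certbot printed for you), a DocumentRoot of /var/www/mydomain.com, and that the ssl, headers and rewrite modules are enabled with a2enmod. It also includes the settings SSL Labs expects for an A+ grade, in particular HSTS.

```apache
# /etc/apache2/sites-available/mydomain.com.conf
# Added example for the Let's Encrypt wildcard certificate (not the post's own config).
# Paths below are Certbot's defaults; use the ones Certbot printed for you.

<VirtualHost *:80>
    ServerName mydomain.com
    ServerAlias *.mydomain.com
    # Send every plaintext request to HTTPS, keeping the requested host name
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName mydomain.com
    ServerAlias *.mydomain.com
    DocumentRoot /var/www/mydomain.com

    SSLEngine on
    # fullchain.pem holds the leaf plus intermediate; privkey.pem the private key
    SSLCertificateFile    /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

    # Only TLS 1.2 and 1.3; SSLv3/TLS 1.0/1.1 cost grade points at SSL Labs.
    # +TLSv1.3 needs Apache 2.4.36+ with OpenSSL 1.1.1; drop it if your build rejects it.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    # Forward-secret AEAD suites only (no RSA key exchange, no CBC, no RC4/3DES)
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS compression (CRIME) and session tickets (weaker forward secrecy) off
    SSLCompression off
    SSLSessionTickets off

    # OCSP stapling so clients need not contact Let's Encrypt's OCSP responder
    SSLUseStapling on

    # HSTS: SSL Labs requires it with a long max-age for an A+.
    # Only enable includeSubDomains once every subdomain is served over HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

# The stapling cache must be defined outside any <VirtualHost>
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
```

Run `sudo apache2ctl configtest` before `sudo systemctl reload apache2`, and re-test with SSL Labs afterwards to confirm the grade.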

Renewal process after 60–89 days.

Let’s Encrypt encourages automation, which is absolutely essential for ease of use. Note that a certificate obtained with --manual, as above, cannot be renewed unattended: Certbot will ask you to add the DNS TXT record again unless you supply a --manual-auth-hook script that creates it for you.

sudo certbot renew

SSL Vulnerability Testing

To make sure your certificate and TLS configuration have no known weaknesses, test them with dedicated testing tools. I recommend some of them here.

Using testssl.sh via Docker:

docker run --rm -ti drwetter/testssl.sh -U mydomain.com

Reference: https://github.com/drwetter/testssl.sh

One of the best online testing tools:

https://www.ssllabs.com/ssltest/analyze.html

You will get an A+ grade at the end of the test if your Apache server configuration follows the security best practices.

Thank you. I’m Aslam Anver; find me on GitHub and StackOverflow as aslamanver & Googlian.
