Free Letsencrypt certificate guide + question (misconfigured chain)

This new Letsencrypt feature rocks (for webmin admin and virtual servers).
My server is Debian Wheezy + latest Virtualmin.

Virtualmin virtual server

  1. Enable SSL for domain (Administration Options>Enabled features)

  2. Forward 443 port to your server

  3. Install Letsencrypt certificate for domain (Server Configuration>Manage SSL Certificate>Let’s Encrypt)
    In “Months between automatic renewal” field enter “2”, hit Request Certificate. Now you have installed your free certificate.

  4. Make a redirect from http to https (optional):
    Add something like this to your .htaccess:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

Test your settings here: https://www.ssllabs.com/ssltest/
You will probably get a B or B- score. If you want an A score, follow these additional steps:

  1. Your site will probably work OK in Chrome, but not in Firefox, because you must add the correct key chain. You can generate it here: https://whatsmychaincert.com/
    Enter your domain and hit “Test”. Download the generated .crt file and upload it to your domain's root.

  2. Go to /etc/apache2/sites-enabled/, open your domain's .conf file and find these lines (at the end):

SSLEngine on
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca

Add this line:

SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt

Now you need to enable Forward Secrecy and block RC4 (for best security). You can edit SSLCipherSuite line to suit your needs.

Add these 3 lines:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA$

So your SSL configuration looks like:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA$
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca
SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt

RESTART APACHE SERVER and run the test again: https://www.ssllabs.com/ssltest/

If everything is OK you should get an A score.

Feature request:
Virtualmin could automatically generate the proper key chain so you wouldn’t need to manually generate it and add this line:
I don’t know yet what will happen on renew.

SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt

Maybe I missed something. Thank you!

Sources:
https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
https://www.virtualmin.com/node/38853

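The write-up above fixes four things by hand (the missing intermediate chain, SSLv3, the cipher order, and RC4), and it is easy to lose one of them on the next edit or renewal. Below is an added example, not part of the post or of Virtualmin, that lints a vhost file for exactly those points. It reads Apache `SSL*` directives the way Apache does (directive names are case-insensitive, so the post's `SSlCertificateChainFile` spelling is accepted), treats a missing `SSLProtocol` as Apache 2.2's default `all` (which still includes SSLv3), and checks whether the cipher string can still negotiate RC4. The two vhost texts, the `/home/username/...` paths and the hardened cipher string in `AFTER` are constructed sample input; `POSTED_CIPHERS` is the visible part of the post's own `SSLCipherSuite`, which the check flags because it lists `EECDH+aRSA+RC4` as an allowed suite.

```python
"""Lint an Apache SSL vhost for the points the post fixes by hand (added example)."""
import re

# Constructed sample: the vhost roughly as Virtualmin writes it, before the edits.
BEFORE = """
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
    SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
    SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca
</VirtualHost>
"""

# Constructed sample: after the edits, with RC4 explicitly removed ("!RC4").
AFTER = """
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !MD5"
    SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
    SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
    SSlCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt
</VirtualHost>
"""

# The visible part of the cipher string from the post (its tail is cut off there).
POSTED_CIPHERS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
                  "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA")


def parse_ssl_directives(conf):
    """Map lowercase SSL* directive names to their unquoted values.
    Apache matches directive names case-insensitively, so mixed-case spellings are the same directive."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^(SSL\w+)\s+(.+)$', line, re.IGNORECASE)
        if m:
            directives[m.group(1).lower()] = m.group(2).strip().strip('"')
    return directives


def cipher_tokens(cipher_suite):
    """OpenSSL cipher lists are separated by ':', ',' or whitespace."""
    return [t for t in re.split(r'[\s:,]+', cipher_suite) if t]


def rc4_allowed(cipher_suite):
    """True if an RC4 suite is listed positively and not killed by a '!RC4' entry.
    Simplification: aliases such as HIGH or DEFAULT are not expanded here."""
    tokens = cipher_tokens(cipher_suite)
    if any(t.startswith('!') and 'RC4' in t.upper() for t in tokens):
        return False
    return any(not t.startswith(('!', '-')) and 'RC4' in t.upper() for t in tokens)


def sslv3_allowed(ssl_protocol):
    """Evaluate an SSLProtocol value; a missing directive means Apache 2.2's default 'all'."""
    enabled = set()
    for t in (ssl_protocol or 'all').split():
        if t.lower() == 'all':
            enabled |= {'sslv2', 'sslv3', 'tlsv1'}
        elif t.startswith('-'):
            enabled.discard(t[1:].lower())
        else:
            enabled.add(t.lstrip('+').lower())
    return 'sslv3' in enabled


def lint_vhost(conf):
    """Return a list of findings; an empty list means the vhost matches the hardened layout."""
    d = parse_ssl_directives(conf)
    findings = []
    if d.get('sslengine', 'off').lower() != 'on':
        findings.append('SSLEngine is not on')
    if sslv3_allowed(d.get('sslprotocol')):
        findings.append('SSLv3 enabled: add "SSLProtocol all -SSLv2 -SSLv3"')
    if d.get('sslhonorcipherorder', 'off').lower() != 'on':
        findings.append('SSLHonorCipherOrder off: the client, not the server, picks the cipher')
    if 'sslciphersuite' not in d:
        findings.append('no SSLCipherSuite: relies on the OpenSSL DEFAULT list (RC4 included on old releases)')
    elif rc4_allowed(d['sslciphersuite']):
        findings.append('an RC4 suite can still be negotiated')
    if 'sslcertificatechainfile' not in d:
        findings.append('no SSLCertificateChainFile: intermediate CA not served (incomplete chain)')
    return findings


if __name__ == '__main__':
    for name, conf in (('BEFORE', BEFORE), ('AFTER', AFTER)):
        print(name, lint_vhost(conf) or ['OK'])
    print('post cipher string allows RC4:', rc4_allowed(POSTED_CIPHERS))
```

Run it against a copy of the file in /etc/apache2/sites-enabled/ after each renewal; an empty findings list is what the SSL Labs test rewards with the A grade the post describes.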

Awesome write up! I really hope they add Let’s Encrypt for Nginx SSL website as well.

Is this still valid as of Webmin 1.881?
If you go to Webmin/Webmin Configuration/SSL Encryption
there is an option to select “Only strong ciphers with perfect forward secrecy”.
In addition, the test at https://whatsmychaincert.com/ returns a valid certificate with FF.

That said, it appears Webmin 1.881 has some problem with PFS. The version of Net::SSLeay (1.55) installed by default doesn’t support PFS and updating the module is not a straightforward process.
