Showing posts with label SSL. Show all posts

Thursday, June 13, 2024

SSL : Generating Single or Wildcard SSL CSR

** OpenSSL must be installed on your system

1. Single-name SSL Certificates

# openssl req -new -newkey rsa:2048 -nodes -keyout abc.com.key -out abc.com.csr

After pressing enter, you’ll be prompted with the following:

- Country Name (2 letter code) : Use your 2 char country code
- State or Province Name (full name) : Use your current State
- Locality Name (eg, city): City name
- Organization Name (eg, company) : Company name
- Organizational Unit Name (eg, section) : Your team in the organization.
- Common Name (eg, fully qualified host name): Domain name
- Email Address : Your official email address
- Password : Leave it blank.


2. Wildcard SSL Certificates

- Create a configuration file
# openssl.cnf

- Add parameter as below

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
commonName = *.abc.com
countryName = MY
stateOrProvinceName = <state>
localityName = <city>
organizationName = <org.name>

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1=abc.com
DNS.2=*.abc.com

- Generate private key
#openssl genrsa -out abc.com.key 2048

- Generate CSR
#openssl req -new -nodes -key abc.com.key -config openssl.cnf -out abc.com.csr


3. Verification of CSR
#openssl req -in abc.com.csr -noout -text
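The verification step above can be scripted so a CSR is rejected before it reaches the CA. This is an added example, not part of the original post; the function name `check_csr` and its messages are made up for illustration, and it uses only standard `openssl req` and `openssl pkey` options.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before it is sent to a CA.
# usage: check_csr <csr-file> <key-file> <expected-dns-name>...

check_csr() {
    csr=$1; key=$2; shift 2

    # 1. The CSR's self-signature must verify. The output text is matched
    #    because not every OpenSSL release reports a failure via exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: CSR signature does not verify" >&2; return 1; }

    # 2. The CSR must carry the public half of the key that will be deployed.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || {
        echo "FAIL: $csr was not generated from $key" >&2; return 1; }

    # 3. Every expected name must appear as an exact subjectAltName entry.
    #    One entry per line, then whole-line fixed-string matching, so that
    #    "*" stays literal and abc.com does not match abc.com.evil.test.
    sans=$(openssl req -in "$csr" -noout -text | grep 'DNS:' |
           tr ',' '\n' | sed 's/^[[:space:]]*//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -F -x -q -- "DNS:$name" || {
            echo "FAIL: $name missing from subjectAltName" >&2; return 1; }
    done
    echo "OK: $csr"
}

if [ "$#" -ge 2 ]; then check_csr "$@"; fi
```

For the wildcard request above, run it as `check_csr abc.com.csr abc.com.key abc.com '*.abc.com'`.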

Wednesday, May 15, 2024

Letsencrypt : Generate Let’s Encrypt Wildcard SSL Certificate

1. Install Let’s Encrypt Certbot Tool
#sudo apt-get install letsencrypt
OR
#sudo dnf install letsencrypt

2.Generate Let’s Encrypt Wildcard SSL Certificate
#sudo certbot certonly --manual --preferred-challenges=dns --email webmaster@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d example.com -d '*.example.com'

3.Certificates are generated and can be downloaded from the following path
#/etc/letsencrypt/live/example.com/

4. Generate a Let’s Encrypt SSL certificate manually using a DNS record with Certbot
- Create a variable for your desired domain
#DOMAIN=example.com

- Request a certificate using Certbot
#certbot certonly --manual -d "*.$DOMAIN" -d "$DOMAIN" --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email --rsa-key-size 4096

- Certbot will prompt with the value for a new DNS record
--------------------------------------------------------------------
Please deploy a DNS TXT record under the name _acme-challenge.example.com with the following value: XXXXXXXXXXXXXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
--------------------------------------------------------------------

- Copy the value and add it to the DNS server as a new TXT record
_acme-challenge.iderc.my.    3600    IN    TXT    "XXXXXXXXXXXXXXXXXXXXXXXXX"

- Before pressing Enter the second time, check that the records have been deployed

- Install Certificate and Key
The certificate and key are generated in the folder /etc/letsencrypt/live/example.com
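One way to do the "check that the records have been deployed" step, as an added example that is not part of the original post. When both `*.$DOMAIN` and `$DOMAIN` are requested, Certbot issues two challenges under the same `_acme-challenge` name, so both TXT values must be visible at once. The function names, nameserver argument and retry timing are assumptions; only `dig +short TXT` is a real interface here.

```shell
#!/bin/sh
# Added example: confirm ACME TXT values are published before continuing.

# txt_values_present <expected-value>...
# Reads `dig +short TXT <name>` output on stdin; succeeds only if every
# expected value is present as a complete record.
txt_values_present() {
    # dig prints each TXT string in double quotes; strip them.
    answers=$(tr -d '"')
    missing=0
    for want in "$@"; do
        # -F/-x: exact literal match; "--" because values may start with "-".
        printf '%s\n' "$answers" | grep -F -x -q -- "$want" || {
            echo "not yet visible: $want" >&2; missing=1; }
    done
    return "$missing"
}

# wait_for_txt <record-name> <nameserver> <expected-value>...
# Polls the given nameserver (ideally an authoritative one for the zone,
# so a cached negative answer is not mistaken for the live state).
wait_for_txt() {
    name=$1; ns=$2; shift 2
    tries=0
    until dig +short TXT "$name" "@$ns" | txt_values_present "$@"; do
        tries=$((tries + 1))
        [ "$tries" -ge 20 ] && return 1    # give up after about 10 minutes
        sleep 30
    done
}

# usage (values are the ones Certbot printed):
#   wait_for_txt "_acme-challenge.$DOMAIN" ns1.example.com VALUE1 VALUE2
```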

5. Generate a Let’s Encrypt SSL certificate manually using the HTTP challenge with Certbot
- Create a variable for your desired domain
#DOMAIN=example.com

- Request a certificate using Certbot (the HTTP challenge cannot validate wildcard names, so only $DOMAIN is requested here)
#certbot certonly --manual --preferred-challenges http -d "$DOMAIN" --agree-tos --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email --rsa-key-size 4096

- After you get the output, create an index.html with the above string
/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxx/index.html

- Install Certificate and Key
The certificate and key are generated in the folder /etc/letsencrypt/live/example.com

Tuesday, May 25, 2021

Generate a CSR (Certificate Signing Request) in Linux

1.Issue the following command to generate a CSR and the key that will protect your certificate.

#openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

2. After creating the CSR, view the contents of the files using cat

#cat example.com.csr
#cat example.com.key

 

source: https://www.tecmint.com/generate-csr-certificate-signing-request-in-linux/

Tuesday, February 16, 2016

Letsencrypt : Secure Apache on Virtualmin

The guide uses these placeholders:
<FOLDER DOMAIN> : the domain's folder in the Virtualmin directory
<FULL DOMAIN> : www.example.com
1. First install Let's Encrypt script/programme


Login to SSH and get root privileges (root/sudo -i):
cd /home/<FOLDER DOMAIN>/ && git clone https://github.com/letsencrypt/letsencrypt
OR
cd /root/ && git clone https://github.com/letsencrypt/letsencrypt
* This downloads Let's Encrypt from GitHub, including the executable script
2. Create the directory where you will save your certificate later on. This is needed because Virtualmin has a protection where it only allows a certificate from the user's/domain's directory:
mkdir /home/<FOLDER DOMAIN>/ssl
3. Setup your cronjobs by running: "sudo crontab -e"

01 3 1 * * cd /home/<FOLDER DOMAIN>/letsencrypt/ && ./letsencrypt-auto certonly --email info@<FULL DOMAIN> --agree-tos --webroot --renew-by-default -w /home/<FOLDER DOMAIN>/public_html/ -d <FULL DOMAIN> -d <FULL DOMAIN> --authenticator webroot && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/cert.pem /home/<FOLDER DOMAIN>/ssl/cert.pem && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/chain.pem /home/<FOLDER DOMAIN>/ssl/chain.pem && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/fullchain.pem /home/<FOLDER DOMAIN>/ssl/fullchain.pem && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/privkey.pem /home/<FOLDER DOMAIN>/ssl/privkey.pem
OR

01 3 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email info@MYDOMAIN --agree-tos --webroot --renew-by-default -w /home/<FOLDER DOMAIN>/public_html/ -d <FULL DOMAIN> -d MYDOMAIN.net --authenticator webroot && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/cert.pem /home/<FOLDER DOMAIN>/ssl/cert.pem && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/chain.pem /home/<FOLDER DOMAIN>/ssl/chain.pem && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/fullchain.pem /home/<FOLDER DOMAIN>/ssl/fullchain.pem && cp -f /etc/letsencrypt/live/<FULL DOMAIN>/privkey.pem /home/<FOLDER DOMAIN>/ssl/privkey.pem
* The above command copies the certificates to the correct directory after requesting them. It does this on the 1st of every month during the night. We do this every month because the certs are only valid for 90 days, which leaves plenty of time to repair things if something appears to be wrong with the cert later on.
All right! The hard part is done!
3.1 Please log into your Virtualmin admin panel, Select "Webmin -> System -> Scheduled Cron Jobs". Go to your newly created Cronjob by clicking on it and select "RUN NOW".
4. In Virtualmin, select your domain and go to "Edit virtual server", make sure that SSL is enabled under "Enabled features".
5. Under "Server configuration" go to "Manage SSL Certificate". Select the tab "Update Certificate and Key" and under "Signed SSL certificate" select the option "File on server", fill in the location of the certificate: "/home/<FOLDER DOMAIN>/ssl/cert.pem"
6. Do the same for section "Matching private key". Select: "/home/<FOLDER DOMAIN>/ssl/privkey.pem"
7. Click on "Install Now".
8. Switch to tab "CA Certificate", select "In file on server" and fill in: "/home/<FOLDER DOMAIN>/ssl/fullchain.pem"
9. Click on "Save Certificate". ***
DONE! ! ! It will now auto update every month :)
Go to your website with HTTPS,
source : https://www.virtualmin.com/node/38853
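
The cron job in step 3 copies the four PEM files with plain `cp`. The following added example (not from the original guide) puts checks in front of that copy: the certificate must not be close to expiry, it must match the private key, and the key is installed with mode 600. The function name `deploy_cert` and the 7-day default margin are assumptions; the file owner stays whoever runs the job.

```shell
#!/bin/sh
# Added example: gate the copy step of the cron job on basic checks.
# usage: deploy_cert <live-dir> <dest-dir> [min-seconds-of-validity-left]

deploy_cert() {
    live=$1; dest=$2; min_left=${3:-604800}    # default margin: 7 days

    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "refusing: $live/$f missing" >&2; return 1; }
    done

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$live/cert.pem" -noout -checkend "$min_left" >/dev/null || {
        echo "refusing: cert.pem expires within ${min_left}s" >&2; return 1; }

    # The certificate and the private key must belong to each other.
    cert_pub=$(openssl x509 -in "$live/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "refusing: cert.pem and privkey.pem do not match" >&2; return 1; }

    # install(1) copies and sets the mode in one step, so the private key
    # gets mode 600 whatever the source file mode or the umask would give it.
    mkdir -p "$dest" &&
    install -m 644 "$live/cert.pem" "$live/chain.pem" "$live/fullchain.pem" "$dest/" &&
    install -m 600 "$live/privkey.pem" "$dest/privkey.pem"
}

if [ "$#" -ge 2 ]; then deploy_cert "$@"; fi
```

In the cron line it would replace the chain of `cp -f` commands, called with the `/etc/letsencrypt/live/<FULL DOMAIN>` directory and the `/home/<FOLDER DOMAIN>/ssl` directory as arguments.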