Introduction
SSL Web Hosting has been made free by a number of providers such as Let’s Encrypt and ZeroSSL for years now. I wrote this blog because I truly believe web administrators and developers should leverage this if they aren’t already.
I’ve personally come across an amazing tool called Dehydrated which I used to leverage this. The best part about Dehydrated is that it even operates using the MIT license, meaning it’s also completely free to use!
Dehydrated Setup
An ideal SSL Web Hosting solution comes with the perfect tool to do all of the work for you…
Installation
```bash
# Make sure curl is installed:
#
# RedHat/CentOS v5, 6, and 7 Users
sudo yum install -y curl
# RedHat/CentOS v8+ and Fedora Systems:
sudo dnf install -y curl
# Debian/Ubuntu Systems
sudo apt update && sudo apt install -y curl

# Download Dehydrated (as root)
curl https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated \
    --output /usr/bin/dehydrated
# Set proper permissions
chmod 755 /usr/bin/dehydrated

# Make a wellknown directory for the acme-challenge strings
mkdir -p /var/www/dehydrated

# SELinux Proof it (for those that use it - and you should!)
# Register the context for the directory and everything beneath it,
# then apply it to what already exists on disk:
semanage fcontext -a -t httpd_sys_content_t '/var/www/dehydrated(/.*)?'
restorecon -Rv /var/www/dehydrated
```
Initial Preparation
Next we just need to prepare the basic configuration Dehydrated needs:
```bash
mkdir -p /etc/pki/dehydrated
pushd /etc/pki/dehydrated

# SSL Hosting Configuration; Identify your hosts
#
# Below shows how I set up nuxref.com; you will want to
# identify ALL of the SSL hostnames you plan on supporting
# here:
cat << _EOF > domains.txt
# nuxref Hosts; swap these with your own:
# syntax:
#   domain sub1.domain sub2.domain subx.domain > output_file
nuxref.com www.nuxref.com repo.nuxref.com > nuxref_com
_EOF

# Create ourselves a config file:
cat << _EOF > config
# our wellknown directory
WELLKNOWN=/var/www/dehydrated
_EOF

# First time use only
/usr/bin/dehydrated --register --accept-terms
```
Nginx Configuration
You’ll want to create the following parameter file, which you can then source in all of your domain configuration files:
```bash
cat << _EOF > /etc/nginx/dehydrated_params
location ^~ /.well-known/acme-challenge {
    alias /var/www/dehydrated;
}
_EOF
```
The sourcing part is really easy now. You must add this entry to the server block of every hostname you defined in your /etc/pki/dehydrated/domains.txt file (above):
```nginx
# Place this in all of your NginX files in the server{} block(s):
include dehydrated_params;
```
Once you have all of the include statements in place, make sure you reload NginX so that it picks up your new configuration:
```bash
sudo systemctl reload nginx
```
Generating our SSL Keys
We’re now at the part of the blog where we test to see if all of our setup (defined above) was correctly put into place.
```bash
# We must always run Dehydrated from within this directory
pushd /etc/pki/dehydrated
# Force an initial update
dehydrated -c
```
The above command will run against all of the domains you defined in /etc/pki/dehydrated/domains.txt and attempt to verify them (in order to generate an SSL key for you). If it fails, it’s most likely because of one of the following:
- You’re not correctly hosting that domain on port 80 on this server we just set up together.
- You have an error in your NginX configuration and/or you forgot to add an `include dehydrated_params;` within one of your domain configuration(s).
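A pre-flight check for the two failure causes above, added here as an example and not part of the original post or of Dehydrated itself: it reads domains.txt, drops a throwaway token into the WELLKNOWN directory and confirms each hostname serves it back over port 80 before you spend a validation attempt. The FETCH override and the optional domains.txt argument are my own conventions, not Dehydrated's.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 setup above: confirm every hostname in
# domains.txt serves a file dropped into WELLKNOWN before running dehydrated -c.
set -u

WELLKNOWN="${WELLKNOWN:-/var/www/dehydrated}"
# FETCH names the command used to retrieve the token; overridable (my own
# convention) so the check logic can be exercised without a network.
FETCH="${FETCH:-fetch_http}"

# Print the hostnames from a domains.txt, one per line, skipping comment
# lines, blank lines and the "> output_name" alias suffix Dehydrated allows.
list_hostnames() {
    sed -e 's/#.*//' -e 's/>.*//' "$1" | tr -s ' \t' '\n' | sed '/^$/d'
}

# Default fetcher: plain-HTTP GET of the challenge path, the same request
# the CA's validator makes.
fetch_http() {
    curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2"
}

# check_hosts [domains.txt]: returns 0 if every hostname serves the token,
# 1 if any hostname fails, 2 if the inputs are unusable.
check_hosts() {
    domains_file="${1:-/etc/pki/dehydrated/domains.txt}"
    [ -r "$domains_file" ] || { echo "cannot read $domains_file" >&2; return 2; }
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    failed=0
    printf '%s\n' "$token" > "$WELLKNOWN/$token" || return 2
    for host in $(list_hostnames "$domains_file"); do
        body=$("$FETCH" "$host" "$token" 2>/dev/null) || body=""
        if [ "$body" = "$token" ]; then
            echo "OK   $host"
        else
            # One of the two causes listed above: the hostname is not served
            # on port 80 here, or its server{} block lacks the include line.
            echo "FAIL $host: challenge path not served on port 80"
            failed=1
        fi
    done
    rm -f "$WELLKNOWN/$token"
    return "$failed"
}

# Run directly with a domains.txt argument; otherwise only define the functions.
if [ "$#" -gt 0 ]; then
    check_hosts "$1"
fi
```

Run it as `sh preflight.sh /etc/pki/dehydrated/domains.txt` on the web server itself; a FAIL line names the hostname to fix before retrying `dehydrated -c`.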
If everything went smoothly, you’ll now have new SSL keys you can add to your NginX configuration. This allows you to host your website secured now using your own set of registered SSL keys. You’re almost home free now! You need to dive back into NginX and prepare yourself a new server block of code that listens on port 443 with SSL turned on.
```nginx
server {
    # SSL
    listen 443 ssl;
    # Keep your port-80 server block (with "include dehydrated_params;")
    # in place: renewals are still validated over plain HTTP.
    #
    # your security setup and location entries here
    # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # for some ideas

    # Don't forget to point to your newly generated SSL Keys:
    # swap nuxref_com for the output name you chose in domains.txt.
    # fullchain.pem carries the intermediate certificate as well; cert.pem
    # alone leaves many clients unable to build a trusted chain.
    ssl_certificate     /etc/pki/dehydrated/certs/nuxref_com/fullchain.pem;
    ssl_certificate_key /etc/pki/dehydrated/certs/nuxref_com/privkey.pem;
}
```
Set It and Forget It
Free SSL Web Hosting keys being free do however come with a catch: they don’t last long. They don’t expire in 2-3 years like a normal paid key would – these ones expire in 30 days in some cases. So it’s up to you to either remember to run `dehydrated -c` often, or just automate it like so:
```bash
# next add a cronjob so it updates automatically
cat << _EOF > /etc/cron.d/dehydrated
# at 14:20 every day update SSL certificates.
# cron runs this line under /bin/sh, so use POSIX redirections (not bash's &>)
20 14 * * * root cd /etc/pki/dehydrated/ && /usr/bin/dehydrated -c >/dev/null 2>&1 && systemctl reload nginx >/dev/null 2>&1
_EOF
```
Sources
- Let’s Encrypt Official Website
- Dehydrated Official Website
- A great blog on SSL/NGINX Security and Setup
- A Nagios blog I wrote which you can use to monitor your servers and notify you if your SSL key is getting close to expiry (should something prevent your cron from running).