A Free SSL Web Hosting Solution

Introduction

SSL Web Hosting has been made free by a number of providers such as Let’s Encrypt and ZeroSSL for years now. I wrote this blog because I truly believe web administrators and developers should leverage this if they aren’t already.

I’ve personally come across an amazing tool called Dehydrated which I used to leverage this. The best part about Dehydrated is that it even operates using the MIT license, meaning it’s also completely free to use!

Dehydrated Setup

An ideal SSL Web Hosting solution comes with the perfect tool to do all of the work for you…

Installation

#
# Make sure curl is installed:
#
# RedHat/CentOS v5,6, and 7 Users
sudo yum install -y curl

# RedHat/CentOS v8+ and Fedora Systems:
sudo dnf install -y curl

# Debian/Ubuntu Systems
sudo apt update && sudo apt get curl

# Download Dehydrated (as root)
curl https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated \
   --output /usr/bin/dehydrated

# Set proper permissions
chmod 755 /usr/bin/dehydrated

# Make a wellknown directory for the acme-challenge strings
mkdir -p /var/www/dehydrated

# SELinux Proof it (for those that use it - and you should!)
semanage fcontext -a -t httpd_sys_content_t \
          '/var/www/dehydrated/(/.*)?'

Initial Preparation

Next we need to just prepare some basic configuration needed by Dehydrated:

mkdir -p /etc/pki/dehydrated
pushd /etc/pki/dehydrated

# SSL Hosting Configuration; Identify your hosts
#
# Below shows how I set up nuxref.com; you will want to
# identify ALL of the SSL hostnames you plan on supporting
# here:
cat << _EOF > domains.txt
# nuxref Hosts; swap these with your own:
# syntax:
#   domain sub1.domain sub2.domain subx.domain > output_file
nuxref.com www.nuxref.com repo.nuxref.com > nuxref_com
_EOF

# Create ourselves a config file:
cat << _EOF > config
# our wellknown directory
WELLKNOWN=/var/www/dehydrated
_EOF

# First time use only
/usr/bin/dehydrated --register --accept-terms

Nginx Configuration

You’ll want to create the the following parameter file that you can source in all of your domain configuration files:

cat << _EOF > /etc/nginx/dehydrated_params
location ^~ /.well-known/acme-challenge {
   alias /var/www/dehydrated;
}
_EOF

The sourcing part is really easy now. You must add this entry in all of your configuration files that you’ve defined in your /etc/pki/dehydrated/domains.txt file (above).

# Place this in all of your NginX files in the server{} block(s):
include        dehydrated_params;

You’ll want to make sure once you got all of the include statements in place, and that you reload NginX so that it can take on your new configuration:

sudo systemctl reload nginx

Generating our SSL Keys

We’re now at the part of the blog where we test to see if all of our setup (defined above) was correctly put into place.

# We must always run Dehydrated from within this directory
pushd /etc/pki/dehydrated

# Force an initial update
dehydrated -c

The above command will run against all of the domains you defined in /etc/pki/dehydrated/domains.txt and attempt to verify them (in order to generate an SSL key for you). If it fails, it’s most likely because of the following:

  1. You’re not correctly hosting that domain on port 80 on this server we just set up together.
  2. You have an error in your NginX configuration and/or you forgot to add an include dehydrated_params; within one of your domain configuration(s).

If everything went smoothly, you’ll now have new SSL keys you can add to your NginX configuration. This allows you to host your website secured now using your own set of registered SSL keys. You’re almost home free now! You need to dive back into NginX and prepare yourself a new server block of code that listens on port 443 with SSL turned on.

server {
  # SSL
  listen 443;
  ssl on;

  #
  # your security setup and location entries here
  # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  # for some ideas

  # Don't forget to point to your newly generated SSL Keys:
  # swap nuxref_com
  ssl_certificate /etc/pki/dehydrated/certs/nuxref_com/cert.pem;
  ssl_certificate_key /etc/pki/dehydrated/certs/nuxref_com/privkey.pem;
}

Set It and Forget It

Free SSL Web Hosting keys being free do however come with a catch: they don’t last long. They don’t expire in 2-3 years like a normal paid key would – these ones expire in 30 days in some cases. So it’s up to you to either remember to run dehydrated -c often, OR just automated it like so:

# next add a cronjob so it updates automatically
cat << _EOF > /etc/cron.d/dehydrated
# at 14:20 every day update SSL certificates
20 14 * * * cd /etc/pki/dehydrated/ && dehydrated -c &>/dev/null && systemctl reload nginx &>/dev/null
_EOF

Sources

Leave a Reply

Your email address will not be published. Required fields are marked *