Changes

Replaced content with "{{Deprecated}}"
aka SSL or HTTPS

We want to be able to offer secure web services. We intend to use free certificates from the "Let's Encrypt" project.

== Ansible Role ==
I've written a role '''ansible-certbot''' that installs certbot in /opt

== Prerequisites ==
Do the DNS first. You can't use certbot until the host you're targeting matches what is in public DNS, because that's the way it works.

== To use the role ==
# copy your public key to 'authorized_keys' on the target
# make sure the target is in your ansible hosts file
# run the role <code>ansible-playbook certbot.yml</code>

We can either incorporate the role into a larger playbook, or run it independently.

== Install Certificates ==
You can now use certbot like so (however it will fail because there is no A record for this IP):
<source lang="bash">
/opt/certbot/certbot-auto --domain wiki.slicer.org --apache certonly --dry-run
./certbot-auto --apache -d freephile.org --agree-tos --email info@equality-tech.com
</source>

== Post Installation ==
Once we have certs in place, we'll need to renew them frequently (they expire in 90 days).
A cron job will do the trick:
<source lang="bash">
#### Renew our LetsEncrypt certificates automatically every 3 months because they expire every 90 days
05 04 01 */3 * root /opt/certbot/certbot-auto renew
</source>

== More ==
See https://certbot.eff.org/#ubuntutrusty-apache for more on certbot and https://github.com/geerlingguy/ansible-role-certbot for more on the certbot installer role.

=== Checking Ciphers ===
As far as getting good TLS support from 14.04 goes, here is what nmap's ssl-enum-ciphers script reports:
<source lang="bash">
nmap --script +ssl-enum-ciphers equality-tech.com
</source>
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-25 17:12 UTC
Nmap scan report for equality-tech.com (104.236.31.19)
Host is up (0.0017s latency).
rDNS record for 104.236.31.19: eqt.equality-tech.com
Not shown: 993 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
53/tcp  closed domain
80/tcp  open   http
443/tcp open   https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
465/tcp closed smtps
587/tcp closed submission

Nmap done: 1 IP address (1 host up) scanned in 35.98 seconds
</pre>

<source lang="bash">
greg@p2-wiki-nyc1-01:/$ nmap --script +ssl-enum-ciphers wiki.slicer.org
</source>
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-25 17:15 UTC
Nmap scan report for wiki.slicer.org (134.174.9.180)
Host is up (0.0074s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
53/tcp  closed domain
80/tcp  open   http
443/tcp open   https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 25.07 seconds
</pre>
{{Deprecated}}
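The scans above come from nmap 6.40, whose ssl-enum-ciphers script labels every suite "strong", including the RC4, 3DES and SSLv3 entries on wiki.slicer.org, so the label alone does not tell you whether the server's TLS configuration is acceptable. This added Python example (not part of the original wiki page or the certbot role) parses the script's output format and flags legacy protocol versions and suites whose weakness is readable from the name; the sample text is a constructed subset of the wiki.slicer.org output with nmap's indentation restored.

```python
import re

# Constructed sample: a subset of the wiki.slicer.org scan output shown above.
SAMPLE = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""
PROTO_RE = re.compile(r"^\|\s*(SSLv3|TLSv1\.[0-3]):")
CIPHER_RE = re.compile(r"^\|\s*(TLS_[A-Z0-9_]+)\s+-\s+\w+")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_MARKERS = {"_RC4_": "RC4", "_3DES_": "3DES", "_MD5": "MD5"}  # all "strong" to nmap 6.40

def parse_enum_ciphers(text):
    """Map each protocol version nmap listed to the suites beneath it."""
    suites, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = suites.setdefault(proto.group(1), [])
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current is not None:
            current.append(cipher.group(1))
    return suites

def cipher_issues(name):
    """Weaknesses readable from the suite name alone."""
    issues = [label for marker, label in WEAK_MARKERS.items() if marker in name]
    if name.startswith("TLS_RSA_WITH_"):  # static RSA key exchange: no forward secrecy
        issues.append("no-forward-secrecy")
    return issues

def audit(text):
    """Return (protocol, suite, issue) tuples; suite '*' marks a protocol-level finding."""
    findings = []
    for proto, ciphers in parse_enum_ciphers(text).items():
        if proto in LEGACY_PROTOCOLS:
            findings.append((proto, "*", "legacy-protocol"))
        findings.extend((proto, n, i) for n in ciphers for i in cipher_issues(n))
    return findings
```

Run `audit(SAMPLE)` (or feed it the saved output of a real scan) and an empty result means nothing legacy or name-identifiable as weak was offered; the equality-tech.com scan above would still report the TLS_RSA_* and 3DES suites.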