Also known as SSL or HTTPS. We want to be able to offer secure web services, and we intend to use free certificates from the "Let's Encrypt" project.

== Ansible Role ==
I've written a role, '''ansible-certbot''', that installs certbot under /opt.

== Pre Requisites ==
Do the DNS first. You can't use certbot until the hostname you're targeting resolves, in public DNS, to the host you are running certbot on, because that is how Let's Encrypt validates the request: it connects to the name to prove you control it.

== To use the role ==
# copy your public key to 'authorized_keys' on the target
# make sure the target is in your ansible hosts file
# run the role <code>ansible-playbook certbot.yml</code>

We can either incorporate the role into a larger playbook or run it independently.

== Install Certificates ==
You can now use certbot like so (however, it will fail because there is no A record pointing at this IP yet):
<source lang="bash">
/opt/certbot/certbot-auto --domain wiki.slicer.org --apache certonly --dry-run
./certbot-auto --apache -d freephile.org --agree-tos --email info@equality-tech.com
</source>

== Post Installation ==
Once we have certs in place, we'll need to renew them frequently (they expire in 90 days). A cron job will do the trick:
<source lang="bash">
#### Renew our LetsEncrypt certificates automatically every 3 months because they expire every 90 days
05 04 01 */3 * root /opt/certbot/certbot-auto renew
</source>
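A caveat on the schedule above: <code>certbot-auto renew</code> only reissues a certificate that is within 30 days of expiry, so the schedule decides whether the 30-day window is ever hit before the certificate lapses. The following is an added simulation (not part of this page or of certbot) that replays the page's quarterly cron line against a daily one; the issue date is a constructed value taken from the scan timestamp on this page, and the 90-day lifetime and 30-day renewal window are Let's Encrypt's and certbot's published defaults.

```python
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=90)   # Let's Encrypt certificate validity
RENEW_WINDOW = timedelta(days=30)    # certbot renews only when less than this remains

# Constructed: assume the first certificate was issued at the time of the scan on this page.
ISSUED = datetime(2016, 8, 25, 17, 12)
HORIZON = ISSUED + timedelta(days=365)   # simulate one year of operation


def renew_if_due(not_after, now):
    """Mimic `certbot renew`: reissue only inside the renewal window.
    Returns the (possibly new) expiry time."""
    if not_after - now < RENEW_WINDOW:
        return now + CERT_LIFETIME
    return not_after


def _runs(start, end, day_matches):
    """Fire times at 04:05 on every day for which day_matches(t) is true."""
    t = start.replace(hour=0, minute=0, second=0, microsecond=0)
    runs = []
    while t <= end:
        fire = t.replace(hour=4, minute=5)
        if day_matches(t) and fire >= start:
            runs.append(fire)
        t += timedelta(days=1)
    return runs


def quarterly_runs(start, end):
    """The page's cron line `05 04 01 */3 *`: 1st of Jan, Apr, Jul, Oct."""
    return _runs(start, end, lambda t: t.day == 1 and (t.month - 1) % 3 == 0)


def daily_runs(start, end):
    """A daily schedule such as `05 04 * * *`."""
    return _runs(start, end, lambda t: True)


def simulate(issued, runs, horizon):
    """Walk the schedule; return the expiry time at which the cert was found
    lapsed, or None if it stayed valid through the horizon."""
    not_after = issued + CERT_LIFETIME
    for t in runs:
        if t > not_after:
            return not_after          # the cron run came too late
        not_after = renew_if_due(not_after, t)
    return not_after if horizon > not_after else None


def lapse_with_quarterly_cron():
    return simulate(ISSUED, quarterly_runs(ISSUED, HORIZON), HORIZON)


def lapse_with_daily_cron():
    return simulate(ISSUED, daily_runs(ISSUED, HORIZON), HORIZON)


if __name__ == "__main__":
    print("quarterly cron lapses at:", lapse_with_quarterly_cron())
    print("daily cron lapses at:    ", lapse_with_daily_cron())
```

With the quarterly line the 1 October run sees 53 days remaining and does nothing, and the next run on 1 January arrives after the 23 November expiry, so the site serves an expired certificate for over five weeks. A daily (or twice-daily, as the certbot documentation suggests) run is a no-op most days and renews at the first run inside the 30-day window, so it never lapses.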

== More ==
See https://certbot.eff.org/#ubuntutrusty-apache for more on certbot, and https://github.com/geerlingguy/ansible-role-certbot for more on the certbot installer role.

=== Checking Ciphers ===
To check how good the TLS support we actually get from Ubuntu 14.04 is, enumerate the cipher suites the server offers:
<source lang="bash">
nmap --script +ssl-enum-ciphers equality-tech.com
</source>
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-25 17:12 UTC
Nmap scan report for equality-tech.com (104.236.31.19)
Host is up (0.0017s latency).
rDNS record for 104.236.31.19: eqt.equality-tech.com
Not shown: 993 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp closed domain
80/tcp open http
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
465/tcp closed smtps
587/tcp closed submission

Nmap done: 1 IP address (1 host up) scanned in 35.98 seconds
</pre>

<source lang="bash">
greg@p2-wiki-nyc1-01:/$ nmap --script +ssl-enum-ciphers wiki.slicer.org
</source>
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-25 17:15 UTC
Nmap scan report for wiki.slicer.org (134.174.9.180)
Host is up (0.0074s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp open https
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 25.07 seconds
</pre>
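Note that Nmap 6.40's script rates every suite above as "strong", including SSLv3, RC4 and 3DES on wiki.slicer.org; later Nmap releases replaced that rating with letter grades, and current guidance (RFC 7568 for SSLv3, RFC 7465 for RC4) treats those as weak regardless of the scanner's label. The following is an added example, not part of this page or of Nmap: a small parser for <code>ssl-enum-ciphers</code> output that applies its own policy to the protocol and suite names. The sample input is a constructed abridgement of the wiki.slicer.org scan above, and the weakness rules in <code>WEAK_PATTERNS</code> are this example's assumptions, not Nmap's.

```python
import re
from collections import OrderedDict

# Constructed sample: abridged from the wiki.slicer.org scan output on this page.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
"""

# Tolerant of the indentation lost in the wiki copy above.
PROTO_RE = re.compile(r"^\|_?\s*(SSLv[23]|TLSv1(?:\.[0-9])?):\s*(.*)$")
CIPHER_RE = re.compile(r"^\|_?\s*(TLS_[A-Z0-9_]+)\s*-\s*(\w+)")


def parse_enum_ciphers(text):
    """Return an ordered {protocol: [cipher suite names]} mapping."""
    suites = OrderedDict()
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites[current] = []      # "No supported ciphers found" leaves it empty
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            suites[current].append(m.group(1))
    return suites


# Policy assumed by this example; substrings of the IANA suite name to reject.
WEAK_PATTERNS = OrderedDict([
    ("RC4", "RC4 stream cipher (prohibited by RFC 7465)"),
    ("3DES", "3DES, 64-bit block cipher (Sweet32)"),
    ("_MD5", "MD5-based MAC"),
    ("_NULL_", "no encryption"),
    ("EXPORT", "export-grade key size"),
    ("_DES_", "single DES"),
])
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def assess(suites):
    """Return (protocol, suite or None, reason) findings for the parsed scan."""
    findings = []
    for proto, ciphers in suites.items():
        if proto in DEPRECATED_PROTOCOLS and ciphers:
            findings.append((proto, None, "deprecated protocol version offered"))
        for suite in ciphers:
            for pattern, reason in WEAK_PATTERNS.items():
                if pattern in suite:
                    findings.append((proto, suite, reason))
            # Pre-1.3 suites give forward secrecy only with (EC)DHE key exchange.
            if proto != "TLSv1.3" and not suite.startswith(("TLS_DHE_", "TLS_ECDHE_")):
                findings.append((proto, suite, "no forward secrecy (static RSA key exchange)"))
    return findings


if __name__ == "__main__":
    for proto, suite, reason in assess(parse_enum_ciphers(SAMPLE_SCAN)):
        print(f"{proto:8} {suite or '-':40} {reason}")
```

Run against the full scan output on this page, the equality-tech.com host produces only forward-secrecy and 3DES findings (its SSLv3 section is empty, so it is not flagged), while wiki.slicer.org is flagged for SSLv3, RC4 and MD5 as well. The parser deliberately ignores Nmap's own "strong"/"weak" word after the dash so that the policy lives in one place and survives scanner upgrades.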