@viirre
Last active September 18, 2015 15:03
Install new certificate with SSLmate and Forge

1. Install SSLmate on the server

sudo wget -P /etc/apt/sources.list.d https://sslmate.com/apt/ubuntu1404/sslmate.list
sudo wget -P /etc/apt/trusted.gpg.d https://sslmate.com/apt/ubuntu1404/sslmate.gpg
sudo apt-get update
sudo apt-get install sslmate

2. Buy the certificate

mkdir /home/forge/ssl/HOSTNAME && cd /home/forge/ssl/HOSTNAME
sslmate buy HOSTNAME

# Eg:
sslmate buy adaptivemedia.se

Follow the instructions; the resulting cert will be valid for both adaptivemedia.se and www.adaptivemedia.se.

3. Test cert

sslmate test HOSTNAME

4. Generate config (optional)

sslmate mkconfig nginx HOSTNAME

5. Install on Forge

  • Copy the contents of HOSTNAME.key into "Private key" in Forge.
  • Copy the contents of HOSTNAME.chained.crt into "Certificate key" in Forge.
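
Before pasting the two files into Forge it is worth confirming that they belong together, that the chain file really contains the intermediate, and that the cert covers both names from step 2. The script below is an added example (not part of this gist or of SSLmate's own tooling); it assumes the HOSTNAME.key / HOSTNAME.chained.crt naming that `sslmate buy` uses and needs only POSIX sh plus the openssl CLI. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the gist: sanity checks on the files `sslmate buy`
# writes (HOSTNAME.key and HOSTNAME.chained.crt) before pasting them into Forge.
# Run inside /home/forge/ssl/HOSTNAME, e.g.:  sh check-cert.sh adaptivemedia.se

# 0 if the public key inside the private key file equals the public key of the
# first (leaf) certificate in the chain file, 1 otherwise.  Pasting a key that
# belongs to a different cert is the classic "site down after new cert" mistake.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Number of PEM certificates in a file.  A chained.crt should hold the leaf
# plus at least one intermediate; a count of 1 usually means the wrong file.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# 0 if the leaf certificate is still valid $2 days from now, 1 otherwise
# (openssl's -checkend takes seconds and fails if the cert expires within them).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if the leaf certificate lists hostname $2 as a DNS subjectAltName.
covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "DNS:$2(,| |$)"
}

# Run every check for one hostname and print a report; the return value is
# the number of failed checks, so 0 means "safe to paste into Forge".
check_pair() {
    host="$1"; key="$host.key"; crt="$host.chained.crt"; failed=0
    key_matches_cert "$key" "$crt" && echo "ok   $key matches $crt" \
        || { echo "FAIL $key does not match $crt"; failed=$((failed + 1)); }
    [ "$(cert_count "$crt")" -ge 2 ] && echo "ok   chain has $(cert_count "$crt") certificates" \
        || { echo "FAIL $crt holds no intermediate certificate"; failed=$((failed + 1)); }
    valid_for_days "$crt" 30 && echo "ok   valid for at least 30 more days" \
        || { echo "FAIL $crt expires within 30 days"; failed=$((failed + 1)); }
    for name in "$host" "www.$host"; do
        covers_host "$crt" "$name" && echo "ok   covers $name" \
            || { echo "FAIL does not cover $name"; failed=$((failed + 1)); }
    done
    return "$failed"
}

if [ "$#" -ge 1 ]; then
    check_pair "$1"
fi
```

The public-key comparison is deliberately used instead of the older modulus-hash trick because it works for both RSA and ECDSA keys. The SAN check only looks at DNS entries, which is what SSLmate certs carry for the bare and www names.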

6. Make sure the redirects are present in the nginx config; add them if they are missing

Example of typical redirects for an apex (@) domain (e.g. adaptiveinvoice.se):

# http redirects
server {
    listen 80;
    server_name adaptiveinvoice.se www.adaptiveinvoice.se;
    return 301 https://adaptiveinvoice.se$request_uri;
}

# https www redirect
server {
    listen 443 ssl;
    server_name www.adaptiveinvoice.se;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/adaptiveinvoice.se/6082/server.crt;
    ssl_certificate_key /etc/nginx/ssl/adaptiveinvoice.se/6082/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    return 301 https://adaptiveinvoice.se$request_uri;
}

# https @
...

7. More info

Getting started with SSLmate

ssl on;
ssl_certificate_key freelway.com.key;
ssl_certificate freelway.com.chained.crt;

# Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;

# Enable this if you want HSTS (recommended)
# add_header Strict-Transport-Security max-age=15768000;
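
Steps 6 and 7 both amount to "look through the server blocks and make sure something is there": a 301 to https on port 80, an HSTS header on the block that actually serves the site, and no leftover SSLv2/SSLv3 in ssl_protocols. The lint below is an added example (not part of this gist or of Forge/SSLmate) that automates those three checks over nginx config text using only POSIX sh and awk. The sample config is constructed here, modelled on the step 6 layout with the HSTS header from step 7 enabled; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the gist: lint nginx config text for the step 6/7
# checks.  Usage:  lint_conf "$(cat /etc/nginx/sites-available/adaptiveinvoice.se)"

# Print one line per `server` block: port|server_names|redirect-or-serve|hsts|proto
summarize_servers() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                       # drop comments (a commented-out add_header must not count)
        /server[ \t]*\{/ { inblk = 1; depth = 0; blk = "" }
        inblk {
            blk = blk $0 "\n"
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track brace nesting
            if (depth == 0) {                              # block complete
                inblk = 0
                port = "?"
                if (match(blk, /listen[ \t]+[0-9]+/)) {
                    port = substr(blk, RSTART, RLENGTH); sub(/listen[ \t]+/, "", port)
                }
                names = "?"
                if (match(blk, /server_name[^;]*;/)) {
                    names = substr(blk, RSTART, RLENGTH)
                    sub(/^server_name[ \t]+/, "", names); sub(/;$/, "", names)
                    gsub(/[ \t]+/, ",", names)
                }
                mode  = (blk ~ /return[ \t]+301[ \t]+https:\/\//) ? "redirect" : "serve"
                hsts  = (blk ~ /add_header[ \t]+Strict-Transport-Security/) ? "hsts" : "nohsts"
                proto = (blk ~ /ssl_protocols[^;]*SSLv[23]/) ? "sslv3" : "ok"
                print port "|" names "|" mode "|" hsts "|" proto
            }
        }'
}

# server_name lists of plain-HTTP (port 80) blocks that do not 301 to https://
http_without_redirect() {
    summarize_servers "$1" | awk -F'|' '$1 == "80" && $3 != "redirect" { print $2 }'
}

# server_name lists of HTTPS blocks that serve content without an HSTS header
https_without_hsts() {
    summarize_servers "$1" | awk -F'|' '$1 == "443" && $3 == "serve" && $4 != "hsts" { print $2 }'
}

# number of blocks whose ssl_protocols still include SSLv2 or SSLv3
sslv3_servers() {
    summarize_servers "$1" | awk -F'|' '$5 == "sslv3" { n++ } END { print n + 0 }'
}

# Report every finding; returns 0 only when the config passes all three checks.
lint_conf() {
    bad_http=$(http_without_redirect "$1")
    bad_hsts=$(https_without_hsts "$1")
    n_sslv3=$(sslv3_servers "$1")
    [ -n "$bad_http" ] && echo "no https redirect on port 80 for: $bad_http"
    [ -n "$bad_hsts" ] && echo "HSTS header missing on: $bad_hsts"
    [ "$n_sslv3" -gt 0 ] && echo "$n_sslv3 server block(s) still allow SSLv2/SSLv3"
    [ -z "$bad_http" ] && [ -z "$bad_hsts" ] && [ "$n_sslv3" -eq 0 ]
}

# Constructed sample: the step 6 layout plus an apex block with step 7's HSTS header.
SAMPLE_CONF='
# http redirects
server {
    listen 80;
    server_name adaptiveinvoice.se www.adaptiveinvoice.se;
    return 301 https://adaptiveinvoice.se$request_uri;
}
# https www redirect
server {
    listen 443 ssl;
    server_name www.adaptiveinvoice.se;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    return 301 https://adaptiveinvoice.se$request_uri;
}
# https @
server {
    listen 443 ssl;
    server_name adaptiveinvoice.se;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security max-age=15768000;
    location / { root /home/forge/adaptiveinvoice.se/public; }
}
'

lint_conf "$SAMPLE_CONF" && echo "sample config passes"
```

Comments are stripped before matching, so the commented-out `# add_header Strict-Transport-Security` line from the step 7 snippet is correctly reported as HSTS still being off until you uncomment it.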