SSL in a Day

pokey-mon really DO run fast!
Slow it DOWN there mister!

Yes, this is titled correctly. I did it.
Secure website on SSL in under a day, even with DNS propagation issues.
YEAH…that was a nightmare!
Did I say one day?
I meant five minutes…


	This is a shared host. No root here.
	On my local machine I am root AND an admin. (Fedora 22)
	You need to be able to generate a key and sign a request yourself; even though this is automated, you need to know what you are doing.

I had some issues with Comodo. See, Dreamhost has four boxes when enabling custom secure server (SSL) mode:

	signed certificate
	signing request (not needed)
	private key (domain key in my instance)
	intermediate certificate

The trick is with the private key mostly.
As I said, I could not get Comodo to work.
I tried to buy a cert from the webhost…FAILED.

Let's Encrypt. FREE.

The trick is in the ACME (no kidding) system.
And like Comodo, you are expected to drop some random gibberish on your server to prove it's your site and that you control it. For the HTTP challenge that gibberish is a small text file the CA fetches over plain HTTP from /.well-known/acme-challenge/ on your domain; its name is a token the CA hands you, and its content is that token joined to a fingerprint of your account key, so nobody can stage it without your key.
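To make the "gibberish" concrete, here is an added example (my own, not the script from the original post or anything from Let's Encrypt) of how the challenge file is computed: the RFC 7638 thumbprint of the account key, the key authorization that goes into the file, the DNS-01 variant of the same value, and a pre-flight check on what your host actually serves. The account key and token below are constructed placeholders, not a real key or a real CA token.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, the encoding ACME/JOSE uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an account key: SHA-256 over the *required* public
    members only, keys in lexicographic order, no whitespace. Optional members
    such as 'alg' or 'kid' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """The 'gibberish': the CA's challenge token joined to your account-key thumbprint."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_challenge(token, account_jwk):
    """Return (path, body): the CA GETs this path over plain HTTP on port 80 of the
    domain and expects exactly this body back."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, account_jwk)


def dns01_txt_value(token, account_jwk):
    """For dns-01 the TXT record at _acme-challenge.<domain> holds the base64url
    SHA-256 of the key authorization instead of the key authorization itself."""
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest())


def http01_response_ok(body, expected_key_authorization):
    """Pre-flight check on what your host really serves for the challenge path.
    RFC 8555 section 8.3 lets the validator ignore trailing whitespace, so a newline
    added by an editor is fine; an HTML wrapper, error page or redirect body is not."""
    if isinstance(body, bytes):
        body = body.decode("ascii", errors="replace")
    return body.rstrip() == expected_key_authorization


# Constructed sample inputs (not a real key, not a real token): a fake RSA JWK with an
# extra optional member, and a token in the shape ACME servers send (base64url).
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "alg": "RS256"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_challenge(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("serve", path, "with body:", body)
    print("dns-01 TXT value:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The point of the thumbprint rule is that the file content is bound to your account key, which is why the whole thing can be driven from a local box: the web host only ever sees a static file, and the key that matters never leaves your machine.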

Everything else can be done on a local box.

Yes, I said it, YOU DO NOT need ROOT on the webserver.
You DO NOT need to install ANYTHING onto the webserver.
You run ONE file.

Push comes to shove, get a live Linux CD.
You will need a Linux box.

You should be able to install packages.
A spare hard drive would be WISE to use.
You need Python and the openssl binary installed.

I modified the Python script slightly.
The source is HERE.

But as-is, the name is a misnomer (it still needs root); somehow the author couldn't figure out that a superseded Python web server running locally on the web host is practically the same as the web server service itself.

No need to re-bind or host anything.
Port 80 and 443 are already open.
AND serving.

Not to mention this guy is some complete noob of a moron and Brainfuck (yes, that's a REAL programming language) idiot when it comes to writing code.

-And he wants to pansy antsy complain? FUCK HIM.

HERE is my modified (fixed) version.
Run it locally.
You should only need two windows now:

	the window to run the script
	a second window in the same folder (you will see why when you run the script)

Pay attention to the instructions in the python comments at the top.

This is crippled due to a testing limitation and needs to be uncrippled to function correctly.

I tell you how to do it, but YOU need to do it or the script will fail to finish the process.
(I'm still working out some bugs.)

The alternative is to copy the two sections from the source file on GitHub where it reads:

"Manually sign some files"

–only copy THESE sections over (into the code I HAVE). (If you do this, you need three windows. Follow the original directions.)

You will need the bottom half to correctly get a working certificate.
I burned up my tries figuring this stuff out.
There is no need for you to do same.

The process should now be fully automatic and not require manually signing anything.
I need a live, un-blacklisted, un-rate-limited site to finish my testing.

And Bob's your uncle.
Cut/copy/paste the certs into your web panel, or configure them manually.

You need three files:

	the output (non-empty) signed cert file
	the domain key file (private key)
	the intermediate cert file (included)

As I said, the domain.csr (signing request) is optional here: the panel does not need it, it only matters while requesting the certificate.

There are two glitches:

	Wildcard (*) domains will not work and throw an error. (Caveat: the original Let's Encrypt ACME API, the one that returns the urn:acme:error: types shown below, never issued wildcard certificates at all, so that error is the CA's answer, not a bug in the script.)
	Using a v3 extension with SAN, aka alternate domains, refuses to work. (PEM <-> DER?)

-Some say this works but I can't verify it (yet).

Normal Apache config:

	cd /etc/httpd/conf/ssl.crt (put the certificate here)
	put the other files in /etc/httpd/conf/ssl.key.

The private key is the one file that must stay secret: make it owned by root and mode 0600. The certificate and the intermediate are public and can be world-readable.

Edit /etc/httpd/conf/httpd.conf or the ssl.conf file:

	SSLEngine  on
	SSLCertificateFile /etc/httpd/conf/ssl.crt/certificate.crt
	SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.key
	SSLCertificateChainFile /etc/httpd/conf/ssl.key/intermediate.pem

Now restart Apache with whichever of these your system uses:

	sudo apachectl restart
	sudo /etc/rc.d/init.d/httpd restart

Keep in mind the following in case you fubar your openssl config file (/etc/pki/tls/openssl.cnf) by setting up v3 SAN and are forced to regenerate your cert:

Remember that the “certs per domain” rate limit is “5 out of 7 every 7 days, so as those 7 days expire, more certificates can be issued.”

	{"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: Too many certificates already issued for: xxx.com"}

(Python) HTTP Error 429 (Too Many Requests)

– is thrown in such a case. Just wait it out; a rate-limit error is the CA refusing, not the script failing, and retrying before the window has passed only spends another try.
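Since the rate limit is what burned the tries, here is an added example (my own, not the script from the post or anything from Let's Encrypt) that recognises the rate-limit response shown above and keeps a sliding-window tally of your own issuances so you know when the next try is allowed instead of finding out by 429. The limit and window default to the "5 per 7 days" figure quoted above; both are parameters because the CA's actual limits are not something this page pins down.

```python
import json
from datetime import datetime, timedelta


def parse_acme_error(status, body):
    """Classify an ACME error response. `body` is the JSON problem document the CA
    returns, `status` the HTTP status the client saw (429 = Too Many Requests).
    Returns (rate_limited, problem_dict). A non-JSON body is still classified by status."""
    try:
        problem = json.loads(body)
        if not isinstance(problem, dict):
            problem = {"type": "unknown", "detail": str(problem)}
    except ValueError:
        problem = {"type": "unknown", "detail": body}
    rate_limited = status == 429 or str(problem.get("type", "")).endswith(":rateLimited")
    return rate_limited, problem


def rate_limited_name(problem):
    """Pull the hostname out of a 'Too many certificates already issued for: x' detail,
    or None if the detail is not in that shape."""
    detail = str(problem.get("detail", ""))
    marker = "already issued for:"
    if marker not in detail:
        return None
    return detail.split(marker, 1)[1].strip().rstrip(".")


def next_issuance_allowed(issued_at, now, limit=5, window_days=7):
    """Sliding-window bookkeeping so you do not burn tries blind.
    issued_at: ISO-8601 timestamps ('2015-12-01T10:00:00') of your previous issuances
    for the same name; now: the current time in the same format.
    Returns (allowed_now, earliest_time_allowed_iso)."""
    window = timedelta(days=window_days)
    now_dt = datetime.fromisoformat(now)
    recent = sorted(
        datetime.fromisoformat(t) for t in issued_at
        if now_dt - datetime.fromisoformat(t) < window
    )
    if len(recent) < limit:
        return True, now_dt.isoformat()
    # enough of the oldest in-window issuances must age out to get back under the limit
    must_expire = recent[len(recent) - limit]
    return False, (must_expire + window).isoformat()


if __name__ == "__main__":
    # Constructed sample: the error body from the post, and five issuances in five days.
    body = ('{"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: '
            'Too many certificates already issued for: xxx.com"}')
    limited, problem = parse_acme_error(429, body)
    print("rate limited:", limited, "for", rate_limited_name(problem))
    issued = ["2015-12-0%dT00:00:00" % d for d in range(1, 6)]
    print(next_issuance_allowed(issued, "2015-12-06T00:00:00"))
```

Keep the issuance log next to the script and append to it on every successful run; the CA counts issuances it made, not attempts you think you made, so failed validations do not count but a cert you threw away because of a bad SAN setup does.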