
SSL Configuration Generator

# generated 2023-06-15, Mozilla Guideline v5.7, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.7
server {
    # Plain-HTTP listener for IPv4 and IPv6. It serves no content of its own;
    # every request is answered with a permanent redirect to the HTTPS origin.
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        # $host is derived from the request (request line / Host header), so the
        # redirect target mirrors the name the client sent.
        # NOTE(review): as default_server this block answers for any Host value;
        # add a server_name or a fixed host in the redirect if that matters — confirm.
        return 301 https://$host$request_uri;
    }
}

server {
    # HTTPS listener for IPv4 and IPv6 with HTTP/2 enabled on the socket.
    # NOTE(review): nginx 1.25.1+ deprecates the `http2` listen parameter in favour
    # of a separate `http2 on;` directive — check against the nginx version deployed.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Leaf certificate followed by its intermediates, and the matching private key.
    # NOTE(review): the key file should be readable only by the account that starts
    # nginx — confirm its ownership and mode.
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # Server-side session resumption: sessions live for one day in a 10 MB cache
    # named MozSSL that is shared between worker processes.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    # Session tickets are off, so resumption relies only on the cache above.
    # Presumably chosen because nginx does not rotate ticket keys on its own,
    # which would weaken forward secrecy — confirm against the Mozilla guideline.
    ssl_session_tickets off;

    # DH parameters for the DHE-RSA-* suites in ssl_ciphers; the command below
    # fetches the ffdhe2048 group published by Mozilla.
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    # Only TLS 1.2 and TLS 1.3 are offered. Every suite in ssl_ciphers uses
    # (EC)DHE key exchange with an AEAD cipher (AES-GCM or ChaCha20-Poly1305).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    # The client's preference order decides among the suites listed above.
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # 63072000 seconds is 730 days. `always` sends the header on every response
    # code. No includeSubDomains is set, so the policy covers this host name only.
    # NOTE(review): a location block that defines its own add_header does not
    # inherit this one — repeat the HSTS header wherever another add_header is set.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    # ssl_stapling_verify makes nginx validate the OCSP response before stapling it.
    # NOTE(review): Let's Encrypt has announced the end of its OCSP service; for
    # certificates without an OCSP URL stapling has no effect — confirm with the CA.
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # replace with the IP address of your resolver
    # The resolver is used to look up the OCSP responder host name.
    # NOTE(review): 8.8.8.8 is a public resolver reached over plain DNS; the nginx
    # documentation recommends a resolver in a trusted local network to limit spoofing.
    resolver 8.8.8.8;
}

LET’S ENCRYPT

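openssl version
# OpenSSL 1.1.1n
sudo apt-get install letsencrypt
sudo certbot certificates
# If the error below is encountered, run: `sudo pip3 uninstall urllib3`
# ImportError: cannot import name 'appengine' from 'requests.packages.urllib3.contrib'
# NOTE(review): presumably a pip-installed urllib3 is shadowing the distro package
# certbot expects; check what else on the host depends on it before removing it as root.

# Wildcard names can only be validated through the DNS-01 challenge, hence
# --preferred-challenges=dns. The domain list is quoted so the shell passes the `*`
# to certbot literally instead of attempting filename expansion on it.
# Certificates issued with --manual are not renewed automatically unless an
# authentication hook is supplied, so track the expiry date.
sudo certbot certonly --manual --preferred-challenges=dns -d '*.example.com,example.com'

# Resulting files; privkey.pem is the private key — keep it readable only by root
# and the service that loads it.
# /etc/letsencrypt/live/example.com/fullchain.pem
# /etc/letsencrypt/live/example.com/privkey.pem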
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.example.com,example.com

Requesting a certificate for *.example.com and 1 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.com.

with the following value:

_9C4d0naTfsOyPsometin5TL7GIvrandom6lj36yvalue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Please deploy a DNS TXT record under the name:

_acme-challenge.example.com.

with the following value:

v093HD0qT_cofdsfmKgG1_tOlFACkzr4BL5d-ySfdcreXo

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.example.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/*.example.com,example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/*.example.com,example.com/privkey.pem
This certificate expires on 2022-03-11.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

SSL Ciphers

SSL Labs

SSL cipher mapping

# -v traces the proxy CONNECT, the TLS handshake and the HTTP exchange; -D - also
# dumps the response headers to stdout, which is why each header appears twice in
# the output below.
# Fields worth checking in the output: the negotiated protocol/cipher line,
# "SSL certificate verify ok", the certificate subject/issuer/expiry dates, and the
# Strict-Transport-Security header.
# NOTE(review): the captured run negotiated TLSv1.2 with ALPN http/1.1 and shows a
# "Server: nginx/1.14.0 (Ubuntu)" banner, which does not match the nginx 1.17.7 /
# http2 configuration generated above — presumably a different host or an older
# build; `server_tokens off;` would stop the banner from advertising the version.
curl -v -D - https://example.com

* Uses proxy env variable https_proxy == 'http://127.0.0.1:59527'
*   Trying 127.0.0.1:59527...
* Connected to 127.0.0.1 (127.0.0.1) port 59527 (#0)       
* allocate connect buffer
* Establish HTTP proxy tunnel to example.com:443
> CONNECT example.com:443 HTTP/1.1
> Host: example.com:443
> User-Agent: curl/7.87.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection Established     
HTTP/1.1 200 Connection Established       
< 

* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt     
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):        
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Certificate (11):        
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Server finished (14):    
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS handshake, Client key exchange (16):  
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=example.com
*  start date: Dec 25 02:55:21 2023 GMT
*  expire date: Mar 24 02:55:20 2024 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
Server: nginx/1.14.0 (Ubuntu)
< Date: Tue, 23 Jan 2024 13:33:29 GMT
Date: Tue, 23 Jan 2024 13:33:29 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 438
Content-Length: 438
< Connection: keep-alive
Connection: keep-alive
< Last-Modified: Tue, 23 Jan 2024 01:37:06 GMT
Last-Modified: Tue, 23 Jan 2024 01:37:06 GMT
< ETag: "65af1842-1b6"
ETag: "65af1842-1b6"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Strict-Transport-Security: max-age=63072000
Strict-Transport-Security: max-age=63072000

<

Use OpenSSL to confirm the Private Key’s Integrity

# Check the internal consistency of an RSA private key; -noout suppresses printing
# the key itself.
# NOTE(review): [key-file.key] is a placeholder — replace it including the brackets,
# because the shell treats an unquoted [...] as a glob pattern.
openssl rsa -in [key-file.key] -check -noout
# Possible results (a failure, then the success message):
# RSA key error: n does not equal p q
# RSA key ok

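# Confirm that the private key and the SSL/TLS certificate belong to the same key
# pair by comparing their modulus values (option: -modulus).
# Note: The modulus of the private key and certificate must match exactly.
# The modulus is long, so piping each command through `openssl sha256` and comparing
# the two digests is easier than comparing by eye. This check applies to RSA keys only.
openssl x509 -noout -modulus -in ssl.cer
openssl rsa -noout -modulus -in privatekey.key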

# Perform Encryption with Public Key from certificate and Decryption with Private Key
# A successful round trip shows that the certificate's public key and the private
# key form a pair.
# NOTE(review): pkeyutl -encrypt operates directly on the RSA key, so test.txt must be
# shorter than the key size minus padding; this is a pairing test, not a way to
# encrypt files.
openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer
# The extracted file is a PEM block delimited by these two lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
# Encrypt test.txt file content using the public key
openssl pkeyutl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt 
# Decrypt from cipher.txt using the private key
openssl  pkeyutl  -decrypt -in cipher.txt -inkey [key-file.key]

Verify SSL certificate

# Assuming your certificates are in PEM format, you can do:
openssl verify cert.pem
# Warning, the openssl verify command is more permissive than you might expect! By default, in addition to checking the given CAfile, it also checks for any matching CAs in the system's certs directory e.g. /etc/ssl/certs. To prevent this behavior and make sure you're checking against your particular CA cert given by CAfile, you must also pass a -CApath option with a non-existent directory, e.g.:
openssl verify -verbose -CApath nosuchdir -CAfile cacert.pem server.crt
# If you use -CApath nosuchdir then the combination of server.crt and cacert.pem must include the root CA; if openssl can only work up to an intermediate CA with those files then it will complain.

# Though don't use it for checking a bundle, verify only works for first certificate in server.pem
# NOTE(review): OpenSSL 1.1.0+ provides -no-CAfile / -no-CApath for excluding the
# default stores. With both given and ca.pem passed only as -untrusted there is no
# trust anchor, so this command is expected to report an error even for a valid
# chain — confirm, and pass the root with -CAfile if so.
openssl verify -verbose -no-CAfile -no-CApath -untrusted ca.pem server.pem
# if your "ca-bundle" is a file containing additional intermediate certificates in PEM format:
openssl verify -untrusted ca-bundle cert.pem
# openssl verify checks the chain itself (signatures, validity dates, constraints);
# it does not check the host name unless -verify_hostname is given, and it does not
# check revocation by default.

openssl install