trude/web
1
0
Fork 0
mirror of https://github.com/TrudeEH/web.git synced 2025-12-06 08:23:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2c6d0e104d6522296ec40044713c1cbcc35cc0ff
web/content/notes/https-ssl-certs.md

65 lines
3.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
tags:
- networking
- notes
- web
author: TrudeEH
draft: false
showToc: true
title: HTTPS and SSL Certificates
---
## HTTP(s)
The `http` protocol sends data as plaintext, which is an issue when sharing sensitive data such as messages and passwords.
`https` uses `TLS` to encrypt sensitive traffic between the client and server, creating a secure connection between the two.
## TLS
TLS is a form of [[encryption]], used to secure HTTPS connections.
TLS replaces SSL (a deprecated protocol), however, the term SSL is still used often.
### Handshake
To establish a secure connection, a 'handshake' is performed between the client and the server.
1. The client send a message with browser and OS info, and all supported encryption algorithms.
2. The server selects the strongest supported algorithm, and responds with some server info, the selected algorithm, and an SSL Certificate (contains the domain name, certificate authority and public key).
3. The client checks the certificate to ensure that it is valid and signed by a valid certificate authority.
4. If the certificate is valid, the client generates a random session key, and encrypts it with the server's public key.
5. The session key is sent to the server.
6. The server decrypts the session key, using its own private key. If the key is valid, the server sends a finish message back to the client.
7. The client sends its own finish message, and a secure connection is established.
### SSL Certificates
SSL Certificates are needed because without them, a malicious actor could intercept the client's first handshake message, and establish a secure connection with the client, obtaining its secrets.
A trusted third party is needed to validate that the public key sent to the client matches the server's actual public key.
[Lets Encrypt](https://letsencrypt.org) is a non-profit organization that signs certificates for free.
#### Certbot
The easiest way to generate a *Let's Encrypt* certificate is through `certbot`, which is available as a snap package.
```Shell
sudo apt install snapd
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```
> If you use a firewall, open port 80, as it is required for `certbot` to verify your domain information.
> Once `certbot` is installed, you can either generate a standalone certificate (for example, to use for IRC), or follow the [official instructions](https://certbot.eff.org/instructions) for any web service that you already own.
For example, for an IRC server, run the following command:
```Shell
sudo certbot certonly --standalone --preferred-challenges http -d irc.example.com
```
Replace `irc.example.com` with your actual domain.
The certificate will be stored as two files …
- `/etc/letsencrypt/live/irc.example.com/fullchain.pem`
- `/etc/letsencrypt/live/irc.example.com/privkey.pem`
… which you can copy to any location you need.
These files will be renewed every 90 days, so remember to either update them manually, or add a `crontab` entry to automate the process.
Reference in New Issue View Git Blame Copy Permalink