Set up SSL

Let's Encrypt
Let's Encrypt is a Certificate Authority (CA) that provides free, automated, and open security certificates. It enables website owners to get security certificates within minutes, and leads to a safer web experience for everyone.
Apply for SSL

Note

You may want to get your valid domain and server set up before applying for your certificate.

- Visit certbot (a Let's Encrypt client). Choose "None of the above" for Software and choose your OS for System. We will use CentOS/RHEL 7 as an example.
- Certbot will bring up some instructions specific to your OS. For CentOS 7 we will run the following commands:

  yum install certbot
  certbot certonly

- Enter your email, domain and valid web root, e.g. /usr/local/lsws/DEFAULT/html/.
- If your application is a success, you should see "Congratulations!".
- Verify your certificate files exist:

  ll /etc/letsencrypt/live/YOUR_DOMAIN/

- You should see the following files:

  cert.pem
  chain.pem
  fullchain.pem
  privkey.pem
Set up SSL on LSWS

Navigate to LiteSpeed Web Server Web Admin > Configuration > Listeners > SSL.

There are two methods you can choose from: with fullchain, and without.

With fullchain

- Private Key File: /etc/letsencrypt/live/Your_Domain/privkey.pem
- Certificate File: /etc/letsencrypt/live/Your_Domain/fullchain.pem
- Chained Certificate: Yes
- CA Certificate Path: (leave empty)
- CA Certificate File: (leave empty)

Without fullchain

- Private Key File: /etc/letsencrypt/live/Your_Domain/privkey.pem
- Certificate File: /etc/letsencrypt/live/Your_Domain/cert.pem
- Chained Certificate: No
- CA Certificate Path: (leave empty)
- CA Certificate File: /etc/letsencrypt/live/Your_Domain/chain.pem
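The script below is an added example; it is not part of the LiteSpeed documentation or of certbot. It is a small POSIX shell script that validates a certbot output directory before you point a listener at it, serving both the "verify your certificate files exist" step above and the two listener methods: it checks that the four files exist, that privkey.pem belongs to cert.pem, that fullchain.pem is exactly cert.pem followed by chain.pem (which is why "With fullchain" and "Without fullchain" configure the same chain), and that cert.pem was issued by the certificate(s) in chain.pem. It assumes openssl is on PATH and a directory laid out like /etc/letsencrypt/live/YOUR_DOMAIN/ (the domain name is a placeholder you substitute).

```shell
#!/bin/sh
# Added example (not LiteSpeed or certbot code): sanity-check a certbot output
# directory such as /etc/letsencrypt/live/YOUR_DOMAIN/ before configuring an
# LSWS listener with it. Requires the openssl command-line tool.

# Return 0 if privkey.pem corresponds to the public key inside cert.pem.
# Comparing SubjectPublicKeyInfo PEM blocks (rather than RSA moduli) works
# for both RSA and ECDSA keys.
key_matches_cert() {
    dir=$1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if fullchain.pem is exactly cert.pem followed by chain.pem. This is
# why "Chained Certificate: Yes" with fullchain.pem and "Chained Certificate:
# No" with cert.pem plus chain.pem as CA Certificate File send the same chain.
fullchain_is_cert_plus_chain() {
    dir=$1
    [ "$(cat "$dir/cert.pem" "$dir/chain.pem")" = "$(cat "$dir/fullchain.pem")" ]
}

# Return 0 if cert.pem chains to the issuer(s) in chain.pem. -partial_chain
# lets the check succeed even when the root is not in the system trust store,
# so it tests the issuer relationship rather than system trust.
cert_issued_by_chain() {
    dir=$1
    openssl verify -partial_chain -CAfile "$dir/chain.pem" "$dir/cert.pem" >/dev/null 2>&1
}

# Run every check; print one line per failure and return non-zero if any failed.
check_le_dir() {
    dir=$1
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    key_matches_cert "$dir"             || { echo "privkey.pem does not match cert.pem"; rc=1; }
    fullchain_is_cert_plus_chain "$dir" || { echo "fullchain.pem is not cert.pem + chain.pem"; rc=1; }
    cert_issued_by_chain "$dir"         || { echo "cert.pem is not issued by chain.pem"; rc=1; }
    return $rc
}

# Usage: sh check_le.sh /etc/letsencrypt/live/YOUR_DOMAIN
if [ $# -gt 0 ]; then
    check_le_dir "$1" && echo "OK: $1"
fi
```

Run it as the user the server runs as, so that a permissions problem on privkey.pem shows up here rather than at listener start; each failure message names the listener field that would be wrong.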
Self-Signed

Self-signed certificates can be used to secure some web pages, like the web administration console. However, they are not recommended for a public web site, like an eCommerce web site. When you use a self-signed certificate, the browser will ask the user whether to accept the certificate or not, because self-signed certificates are not trusted by the browser. Follow these steps to create a self-signed certificate.

Create a 443 Listener

Create a listener with Secure set to Yes. The official port for SSL is 443, but another port can be used instead.
Generate a Private Key

The OpenSSL toolkit is required to generate a private key.

- Install OpenSSL if it is not installed already.
- Create an RSA private key for your web server by using this command:

  openssl genrsa -out server.key 2048

The 2048 in the above command is the length of the private key in bits. Bigger private keys are more secure. For more information about creating an SSL private key, please see the OpenSSL documentation.

Note

LiteSpeed Web Server only supports private key files without encryption.

In theory, this is not as safe as using encryption. But in practice, it is impossible to have a user enter a password for the SSL keys every time the server starts or restarts. Some web servers can store the password somehow and supply the passphrase automatically when the server starts, but that is only as secure as the machine itself: once the machine is compromised, the stored password is too, unless it is hardware protected.

The private key file, along with the certificate file, should be placed in a directory that is only readable by the user the server runs as. If you generated an encrypted key file, the passphrase can be removed with the following command (server.skey is the encrypted key, server.key the unencrypted output):

  openssl rsa -in server.skey -out server.key
Create a Self-signed Certificate

Create a one year self-signed certificate with the following command:

  openssl req -new -x509 -key server.key -out server.crt -days 365

You will be asked for more information about your organization and web site. Please give the correct information. You should give the valid domain name of your web site when you are asked for Common Name, and not any aliases.

To determine the valid domain name, you can use commands such as nslookup, dig or host.

Example

If the web site can be accessed via both http://foo.bar and http://www.foo.bar, usually foo.bar is the valid domain name (canonical name), and www.foo.bar is an alias. In this case, foo.bar should be used for the Common Name.
Set up the SSL Certificate

Click on the newly created listener, and go to the SSL settings tab. Set Private Key File to the location of the self-signed key file (server.key) and Certificate File to the location of the certificate file (server.crt).
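The following is an added example, not part of the LiteSpeed documentation: a POSIX shell script that performs the key and certificate steps above non-interactively, producing exactly the two files the listener needs (server.key and server.crt). It goes slightly beyond the text: the canonical name becomes the Common Name as described in the example above, and the canonical name and its aliases are also written into a subjectAltName extension, because modern browsers match the host name against subjectAltName rather than the Common Name. The key is written without a passphrase, as the note above requires, and the files are created readable only by the user who runs the script. It assumes openssl 1.1.1 or newer (for -addext) and uses the hypothetical domain foo.bar from the example.

```shell
#!/bin/sh
# Added example (not LiteSpeed code): unencrypted key + one-year self-signed
# certificate for an LSWS listener. Assumes openssl >= 1.1.1 on PATH.

# make_self_signed OUT_DIR CANONICAL_NAME [ALIAS...]
# Writes OUT_DIR/server.key and OUT_DIR/server.crt. The canonical name is the
# Common Name; it and every alias go into subjectAltName. -nodes leaves the
# key unencrypted, which LSWS requires. umask 077 is set in a subshell so the
# new files are mode 0600 without changing the caller's umask.
make_self_signed() {
    out_dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for alias in "$@"; do san="$san,DNS:$alias"; done
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$out_dir/server.key" -out "$out_dir/server.crt" \
        -days 365 -subj "/CN=$cn" -addext "subjectAltName=$san" >/dev/null 2>&1 )
}

# Print the Common Name from the certificate subject.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# Print the subjectAltName entries as a comma-separated list, e.g.
# DNS:foo.bar,DNS:www.foo.bar
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n 's/^ *DNS:/DNS:/p' | tr -d ' '
}

# Return 0 if the certificate will still be valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Return 0 if the key file has no passphrase: both PKCS#8 ("ENCRYPTED PRIVATE
# KEY") and traditional ("Proc-Type: 4,ENCRYPTED") headers contain this word.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Return 0 if the key file is readable by its owner only (mode 0600).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh make_cert.sh /path/to/certdir foo.bar www.foo.bar
if [ $# -ge 2 ]; then
    make_self_signed "$@" \
        && echo "CN: $(cert_common_name "$1/server.crt")" \
        && echo "SAN: $(cert_sans "$1/server.crt")"
fi
```

Point the listener's Private Key File at server.key and Certificate File at server.crt; the helper functions let you confirm from a shell, before restarting the server, that the Common Name is the canonical name, that the key has no passphrase, and that only the server's user can read it.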
Verify SSL is Working

Online SSL Testing Tool

Use the ssllabs testing tool.

Simple Browser Check

The exact mechanism depends on your browser, but you should be able to click an icon next to the URL to get site information, including connection security. You can usually also click on the padlock or similar icon to get more information about the connection.