Excalibur's Sheath

SSL with Let's Encrypt and Webmin

Apr 18, 2016 • website,web

[SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security) allows two computers to communicate securely. Secure communication can be used with web traffic, email traffic, and FTP traffic. I am going to speak about setting up SSL with web traffic and email traffic in mind, because for secure file transfer I prefer to use SFTP, which provides its own secure connection.

### Why SSL is Important

SSL prevents attacks against data as it travels between two computers on a network, such as between a web browser and a web server. SSL does not encrypt data while it's on the server, or when it reaches its destination.

SSL encrypted websites and email are really good; they protect privacy, and help keep sensitive information secure. If SSL is so good, why is it not more widely implemented? Why is it that not every website is secure by default?

The largest block to implementing widespread SSL encryption is that while every Linux server can generate SSL certificates, they are not trusted. This is because it is like when two strangers meet and introduce themselves: they do not really know if the other is telling the truth. To solve this issue, Certificate Authorities were invented. A Certificate Authority is a trusted source which can create certificates for others. To use the previous analogy, it's like there is a person known to both people who are meeting for the first time, and that person conducts the introductions; because of the trust the two parties have in the third, they can trust that the people are who they say they are.

Usually the certificate authorities charge money for issuing certificates. This is where [Let's Encrypt](https://letsencrypt.org/) comes in. They provide a way to generate valid certificates, which browsers and email servers will take without generating errors. Let's Encrypt has also created automated processes to issue and renew the certificates; this helps because the certificates they issue are good for 90 days.

### Installing Let's Encrypt

I started my installation trying to do the following steps, which work for many:

```
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
```

These commands produced errors, and did not install the Let's Encrypt client for me. I found out I'm [not the only one](https://github.com/letsencrypt/letsencrypt/issues/1803) who had similar errors. I added the backports repository to Debian Jessie in the /etc/apt/sources.list file, and installed with Aptitude.

```
deb http://ftp.debian.org/debian jessie-backports main
deb-src http://ftp.debian.org/debian jessie-backports main
```

### Setting Up Webmin

I used [this guide](https://frostfenix.com/tech/lets-encrypt-virtualmin-ubuntu/) about installing Let's Encrypt with Webmin/Virtualmin. Once I was past the issue with actually installing the client, I found the rest of the guide really useful for getting the certificates set up.

When I tested the strength of the SSL certificates, I found it all set up great, except for the subdomain of my Webmin login. I found [this guide](https://www.mikenabhan.com/how-to-use-lets-encrypt-to-issue-a-certificate-for-webmin/) which helped me set up encryption on my Webmin login. The steps were:

1. Stop Apache
1. Create a certificate for the subdomain outside of Webmin/Virtualmin with the letsencrypt command
1. Restart Apache
1. Change the key, certificate, and chain locations to
    * /etc/letsencrypt/live/webmin.mydomain.com/privkey.pem
    * /etc/letsencrypt/live/webmin.mydomain.com/cert.pem
    * /etc/letsencrypt/live/webmin.mydomain.com/chain.pem

The guide calls for copying the files to the Webmin location. I suggest either linking as I have done, or creating a symlink, so that you don't have to copy every time the certificate is renewed.

### Conclusion

After a lot of reading over the last two days I have my websites secured with SSL, my email secured, and my Webmin login is secured as well. I will have to renew the certificate for my Webmin login manually or with a cronjob, but that is not hard to do. I also changed my email servers from mail.domain for all of my domains to excalibursheath.com, and I have working email which is SSL secured.
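
The four Webmin steps above, scripted so the renewal can be run from cron; this is an added example, not code from the original post or the linked guides. It assumes Debian's `service` wrapper, a `letsencrypt certonly --standalone` invocation, and Webmin's configuration at `/etc/webmin/miniserv.conf` with its `keyfile`, `certfile` and `extracas` settings; `webmin.mydomain.com` is the post's placeholder hostname.

```shell
#!/bin/sh
# Added example: renew the Webmin certificate and keep Webmin pointed at the
# Let's Encrypt "live" files, so no private-key copies have to be maintained.
DOMAIN="${DOMAIN:-webmin.mydomain.com}"    # placeholder hostname from the post
LIVE="${LIVE:-/etc/letsencrypt/live/$DOMAIN}"
CONF="${CONF:-/etc/webmin/miniserv.conf}"  # assumption: default Webmin config path

# set_key FILE KEY VALUE: drop any existing KEY= line and append the new one.
# Writing back with cat keeps the file's owner and mode intact.
set_key() {
    tmp=$(mktemp) || return 1
    { grep -v "^$2=" "$1" || true; printf '%s=%s\n' "$2" "$3"; } > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Step 4 of the post: key, certificate and chain locations.
# Assumption: these are set through miniserv.conf rather than the Webmin UI.
point_webmin_at_live() {
    set_key "$1" keyfile  "$LIVE/privkey.pem"
    set_key "$1" certfile "$LIVE/cert.pem"
    set_key "$1" extracas "$LIVE/chain.pem"
}

# Steps 1-3 of the post. Standalone mode binds the web ports itself, which is
# why Apache has to be stopped first.
renew_webmin_cert() {
    rc=0
    service apache2 stop
    letsencrypt certonly --standalone -d "$DOMAIN" || rc=$?
    service apache2 start    # bring Apache back even if issuance failed
    [ "$rc" -eq 0 ] || return "$rc"
    point_webmin_at_live "$CONF"
    service webmin restart   # restart so Webmin loads the renewed files
}

# Only touch services when asked to: sh renew-webmin.sh run
if [ "${1:-}" = "run" ]; then
    renew_webmin_cert
fi
```

Because the certificates are good for 90 days, a monthly root cron entry calling the script with `run` leaves room for a failed attempt to be retried before expiry.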