Outdated! see TLS Everywhere with Let’s Encrypt.
just some quick and dirty notes for myself on setting up SSL, TLS, HTTPS, … with StartSSL.
pre-requisites
get a cert as described in the heise article SSL für lau (english version: SSL for free).
you might find my scripts for generating a key and a certificate signing request useful.
generate key
#!/bin/bash
# generate a 2048 bit RSA key named after the common name, readable only by its owner
if ! which openssl > /dev/null ; then
  echo "openssl is not installed!" 1>&2
  exit 1
fi
if [ "$#" == "0" ]; then
  echo "usage: $0 commonName"
  exit 1
fi
CN=$1
KEY=$CN.key
if [ -f "$KEY" ]; then
  echo "$KEY exists already!"
  exit 2
fi
openssl genrsa -out "$KEY" 2048
chmod 600 "$KEY"
generate certificate signing request
#!/bin/bash
# generate a certificate signing request for an existing key named after the common name
if ! which openssl > /dev/null ; then
  echo "openssl is not installed!" 1>&2
  exit 1
fi
if [ "$#" == "0" ]; then
  echo "usage: $0 commonName"
  exit 1
fi
CN=$1
KEY=$CN.key
CSR=$CN.csr
if [ -f "$CSR" ]; then
  echo "$CSR exists already!"
  exit 2
fi
if ! [ -f "$KEY" ]; then
  echo "$KEY missing!"
  exit 3
fi
# temporary openssl config (Debian's tempfile: mode 600, prefix "exi")
SSLEAY="$(tempfile -m600 -pexi)"
cat > "$SSLEAY" <<EOM
[ req ]
default_days = 730
default_keyfile = $KEY
distinguished_name = req_distinguished_name
#req_extensions = v3_req

[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = $CN
commonName_max = 64
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Nowhere Land
localityName = Locality Name (eg, city)
localityName_default = Nowhere City
organizationName = Organization Name (eg, company)
organizationName_default = Nowhere Company
emailAddress = Email Address
emailAddress_default = certmaster@<fqdn>
emailAddress_max = 64

#[ v3_req ]
#subjectAltName = DNS:*.$CN
EOM
openssl req -batch -config "$SSLEAY" -new -key "$KEY" -out "$CSR"
rm -f "$SSLEAY"
chmod 640 "$CSR"
cat "$CSR"
because your certificate is signed by an intermediate certificate that is not shipped with every client (only the root certificate is), you have to send the intermediate to the client yourself, so first download the CA certificates. be careful if you go for Class 2 certificates, …
cd /etc/ssl/certs
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
wget http://www.startssl.com/certs/ca.pem
Apache
enable the SSL module in Apache.
a2enmod ssl
your ports.conf should look like the following; also respect the hint about the default-ssl site.
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    NameVirtualHost *:443
    Listen 443
</IfModule>
duplicate your port 80 VirtualHost section as a port 443 section and add the SSL directives below.
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/<fqdn>.key
SSLCertificateFile /etc/ssl/certs/<fqdn>.crt
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
if you’d like to redirect everybody accessing your site to https, add the following to your port 80 VirtualHost section, as described here.
Redirect permanent / https://<fqdn>/
Dovecot
combine the intermediate certificate with your own certificate.
cd /etc/ssl/certs
cat <fqdn>.crt sub.class1.server.ca.pem > <fqdn>.pem
add the key and the certificate to your dovecot config in /etc/dovecot/conf.d/10-ssl.conf
# the leading < tells dovecot to read the file contents instead of using the path as the value
ssl_cert = </etc/ssl/certs/<fqdn>.pem
ssl_key = </etc/ssl/private/<fqdn>.key
Exim
same here, combine the intermediate certificate with your own certificate.
cd /etc/ssl/certs
cat <fqdn>.crt sub.class1.server.ca.pem > <fqdn>.pem
we do it as described in section 2.2.2, Enabling TLS support for Exim as server, of /usr/share/doc/exim4-base/README.Debian.gz.
edit your /etc/exim4/conf.d/main/00_local-config_macros and follow the hint about the ownership of the key and certificate files.
# enable TLS
MAIN_TLS_ENABLE=1
# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----).
MAIN_TLS_CERTIFICATE = /etc/ssl/certs/<fqdn>.pem
MAIN_TLS_PRIVATEKEY = /etc/ssl/private/<fqdn>.key
Prosody
same here, combine the intermediate certificate with your own certificate.
cd /etc/ssl/certs
cat <fqdn>.crt sub.class1.server.ca.pem > <fqdn>.pem
respect the order!
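a small self-check for that order, added here as an example and not part of the original notes: it splits the combined <fqdn>.pem into its certificates, pulls the raw issuer and subject fields out of each one, and confirms that every certificate is followed by the one that issued it (optionally also that the last one chains to ca.pem). the sample certificates at the bottom are constructed, unsigned skeletons with made-up names, only good enough to exercise the parser; your real <fqdn>.pem and ca.pem can be read and passed to chain_errors() as-is.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of following length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER bytes of (issuer, subject) from one X.509 certificate."""
    _, p, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:               # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)        # serialNumber
    _, _, p = _tlv(der, p)        # signature AlgorithmIdentifier
    _, _, end = _tlv(der, p)      # issuer Name
    issuer, p = der[p:end], end
    _, _, p = _tlv(der, p)        # validity
    _, _, end = _tlv(der, p)      # subject Name
    return issuer, der[p:end]

def chain_errors(bundle_pem, root_pem=b""):
    """Order problems in a leaf-first bundle (optionally checked up to the root CA); [] means OK."""
    pem_to_der = lambda pem: [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem)]
    certs = pem_to_der(bundle_pem)
    if not certs:
        return ["no certificates found in bundle"]
    certs += pem_to_der(root_pem)[:1]  # the root (ca.pem) is compared against, not shipped
    names = [issuer_subject(c) for c in certs]
    return [f"cert {i} is not issued by cert {i + 1} (wrong order or missing link)"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def fake_cert(subject, issuer):
    """Constructed, unsigned X.509 skeleton used as sample input only (not a real cert)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths suffice here
    name = lambda s: der(0x30, der(0x0C, s.encode()))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, b"\x2a"))
           + name(issuer) + der(0x30, b"") + name(subject) + der(0x30, b""))
    cert = der(0x30, der(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"
# Constructed sample mirroring the notes: server cert, then the intermediate, then the root.
LEAF = fake_cert("example.org", "Example Class 1 Intermediate CA")
SUB = fake_cert("Example Class 1 Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
```

with a real bundle, `chain_errors(open("/etc/ssl/certs/<fqdn>.pem", "rb").read(), open("/etc/ssl/certs/ca.pem", "rb").read())` returns an empty list when the cat above was done in the right order and names the offending pair otherwise.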
enable SSL/TLS on your Prosody server the following way; on top of the defaults we just want to disable SSLv3.
ssl = {
    key = "/etc/ssl/private/jabber.rekmp.net.key";
    certificate = "/etc/ssl/certs/jabber.rekmp.net.pem";
    -- see https://prosody.im/doc/advanced_ssl_config
    -- Prosody's default, as of 0.9.2, added no_sslv3
    options = { "no_sslv2", "no_ticket", "no_compression", "cipher_server_preference",
                "single_dh_use", "single_ecdh_use", "no_sslv3" };
}
for more details have a look at Certificates and Advanced SSL/TLS configuration. additionally you should test the security of your Jabber/XMPP server on IM Observatory.