Tag Archives: security

HPKP with Letsencrypt certificates

1 Reply

This post will explain how you can keep using HPKP while switching from commercial certificates to Letsencrypt certificates. In my previous post I already explained how to get a brand new certificate from Letsencrypt.org. If you’re working with HPKP, it’s critical that your public key doesn’t change when you’re installing a new certificate. The easiest solution is re-using an older Certificate Signing Request to request the new cert. If you still have the CSR, you can jump to “Let’s sign the CSR”.

Creating a new CSR

This section only applies if you don’t or can’t reuse the existing CSR. Since I had a need for extra Subject Alternative Names, let’s start to create a new CSR.

openssl req -new -key www.rivy.org.key -nodes -sha512 -subj "/CN=rivy.org" -reqexts SAN -out rivy.org.csr.der -outform der -config <(
cat <<-EOF
[req]
distinguished_name = dn
[dn]
[SAN]
subjectAltName=DNS:rivy.org,DNS:www.rivy.org,DNS:mail.rivy.org,DNS:webmail.rivy.org,DNS:imap.rivy.org
EOF
)

This single command writes the new CSR in DER format to rivy.org.csr.der. Note that I’m re-using the old key that was generated a long time ago. The public key corresponding to this private key is pinned in the HPKP header. For this reason, it’s critical that you don’t create a new key. If you do, HPKP (RFC7469) will kick in, and your browse will refuse to display the website.

Let’s sign the CSR

The previous post explains you how to install the letsencrypt client. Once installed, issue the next command to get your new CSR signed. Obviously you have to adapt these commands to your needs.

root@certserver:~/letsencrypt# ./letsencrypt-auto certonly -t --csr ../rivy.org.csr.der 
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -t --csr ../rivy.org.csr.der

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /root/letsencrypt/0001_chain.pem. Your cert will expire on
   2016-03-10. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@certserver:~/letsencrypt#

Congratulations! You can find you’re new certificate here : /root/letsencrypt/0001_chain.pem. Note the file contains the issuer and the certificate. If I remove the issuer from the file and recalculate the PIN, it’s still exactly the same as previously.

rivy@certserver:~$ openssl x509 -in cert.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
writing RSA key
VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=
rivy@asuslin:~$

The old version can be found in the previous post.

Getting a cert from LetsEncrypt.org

1 Reply

This post explains how to get your first certificate from letsencrypt.org. Everyone can get a free and valid certificate for any of the domains that you own. The following steps have been tested on a fresh install of Ubuntu 14.04.

Getting the software

Let’s start with installing git. This is required to get the letsencrypt software. Note that I have been running all commands as root. Maybe this is not required for all steps, but since some of the following commands are installing software, you’ll need to have root rights for those steps.

root@certserver:~# apt-get install git

Git and all of its dependencies will now install. When finished, we use git to fetch the latest version of letsencrypt.

root@certserver:~# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 25493, done.
remote: Compressing objects: 100% (45/45), done.
remote: Total 25493 (delta 21), reused 0 (delta 0), pack-reused 25448
Receiving objects: 100% (25493/25493), 6.72 MiB | 2.91 MiB/s, done.
Resolving deltas: 100% (17859/17859), done.
Checking connectivity... done.
root@certserver:~#

Now change directory and execute the main install script.

root@certserver:~# cd letsencrypt/
root@certserver:~/letsencrypt# ./letsencrypt-auto

This wil take some time and install lots of packages. After a few minutes, the installation ended and these were the last 2 lines printed.

Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt
No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command

The message is displayed because no supported webserver is installed on my server. In my case that’s normal as I did not install Apache or Nginx on this freshly installed server. My only goal was to get certificates for my domain and that can be accomplished with the “certonly” command.

Requesting your first certificates

Note that I added the “-t” option to stay in text mode and not ncurses. Just to make it easier to copy and paste the output on this document.

 root@certserver:~/letsencrypt# ./letsencrypt-auto certonly -t
Enter email address (used for urgent notices and lost key recovery) (Enter 'c'
to cancel):

Give them your email address.
Next you’ll have to read and agree to the Term of Service. After you accept the ToS, pay attention to the most important step of the process. You have to enter your domain names.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):

I suggest to list all domains for which you would to request a certificate. In my case this would be

rivy.org www.rivy.org mail.rivy.org webmail.rivy.org

If all went fine, you’ll see the following message.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/rivy.org/fullchain.pem. Your cert will
   expire on 2016-03-09. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@certserver:~/letsencrypt#

Possible errors

Failed authorization procedure. mail.rivy.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge.

If you get this error check these 2 things:

  • Is the domainname resolving to the IP address of the server?
  • Is the server reachable on port 80 and 443 from the internet?
    These 2 items are required to check ownership of the domain. And obviously you need to control the domain to get a cert from letsencrypt.org

    • Enable Public Key Pinning on Apache2

    2 Replies

    How to enable Public Key Pinning Extension for HTTP (HPKP) on Apache2. HPKP tries to detect MITM attacks with valid certificates. The first time a browser visits a HPKP enabled website, it stores the hash from the public key. For all subsequent TLS connections, the received key against is checked against the stored key.

    How to enable HPKP on Apache2?

    Calculate the sha256 hash for the public key

    In this example I’m using the certificate as a base to extract the public key.

    $ openssl x509 -in www_rivy_org.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
writing RSA key
VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=

    Continue reading