I've switched to Let's Encrypt for TLS encryption on my personal email server

Years ago I started using iRedmail for my personal email. I love it, and it's super easy to setup. Way back then I purchased a three year Comodo SSL certificate for it. Well that certificate expired, and it looks like none of the affordable SSL companies are offering three year certificates anymore... Bummer.

Oh, well. I figured why waste the money anyway when I could just get a free certificate from Let's Encrypt! The only issue I have with Let's Encrypt is that they only issue three month certificates. Apparently they think it's more secure that way. Here are the reasons they give from their blog:

• They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
• They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.

Well, they are right about one thing, the automated renewal process is pretty convenient. The only issue I had with it was that they recommend using Certbot for Linux based servers. When I followed this post (How To Secure Nginx with Let's Encrypt on Ubuntu 16.04) on how to install it, I got a bunch of errors and jacked up my Ubuntu based iRedmail server... (Thank God for backups!)

Anyway, there are much easier scripts and utilities around that can basically do the same thing. I opted for acme.sh! From their page:

• An ACME protocol client written purely in Shell (Unix shell) language.
• Full ACME protocol implementation.
• Support ACME v1 and ACME v2
• Support ACME v2 wildcard certs
• Simple, powerful and very easy to use. You only need 3 minutes to learn it.
• Bash, dash and sh compatible.
• Simplest shell script for Let's Encrypt free certificate client.
• Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
• Just one script to issue, renew and install your certificates automatically.
• DOES NOT require root/sudoer access.
• Docker friendly
• IPv6 support
• It's probably the easiest & smartest shell script to automatically issue & renew the free certificates from Let's Encrypt.

Installation was easy, and so was requesting my first certificate. A part of the install process is that it creates a cron job to automatically renew your certificates. The one modification I had to do was to create a script with the following to copy the new certs from the default location in the installer user's home directory to the directory where I keep my certificates and keys:

 #!/bin/bash  
 cd ~/.acme.sh/domainname.com/  
 yes | cp -rf *.cer /pathto/ssl/certs/  
 yes | cp -rf *.key /pathto/ssl/private/  
 service apache2 restart  
 service dovecot restart  
 service postfix restart  

After that, I created a cron job to run that script nightly since their renewal script runs twice a day. Boom, done! Now I shouldn't have to worry about SSL certificates on this server for a very long time, or until I built my next one.

Do you use Let's Encrypt on your servers? Do you like it? Why or why not? Let us know in the comments!

Read more »

Script To Configure Your Azure Application Gateway For TLS 1.2 Only

If you are just reading this post, you are cutting things pretty close with PCI/DSS compliance! After all, you have until the end of the month to remove older versions of TLS to remain PCI compliant.

Well, if you are using Application Gateways in Azure to secure your web servers, you're in luck, because setting a custom SSL policy is pretty easy. You just have to do it via PowerShell.

Now, this script assumes you've already created your Application Gateway. If you are trying to configure one from scratch, you'll have to keep Googling my friend... Sorry.

Before you can run your script, you must first connect to Azure via PowerShell, and select your subscription.

• Connect-AzureRmAccount
• Select-AzureRmsubscription -SubscriptionName "<Subscription name>"

After that, you can copy and paste the below script to set your custom SSL policy. Be sure to replace the Application Gateway Name and the Resource Group Name to match your environment.

Here's the script:

 # get an application gateway resource  
 $gw= Get-AzureRmApplicationGateway -Name <Application Gateway Name> -ResourceGroup <Resource Group Name>  
 # set the SSL policy on the application gateway  
 Set-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"  
 # validate the SSL policy locally  
 Get-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $gw  
 # update the gateway with validated SSL policy  
 Set-AzureRmApplicationGateway -ApplicationGateway $gw  

After that, your Application Gateway will only support TLS 1.2, and will use the following ciphers in order:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

Pretty easy right? Did this help you out? Let us know in the comments!

Read more »