A Better Way to Purchase and Install SSL Certificates
Did you know it’s possible to purchase new SSL certificates from the command line, and automatically renew those certificates with a simple cronjob? In this tutorial I’ll walk you through using the sslmate command-line tool, plus show you how to configure Nginx to earn an “A+” HTTPS security rating.
Introducing sslmate
I always used to dread purchasing SSL certificates. Registrars typically have terrible websites, the process is full of forms and email, and since renewal happens only once a year, I would always struggle to remember the process.
All that changed when I discovered sslmate. Its entire purpose is to sell (and renew) SSL certificates in a developer-friendly context: on the command line. Here’s how it works:
- Create an account and enter your credit card and contact information once on the sslmate website (Stripe is used to process and store the card).
- Install the sslmate command-line app on the web server that needs the certificate (any of the usual package managers will work, e.g. brew, apt, yum).
- Run sslmate buy [domain] to purchase a certificate. (Yes, it’s that easy.)
- Configure Nginx to point to the key and latest certificates, which sslmate helpfully stores (and keeps updated!) in /etc/sslmate.
Simple, right? But the biggest win is the renewal step: sslmate certs auto-renew by default, and obtaining the new certs is as simple as sslmate download --all. You can run that command as a cronjob to guarantee that your SSL certs always stay up to date. Beautiful.
If you’re a devops nerd like me, I’m sure you’re excited to try this out. Keep reading for a quick tutorial for Nginx on Ubuntu 14.04 LTS.
(Full disclosure: I am in no way affiliated with sslmate; just a happy customer.)
1. Create an sslmate account
Visit the sslmate website to create an account. To streamline the purchasing process, sslmate collects certain information up front. By entering this information once, you’ll be able to purchase and renew as many certs as you want without any tedious forms to fill out.
Here’s the information sslmate needs to create an account:
- Username, email, and password (you’ll use these later to authorize the command-line app)
- Country and phone number (required by the certificate-issuing authorities)
- Credit card number, expiration, and CVC (processed via Stripe)
Once you have an account, sslmate provides a nice dashboard to view and download any certs you’ve purchased, access invoices, manage renewal settings, etc. Simple and straight-forward, no advertising, no nonsense.
2. Install and link the command-line app
From here I’ll assume you are installing a certificate for Nginx running on Ubuntu 14.04 LTS. For other server/OS combinations, check out the sslmate docs.
To install, run the following commands as root on the webserver that needs the SSL certificate:
wget -P /etc/apt/sources.list.d https://sslmate.com/apt/ubuntu1404/sslmate.list
wget -P /etc/apt/trusted.gpg.d https://sslmate.com/apt/ubuntu1404/sslmate.gpg
apt-get update
apt-get install sslmate
Next, I recommend you “link” your sslmate account. This saves your credentials so that you can run sslmate commands without needing to enter your password every time.
sslmate link
You’ll be prompted to authorize with your sslmate username and password (i.e. the ones you specified in step 1).
3. Purchase a cert
Let’s say you need to buy a certificate for www.example.com. Just run (again, as root):
sslmate buy www.example.com
This will buy a standard SHA256 certificate that works for securing https://www.example.com as well as the bare https://example.com domain.
To complete the purchase, sslmate will prompt you on the command line to select an email address associated with the domain. Within a few seconds you’ll receive an email sent to that address with an approval link, to prove that you are the owner.
To prove that you are authorized to obtain a certificate for example.com,
you must respond to an email sent to one of the following addresses, or add
a DNS record to your domain.
How would you like to prove authorization?
1. admin@example.com
2. administrator@example.com
3. hostmaster@example.com
4. postmaster@example.com
5. webmaster@example.com
6. Add a DNS record
Enter 1-6 (or q to quit):
And that’s it! The purchase is made with your saved credit card, and sslmate places the resulting certificates, along with the server key, into /etc/sslmate. Note the permissions in the listing below: the private key is mode 0600 (readable by root only), as it should be, while the certificates are world-readable, which is fine because they are public:
# ls /etc/sslmate
-rw-r--r-- www.example.com.chain.crt
-rw-r--r-- www.example.com.chained.crt
-rw-r--r-- www.example.com.crt
-rw------- www.example.com.key
4. Configure Nginx
The last step is to configure nginx.conf to use these freshly purchased certificates. The relevant settings are:
ssl_certificate /etc/sslmate/www.example.com.chained.crt;
ssl_certificate_key /etc/sslmate/www.example.com.key;
To ensure Nginx is not vulnerable to known SSL attacks, I suggest following the recommendations on weakdh.org. Specifically, generate a unique DH group if you haven’t already done so:
openssl dhparam -out /etc/ssl/dhparams.pem 2048
Then enable SSL using settings like these, which limit the ciphers and protocols used:
server {
listen 443 spdy default deferred;
ssl on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_certificate /etc/sslmate/www.example.com.chained.crt;
ssl_certificate_key /etc/sslmate/www.example.com.key;
add_header Strict-Transport-Security "max-age=631138519";
}
Don’t forget to restart nginx for these changes to take effect.
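The protocol and cipher lists above follow weakdh.org’s advice from the time the post was written. Since then TLS 1.0, TLS 1.1 and 3DES have been retired by the major browsers, and SSL Labs now caps a server that still offers TLS 1.0/1.1 at a B, so the same block will no longer earn an A+ unchanged. The script below is an added example, not code from the original post and not part of sslmate: it reads an nginx server block and flags the settings that have become weak (old protocols, weak suites that are not explicitly excluded, finite-field DH suites with no ssl_dhparam, missing HSTS), and it writes out the tutorial’s block next to a hardened equivalent so the two can be compared. The file paths are assumptions, and the TLSv1.3 line assumes nginx 1.13+ built against OpenSSL 1.1.1, which is newer than anything Ubuntu 14.04 ships; drop it on that release.

```shell
#!/bin/sh
# Added example, not from the original post and not sslmate's code: audit an
# nginx TLS configuration for settings that are now considered weak, and write
# out a hardened equivalent for comparison. Paths are assumptions.

# tls_findings FILE: print one line per finding; prints nothing if clean.
tls_findings() {
    cfg=$1

    # 1. Protocols: everything below TLS 1.2 is retired by current browsers
    #    and capped to a B by SSL Labs.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$cfg")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol enabled: $p" ;;
        esac
    done

    # 2. Ciphers: walk the OpenSSL cipher list; entries prefixed with '!' are
    #    exclusions and therefore fine. Also remember whether a finite-field
    #    DH suite is enabled, because that is what makes ssl_dhparam matter.
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\).*/\1/p' "$cfg")
    ffdh=0
    old_ifs=$IFS
    IFS=:
    for c in $ciphers; do
        case "$c" in
            !*) continue ;;
            DH+*|DHE-*|EDH-*|DHE|kDHE|kEDH) ffdh=1 ;;
        esac
        case "$c" in
            *3DES*|*DES-CBC*|*RC4*|*MD5*|*NULL*|*EXPORT*)
                echo "weak cipher allowed: $c" ;;
        esac
    done
    IFS=$old_ifs

    # 3. weakdh.org's point: DHE suites without an explicit group fall back to
    #    the small default group on old nginx builds.
    if [ "$ffdh" -eq 1 ] && ! grep -q '^[[:space:]]*ssl_dhparam' "$cfg"; then
        echo "finite-field DH suites enabled without ssl_dhparam"
    fi

    # 4. SSL Labs only awards an A+ when a long-lived HSTS header is sent.
    grep -q 'add_header[[:space:]]*Strict-Transport-Security' "$cfg" \
        || echo "no Strict-Transport-Security header"
}

# sample_weak_config FILE: the tutorial's server block, written out as a
# constructed sample so the audit can run offline.
sample_weak_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_certificate /etc/sslmate/www.example.com.chained.crt;
    ssl_certificate_key /etc/sslmate/www.example.com.key;
    add_header Strict-Transport-Security "max-age=631138519";
}
EOF
}

# sample_hardened_config FILE: the same block with TLS 1.2+ and ECDHE AEAD
# suites only (remove TLSv1.3 on nginx older than 1.13 / OpenSSL older than 1.1.1).
sample_hardened_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_certificate /etc/sslmate/www.example.com.chained.crt;
    ssl_certificate_key /etc/sslmate/www.example.com.key;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
EOF
}

# Usage: sh tls-audit.sh /etc/nginx/nginx.conf   (exits 1 if anything is flagged)
if [ -n "${1:-}" ] && [ -f "${1:-}" ]; then
    findings=$(tls_findings "$1")
    [ -z "$findings" ] || { echo "$findings"; exit 1; }
fi
```

Run against the tutorial’s block the audit reports TLSv1, TLSv1.1, DH+3DES and RSA+3DES; against the hardened block it reports nothing. The cipher walk only looks at the literal list, so an alias such as HIGH or DEFAULT is not expanded; when a config relies on aliases, feed `openssl ciphers -v '<list>'` to the same checks instead.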
How to perform a security scan
New HTTPS security holes are discovered and made public from time to time. If you maintain a webserver it is a good idea to run security checks regularly. One service that offers free HTTPS checks with friendly letter-grade results is the Qualys SSL Server Test.

Bonus! Set up automatic renewal with cron
The sslmate service (accessible through the web-based dashboard) stores all the certificates you’ve purchased, and auto-renews those certificates by default.
This means that your certificates are always up to date; after an auto-renewal occurs, you just need to download the new certs to the appropriate /etc/sslmate location and restart nginx to pick them up.
The sslmate download command does exactly that, and is smart enough not to needlessly re-download certificates that are already up to date. You can run it once a day to check if a renewed cert is available; if so, it will be downloaded, and if not, nothing changes.
Here’s a script to do it:
#!/bin/sh
if sslmate download --all > /dev/null
then
service nginx restart > /dev/null
fi
Place this script in a file called /etc/cron.daily/sslmate (make sure it is owned and executable by root) and you’re all set!
For more details on cron-based renewals, check out sslmate’s blog post.
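The four-line script above restarts nginx whenever sslmate download exits zero. Two things worth adding before you rely on it unattended: run nginx -t before touching the running server, so that an unrelated config edit does not take the site down when cron fires, and use reload rather than restart so open connections are not dropped. The script below is an added example, not the original post’s script and not sslmate’s code. It assumes the certificates live in /etc/sslmate (override with SSLMATE_DIR) and that nginx is driven with service nginx reload, as on Ubuntu 14.04, and it decides whether to reload by fingerprinting the certificate files rather than by interpreting the download command’s exit status.

```shell
#!/bin/sh
# Added example, not the original post's script and not sslmate's code:
# a daily renewal job that reloads nginx only when a certificate file actually
# changed, and only after `nginx -t` accepts the configuration.
# Assumptions: certificates live in $SSLMATE_DIR (default /etc/sslmate) and
# nginx is driven with `service nginx reload`, as on Ubuntu 14.04.

SSLMATE_DIR="${SSLMATE_DIR:-/etc/sslmate}"

# Portability shim: macOS ships shasum rather than sha256sum.
if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256; }
fi

# cert_fingerprint DIR: one SHA-256 over the contents of every *.crt in DIR,
# so any renewed certificate changes the value.
cert_fingerprint() {
    for f in "$1"/*.crt; do
        [ -f "$f" ] && cat "$f"
    done | sha256sum | cut -d' ' -f1
}

# reload_nginx: validate first; reloading a broken config would take the site
# down, and `reload` keeps existing connections open, unlike `restart`.
reload_nginx() {
    if nginx -t >/dev/null 2>&1; then
        service nginx reload >/dev/null
    else
        echo "nginx -t failed; leaving the running nginx untouched" >&2
        return 1
    fi
}

# renew_certs: fetch renewed certificates and reload nginx if any file changed.
# Returns 0 = renewed and reloaded, 1 = nothing changed, 2 = renewed but the
# reload was refused (fix the config, then `service nginx reload` by hand).
renew_certs() {
    before=$(cert_fingerprint "$SSLMATE_DIR")
    # The download's exit status is logged but not interpreted; the files on
    # disk decide whether a reload is needed.
    sslmate download --all >/dev/null || echo "sslmate download exited $?" >&2
    after=$(cert_fingerprint "$SSLMATE_DIR")
    [ "$before" != "$after" ] || return 1
    reload_nginx || return 2
    return 0
}

# Install as /etc/cron.daily/sslmate-renew (owned and executable by root).
# Under any other name the file only defines the functions above.
if [ "${0##*/}" = "sslmate-renew" ]; then
    renew_certs
    case $? in 2) exit 1 ;; *) exit 0 ;; esac
fi
```

The job exits non-zero only when a renewed certificate could not be activated, so cron’s mail (or whatever watches run-parts) fires for the case that actually needs a human; a quiet day with nothing to download stays quiet.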
And there’s more…
I’ve only touched on the very basics of sslmate and SSL/TLS deployment. There’s also EV and wildcard certificates (sslmate supports both), and sslmate’s new DNS verification feature, which allows bypassing the email step to make the entire process scriptable. Very cool!
The sslmate command-line tool itself is open source, and the developer is very responsive on GitHub and open to suggestions for improving the service. I encourage you to give it a shot.
About the author
Hi! I’m a Ruby and CSS enthusiast, regular open source contributor, software engineer, and occasional blogger writing from the San Francisco Bay Area. Thanks for stopping by! —Matt