I always used to dread purchasing SSL certificates. Registrars typically have terrible websites, the process is full of forms and email, and since renewal happens only once a year, I would always struggle to remember the process.
All that changed when I discovered sslmate. Its entire purpose is to sell (and renew) SSL certificates in a developer-friendly context: on the command line. Here’s how it works:
- Create an account and enter your credit card and contact information once on the sslmate website (Stripe is used to process and store the card).
- Install the sslmate command-line app on your web server that needs the certificate (any of the usual package managers will work, e.g. apt on Ubuntu, which is what the tutorial below uses).
- Run sslmate buy [domain] to purchase a certificate. (Yes, it’s that easy.)
- Configure Nginx to point to the key and latest certificates, which sslmate helpfully stores (and keeps updated!) in
Simple, right? But the biggest win is the renewal step: sslmate certs auto-renew by default, and obtaining the new certs is as simple as sslmate download --all. You can run that command as a cronjob to guarantee that your SSL certs always stay up to date. Beautiful.
If you’re a devops nerd like me, I’m sure you’re excited to try this out. Keep reading for a quick tutorial for Nginx on Ubuntu 14.04 LTS.
(Full disclosure: I am in no way affiliated with sslmate; just a happy customer.)
Visit the sslmate website to create an account. To streamline the purchasing process, sslmate collects certain information up front. By entering this information once, you’ll be able to purchase and renew as many certs as you want without any tedious forms to fill out.
Here’s the information sslmate needs to create an account:
- Username, email, and password (you’ll use these later to authorize the command-line app)
- Country and phone number (required by the certificate-issuing authorities)
- Credit card number, expiration, and CVC (processed via Stripe)
Once you have an account, sslmate provides a nice dashboard to view and download any certs you’ve purchased, access invoices, manage renewal settings, etc. Simple and straightforward, no advertising, no nonsense.
From here I’ll assume you are installing a certificate for Nginx running on Ubuntu 14.04 LTS. For other server/OS combinations, check out the sslmate docs.
To install, run the following commands as root on the webserver that needs the SSL certificate (the apt-get update refreshes the package index so apt can see the newly added sslmate repository):
wget -P /etc/apt/sources.list.d https://sslmate.com/apt/ubuntu1404/sslmate.list
wget -P /etc/apt/trusted.gpg.d https://sslmate.com/apt/ubuntu1404/sslmate.gpg
apt-get update
apt-get install sslmate
Next, I recommend you “link” your sslmate account. This saves your credentials so that you can run sslmate commands without needing to enter your password every time.
You’ll be prompted to authorize with your sslmate username and password (i.e. the ones you specified in step 1).
Let’s say you need to buy a certificate for www.example.com. Just run (again, as root):
sslmate buy www.example.com
This will buy a standard SHA256 certificate that works for securing https://www.example.com as well as the bare
To complete the purchase, sslmate will prompt you on the command line to select an email address associated with the domain. Within a few seconds you’ll receive an email sent to that address with an approval link, to prove that you are the owner.
To prove that you are authorized to obtain a certificate for example.com,
you must respond to an email sent to one of the following addresses, or add
a DNS record to your domain.
How would you like to prove authorization?
6. Add a DNS record
Enter 1-6 (or q to quit):
And that’s it! The purchase is made with your saved credit card, and sslmate places the resulting certificates, along with the server key, into /etc/sslmate, like this:
# ls /etc/sslmate
The last step is to configure nginx.conf to use these freshly-purchased certificates; the relevant settings are:
To ensure Nginx is not vulnerable to known SSL attacks, I suggest following the recommendations on weakdh.org. Specifically, generate a unique DH group if you haven’t already done so:
openssl dhparam -out /etc/ssl/dhparams.pem 2048
Then enable SSL using settings like these, to limit the ciphers and protocols used:
listen 443 spdy default deferred;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=631138519";
Don’t forget to restart nginx for these changes to take effect.
New HTTPS security holes are discovered and made public from time to time. If you maintain a webserver it is a good idea to run security checks regularly. One service that offers free HTTPS checks with friendly letter-grade results is the Qualys SSL Server Test.
The sslmate service (accessible through the web-based dashboard) stores all the certificates you’ve purchased, and auto-renews those certificates by default.
This means that your certificates are always up to date; after an auto-renewal occurs, you just need to download the new certs to the appropriate
/etc/sslmate location and restart nginx to pick them up.
The sslmate download command does exactly that, and is smart enough not to needlessly re-download certificates that are already up to date. You can run it once a day to check if a renewed cert is available; if so, it will be downloaded, and if not, nothing changes.
Here’s a script to do it:
#!/bin/sh
# Fetch any renewed certificates; restart Nginx only when the download
# command reports that new certificates were actually fetched.
if sslmate download --all > /dev/null
then
    service nginx restart > /dev/null
fi
Place this script in a file called /etc/cron.daily/sslmate (make sure it is owned and executable by root) and you’re all set!
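As an added example (not from the original post and not sslmate’s own code), here is a hardened variant of that cron job: it warns when the certificate is close to expiry (a sign that auto-renewal or the download is silently failing), refuses to reload Nginx if the downloaded certificate does not match the private key, and runs nginx -t before reloading. The /etc/sslmate file names (<domain>.key and <domain>.chained.crt) and the use of service nginx reload are assumptions.

```sh
#!/bin/sh
# Hardened sslmate renewal cron job (added example; the /etc/sslmate
# file layout below is assumed, not taken from sslmate's documentation).
set -u
DOMAIN="${DOMAIN:-www.example.com}"
CERT="${CERT:-/etc/sslmate/$DOMAIN.chained.crt}"
KEY="${KEY:-/etc/sslmate/$DOMAIN.key}"
WARN_DAYS="${WARN_DAYS:-14}"

# cert_key_match CERT KEY -> 0 if the certificate was issued for this private key.
# Compares the PEM public key extracted from each file (works for RSA and EC).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# expires_within CERT DAYS -> 0 if the certificate expires within DAYS days
# (or cannot be read at all, which also deserves a warning).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# reload_nginx -> 0 on success; never reloads with a config that fails 'nginx -t'.
reload_nginx() {
    nginx -t >/dev/null 2>&1 || { echo "nginx config test failed; not reloading" >&2; return 1; }
    service nginx reload >/dev/null
}

main() {
    if expires_within "$CERT" "$WARN_DAYS"; then
        echo "$CERT expires within $WARN_DAYS days; check sslmate renewal status" >&2
    fi
    # As in the simple cron job above, only act when new certificates were fetched.
    if sslmate download --all >/dev/null; then
        cert_key_match "$CERT" "$KEY" || { echo "downloaded cert does not match $KEY" >&2; exit 1; }
        reload_nginx
    fi
}

# Run main only when installed as /etc/cron.daily/sslmate; sourcing the file elsewhere
# just defines the helper functions.
if [ "${0##*/}" = "sslmate" ]; then
    main "$@"
fi
```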
For more details on cron-based renewals, check out sslmate’s blog post.
I’ve only touched on the very basics of sslmate and SSL/TLS deployment. There are also EV and wildcard certificates (sslmate supports both), and sslmate’s new DNS verification feature, which allows bypassing the email step to make the entire process scriptable. Very cool!