Intro
SSL/TLS encrypts the data travelling between your visitors' browsers and your website and lets browsers verify they are talking to the right server. Good thing there is Let's Encrypt to make getting a certificate easier (no more pesky CSRs to generate by hand) and free!
I will also cover here how to get an "A" grade from Qualys' SSL Labs test for your TLS configuration, where no weak cipher suites are enabled, forward secrecy is offered and we are not susceptible to attacks like POODLE.
This will be useful for people who host their own sites using Webmin + Virtualmin.
Getting Started
For this I have my WordPress website (frostfenix.com) hosted on Ubuntu 14.04.4 with the latest version of Virtualmin, in the standard configuration minus the BIND DNS server and FTP.
Install Let’s Encrypt
Run the following commands to install Let’s Encrypt:
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help
You should see the client's help output listing its options.
Optionally you may want to move Let's Encrypt to another location; I moved mine to /usr/local/bin. Note that the letsencrypt-auto script has since been renamed: the same client is now distributed as certbot, so on a current system install certbot and point Webmin at that binary instead.
Add Let’s Encrypt to Webmin
Sign in to your Webmin Console
Go to Webmin > Webmin Configuration > SSL Encryption > Let’s Encrypt
Click on Module Configuration
Enter the full path to the letsencrypt-auto script in the text field provided.
With that Webmin can now call letsencrypt-auto script from your web GUI.
Create and Install Certificates
Go to Virtualmin then select your virtual server where you want to install a certificate from Let’s Encrypt.
After that, proceed to Server Configuration > Manage SSL Certificate > Let's Encrypt, then click on Request Certificate.
That's it! Your website should now be served with a certificate from Let's Encrypt. Keep in mind that Let's Encrypt certificates are valid for only 90 days, so set up automatic renewal rather than relying on renewing by hand.
Improving Security
For testing our SSL/TLS configuration, we will be using Qualys' SSL Labs test. It grades the SSL/TLS configuration of your website free of charge.
If you run it now, you will get a grade of "C". This is because the default configuration still has weaker cipher suites enabled, TLS compression enabled, and older protocol versions (SSLv2 and SSLv3) enabled. Compression is what CRIME exploits, SSLv3 is what POODLE exploits, and weak suites such as RC4 and export ciphers have attacks of their own. Heartbleed is a different case: it is a bug in the OpenSSL library rather than a configuration problem, so no cipher or protocol setting protects you from it; only patching OpenSSL (and reissuing any keys exposed while it was unpatched) does.
Disable Older Versions of SSL/TLS
For frostfenix.com I will only enable TLS (all versions) and disable all versions of SSL (v2 and v3).
To do so, go to Services > Configure Website for SSL > SSL Options and tick TLSv1, TLSv1.1 and TLSv1.2. Be aware that TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996) and SSL Labs now penalises servers that still offer them, so unless you have to support very old clients, tick only TLSv1.2 (and TLSv1.3 where your Apache and OpenSSL support it).
Disable Weaker Cipher Suites and SSL Compression
We will now disable weaker cipher suites and SSL Compression
Go to Services > Configure Website for SSL > Edit Directives
Then add or edit the following directives:
SSLCompression off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
Two things to watch in that string. First, !DES removes single DES only; the 3DES suites (DES-CBC3-SHA and friends) are still enabled, and 3DES is what the SWEET32 attack targets, so add !3DES as well unless you genuinely need to support very old clients. Second, the suites near the end whose names start with AES rather than ECDHE or DHE use plain RSA key exchange and give no forward secrecy; they are only there as a fallback, and Apache will only prefer the forward-secret suites ahead of them if SSLHonorCipherOrder is set to on, otherwise the client's preference wins.
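To see what the string above actually enables before trusting it, here is an added example (my own script, not part of the original post and not Webmin or Virtualmin code) that expands a cipher string with `openssl ciphers -v` and flags every suite that has no forward secrecy or that uses 3DES. The `SAMPLE_OPENSSL_OUTPUT` embedded in it is constructed by hand in the format OpenSSL prints, so the audit runs even without OpenSSL installed; when `openssl` is on the PATH the script expands the real string instead.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# The SSLCipherSuite value from the post, verbatim.
PAGE_CIPHER_STRING = (
    "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:"
    "!MD5:!PSK:!RC4"
)

# Constructed sample (not captured output) in the format `openssl ciphers -v`
# prints, covering a few of the suites the string above enables.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# One line per suite: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_cipher_listing(text: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` output into one dict per suite."""
    suites = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            suites.append(match.groupdict())
    return suites


def expand_cipher_string(cipher_string: str) -> Optional[str]:
    """Ask the local OpenSSL to expand a cipher string; None if it cannot."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def audit(suites: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Flag suites that undermine the 'A grade' goals of the post."""
    findings: Dict[str, List[str]] = {"no_forward_secrecy": [], "triple_des": []}
    for suite in suites:
        # Forward secrecy needs an ephemeral (EC)DH key exchange. Kx=RSA means
        # the session keys are encrypted to the certificate key: leak that key
        # and every recorded session can be decrypted.
        if not suite["kx"].startswith(("ECDH", "DH")):
            findings["no_forward_secrecy"].append(suite["name"])
        # `!DES` in the cipher string removes single DES only; the 64-bit block
        # 3DES suites (SWEET32) survive unless `!3DES` is added explicitly.
        if suite["enc"].startswith("3DES"):
            findings["triple_des"].append(suite["name"])
    return findings


def forward_secret_only(suites: List[Dict[str, str]]) -> List[str]:
    """Suite names that pass both checks, in the order OpenSSL listed them."""
    flagged = audit(suites)
    rejected = set(flagged["no_forward_secrecy"]) | set(flagged["triple_des"])
    return [s["name"] for s in suites if s["name"] not in rejected]


if __name__ == "__main__":
    listing = expand_cipher_string(PAGE_CIPHER_STRING) or SAMPLE_OPENSSL_OUTPUT
    parsed = parse_cipher_listing(listing)
    for category, names in audit(parsed).items():
        print(f"{category}: {', '.join(names) or 'none'}")
    print("keep:", ":".join(forward_secret_only(parsed)))
```

Run it on the server itself so the audit reflects the OpenSSL build Apache actually links against; the list of suite names it prints under `keep` can be pasted back into SSLCipherSuite (keeping the `!aNULL:!eNULL:...` exclusions) if you decide to drop the non-forward-secret and 3DES fallbacks.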
Test your TLS Configuration
As I have previously mentioned, we will use Qualys' SSL Labs test. Here are the results for frostfenix.com, where we got a score of "A".
There we go: we have used a free certificate from Let's Encrypt for a website hosted with Virtualmin on Ubuntu 14.04.4. If you have questions, comments or violent reactions, please leave them in the comment box below.