SSL/TLS makes your website secure by ensuring that data travels to and from your website encrypted. Good thing there is Let’s Encrypt to make things easier (no more pesky CRSs) and free!
I will also cover here how to get an “A” grade rating for your SSL where we do not have weak cipher suites, we have forward secrecy and we do not susceptible to attacks like POODLE.
This will be useful for people who host their own sites using Webmin + Virtualmin.
For this I have my WordPress website (frostfenix.com) hosted on an Ubuntu 14.04.4 with latest version Virtualmin, standard configuration minus Bind DNS server and FTP.
Install Let’s Encrypt
Run the following commands to install Let’s Encrypt:
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto –help
You should see something like this:
Optionally you may want to move lets encrypt to another location, I moved mine to /usr/local/bin
Add Let’s Encrypt to Webmin
Sign in to your Webmin Console
Go to Webmin > Webmin Configuration > SSL Encryption > Let’s Encrypt
Click on Module Configuration
Add the path of where letsencrypt-auto script in the text field given like so
With that Webmin can now call letsencrypt-auto script from your web GUI.
Create and Install Certificates
Go to Virtualmin then select your virtual server where you want to install a certificate from Let’s Encrypt.
After that, proceed to Server Configuration > Manage SSL Certificate > Let’s Encrypt then click on Request Certificate
That’s it! Your website should now be protected with an SSL certificate from Let’s Encrypt.
For testing our SSL/TLS configuration, we will be using Qualys’ SSL Test. You can use that tool and it will grade your SSL/TLS configuration for your website free of charge.
If you use it now, you will get a grade of “C”. This is because you have weaker cipher suites enabled, SSL Compession enabled, or you have older versions of SSL (version 2 and 3) enabled, these are configurations will make you susceptible to vulnerabilities like CRIME, HEARTBLEED, POODLE and many more.
Disable Older Versions of SSL/TLS
For frostfenix.com I will only enable TLS (all versions) and disable all versions of SSL (v2 and v3).
To do so, go to Services > Configure Website for SSL > SSL Options > tick TLSv1, TLSv1.1 and TLS1.2
Disable Weaker Ciphersuites and Disable SSL Compression
We will now disable weaker cipher suites and SSL Compression
Go to Services > Configure Website for SSL > Edit Directives
Then add or edit the the following directives
Test your TLS Configuration
As I have previously mentioned we will use Qualys’ SSL Testing tool. Here are the results of frostfenix.com where we got a score of “A”.
There we go, we have used a free certificate from Let’s Encrypt for a website that is hosted using Virtualmin on Ubuntu 14.04.4. If you have questions, comments or violent reactions. Please leave them on the comment box below.