Translate this page :

Using Let's Encrypt SSL certificate with Pound

:: Let's Encrypt certificates have a particular advantage over its competitors – it can be #automatically renewed. When you manage a lot of servers, this can be a serious time-saving feature.

Pound is a very lightweight reverse-proxy software, which can also act as a SSL endpoint. Means that it will accept the encrypted (HTTPS) traffic, decrypt it, and then forward the result to the webserver at the backend. It's quite helpful to offload this from the webserver.

Here's how to do both (auto-renew Let's Encrypt SSL certificate on Pound), starting from a configuration snippet for /etc/pound/pound.cfg :

=========
ListenHTTPS
Address 0.0.0.0
Port 443
AddHeader ""X-Forwarded-Proto: https""
HeadRemove ""X-Forwarded-Proto""
HeadRemove ""X-Forwarded-For""

Cert "/etc/letsencrypt/live/mywebsite.com/mywebsite.pem"

### avoid poodle security attack
Disable SSLv3
Disable SSLv2

### hardening SSL with strong ciphers, disabling weak ones
Ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"

SSLAllowClientRenegotiation 0
SSLHonorCipherOrder 1

End
========

That config should be able to score (at least an) A from Qualys SSL Labs' website : https://www.ssllabs.com/ssltest/

Here's the script to do the auto-renewal, don't forget to set the cronjob so this is run twice every day on off-peak times :

=========
#!/bin/bash

# renew certificate
/root/tools/certbot/certbot-auto renew

# merge private key with certificate
# to make it readable by Pound

cp /etc/letsencrypt/live/mywebsite.com/privkey.pem /etc/letsencrypt/live/mywebsite.com/mywebsite.pem

cat /etc/letsencrypt/live/mywebsite.com/cert.pem >> /etc/letsencrypt/live/mywebsite.com/mywebsite.pem

# restart Pound
/etc/init.d/pound restart
=========

Have fun with these !

Credits:

(1) Eko Juniarto for suggesting to restart Pound after the renewal process.

(2) Fahri Reza for informing that Let's Encrypt advocates running auto-renewal not once – but twice a day. Eg: in case of an emergency, etc

Post imported by Google+Blog for WordPress.

4 Responses to “Using Let's Encrypt SSL certificate with Pound

Leave a Reply

 

Subscribe without commenting

            








SEObox: Web Hosting Murah Unlimited Komik Indonesia Homeschooling Indonesia