[Tutorial] How to get A+ grade for your SSL websites (Let's Encrypt key) on Virtualmin !

5 posts / 0 new
Last post
#1 Thu, 05/11/2017 - 06:31
vincen

[Tutorial] How to get A+ grade for your SSL websites (Let's Encrypt key) on Virtualmin !

PS: If this is not the correct section please move it where most appropriate ;)

This guide is based on Virtualmin installed on a brand new dedicated server with a public IP adress and using Ubuntu 16.04 64 bits as OS.

Be careful that this guide is up to date at time it has been written (things evolve quickly in SSL domains and new leaks discovered regularly !).

First thing to do is to activate and setup correctly SSL in Apache2. For that we'll need first to enable the mod_headers module. Webmin -> Servers -> Apache Webserver -> Global Configuration -> Edit config files and you'll select to edit the ssl.load file that should contain that:

# Depends: setenvif mime socache_shmcb
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

Add that extra line under: LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so and save the file.

Now that module is activated we are going to setup Apache2 for serving SSL in a correct and secure way. Webmin -> Servers -> Apache Webserver -> Global Configuration -> Edit config files and you'll select this time the ssl.conf file. For these modifications you have to be careful and check before modifications if the directive you want to edit exists already or not ! If it exists already amend it as indicated below. If it doesn't exist you can add it ;) First we define the only cypher allowed with that directive: SSLCipherSuite EECDH+AESGCM:AES256+EECDH:DES-CBC3-SHA then we'll need these: SSLHonorCipherOrder on to force Apache2 to use cypher in the correct sequence

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

these are best settings for SSL and prevent multiple leaks SSLProtocol ALL -SSLv2 -SSLv3 We don't want these obsolete and unsafe protocols !

We are now done with general Apache2 settings for SSL. Now we are going to check settings for each virtual server. First thing for each virtual server you want in SSL, you need to add some records in the DNS zone of the domain name in this way:

yourdomainname. IN CAA 0 issue "letsencrypt.org"
yourdomainname. IN CAA 0 issuewild ";"

I have setup the Virtualmin defaut configuration for new virtual with DNS to include these two lines by default ! If you don't use SSL, no harm at all with these records that'll just be useless ! You can now generate the SSL certificates with Let's Encrypt feature in Virtualmin for your virtual server. Once done, you can check the Apache2 config file for the virtual server to be sure it includes well these lines:

SSLEngine on
SSLCertificateFile /home/orn6hon4i5ph/domains/mydomain/ssl.cert
SSLCertificateKeyFile /home/orn6hon4i5ph/domains/mydomain/ssl.key
SSLCACertificateFile /home/orn6hon4i5ph/domains/mydomain/ssl.ca
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

I would strongly advise also to let the automatic redirect created by Virtualmin when you activate SSL on a virtual server. You can now go on that website https://www.ssllabs.com/ssltest/, fill your virtual server URL and you should get result as below: SSL A Grade

Hope it helps and if you have questions, or ideas to improve, you're welcome !

Vincèn

PS: Cross-posted on my blog at: https://vincen.org/?p=72&lang=en

Thu, 05/11/2017 - 07:33
cinterpro
cinterpro's picture

Hi Vincèn. Thank you very much for taking your time to make this nice tutorial ! ! !
Very nice tutorial. Will re-install my box this weekend and will follow your steps.
Will return with my results :-)
Regards,
Paco
Ps. Check you chat aplication, when you have a moment :-)

Thu, 05/11/2017 - 07:43 (Reply to #2)
vincen

You're welcome and hope all explanations are clear ;) Please let me know when you'll have used it if anything is missing, incomplete or wrong so I can update it !

Accepted in Wire ;)

Tue, 08/15/2017 - 21:24
applejack

Do not use preload for Strict Transport Security otherwise the IP and domain will be baked into browsers and you will never be able to undo it as far as I am aware and you do not need this to get an A+ rating.

Also limiting it to just TLS 1.2 you are stopping a larger number of browsers and OSes such as IE8 to IE10 and Android 4 from being able to connect.

Sun, 10/28/2018 - 11:08
rmccain Pro Licensee

Over the past year I've enabled https sessions on a production Ununtu 16.04 LTS server hosting 40 domains without needing to rebuild the server from scratch. It's been a challenge, but I went through the process of setting everything up with Let's Encrypt. A typical domain was getting a Qualisys SSL score of B. With the information in the tutorial I've been able to get an A+ score on the same domain. I've still got some work to do getting the DNS CAA to work the way it should, but everything else is good.

This contains a lot of useful materiel, but it makes some assumptions about both the skill level and Virtualmin nuts & bolts familiarity of the reader. For example: how to modify the default config to add new settings, where to go to add specific lines of code (some code needs to be added through either "webmin/server/bind/zonename..." or "virtualmin/domainname/server configuration/DNS records" while other entries refer to "virtualmin/domainname/services/configure ssl website..."

This post is helpful to explain how to change the default: https://www.virtualmin.com/node/52146