https, TLS upgrade
Ahah, so it seems things have changed a bit since last I looked into certificates and certificate authorities - and even then I was looking into code and email signing certs anyway.
After a short poke around I quickly became aware of the Let's Encrypt project which provides automated and free server domain certificates. It can be automated because you control the server and part of the issuing process creates temporary server resources that the signer can cross-check. And all the certs are created locally.
So after a bit of fudging around with the C-based acme client and some apache config I got it all turned on and (compatible) browsers automagically redirecting to the TLS protected url.
I didn't want to go with the offical CertBot because python isn't otherwise installed on this server and I didn't want to drag all that snot in for no other reason.
Because the acme-client is a little out of date I had to pass it a few extra parameters to make it create certificates (and had to do some small porting related changes to it using libressl rather than libopenssl).
acme-client \ -ahttps://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf \ -C/var/zedzone/acme \ -vNn \ zedzone.space www.zedzone.space code.zedzone.space
Once created a daily cron job runs it (without the -vNn options) which requests new certificates if the old ones are within a month of their expirey date (since the Let's Encrypt certificates only last for 90 days).
I then added a https server config:
<VirtualHost www.zedzone.space:443> ServerName www.zedzone.space ... SSLEngine on SSLCertificateFile /etc/ssl/acme/cert.pem SSLCertificateKeyFile /etc/ssl/acme/private/privkey.pem SSLCertificateChainFile /etc/ssl/acme/fullchain.pem SSLUseStapling on Header always set Strict-Transport-Security "max-age=31536000" Header always set Content-Security-Policy upgrade-insecure-requests <VirtualHost>
And finally another header to the main server which tells compatible clients to upgrade to use https. This can be a bit odd on the first access but thereafter it does the right thing. I hope!
<VirtualHost www.zedzone.space:80> ServerName www.zedzone.space ... Header always set Content-Security-Policy upgrade-insecure-requests <VirtualHost>
I didn't want to use a rewrite rule because at the moment I want to keep both url's active, but i might change that in the future. It seems like it might be useful - on the other hand any client anyone is likely to use will support TLS wont it?
I've left code.zedzone.space unencrypted for now (even
though it's currently the only part of the site that can be logged
into!) because I need to check things work with virtual
servers on https first and more importantly i'm too hungover to
care this fine yet overcast afternoon!
Update: For what it's worth, the server gets an A+ rating on ssllabs SSL Server Test at the time of posting. Although to get the score above B required a few mod_ssl config changes.