This should have been one of the first posts of this blog, because deals with the actual setup of the blog.
To install a secure Blog is not an easy task. You can take the easy route and host your blog on a blogging site and hope that they will do a good pro bono job, or you can take the bull by its horns and host it yourself.
First you need to install WordPress on your server, in may case a Fedora 21 Linux Server.
A very simple and good tutorial for this first step is the one from IT’zGeek.
After you have installed WordPress and played a little bit around with different themes and perhaps a test post is time to secure the installation.
Now is time to obtain the SSL certificates needed for a secure site. You can create a self signed certificate at this point and go straight to the installation of the HTTPS support for WordPress and obtain some official certificates latter.
I decided to get an official certificate to avoid the annoying “certificate not Trusted” error the new browser will present to your visitors. There is not a good marketing strategy to have on your entry page a “Do Not Enter” sign.
Luckily for the common Joe there is a nice site StartSSL that offers trusted certificates for home users like me that want to have a secure web page.
The registration process is quite easy and in a relative short time (under 24 hours) after your identity and ownership of the domain is verified, you can get a trusted certificate for your site: blog.voina.org in my case.
Make sure that you save your private key in a file. During the registration process a private key and a set of client certificates (used to access your account on StartSSL) are generated on your machine. You have the possibility to save them in a secure keystore outside the browser. I exported my key and client certificates in a pfx file named “voina.org.pfx”. Keep this file safe you will need the private key in the Apache SSL configuration.
After you get the confirmation mail from StartSSL that your server certificate was generated, go to the StartSSL site -> Tool Box -> Retrieve Certificate and download your server certificate. I saved mine in a file named “blog.voina.org.cert”. Keep this file safe as you need it in the Apache SSL configuration.
Because we are dealing here with a trusted certificate we also need the trust chain certificates. Go to the StartSSL site -> Tool Box -> StartCom CA Certificates and download “Class One Intermediate Server CA” PEM format certificate file “sub.class1.server.ca.pem”. Keep this file safe as you need it in the Apache SSL configuration.
Copy voina.org.pfx, blog.voina.org.cert and sub.class1.server.ca.pem to /etc/ssl/certs
VERY IMPORTANT. I lost one hour with this. After the first try my Apache was not starting with the exception:
[Sat Feb 14 15:35:56.792393 2015] [ssl:emerg] [pid 28521] AH02561: Failed to configure certificate blog.voina.org:443:0, check /etc/ssl/certs/blog.voina.org.crt
[Sat Feb 14 15:35:56.792420 2015] [ssl:emerg] [pid 28521] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: CERTIFICATE) — Bad file contents or format – or even just a forgotten SSLCertificateKeyFile?
[Sat Feb 14 15:35:56.792445 2015] [ssl:emerg] [pid 28521] SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
This was due to the fact I saved my certificates on a windows machine. The dreadful “^M” end of line character Windows is adding to text files. Make sure you run the following to clean the garbage:
To obtain a copy of the private key from the voina.org.pfx file do:
#openssl pkcs12 -in voina.org.pfx -nocerts -nodes -out blog.voina.org.key
To strip the password from the server certificate file, in order to avoid being asked every time you restart the Apache server do:
# mv blog.voina.org.key pass.blog.voina.org.key
#openssl rsa -in pass.blog.voina.org.key -out blog.voina.org.key
If you do not want this you can add a directive that will ask you for the password to the Apache configuration file.
The only remaining part is to define the Virtual Host associated with the blog.
Create the configuration file /etc/httpd/conf.d/blog.conf
SSLEngine On SSLHonorCipherOrder on SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/ssl/certs/blog.voina.org.cert SSLCertificateKeyFile /etc/ssl/certs/blog.voina.org.key SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem ServerName "blog.voina.org" DocumentRoot "/media/storage/www/html/wordpress" CustomLog "/var/log/httpd/home-blog-access.log" combined ErrorLog "/var/log/httpd/home-blog-error.log" Options Indexes FollowSymLinks MultiViews AllowOverride All Require all granted Satisfy Any
I will explain next the SSL related settings:
This turns SSL On
Specifies that we prefer the server’s cipher preference order.
Specifies the cipher Suite available for negotiation in SSL handshake.
There was a careful selection of what chipers to allow in order to avoid the week ones. A good guide for this is Strong SSL Security on Apache2.
SSLProtocol all -SSLv2 -SSLv3
This directive disables SSLv2 and SSLv3 due to security issues.There was a lot of talk in begging of 2015 about the vulnerabilities of this options so I choose to disable them completely.
With this directives we inform the server what certificate files should be used for the server certificate, server key and certificate chain. Here we add the files we obtained from StartSSL.
This directive sets the server name. It is important to mention that this should be the same as the server name for which the server certificate was issued. Otherwise you will get a certificate error in any client browser that will access the blog, informing you that the server certificate was not issued for the current server.
Maybe is it worth mentioning here that at this point you need to create also an entry in your DNS server (or your registrar name server) for blog.voina.org to point to the IP of your server. Note that you can have multiple A record subdomain names pointing to the same IP so you are not jeopardizing any existing DNS settings.
DO NOT restart the Apache server. We need to add to WordPress HTTPS support.
Luckily for us there is the WordPress HTTPS (SSL) plugin that will take care of the https support for WordPress. You simply have to follow the installation instructions from the plugin page.
In the WordPress Dashboard you will have a new menu entry “HTTPS”. Under that menu you can configure further setting to the plugin. Make sure that “SSL Host” will point to the real name of the blog : blog.voina.org in my case and check “Force SSL Administration”.
It is a very tricky process here. If you are not careful you can lock yourself out of the WordPress instance. If this happen do the following:
Open your wp-config.php file in a text editor and comment the following 2 lines:
Before restarting Apache to switch WordPress instance from http to https make sure again that the proper certificates and Apache directives are created and configured.
To test the setup of your site pass it to the SSLLabs tester.
You should get an A classification for the site like blog.voina.org. I do not get currently an A+ rating because of “Incorrect certificate because this client doesn’t support SNI”. There is a big debate about this one. Why should your rating be lowered because you deny unsafe clients to connect to you. SSLLabs considers that an A+ site should offer support also for old Android and old Windows XP machines. I do not agree with it so I am perfectly happy with A.
Pingback: A+ Security for WordPress Blog – HTTP Strict Transport Security | blog.voina.org