Linux Tutorials & Things

How to generate a free SSL cert using Let's Encrypt [nginx]

STEP 1

Clone letsencrypt git repo;

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

sudo ./letsencrypt-auto --help  

Ensure your web server is not running.
In my case - Nginx;

sudo service nginx stop

STEP 2

Run the script. Change YOUR_DOMAIN.com to your own domain before running, and make sure one of the entries includes the www. subdomain, as shown;

./letsencrypt-auto certonly --standalone --standalone-supported-challenges http-01 -d www.YOUR_DOMAIN.com,YOUR_DOMAIN.com --renew-by-default

If successful, the cert files will be stored in the following directory;

sudo ls /etc/letsencrypt/live/www.DOMAINNAME.com

Check that the files have been created.


FIX PERMISSIONS

sudo chown root:www-data /etc/letsencrypt/live /etc/letsencrypt/archive/
sudo chmod 750 /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Generate SSH Key file and Configure OpenSSH

STEP 1:

Tip: Replace USERNAME with your system's user name.

Generate an Ed25519 key, and save the file as USERNAME_ssh;

ssh-keygen -t ed25519

ssh key generation example

Alternative - Generate an 8192-bit RSA key;

ssh-keygen -t rsa -b 8192

STEP 2:

USERNAME_ssh = private key (keep it secret, keep it safe)

USERNAME_ssh.pub = public key (is seen by all)

Make a hidden directory in the user's home folder;

mkdir /home/USERNAME/.ssh

Move the public key file into the .ssh directory and name it authorized_keys;

mv USERNAME_ssh.pub /home/USERNAME/.ssh/authorized_keys

Copy the private key from its current location to the user's home folder, ready for download;

cp USERNAME_ssh /home/USERNAME

Set owner permissions for the private key file;

chown USERNAME:USERNAME /home/USERNAME/USERNAME_ssh

Download the private key file to your local machine;

SFTP COPY (run on local Linux Machine)

Copy the private key to the local machine;

sftp USERNAME@DOMAIN

get USERNAME_ssh

sftp login and get keyfile example

Note - Delete the private key file from the server after download.


SSH SERVER CONFIG:

We will disable root SSH logins, disable password-only SSH access and define an alternative port number. Change the port number to a random number between 20000 and 50000;

sudo nano /etc/ssh/sshd_config
  • Port XXXX
  • Protocol 2
  • RSAAuthentication yes
  • PubkeyAuthentication yes
  • PasswordAuthentication no
  • PermitRootLogin no
  • AllowUsers USERNAME
  • X11Forwarding no
  • PrintMotd yes
  • UsePAM no

These settings will not take effect until the sshd service is restarted.
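Before restarting sshd it is worth verifying that the file actually says what you think it does. The script below is an added check, not part of the original tutorial: it audits an sshd_config for the directives listed above, using sshd's rule that the first occurrence of a keyword wins, and runs against two constructed sample configs (the port number 24567 is a made-up value in the suggested range).

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an sshd_config for the hardening
# directives above. sshd honours the FIRST occurrence of a keyword; Match blocks are ignored.

# get_directive FILE KEYWORD -> effective value (first non-comment match) or empty
get_directive() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE -> prints one line per directive; return value = number of failures
check_sshd_config() {
    nfail=0
    for pair in PasswordAuthentication=no PermitRootLogin=no \
                PubkeyAuthentication=yes X11Forwarding=no Protocol=2; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(get_directive "$1" "$key")
        if [ "$got" = "$want" ]; then echo "OK   $key $got"; else
            echo "FAIL $key is '${got:-unset}', expected '$want'"; nfail=$((nfail + 1))
        fi
    done
    port=$(get_directive "$1" Port)    # the tutorial only asks for a non-default port
    case "$port" in
        ''|22) echo "FAIL Port is '${port:-unset}', expected non-default"; nfail=$((nfail + 1)) ;;
        *)     echo "OK   Port $port" ;;
    esac
    return "$nfail"
}

# Constructed sample configs (demo data, not files from any real server)
SAMPLE_WEAK=$(mktemp); SAMPLE_HARD=$(mktemp)
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARD"' EXIT
cat > "$SAMPLE_WEAK" <<'EOF'
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
# the next line is ignored by sshd because the first occurrence above wins
PasswordAuthentication no
EOF
cat > "$SAMPLE_HARD" <<'EOF'
Port 24567
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
EOF
check_sshd_config "$SAMPLE_WEAK" || echo "weak sample: $? directive(s) failed"
check_sshd_config "$SAMPLE_HARD" && echo "hardened sample: all checks passed"
```

To audit a real server, call check_sshd_config /etc/ssh/sshd_config instead of the sample files.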

TEST SSH LOGON (run on local Linux Machine)

SSH successful login example

ssh -i PATHTOKEY USERNAME@DOMAIN -p PORTNUMBER

If logon is successful, run;

service sshd restart