How to SSL your blog (and get IFTTT working)

But why?

It is a cool thing to have a secured website. Why? Because it helps protect the data that is sent over the net. You can access my blog via https (if you are not that tech- or abbreviation-savvy, that means: Hyper Text Transfer Protocol Secure) and you can see it in your browser's URL field. A small lock is located there, and when you click on it, a window pops up with details about the secured connection (in your browser's language, so in my case in German).

So what is HTTPS? I normally do not quote Wikipedia, but this is a nice and short intro to the matter:

[It] is a protocol for secure communication over a computer network, which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data.

So HTTPS makes the internet more secure. Well, at least it makes the communication between your browser and my blog (or any other page using HTTPS) more secure. That’s rather cool, isn’t it!

Now, how do you get your own blog to be more secure? I am running my blog on a Plesk server hosted by my former roomie Chris (head over to alpha-labs.net for more how-tos and info about security and tutorials – they are great!). Lately he told me that it isn’t that hard to get an SSL certificate and get it running on the Plesk for the blog. So I dug into it a bit further.

StartSSL

I headed over to startSSL and had a look. Although the page seems a bit overloaded with info and kind of unstructured, it is rather easy to use. Have a look at their overview of certificates. For your own blog a class 1 certificate is sufficient.

Create an account

First you want an account, so you head over to the rightmost button with the picture and the keys and click on it.

Now, choose the „Sign-up“ button.

Enter your credentials on the next page and hit „Continue »»“. You will be redirected to the PKI page. You will also get a verification code to the e-mail you provided. Paste it into the page and hit „Continue »»“ again.

You will get a certificate that you need for logging into startssl.com. Add it to your browser and store it on your disk in case you need to redo your browser settings. There are tutorials on startSSL on how to add a certificate to your browser, so I will not cover this here.

The next time you want to log into startssl.com, your browser will ask whether you want to log in using the provided certificate.

When you hit „OK“ you will be popped back to the PKI page.

Validate your domain

The first thing you have to do when you want to get an SSL certificate for a page or a blog is a domain name validation. Head to the validation wizard and choose „Domain Name Validation“ from the dropdown menu.

Enter the domain name you want to use (I will show you the way with another domain I need an SSL certificate for).

Then let the wizard send a verification e-mail to one of the shown e-mail addresses. Make sure you have one of the following e-mail addresses set up: postmaster@, hostmaster@ or webmaster@ beforehand. Or just do it now in parallel so that you can get the e-mail with the verification code.

Hit „Continue »»“ and enter the verification code sent by startSSL.

Then again hit „Continue »»“.

When you reload the whole startSSL page, on the PKI page on the right hand side menu you can see your new domain under the „Domain Validations“ section.

Get certificate for validated domain

Head over to the „Certificates Wizard“. Choose „Web Server SSL / TLS Certificate“ in the dropdown menu. Then click „Continue »»“.

If you created your own private key and certificate request (CSR), you can skip this step. Otherwise, create a password for your key and choose keysize and hash algorithm.

Creating a key takes some seconds. The next page shows your private key. Save it somewhere safe. HINT: you need the UNENCRYPTED key for the Plesk webpage. You can decrypt it in the startSSL toolbox or with the OpenSSL utility and the provided code.

Click „Continue »»“ then add the validated Domain you want the certificate to be used with.

You need to add a subdomain. If you don’t have a subdomain at hand, don’t search your brainzzz for it. Just type „www“ (yes, this is a valid subdomain for startSSL!) and hit „Continue »»“ once more.

The wizard is now ready to process your certificate.

Click „Continue »»“ and in the next page save your PEM encoded certificate. BEFORE you do anything else:

  • Save the PEM encoded certificate
  • Save the intermediate certificate (right click the bold printed „intermediate“ at the bottom of the page and save the link source)
  • Save the root certificate (right click the bold printed „root“ at the bottom of the page and save the link source)

Now, click „Finish »»“ aaaand you are done here! 🙂
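
If you take the path mentioned above where you bring your own private key and certificate request (CSR), the key is created on your machine and only the CSR is handed to the CA. The following is an added example, not part of the original post or of StartSSL's tooling; the domain `blog.example`, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: create the private key and the CSR locally, so that only
# the CSR (public key + subject) is ever pasted into the CA's wizard.
set -eu

# make_key_and_csr <domain> <outdir> [bits]
# Writes <outdir>/<domain>.key and <outdir>/<domain>.csr.
make_key_and_csr() {
    domain=$1 dir=$2 bits=${3:-4096}
    (
        umask 077    # the key file is created readable by its owner only
        openssl genrsa -out "$dir/$domain.key" "$bits" 2>/dev/null
    )
    openssl req -new -sha256 -key "$dir/$domain.key" \
        -subj "/CN=$domain" -out "$dir/$domain.csr"
}

# Fingerprint of the public key contained in a private key or in a CSR.
key_pub_fp() { openssl pkey -in "$1" -pubout | openssl sha256; }
csr_pub_fp() { openssl req -in "$1" -noout -pubkey | openssl sha256; }

# csr_is_safe_to_submit <key> <csr>
# The CSR must carry the public half of *your* key and no private material.
csr_is_safe_to_submit() {
    [ "$(key_pub_fp "$1")" = "$(csr_pub_fp "$2")" ] &&
        ! grep -q 'PRIVATE KEY' "$2"
}

# Demo with a constructed domain name; 2048 bits only to keep the demo quick.
out=$(mktemp -d)
make_key_and_csr blog.example "$out" 2048
csr_is_safe_to_submit "$out/blog.example.key" "$out/blog.example.csr" &&
    echo "submit $out/blog.example.csr, keep blog.example.key to yourself"
```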

Decrypt your private key for use with Plesk

Go to the startSSL Tool box.

Choose „Decrypt Private Key“. Enter the ssl.key you saved earlier and enter the password you chose and hit „Decrypt »»“.

Save the decrypted key (to avoid confusion I named mine „ssl-decrypted.key“). You can spot the difference in the second line.

Your encrypted key will say:

Your decrypted key will only say:

How to add the certificate to Plesk

You need your decrypted ssl.key (I named mine „ssl-decrypted.key“ to avoid confusion) and ssl.crt from startSSL at hand. Also create a new file and copy both the intermediate and root certificates into it. Name this file something like „combined-ca_root_and_intermediate.pem“.
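
The OpenSSL route for the decryption step, together with a check that the decrypted key really belongs to ssl.crt and a helper for the combined CA file. This is an added example, not part of the original post; the throwaway key and self-signed certificate are constructed demo input, and the function names and the `KEYPASS` variable are assumptions.

```shell
#!/bin/sh
# Added example: prepare the files for the Plesk upload with OpenSSL only.
set -eu

# Traditional PEM keys carry "Proc-Type: 4,ENCRYPTED" on their second line,
# PKCS#8 keys say "BEGIN ENCRYPTED PRIVATE KEY"; both contain "ENCRYPTED".
is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# decrypt_key <encrypted.key> <out.key>
# The passphrase is read from $KEYPASS, so it is not on the command line.
decrypt_key() {
    ( umask 077; openssl rsa -in "$1" -passin env:KEYPASS -out "$2" 2>/dev/null )
}

# key_matches_cert <key> <cert>
# True only if the private key and the certificate share one public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# build_ca_bundle <intermediate.pem> <root.pem> <out.pem>
# Writes the combined file and prints how many certificates it contains.
build_ca_bundle() {
    cat "$1" "$2" > "$3"
    grep -c 'BEGIN CERTIFICATE' "$3"
}

# --- constructed demo input: throwaway encrypted key + self-signed cert ---
work=$(mktemp -d)
export KEYPASS='demo-passphrase'
openssl genrsa -aes256 -passout env:KEYPASS -out "$work/ssl.key" 2048 2>/dev/null
openssl req -new -x509 -key "$work/ssl.key" -passin env:KEYPASS \
    -subj '/CN=blog.example' -days 1 -out "$work/ssl.crt"

decrypt_key "$work/ssl.key" "$work/ssl-decrypted.key"
is_encrypted "$work/ssl.key" && echo "ssl.key: passphrase-protected"
is_encrypted "$work/ssl-decrypted.key" || echo "ssl-decrypted.key: plain"
key_matches_cert "$work/ssl-decrypted.key" "$work/ssl.crt" &&
    echo "ssl-decrypted.key matches ssl.crt"
```

Once the upload is done, delete ssl-decrypted.key from your workstation; it is the one file here that must stay secret.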

The next screenshots will be in German. The names of the different parts are not 1:1 translations German «-» English (because Plesk did not do that!). But the icons are the same in both languages! So just have a look for the icons, not for the translation.

Log into your Plesk and choose the webpage you want to add the SSL certificate to.

Now, click on the „Certificates“ icon (yeah, called „Webseites sichern“ in German and something completely different in English).

Click „Add SSL-certificate“. DO NOT search for a certificate to add on this page! I tried to add a certificate here for hours before getting on the right track. 😉

Now, add a name for your certificate. Head to the second section where you can upload the certificates and such. REMEMBER that you need to upload the DEcrypted key, not the ENcrypted one!

Hit the „Send files“ button and everything should be okay, indicated by a green bubble at the top of the page. At the bottom you can see the newly added certificate.

Now, head back to the „Websites & Domains“ page and choose the domain you want to add the SSL certificate to. Click the „Hosting“ („Hosting-Einstellungen“ in German) icon.

Head to the „Security“ section. Check the „SSL“ box and choose the certificate you just added from the dropdown menu.

Hit „OK“ at the bottom of the page and you are done!

When you clear caches and cookies in your browser and now call your website with a https:// before the url, you will also have a lock in the browser bar.

Congrats, you secured a tiny place of the net! 🙂

IF This Then That (IFTTT)

Funnily enough my IFTTT recipe worked only after I added SSL to my page. 😉 And I ranted about IFTTT heavily before, as I read forums and tried to get it running but it just didn’t fire off.

But first: IFTTT is a page (also available as an app for smartphones), which helps with rather simple recipes (that’s what they call their tiny workloads) to get stuff from A to B. Every recipe follows a simple call: IF (a prerequisite is fulfilled) THEN (do something).

So I wanted something like: IF (I publish a wordpress blog entry) THEN (post a short note on Twitter).

I opened up an account on IFTTT. It looks a bit strange in a PC web browser, as the page seems to be optimized for tablets or smartphones, but as I am doing my blog stuff at the PC this doesn’t matter for me. Now, when logged in, I choose the „Channels“ link on the top bar of the page.

An overview of all the pages, channels and programmes you can connect to IFTTT is shown. I chose WordPress and added login credentials and the URL where my blog is located.

I also did this for Twitter (as I want my blog posts to be sent to Twitter). I am already logged into Twitter on this browser, so Twitter asks if IFTTT can do stuff in my name. I say „authorize this app“ and now IFTTT and Twitter are connected.

Now, head to „My recipes“ in the top bar and then click on „Create a recipe“.

It starts with the first step. I want a trigger to be a new blog post on WordPress. So I click „this“:

Then the wizard takes me to the trigger channel. I search for WordPress and click the icon.

It now asks me which trigger I want to use; if it should fire with any new post or just with posts, which are in a certain category. I choose „any new post“.

Then I complete the trigger by clicking „Create Trigger“.

Now, to the thing, which will happen when the WordPress trigger fires. I do click on „that“:

Then I search for Twitter and click on the icon.

More actions can be chosen from here. But I just want a tweet about the new blog post, so I pick that one.

You can now define the tweet’s message with an easy ruleset. Just write some intro and then add maybe the title of the blog post or the URL (which might come in handy ;-)).

If you want to add more tags to the tweet’s text, just click on the „ingredients“ icon in the upper right corner.

When you are done, just click „Create“. The final step shows you a quick overview of your recipe.

After you click „Create Recipe“ and move back to „My recipes“ on the top bar, you can find your newly created recipe there.

The only thing you need to do now is create a blog post and publish it. If the trigger does not fire, you can have a look in its log (second icon from the right) or rerun it (second icon from the left).

Happy twittering. 🙂

Written by: petra

2 Comments

  1. 10 September 2015

    Umm,

    that’s actually incorrect. The AVAST WebShield is just a benefactor’ish mitm attack (man in the middle attack). Avast intercepts all outgoing and ingoing encryption requests, and in laymen’s terms, decrypts it.

    So when you visit your own blog your browser sends an http/1.x request with SNI to *cough* your hosting server. What actually happens is that your „Protection“ intercepts this and sets up an encrypted session between itself and the browser. On the other end it starts up an SNI/TLS request to the real server. This way the encryption between your browser and your local virus scanner is secure and the connection between your virus scanner and *cough* your server is secure.

    That’s why you are actually seeing „Avast Secured“ instead of StartCom. Your browser thinks it’s speaking to the end server, displaying an „all ok“. In technical terms you have been a victim to mitm.

    This is in many, many ways really, really bad. Do not allow anything to listen in between your traffic and the destination. You can never guarantee you’re talking to the right person. And normal folks might actually mistake the browser’s „all OK“ for a real „all OK“ message…

    -Chris.

  2. 10 September 2015

    And on a second note:

    Never EVER let anyone else, not even trusted CAs, generate your private key for you. The whole idea is that you and ONLY YOU ever(!) had (and has) access to the private key part. I know it is comfy using these generators everywhere; but the main point of securing the site is to… securing the site. And when you do install an SSL certificate you take responsibility for all your users; it makes YOU the weakest link in the chain.

    Always generate the key locally: „openssl genrsa -out $CERT.key 4096 -batch“. I create mine in an encrypted vm on a host system that’s on my local lan only.

    -Chris.
