LetsEncrypt for the lazy and/or extremely in a hurry
Quick note so I don't forget whenever I need to do this again :-) . Let's Encrypt is an incredible initiative to enhance the security of web users by issuing free TLS certificates to website owners.
Generating a certificate is as simple as using Certbot:

    # --webroot selects the webroot authenticator; one -w applies to every -d that follows it
    certbot certonly --webroot -w /var/www/html/frangarcia.me \
        -d frangarcia.me -d www.frangarcia.me

That will generate your required certificate files in /etc/letsencrypt/live/frangarcia.me.
If you are using Apache, the virtual host configuration can be as simple as the one shown below. If you ever worried about SNI or having multiple TLS certificates on the same IP/port combination, Apache 2.4 automatically handles that for you, provided you are using an SNI-compatible client.

    <VirtualHost *:80>
        ServerName frangarcia.me
        ServerAlias www.frangarcia.me
        DocumentRoot /var/www/html/frangarcia.me
    </VirtualHost>

    <VirtualHost *:443>
        ServerName frangarcia.me
        ServerAlias www.frangarcia.me
        DocumentRoot /var/www/html/frangarcia.me
        ErrorLog logs/frangarcia.me_error_log
        TransferLog logs/frangarcia.me_ssl_access_log
        # Per-request log of the negotiated protocol version and cipher
        CustomLog logs/frangarcia.me_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        # fullchain.pem = leaf certificate plus intermediates (read by Apache 2.4.8+);
        # cert.pem alone leaves clients without the intermediate certificate
        SSLCertificateFile /etc/letsencrypt/live/frangarcia.me/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/frangarcia.me/privkey.pem
        BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    </VirtualHost>

It's one of those things I wish I'd done a long time ago ;-) . By the way, do not forget to run your domain through the great SSL Labs utility to check your SSL config; you'll find minor issues for sure.
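
A tightened variant of the virtual hosts above, as an added example rather than the author's own configuration: it covers the kind of findings an SSL Labs report raises for a setup like this one. It assumes Apache 2.4.8 or later with mod_ssl, mod_alias and mod_headers loaded and an OpenSSL build that knows the ciphers named; the HSTS max-age value is an illustrative choice.

```apache
# Added example, not the original post's configuration.
<VirtualHost *:80>
    ServerName frangarcia.me
    ServerAlias www.frangarcia.me
    DocumentRoot /var/www/html/frangarcia.me
    # Keep the ACME webroot challenge path reachable over plain HTTP so
    # certbot can still validate; send every other request to HTTPS.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://frangarcia.me/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName frangarcia.me
    ServerAlias www.frangarcia.me
    DocumentRoot /var/www/html/frangarcia.me
    ErrorLog logs/frangarcia.me_error_log
    CustomLog logs/frangarcia.me_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel warn

    SSLEngine on
    # Weak:   SSLProtocol all -SSLv2 -SSLv3        (still accepts TLS 1.0 and 1.1)
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Weak:   SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5  (MEDIUM admits older ciphers)
    # Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites keep their defaults.
    SSLCipherSuite EECDH+AESGCM:EECDH+CHACHA20
    SSLHonorCipherOrder on

    # Leaf certificate plus intermediates, so clients can build the chain.
    SSLCertificateFile /etc/letsencrypt/live/frangarcia.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/frangarcia.me/privkey.pem

    # HSTS: browsers that have seen this header refuse plain HTTP for max-age
    # seconds, so use a short value while testing and raise it afterwards.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Run `apachectl configtest` before reloading, and watch the request log defined above for clients that still negotiate an unexpected protocol or cipher.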
Happy hacking!