Free SSL Certificates from StartCom

Here’s a quick tutorial on how to obtain and set up a certificate from StartCom.


StartCom offers free personal certificates.  These aren’t the fake certs where you have to set up your own CA and which only work when people have your CA cert installed.  These are real certs that work out of the box in just about every OS / browser I’ve tried (OSX, XP SP3 to Windows 8, IE, Firefox, Safari, Chrome, iOS, Android, Windows 8 Phone, etc.).

Validate Your Ownership of the Domain

1. Select Domain Name Validation


2. Enter the domain name you want to validate.


3. Select an address you can receive email at; the final address comes from your whois record, which should be the domain owner’s email address.  StartCom will send you a validation code.  Once you have entered it, you have verified domain ownership and can create certificates for 30 days.



4. Generate Certificate Request.  SSH into your server and create a new key and CSR.  It is extremely important that the “Common Name” is your fully qualified domain name.  StartCom won’t let you enter a naked domain (e.g. here, you must enter a sub-domain (such as  or in the example below I used reader.  The cert will also be good for your naked domain.


Skip the generate cert option (since you’ve already generated it) and paste the contents of the CSR file you created into the certificate request form.




5. Here you select the domain the certificate will fall under, then the subdomain for your certificate (must be the same as your certificate request).




6. StartCom will give you your certificate; paste it into a .crt file.  Also BE SURE to download the intermediate and root certs.


7.  Now you have an SSL Certificate (.crt) and Key (.key)


8. Configure Apache2.  …this goes below the Directory directive in your site config: (e.g. /etc/apache2/sites-available/  be sure to reference your certificate and key as well as StartCom’s root certificate and chain (this will help out older browsers).  Note that the certificate can be used for just about any purpose, including IMAP, SMTPS, Mumble server, etc.
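Steps 4 to 7 at the command line, as an added example rather than the commands from the original post: it creates the key and CSR, shows the Common Name before you paste the CSR, and checks that a CSR or the issued .crt belongs to your key.  It assumes OpenSSL is installed; reader.example.com, the file names and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. reader.example.com and the
# file names are placeholders.

# Step 4: create a 2048-bit RSA key and a CSR whose Common Name is the FQDN.
make_key_and_csr() {    # usage: make_key_and_csr <fqdn> <output-dir>
    fqdn=$1; dir=$2
    case $fqdn in
        *.*.*) ;;       # coarse check for host.domain.tld, not a naked domain
        *) echo "Common Name must be a sub-domain FQDN: '$fqdn'" >&2; return 1 ;;
    esac
    # Subshell umask: the private key is created readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
          -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null )
}

# Print the Common Name inside a CSR, to check it before pasting the CSR.
csr_common_name() {     # usage: csr_common_name <file.csr>
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Print the public key held in a private key, CSR or certificate file.
pubkey_pem() {          # usage: pubkey_pem key|csr|crt <file>
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Steps 6-7: succeed only if <file> carries the public half of <keyfile>.
same_keypair() {        # usage: same_keypair <keyfile> csr|crt <file>
    a=$(pubkey_pem key "$1") && b=$(pubkey_pem "$2" "$3") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone use: sh make_csr.sh reader.example.com /path/to/dir
if [ "$#" -eq 2 ]; then
    make_key_and_csr "$1" "$2" && csr_common_name "$2/$1.csr" &&
        same_keypair "$2/$1.key" csr "$2/$1.csr"
fi
```

Run `same_keypair` with `crt` against the file from step 6 before pointing Apache at it; a mismatch means the certificate was issued for a different CSR than the one made with this key.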


403 Forbidden on Ubuntu LAMP

Over the last few days some of you noticed a 403 forbidden error from time to time.  So I’d log in, check the Apache error logs and see this entry: “(13)Permission denied: /home/benjamin/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable.”  Well, the permissions were set; I had the executable +x bit for www-data set on all the parent folders.  I would log in and restart apache2 or chmod 755 my /home/benjamin directory again and it seemed to work for a while…

This morning I saw the 403 error again.  I log in, refresh the page and it works.  So it appears to be an intermittent issue… wait a minute!  It starts working when I log in!  I log out, and the 403 error is back.  Log in again, and it’s back to normal.  Turns out I enabled home directory encryption on my account!  I moved my WordPress folder to a location outside my home directory and now all should be good.