How to install TLS certificate on Raspberry Pi 4 by using ZeroSSL?


I found ZeroSSL, which provides free digital certificates.
Below is one example article; you can find many more on the internet.

How to Implement ZeroSSL Certificate in Apache and Nginx?

I set up an HTTPS server with apache2 and a ZeroSSL certificate on a Raspberry Pi 4.

If you want to do the same, this post should be useful!

What is ZeroSSL?

ZeroSSL is an internet service that provides digital certificates.
– A certificate and key are mandatory to run an HTTPS server.
Its main advantage over Let’s Encrypt is that creating a certificate is a simple operation.

Free SSL Certificates and SSL Tools - ZeroSSL

The biggest rival is Let’s Encrypt.

Let's Encrypt

Let’s Encrypt is a service two years older than ZeroSSL.
– Let’s Encrypt: 2014
– ZeroSSL: 2016
There is not much difference in the number of years since each was established,
but Let’s Encrypt is far better known than ZeroSSL.

Someone on the internet mentioned that having multiple options is good for users, because they encourage competition and improve the quality of services.

We would be happy if Let’s Encrypt, ZeroSSL and the other services kept working hard to make their services more convenient, easier and higher quality, wouldn’t we?

Is it difficult to get a certificate without ZeroSSL?

In the past, almost only companies or big organizations could run HTTPS servers.
The biggest reason is that digital certificates, which are essential for HTTPS, were very expensive.

Let me show you the example of GlobalSign.
Even the cheap option costs hundreds of dollars.
In most cases certificates expire after one year, so you have to pay every year.
You can easily see that this is a high hurdle for someone who has set up a home server.

SSL / TLS CERTIFICATES

To avoid this, there is a countermeasure called a “self-signed certificate”.
However, browsers like Chrome show a warning for such a server, because a self-signed certificate is not trustworthy.
This problem is described on various sites.
Here is one example.

The Dangers of Self-Signed Certificates

“Encryption” is the well-known purpose of digital certificates for HTTPS, but another important role is letting you “check whether a site is trustworthy”.
– Trusted sites: no phishing or other damage to users

Typically, in HTTPS, a RootCA issues the certificates for HTTPS sites.
A RootCA is globally recognized and trusted.
The user (browser) trusts the RootCA. Therefore, the following path of trust is established.

 User -> Trust -> RootCA -> Certificate issuance -> site

If a self-signed certificate is used, this trust relationship cannot be established.

The RootCA (the server itself) issues a certificate for the server.
Of course, users don't know this RootCA, because the RootCA is the server.
So users don't trust the server.

So the certificate was basically very expensive, and it was actually very hard to buy one as an individual.

Let’s Encrypt

That is where Let’s Encrypt appeared.
As mentioned above, moving to HTTPS was usually limited to large-scale sites, but Let’s Encrypt removed that hurdle.

Let’s Encrypt: Delivering SSL/TLS Everywhere - Let's Encrypt

The reason a free certificate service like Let’s Encrypt was needed is that people who had not used PCs began to access the Internet when the first iPhone was released in 2007, and the amount of data increased dramatically.

Source: https://en.wikipedia.org/api/rest_v1/page/graph/png/Internet_traffic/0/8e8a9e85b35e959b1acaf7863ed42a5be56f0b07.png

Data from payment transactions through online shopping has also increased, so it was not surprising that HTTPS was needed more than ever.

Then an impactful service appeared that issues certificates for free.
Of course Let’s Encrypt has become widely used.

Actually setting up ZeroSSL

Let me explain how to deploy the certificate and key on apache2 running on a Raspberry Pi 4.

First, create an account on the ZeroSSL site.
Select Get Free SSL.

When registering, you only need an email address and a password👍

Your account is now created.

Next, let’s create a certificate.
Select New Certificate.

Enter the domain name of the certificate you want to issue.
It is a nice touch that www is also selected automatically😀

The free version has an expiration period of 3 months.
If you want the expiration period extended to one year, you need to choose a paid version.

On this screen you can compare the free version and the paid versions.
There are various paid versions, but I feel that Basic is enough for personal use.
This time I chose the free version.

The certificate has been created so far, but it cannot be downloaded yet.
ZeroSSL must first verify the specified domain name.

With a conventional certificate authority this takes days to weeks.
But ZeroSSL automates the verification process.
There are 3 ways to verify:
(1) Email to the site administrator
(2) A special DNS record
(3) A special file placed on the server

I think (3) is the easiest way.
In this article I will try (2), which fewer people are likely to attempt.

It turns out you add a DNS CNAME record and then tell ZeroSSL to check it.

I use Freenom, a free domain service. I added my own DNS record as shown below.
Wait about 15 minutes for the DNS change to propagate.

Return to ZeroSSL and verify.
If it fails, it may succeed if you wait another 15 minutes or so and try again.

You can choose the format that matches your server and download it.
– This is another good point.
This time I chose Apache.

The downloaded zip contains the following three files.
– certificate.crt: server certificate
– private.key: server private key
– ca_bundle.crt: certificate chain (the intermediate CA)

Let’s deploy the certificate and key by following the installation manual.

First, copy the three files to the server using SCP or FTP.
Let’s say you copy them to /etc/ssl/yasufumi-yokoyama.gq/.
Since private.key is the server’s secret, make sure only root can read it (for example, chmod 600).

Next, specify the paths of the three copied files.

pi@raspberrypi:~ $ sudo vim /etc/apache2/sites-available/default-ssl.conf

# Specify certificate, private key
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/ssl/yasufumi-yokoyama.gq/certificate.crt
SSLCertificateKeyFile /etc/ssl/yasufumi-yokoyama.gq/private.key

# Specify certificate chain
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /etc/ssl/yasufumi-yokoyama.gq/ca_bundle.crt

Next, specify the domain name.

pi@raspberrypi:~ $ sudo vim /etc/apache2/sites-enabled/000-default.conf

# Change ServerName to domain name
#ServerName www.example.com
ServerName yasufumi-yokoyama.gq

Finally, restart apache2.

pi@raspberrypi:~ $ sudo systemctl restart apache2

Now you can access the site over HTTPS, as you can see here!

What is the certificate trust relationship?

HTTPS now works, but let’s check whether the trust path from the RootCA to the yasufumi-yokoyama.gq server certificate can be traced.

First of all, the issuer of the server certificate is as follows.

pi@raspberrypi:~ $ openssl x509 -in certificate.crt -noout -issuer
issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA

The certificate chain’s Subject and Issuer are as follows:

pi@raspberrypi:~ $ openssl x509 -in ca_bundle.crt -noout -subject -issuer
subject=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

So far, you can see the following trust relationships.

 USERTrust RSA Certification Authority
 └ZeroSSL RSA Domain Secure Site CA
  └yasufumi-yokoyama.gq

So it is OK if “USERTrust RSA Certification Authority” is installed as a RootCA.

On my Chromebook, it is present as shown below.

We have confirmed that a certificate issued by ZeroSSL is fine to use.

There is a service called SSL Checker that inspects your site, so I tried it.
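As an added check that is not part of the original post, the POSIX shell script below verifies, before Apache is restarted, that private.key really belongs to certificate.crt and that certificate.crt chains through ca_bundle.crt to a trusted root, then prints the subject/issuer pairs like the openssl output above. The function and file names are mine; make_test_chain builds a constructed demo chain so the script runs offline, and when the root argument is omitted openssl falls back to the system trust store, where USERTrust lives on the Pi.

```shell
#!/bin/sh
# Consistency checks for a downloaded ZeroSSL bundle before Apache is pointed at it.
# Usage: check_bundle certificate.crt private.key ca_bundle.crt [root.crt]
set -u

# 0 if the private key belongs to the certificate (identical public keys).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -pubkey -noout) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$c" = "$k" ]
}

# Print the subject/issuer pairs leaf -> intermediate, like the post's openssl output.
show_chain() {
  openssl x509 -in "$1" -noout -subject -issuer
  openssl x509 -in "$2" -noout -subject -issuer
}

# Verify leaf -> ca_bundle -> root. The root comes from the system trust store
# unless a root file is passed as $3 (used by the offline demo below).
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
  fi
}

check_bundle() {
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
  verify_chain "$1" "$3" "${4:-}" || { echo "chain does not verify" >&2; return 1; }
  show_chain "$1" "$3"
}

# Offline demo data (constructed, not real ZeroSSL material): a root -> intermediate
# -> leaf chain written into directory $1, named like the three files in the zip.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/ca_bundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" -keyout "$d/private.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_bundle.crt" -CAkey "$d/int.key" -CAcreateserial -days 30 -out "$d/certificate.crt" 2>/dev/null
}
```

On the Pi, run check_bundle against the three files in /etc/ssl/yasufumi-yokoyama.gq/ without a fourth argument; a "chain does not verify" result there means the USERTrust root is missing from the system store.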

Conclusion

How was it?

Personally, I find Let’s Encrypt easier to embed into an automated setup script.
I hope this will be improved in the future.
