SSL and websites - advice please


Post by jimimaseye » 2018-06-17 10:21

Let me be clear: I know little about writing/hosting websites. However our company has a website that I inherited that was previously written by another provider. It is built with and relies on PHP scripts and a MySQL database. And it is hosted by our web space service provider. That's all there is.

However I now need to add an SSL certificate so that when viewers connect they automatically connect through using SSL. I have no idea how to do this.

Can anybody tell me if I was to buy an SSL certificate for our domain how would I then implement it? Or give me any pointers on where to start.

(If I can do this myself then the work will get done, otherwise the website will remain on unprotected port 80. I have already removed all 'contact us' links, making it a 'browse only' site to stop them sending in information, as I can't figure out where or how to put a GDPR 'terms and conditions' page.)

A subsequent question would be: if I have an SSL certificate for the website that is installed on the web server for SSL connection, how do I also use that same certificate if I want to use it on our hMailServer server (hosted locally)? Or, indeed, can I?

Hope this makes sense. Any advice will be welcome.

Thanks.

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by Dravion » 2018-06-17 11:38

When it comes to SSL there is basically no difference between securing hMailServer's SMTP/IMAP or POP3 or HTTP (Webserver) because it all comes down to OpenSSL (except Microsoft's IIS).

The process works as follows:
1) You have to generate a Signing Request file for your domain (for example: www.mydomain.com)
2) Upload your Signing Request file to the Certification Authority (CA) Website.
3) If everything is OK, you receive your *.crt and *.key file
4) Copy your new cert files to the Linux main SSL folder (in most cases /etc/ssl/)
5) Let your Webserver point to your newly installed Certificates.

Or you can use the "certbot" script from Letsencrypt to automate the above steps to a bare minimum.

However:
We need a bit more detail about the Operating System where your Website is running (if it's Linux, which distro is it?), or is it a Root/VPS-Server maintained by SSH, or is it a Hosting package with a CPanel/Plesk-like Webinterface?
You should also know which Webserver Software is running (for example Apache or NGINX or Windows IIS).
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases
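
The signing-request workflow in the steps above, sketched with the OpenSSL command line as an added example that is not part of the original post. File names and the temporary directory are assumptions, and a self-signed certificate stands in for the CA's reply so that it runs offline.

```shell
#!/bin/sh
# Added example. www.mydomain.com is the placeholder hostname from the post;
# file names and the temporary directory are assumptions.

# Step 1: create the private key and the signing request together.
# The key is generated locally and stays on this machine; only the .csr
# is uploaded to the CA in step 2.
make_csr() {                        # $1 = hostname, $2 = output directory
    ( umask 077                     # key file readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2/$1.key" -out "$2/$1.csr" -subj "/CN=$1" 2>/dev/null )
}

# Check before uploading: which hostname does the request actually ask for?
csr_hostname() {                    # $1 = path to .csr
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-in for steps 2-3 so the example runs offline: self-sign the request
# for 90 days. A real CA returns a certificate signed by its own key instead.
fake_ca_sign() {                    # $1 = .csr, $2 = .key, $3 = output .crt
    openssl x509 -req -in "$1" -signkey "$2" -days 90 -out "$3" 2>/dev/null
}

# Steps 4-5: before pointing the web server at the files, confirm that the
# certificate belongs to this private key by comparing the public keys.
cert_matches_key() {                # $1 = .crt, $2 = .key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

dir=$(mktemp -d)
make_csr www.mydomain.com "$dir"
echo "CSR requests: $(csr_hostname "$dir/www.mydomain.com.csr")"
fake_ca_sign "$dir/www.mydomain.com.csr" "$dir/www.mydomain.com.key" \
    "$dir/www.mydomain.com.crt"
if cert_matches_key "$dir/www.mydomain.com.crt" "$dir/www.mydomain.com.key"; then
    echo "certificate and key match"
fi
rm -rf "$dir"
```

A certificate paired with the wrong key is a common reason a web server refuses to start after step 5, which is what the last check catches.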

Post by jimimaseye » 2018-06-17 12:29

Thanks Dravion. So reading your post I started to investigate by logging on to the Web host portal.

As a webhost I now see it provides the ability to either buy SSL certs from them (and have them automatically installed by them) or provide them with a LetsEncrypt or 3rd Party certificate (for them to install).

I do get somewhat confused by this world. What I cannot determine is whether they will provide a certificate and install it themselves or whether they will also 'give' me the certificate (private key and the other stuff) in order that I can put it on my HMS server too.

Also: 'LetsEncrypt' (which they also claim to handle) - is it true that they always expire after 3 months? Do they not do a long term expiration (even if paid)?

I'm thinking at the minute that a simple payment of choice to the hosts will get the website behind SSL (and minimum fuss to me) - or do I somehow need to do something with redirects if someone tries to connect by http/port 80 (presumably this redirect is maintained in the DNS settings for my hosted site?)

Post by Dravion » 2018-06-17 14:30

Yeah, at first it can be a bit confusing.

As you already mentioned, you are running your Website as part of a Hosting Package with an easy to use Webinterface; this will take away the burden from your shoulders of logging on remotely by Console SSH-Client and configuring your Linux server manually. (By the way, in a Linux System, there is no Registry, COM, ActiveX and there are also no Drive letters like C:\ D:\ E:\ etc. Instead of Drive letters you have just a Root folder and many Subfolders. For example: In any Linux or Unix System, System settings can only be found and changed by editing the files in the /etc/ folder. Logfiles are always placed in the Folder /var/log. In Linux basically anything is just a file and your Linux works exactly how you configured the params inside the config files by Text editor of your choice)

However:
Regarding your SSL situation. You can buy an SSL-Certificate from your Hosting provider and it will run just fine. But keep in mind: all SSL-Certificates expire after a specific date, regardless of whether you buy a Certificate or just obtain a Letsencrypt free SSL-Certificate. While for example Companies like Thawte, Verisign or Comodo do have different procedures.

Letsencrypt:
I bet your Webinterface has an option to auto-renew your SSL-Certificate after 90 Days automatically, or you can restart the renewal Process by a simple Mouseclick in your Hosting-Webinterface; this should not be the problem.

Regarding your hMailServer SSL-Question:
In case you choose to use Letsencrypt SSL-Certificates make sure you don't issue a certificate request for smtp.yourdomain.com or mail.yourdomain.com (or simply the A Record for your Domain's MX-Record). Just prepare your Website with all needed Letsencrypt SSL-Certificates within your Webhosting Webinterface and make sure the Autorenewal option is enabled.

PS: You can also mix SSL-Certificates with Letsencrypt or a Third-party Certificate. You are not forced for example to use Letsencrypt or for instance Comodo to secure all your DNS-Hostnames (www.yourdomain.com, mail.yourdomain.com, imap.yourdomain.com, etc).

For securing hMailServer use one of the Tutorials in the hMailServer Forum Tutorial (for example Winsimple) for securing hMailServer separately.
Again: It's important that you DON'T request a Letsencrypt for smtp.yourdomain.com or mail.yourdomain.com (or simply, your MX-Record Hostname)! Because if an SSL-Certificate is already issued from your Webhosting Package for your MX Record DNS-Hostname, your Letsencrypt signing request won't work.

Post by mattg » 2018-06-18 01:00

LetsEncrypt works best with a Scheduled Task or Cron jobs in the background, checking every week to see if new certs can be obtained (within 1 month of renewal), and if so, create and download, and replace.

It just works.

Do you know what webserver serves the pages? Is it Apache or Nginx or IIS? There is a Let's Encrypt script for each.
Do you know the operating system of the web server?

I have a valid url that points to mx.example.com, which displays my webmail.
I get a lets encrypt certificate for it.
I use that same lets encrypt certificate in my hMailserver.

I actually share my cert folder on my webserver with my hMailserver, and it uses the latest certificate available. All I need to do is restart my hMailserver each month, and the newest cert is loaded each restart.

It just works
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
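
The weekly renewal check and the restart-after-renewal routine described above, as an added example that is not part of the original post. The 30-day window, the fingerprint state file and all paths are assumptions, and the certificates are throwaway self-signed samples constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Paths, the 30-day window and the state file are assumptions;
# mx.example.com is the hostname used in the post.

# True (exit 0) when the certificate expires within $2 days (default 30),
# i.e. it is inside the renewal window a weekly job would act on.
# An unreadable certificate also counts as due.
renewal_due() {                     # $1 = certificate, $2 = days
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) \
        >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate currently in the shared folder.
cert_fingerprint() {                # $1 = certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when the shared certificate differs from the one recorded at the last
# restart, so the mail server is restarted only when a new cert has arrived.
restart_needed() {                  # $1 = certificate, $2 = state file
    new=$(cert_fingerprint "$1")
    [ -n "$new" ] || return 1       # unreadable cert: keep the running one
    [ "$new" != "$(cat "$2" 2>/dev/null)" ] || return 1
    printf '%s\n' "$new" > "$2"     # remember what is now loaded
}

# Constructed sample input: a self-signed certificate valid for $2 days.
sample_cert() {                     # $1 = output prefix, $2 = days valid
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=mx.example.com" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

dir=$(mktemp -d)
sample_cert "$dir/old" 10
sample_cert "$dir/new" 90
for c in old new; do
    if renewal_due "$dir/$c.crt"; then echo "$c.crt: renew now"
    else echo "$c.crt: outside the renewal window"; fi
done
cp "$dir/old.crt" "$dir/live.crt"
restart_needed "$dir/live.crt" "$dir/loaded.fp" && echo "first load: restart"
restart_needed "$dir/live.crt" "$dir/loaded.fp" || echo "unchanged: no restart"
cp "$dir/new.crt" "$dir/live.crt"
restart_needed "$dir/live.crt" "$dir/loaded.fp" && echo "renewed cert: restart"
rm -rf "$dir"
```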

Post by jimimaseye » 2018-06-18 08:58

mattg wrote:
2018-06-18 01:00
LetsEncrypt works best with Schedule task or Cron jobs in the background, checking every week to see if new certs can be obtained, (within 1 month of renewal), and if so, create and download, and replace

Do you know what webserver serves the pages? Is it Apache or Nginx or IIS. There is a lets encrypt script for each.
Do you know the operating system of the web server?

The 'package' is called a "Linux Home Pro" package. Therefore it is run on a Linux box (probably ;-) ). However, this isn't a VM box that I have control of - it is simply a webserver (and associated MySQL database). Therefore, all I have access/control of is a "public_html" folder which under it is the 'root' of the website address (i.e., where the index.php lives). I don't have access to OS operations so cannot install or run my own scripts from cron etc. - it's purely a hosted website.

(If you click on the hyper-links in my first reply post you will see their 'help' pages from their knowledgebase and hopefully will give you guys a clearer idea of what I have to work with (in particular this one.... and the restrictions).)

I've been giving it some thought. And based on the following:

a, I've removed all transactional links from the website (so there is no 'contact us' and it isn't an eCommerce site)
b, therefore it is now a 'Browsing' only website
c, (and there are no cookies involved)

I'm thinking I'm not going to bother with the SSL connection. I know that Google is tending to favour SSL protected sites nowadays but we don't seem to suffer at the moment (most customers know where we are and look for us directly anyway. In any case I still haven't figured out how to force a redirect for those that would have come in on port 80 and need to go to SSL port 8080).

Post by Dravion » 2018-06-18 09:48

https Standard port is 443

You can redirect by uploading a simple textfile with .htaccess into your /public_html/

Before uploading the .htaccess file open it in a text editor and put something like this in it

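# Trailing slash on the target keeps the requested path intact (/page -> https://www.yourcompany.com/page)
Redirect 301 / https://www.yourcompany.com/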

Save the file and upload it with Filezilla or any other FTP-Client.

Reload Website after upload, it just should work.

Post by jimimaseye » 2018-06-18 10:07

Dravion wrote:
2018-06-18 09:48
https Standard port is 443

Ah yes, indeed, sorry. I was rushing to get to work. :roll:

.htaccess - it already has one of those. Thanks, I'll look at its contents.

Post by AidySmith » 2018-07-07 13:05

I would suggest letsencrypt with a full guide on how to add it to your website at https://web-hosting-uk.com/get-a-free-ssl-certificate/

Alternatively a hosting company with cPanel can issue you with a free SSL certificate either from Comodo or LetsEncrypt.
