What is a Domain Name?
A domain name is a website’s equivalent of a physical address. It consists of a name and an extension. It helps users easily find your website and eliminates the need to memorize the site’s Internet Protocol (IP) address. Above all, domain names are a key part of the internet infrastructure.
How does it work?
- When you enter a domain name in a browser, the request is sent through the global network of servers that makes up the Domain Name System (DNS).
- The request is made to one DNS server, and if the address is not found there, it moves on to another.
- The DNS server that has information about the IP address will return it to the browser.
- The browser will request data about the site from the domain’s hosting server. Once the hosting server sends the data back, the web browser will convert it into a web page.
Register Your Domain at NameSilo
NameSilo is a domain registrar that offers the lowest prices for domain registration, along with free domain protection and a streamlined registration process.
- Create an account and verify your email.
- Search for your desired domain name, add the domain to your cart, then check out.
- Enter a payment method, save it to your account, and pay.
Manage DNS records in Cloudflare
Cloudflare is a service that offers a variety of features such as a content delivery network (CDN), DDoS protection, and SSL certificates. Part of this suite of tools is the ability to use Cloudflare to manage your DNS.
- Sign up for a Cloudflare account.
- Add your website to Cloudflare and select the Free plan.
- Change your nameservers. You need to log into your registrar's account and update the nameservers to the two that Cloudflare provides.
- Update your DNS records and configure your Cloudflare settings.
SSL and SSL certificates
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that provide secure communications over a computer network or link. SSL/TLS provides data encryption, data integrity and authentication. This means that when using SSL/TLS you can be confident that:
- No one has read your message
- No one has changed your message
- You are communicating with the intended person (server)
Keys and SSL Certificates
SSL/TLS uses a public and private key system for data encryption and data integrity. Public keys can be made available to anyone, hence the term public. Because of this there is a question of trust, specifically: how do you know that a particular public key belongs to the person/entity that claims it?
The answer is to use a digital certificate. A certificate serves the same purpose as a passport does in everyday life. A passport establishes a link between a photo and a person, and that link has been verified by a trusted authority (the passport office).
A digital certificate provides a link between a public key and an entity (business, domain name, etc.) that has been verified (signed) by a trusted third party (a certificate authority). A digital certificate provides a convenient way of distributing trusted public encryption keys.
- Browser connects to the server using SSL (HTTPS).
- Server responds with the server certificate containing the public key of the web server.
- Browser verifies the certificate by checking the signature of the CA.
- Browser uses the public key to agree on a session key with the server.
- Web Browser and server encrypt data over the connection using the session key.
ACME
ACME, or Automated Certificate Management Environment, is a protocol that makes it possible to automate the issuance and renewal of certificates, all without human interaction.
The Internet Security Research Group (ISRG) initially designed the ACME protocol for its own certificate service, Let’s Encrypt, a free and open certificate authority (CA) that provides domain validated (DV) certificates at no charge. Today, various other CAs, PKI vendors, and browsers support ACME for different types of certificates.
Issue Let’s Encrypt certificate with acme.sh and Cloudflare DNS
Step 1 - Create a system account for acme
sudo useradd -m -d /var/acme -s /usr/sbin/nologin -r -U acme
sudo chmod 700 /var/acme
# edit sudoers file
sudo visudo
# add the following line at the end:
acme ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl reload nginx.service
# create a directory to save certs
sudo mkdir -m 710 /etc/nginx/ssl
sudo chown acme:acme /etc/nginx/ssl
# add www-data to acme group
sudo usermod -a -G acme www-data
id www-data
Step 2 - Install acme.sh
# change to acme user
sudo su - -s /bin/bash acme
git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m you@example.com # placeholder: use your own contact email
# set default CA to letsencrypt
acme.sh --set-default-ca --server letsencrypt
# some commands
acme.sh --list
acme.sh --upgrade
acme.sh --upgrade --auto-upgrade # enable auto upgrade
acme.sh --upgrade --auto-upgrade 0 # disable
acme.sh --remove -d example.com [--ecc]
Step 3 - Getting Cloudflare API key
Head over to the Cloudflare control panel and obtain an API key. Click Create Token > Edit zone DNS > Use template. Make sure the DNS permission is set to Edit and that the included zone is your DNS domain name. Finally, click Continue to summary to see your Edit zone DNS API token summary.
The API token is a 40-character string that may contain uppercase letters, lowercase letters, numbers, and underscores. You must provide it to acme.sh by setting the environment variable CF_Token to its value, e.g. run:
export CF_Token="Y_jpG9AnfQmuX5Ss9M_qaNab6SQwme3HWXNDzRWs"
Step 4 - Issue wildcard certificate
acme.sh --issue --dns dns_cf -d example.com -d '*.example.com' -k ec-256
# If everything went well, install your certificate
acme.sh --install-cert -d example.com \
--key-file /etc/nginx/ssl/key.pem \
--fullchain-file /etc/nginx/ssl/cert.pem \
--reloadcmd "sudo /usr/bin/systemctl reload nginx.service"
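To confirm that Steps 1 and 4 left the certificate directory in the intended state, the following audit script can be run as root with the directory as its argument. It is an added example, not part of acme.sh or of the procedure above; the function names and the owner-only rule for key.pem are assumptions, and it relies on GNU stat.

```bash
#!/usr/bin/env bash
# Added example: audit ownership and permissions of the certificate directory
# from Steps 1 and 4. Defaults (/etc/nginx/ssl, owner acme) are this page's.

# mode_has FILE MASK: true if FILE's mode shares any bit with the octal MASK.
mode_has() {
  [ $(( 0$(stat -c '%a' "$1") & 0$2 )) -ne 0 ]
}

# audit_tls_dir [DIR] [OWNER]: print findings, return the number of problems.
audit_tls_dir() {
  local dir="${1:-/etc/nginx/ssl}" owner="${2:-acme}" problems=0 f
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir is missing"; return 1
  fi
  # Step 1 created the directory with mode 710: no access at all for "other".
  if mode_has "$dir" 007; then
    echo "FAIL: $dir is accessible to other users"; problems=$((problems + 1))
  fi
  # Only the owner may create or replace files here (no group write bit).
  if mode_has "$dir" 020; then
    echo "FAIL: $dir is group-writable"; problems=$((problems + 1))
  fi
  for f in "$dir" "$dir/key.pem" "$dir/cert.pem"; do
    if [ ! -e "$f" ]; then
      echo "FAIL: $f is missing"; problems=$((problems + 1)); continue
    fi
    if [ "$(stat -c '%U' "$f")" != "$owner" ]; then
      echo "FAIL: $f is not owned by $owner"; problems=$((problems + 1))
    fi
  done
  # Assumed policy: the private key is readable and writable by its owner only.
  if [ -e "$dir/key.pem" ] && mode_has "$dir/key.pem" 077; then
    echo "FAIL: $dir/key.pem is accessible to group or other"
    problems=$((problems + 1))
  fi
  # cert.pem must hold the installed fullchain, so it cannot be empty.
  if [ -e "$dir/cert.pem" ] && [ ! -s "$dir/cert.pem" ]; then
    echo "FAIL: $dir/cert.pem is empty"; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ] && echo "OK: $dir matches the expected layout"
  return "$problems"
}

# Run the audit only when the script is given a directory argument.
if [ "$#" -gt 0 ]; then audit_tls_dir "$@"; fi
```

The exit status is the number of findings, so the script can gate a deployment step or a monitoring check.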