Adventures With TLS

I got TLS installed last week and it wasn't the hardest thing to do. I have compiled some tips to try and smooth out your attempt.

Put a hole in your firewall

This one messed with me for a bit because I totally forgot that my firewall was set to drop everything. If you get the following error in your browser, this tip is for you.

ERR_CONNECTION_TIMED_OUT

First off, take a look at your iptables rules:

matthew@Pineapple:~$ sudo iptables -L
Chain INPUT (policy DROP)
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

What you want is an http line and an https line in your rules. If the https line is missing, use the following command to add it.

sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Then make sure the rule survives a reboot: install the iptables-persistent package and save the rules.

sudo apt-get install iptables-persistent
sudo /etc/init.d/iptables-persistent save
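The check-then-add sequence above, as an added example that is not part of the original post: it reads the INPUT chain in `iptables -S` form, reports whether TCP 443 is already accepted, and prints the add and save commands only when they are still needed. The sample rule sets are constructed so the logic can be tried without root; `--live` runs it against the real chain.

```sh
#!/bin/sh
# Added example, not from the original post. Works on `iptables -S INPUT`
# output (one rule per line, e.g. "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT").

# Constructed sample chains: one with only http open, one with https too.
SAMPLE_CLOSED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
SAMPLE_OPEN="$SAMPLE_CLOSED
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"

# has_accept_rule RULES PORT -> exit 0 if some INPUT rule accepts TCP PORT.
# The trailing space after the port keeps 443 from matching 4430; multiport
# rules (--dports 80,443) are not recognised and would be reported as missing.
has_accept_rule() {
    rules="$1"; port="$2"
    printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*-p tcp .*--dport ${port} .*-j ACCEPT$"
}

# needed_commands RULES -> prints the commands from the post that are still
# needed to open and persist https, or nothing if 443 is already accepted.
needed_commands() {
    rules="$1"
    if ! has_accept_rule "$rules" 443; then
        echo "sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"
        echo "sudo /etc/init.d/iptables-persistent save"
    fi
}

# Run with --live on the server itself (needs root) to inspect the real chain.
if [ "${1:-}" = "--live" ]; then
    needed_commands "$(iptables -S INPUT)"
fi
```

A matching ACCEPT is only effective if no earlier rule in the chain already drops the traffic, so read the full `iptables -S INPUT` listing in order rather than trusting the match alone. On current Debian and Ubuntu releases the package's save command is `sudo netfilter-persistent save`; the block prints the command as the post gives it.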

Use tested configurations

Mozilla has built an awesome tool for getting your web server configured with the best security. These configurations are tested by the community and if you spot a problem, you can submit a pull request for changes.

Run a quality check

I used the SSL Server Test by Qualys to religiously test my configuration. Shoot for a score of A if your certificate comes from a recognized certificate authority, or an "If trust issues are ignored: A" rating if you created the certificate yourself.

I got an A!
An A except it can't be verified