Linux
Apache: TLS & Let's Encrypt
23 flashcards · answers and review in the app — launching soon
A site serves data over plain HTTP and browsers flag it as insecure. What does switching to HTTPS actually add, and why is a CA-issued certificate still needed on top of that?
In TLS, which key encrypts and which decrypts, and how do client and server end up sharing one session key without ever transmitting a private key?
Online banking data is transmitted perfectly tap-proof but arrives at a fraudster's server instead of the bank. Which security property did the encryption fail to provide?
When juggling TLS files, what do the extensions .key, .csr, .pem, and .crt each hold?
What single command generates a private RSA server key with openssl, and what one permission mistake makes the whole certificate worthless?
Encrypting the server key with a passphrase sounds strictly safer. Why does Apache in practice get an unencrypted copy of the key instead?
You generate a cert with Common Name a-company.com but the site is served at www.a-company.com. What breaks, and what does that tell you about the Common Name field in a CSR?
With openssl, what is the difference between generating a certificate signing request and producing a self-signed certificate — and who does the equivalent signing step for a real cert?
To turn on HTTPS in Apache, which module must be active and what are the two essential directives inside the port-443 VirtualHost?
You switch a site from HTTP-only to SSL for the first time, run a config reload, and the SSL module still isn't active. What did you do wrong?
acme.sh has no distro package. What does its setup actually do to your system, and what one precaution should you take before running the downloaded script?
When acme.sh --issue requests a certificate with -w pointing at your web root, what does it place there, and what is that mechanism proving?
You want one certificate covering every subdomain via a wildcard. Why is a wildcard cert more painful to renew than a normal one, and what removes that pain?
Certs issued by acme.sh sit in /root/.acme.sh, which the web server can't reach. Why is manually copying them the wrong fix, and what does --install-cert do differently?
acme.sh's cron job auto-renews certificates — at what age does it renew, and how do you test the renewal without waiting?
You want all plain HTTP requests to land on HTTPS. What Apache construct in the port-80 VirtualHost handles this, and what is the redirect target?
Even with a valid cert, TLS negotiation can fall back to weak protocols. Which two Apache directives lock this down, and how do you get correct values without guessing?
You paste in HSTS and HTTP/2 directives from the Mozilla generator but Apache errors or ignores them. Which modules must be enabled first?
After configuring TLS, how can you independently verify your site's HTTPS security and find weak spots?
A browser throws a security warning on your self-signed certificate. Does that mean the connection's encryption is weak, and is such a cert ever good enough to use?
On a fresh Debian/Ubuntu Apache install, HTTPS already works with some default certificate. What is that certificate called, where does it live, and how do you regenerate it after a hostname change?
Let's Encrypt certs are free — what two limitations come with that, and what does domain validation actually prove (and not prove) about the site?
What is the official Let's Encrypt client, who maintains it, and why might you reach for acme.sh instead?