Very old server, is there a manual way that doesn't require any installs on server?


#1

I have a very old server running that we are phasing out, but I need to create a wildcard certificate for the domain that the server is hosting.

I don’t want to install anything new on the server as it is from 2010, and I don’t want to touch it as we are phasing it out.

Is there a way for me to request a cert and simply add the files to the server so it can respond to any verification tests?

I can add/remove files, and update the nginx conf to point to the necessary files, but I can’t install any certbot tools as I am not sure it will even work as it is a very old server (Ubuntu 8.x).


#2

Hi @whateverssl

do you have another server with an installed Certbot?

If yes, use there something like

certbot certonly --manual -d *.yourdomain.com -d yourdomain.com

to create a certificate with a wildcard.


#3

If you are installing SSL on this server for the first time, you will likely need to compile OpenSSL and your web server from source, since the version of OpenSSL that ships with Ubuntu Hardy would not be compatible with a very large proportion of modern browsers.

To that end, it might be more useful to terminate SSL for this server from a different, more modern server. That would also solve your installation problem.


#4

Depends on:

So, if you truly can’t install any client, then that only leaves online verification methods and since it is a wildcard cert you seek, DNS authentication will be required.
You can try: https://www.sslforfree.com/
[I would always recommend that you generate your own private key offline]

Unless you have another system available to “assist”, then you could do as @JuergenAuer suggests and use a separate system to generate the cert and then transfer it to this system.

[edit]
But as @_az points out, the ciphers and protocols supported by the existing OpenSSL (if it hasn’t been manually updated/compiled recently) may not be compatible with any modern browser.
So, I would check that first.
Review the output of:
openssl version
openssl ciphers


#5

I’m pretty sure this is very outdated!

OpenSSL 0.9.8g 19 Oct 2007
and
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5


#6

Maybe you can try acme.sh; it can run on very old systems.


#7

So that will create the certificate and save it to the “other” server. I then create the TXT for DNS validation. Once it is validated, I can then copy the cert files to my “real” server?


#8

Yes. Keep in mind that Let’s Encrypt certificates are only valid for 90 days.

Though it would be a kindness to decommission the server before then anyway.


#9

Yes, this is very outdated - but you might be able to still get some use out of it…
If possible I would first try to update OpenSSL:
apt update or apt-get update
then (using apt or apt-get - whichever worked)
apt install openssl
or
apt install openssl --update
[whichever works]

In any case, you might get some use (long enough to get you to the next system) out of using these ciphers:
AES256-SHA:AES128-SHA
or (if needed) even these:
AES256-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA

I would highly recommend disabling all the rest ASAP.
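The checks suggested in #4 (review `openssl version` and `openssl ciphers`) and the cipher trimming in #9 can be done in one pass with the small POSIX shell script below. It is an added example, not something posted in this thread or shipped by certbot or nginx. The sample cipher string is the one pasted in #5; on a live host you would substitute `"$(openssl ciphers)"` and `"$(openssl version)"`. The weak-cipher markers (export grade, DES/3DES, RC2, RC4, MD5 MAC, DSS authentication) are my own classification and are stricter than the "if needed" fallback list in #9, which still allows the 3DES suites; the TLS 1.2 cut-off relies on the fact that OpenSSL only gained TLS 1.2 in 1.0.1.

```shell
#!/bin/sh
# Added example (not from the thread): audit the output of `openssl version` and
# `openssl ciphers` on an old host and build a restricted list for nginx's
# ssl_ciphers directive. SAMPLE_* values are the strings posted in #5 of the thread.

SAMPLE_VERSION='OpenSSL 0.9.8g 19 Oct 2007'
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5'

# supports_tls12 "OpenSSL x.y.z ..." -> exit 0 when the library is 1.0.1 or newer,
# the first release with TLS 1.2; anything older negotiates at most TLS 1.0.
supports_tls12() {
    printf '%s\n' "$1" | awk '{
        split($2, v, ".");
        maj = v[1] + 0; min = v[2] + 0;
        sub(/[^0-9].*$/, "", v[3]); pat = v[3] + 0;   # drop letter suffix, e.g. "8g" -> "8"
        if (maj > 1 || (maj == 1 && (min > 0 || pat >= 1))) exit 0; else exit 1 }'
}

# is_weak NAME -> exit 0 when the cipher name carries a known-weak marker:
# export grade (EXP-), single DES or 3DES (DES-CBC*), RC2, RC4, an MD5 MAC, or
# DSS authentication (no mainstream browser still negotiates DSS suites).
is_weak() {
    case "$1" in
        EXP-*|*DES-CBC*|*RC2*|*RC4*|*-MD5|*DSS*) return 0 ;;
        *) return 1 ;;
    esac
}

# weak_ciphers LIST -> distinct weak ciphers from a colon-separated list, one per line
weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | sort -u | while IFS= read -r c; do
        if [ -n "$c" ] && is_weak "$c"; then printf '%s\n' "$c"; fi
    done
}

# count_weak LIST -> number of distinct weak ciphers
count_weak() {
    weak_ciphers "$1" | wc -l | tr -d ' '
}

# nginx_cipher_string LIST -> the remaining (non-weak) ciphers, duplicates removed,
# original order kept, colon-joined so it can be pasted into `ssl_ciphers "...";`
nginx_cipher_string() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '!seen[$0]++' | while IFS= read -r c; do
        if [ -n "$c" ] && ! is_weak "$c"; then printf '%s\n' "$c"; fi
    done | awk 'NR > 1 { printf ":" } { printf "%s", $0 } END { print "" }'
}

# Demo run over the constructed sample values.
if supports_tls12 "$SAMPLE_VERSION"; then
    echo "TLS 1.2 available: $SAMPLE_VERSION"
else
    echo "No TLS 1.2 (OpenSSL < 1.0.1): $SAMPLE_VERSION"
fi
echo "Weak ciphers offered: $(count_weak "$SAMPLE_CIPHERS")"
echo "Suggested ssl_ciphers \"$(nginx_cipher_string "$SAMPLE_CIPHERS")\";"
```

Run as-is to see the report for the #5 values; the resulting `ssl_ciphers` string for that host is `DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA`, which is #9's AES-only list plus the DHE variants. The version check is the more important half: a library that cannot do TLS 1.2 stays a bridge to the replacement system no matter how the cipher list is trimmed, which is the point #3 makes about terminating TLS elsewhere.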