Friendica Communications Platform (please note that this is a clone of the repository at github, issues are handled there)
Using SSL with Friendica
=====================================

* [Home](help)

Disclaimer
---

**This document has been updated in November 2015.
SSL encryption is relevant for security.
This means that recommended settings change fast.
Keep your setup up to date and do not rely on this document being updated as fast as technologies change!**

Intro
---

If you are running your own Friendica site, you may want to use SSL (https) to encrypt communication between servers and between yourself and your server.

There are basically two sorts of SSL certificates: self-signed certificates and certificates signed by a certificate authority (CA).
Technically, both provide the same valid encryption.
There is a problem with self-signed certificates though:
They are installed neither in browsers nor on other servers.
That is why they provoke warnings about "mistrusted certificates".
This is confusing and disturbing.

For this reason, we recommend getting a certificate signed by a CA.
Normally, you have to pay for them - and they are valid for a limited period of time (e.g. a year or two).

There are ways to get a trusted certificate for free.

Choose your domain name
---

Your SSL certificate will be valid for a domain or even only for a subdomain.
Make your final decision about your domain or subdomain *before* ordering the certificate.
Once you have it, changing the domain name means getting a new certificate.

Shared hosts
---

If your Friendica instance is running on a shared hosting platform, you should first check with your hosting provider.
They have instructions for you on how to do it there.
You can always order a paid certificate with your provider.
They will either install it for you or provide an easy way to upload the certificate and the key via a web interface.

It might be worth asking if your provider would install a certificate you provide yourself, to save money.
If so, read on.

Getting a free StartSSL certificate
---

StartSSL is a certificate authority that issues certificates for free.
They are valid for a year and are sufficient for our purposes.

### Step 1: Create a client certificate

When you initially sign up with StartSSL, you receive a certificate that is installed in your browser.
You need it for the login on, also when coming back to the site later.
It has nothing to do with the SSL certificate for your server.

### Step 2: Validate your email address and your domain

To continue you have to prove that you own the email address you specified and the domain that you want a certificate for.
Specify your email address, request a validation link via email from the "validations wizard".
Same procedure for the domain validation.

### Step 3: Request the certificate

Go to the "certificates wizard".
Choose the target web server.
When you are first prompted for a domain to certify, you need to enter your main domain, e.g.
In the next step, you will be able to specify a subdomain for Friendica, if needed.

Example: If you have, you first enter, then specify the subdomain friendica later.

If you know how to generate an openssl key and a certificate signing request (CSR) yourself, do so.
Paste the CSR into your browser to get it signed by StartSSL.

If you do not know how to generate a key and a CSR, accept StartSSL's offer to generate it for you.
This means that StartSSL holds the key to your encryption, but it is better than no certificate at all.

Download your certificate from the website.
(Or in the second case: Download your certificate and your key.)

To install your certificate on a server, you need one or two extra files: and ca.pem, delivered by
Go to the "Tool box" section and download "Class 1 Intermediate Server CA" and "StartCom Root CA (PEM encoded)".

If you want to send your certificate to your hosting provider, they need the certificate, the key and probably at least the intermediate server CA.
To be sure, send those three and the ca.pem file.
**You should send them to your provider via an encrypted channel!**

If you run your own server, upload the files and check out the Mozilla wiki link below.
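
Generating the key and the CSR yourself, as Step 3 recommends, keeps the private key on your own machine. The following is an added example, not part of the original Friendica documentation; the domain `friendica.example.org`, the function names and the file layout are assumptions. It also checks that a CSR or a downloaded certificate really belongs to your key before you install it or send it to a provider.

```shell
#!/bin/sh
# Added example (not from the Friendica docs). friendica.example.org is a
# placeholder domain; function names and file names are hypothetical.

# make_key_and_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (private key) and OUTDIR/DOMAIN.csr (signing request).
make_key_and_csr() {
    domain=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    (
        umask 077   # the key file must be readable by its owner only
        openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    ) || return 1
    # Only the CSR is pasted into the CA's form; the key stays on this machine.
    openssl req -new -sha256 -key "$outdir/$domain.key" \
        -subj "/CN=$domain" -out "$outdir/$domain.csr"
}

# pubkey_pem KIND FILE
# Prints the public key contained in a private key, a CSR or a certificate.
pubkey_pem() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_keypair KIND FILE KEYFILE
# Exit status 0 only if FILE (csr or cert) carries the public key of KEYFILE.
# An unreadable or malformed file counts as a mismatch, never as a match.
same_keypair() {
    a=$(pubkey_pem "$1" "$2") || return 1
    b=$(pubkey_pem key "$3") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage:
#   make_key_and_csr friendica.example.org ./ssl
#   same_keypair csr  ./ssl/friendica.example.org.csr ./ssl/friendica.example.org.key
#   same_keypair cert ./ssl/friendica.example.org.crt ./ssl/friendica.example.org.key
```
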

Let's Encrypt
---

If you run your own server and you control your name server, the "Let's Encrypt" initiative might become an interesting alternative.
Their offer is not ready yet.
Check out their website for status updates.

Web server settings
---

Visit Mozilla's wiki for instructions on how to configure a secure web server.
They provide recommendations for different web servers.

Test your server SSL settings
---

When you are done, visit the test site SSL Labs to have them check if you succeeded.