Free SSL certificate for a Cyrillic domain. Refusal of SSL certificates for local domains and IP addresses


How to get a free SSL certificate for a Russian domain using CloudFlare? + CDN bonuses.


By using the free CloudFlare CDN service you will get at least two advantages:

  1. a free SSL certificate from a certification authority that Mozilla Firefox, Google Chrome and other browsers trust;
  2. a free content delivery network (CDN) for your website, which will speed up page loading.

This article gives detailed instructions on obtaining an SSL certificate for a Cyrillic domain. In addition, I will explain the impact of problematic certificates (red padlock) on the conversion of a website, blog or online store.

Warning in Google Chrome for a site using the https protocol.

With the recent release of Chrome 57 (and starting from Chrome 56), sites using WoSign or StartSSL certificates have become partially inaccessible.

There is no longer a green padlock in the browser address bar.

Is the freebie over? Actually no - you will find the answer in the article.

Why did the freebie end? WoSign and StartSSL.

It was previously reported (autumn 2016) that these certification centers do not comply with security requirements.

Firefox, Chrome and others will no longer show a green padlock in the address bar. More than that: it is now harder even to reach resources that use these certificates.

Google Chrome, for example, warns about a bad certificate and shows this to the user when opening any page on the domain.

Attackers may be trying to steal your data from the site.

It presents this in such a way that the person opening the site may be scared. Without understanding the true reason for the message, the visitor will leave the "dangerous" site.

It looks something like this:


Google Chrome: Your connection is not secure (NET::ERR_CERT_AUTHORITY_INVALID)

And to get to such a site you still have to be clever: click "Advanced" (apparently there are translation difficulties) and find "go to site xxx" there.


Google Chrome: The server cannot verify the connection with the domain - go to the site (unsafe)

And after confirming the transition to the site, everything in the address bar is red:


Users' trust in such a site drops sharply and they leave it immediately, although I doubt they would not already have closed it at the previous stage.

P.S. In general, this applies to sites outside the top million by Alexa, but I cannot verify this.

Question: how to make a green padlock in the browser address bar?


Google Chrome: a green padlock in the address bar means a trusted site.

Answer: You need a valid SSL certificate from a certification authority (Symantec, Comodo, GlobalSign, etc.) trusted by major browser manufacturers.

  • Buy a certificate with IDN support (internationalized domain names: .рф, .moskva and other non-Latin domains). Not all certificates support IDN, and those that do usually cost more.
  • Use CloudFlare's service for free, which is the trick described in this article.

How can I make a green padlock in the address bar for a Cyrillic domain for free?

In order for our site to have a good SSL certificate that is trusted by Google Chrome, Mozilla Firefox, Opera and others, we will use the CDN service CloudFlare.

This service is trusted by such large companies as Zendesk, Eurovision, DigitalOcean and others. The entire list can be found at: cloudflare.com/case-studies/.

Brief instructions. 4 steps.

Instructions for enabling an SSL certificate in Cloudflare:

  1. Register in the service;
  2. Select a domain and follow the assistant's instructions;
  3. Change the DNS server for the domain, in the domain control panel - where the domain was registered;
  4. Enable the desired SSL mode in the Cloudflare panel. Ready!

Now let's take a closer look at each step. You can handle some of them without this article, but at some steps you may have problems the first time.

Detailed instructions with screenshots for setting up Cloudflare and connecting a free SSL certificate to your domain.

Register with Cloudflare.

It all starts with registration in the Cloudflare service.


We have added our site to the Cloudflare panel, and at the last step we are asked to change the DNS servers to those offered by the service. In my case they are duke.ns.cloudflare.com and olga.ns.cloudflare.com. We go to the control panel of the hosting provider or registrar and replace the current name servers with the new ones.

Please note that this procedure may take time. DNS propagation can take from six to 48 hours, although lately it has been happening much faster.

Checking NS servers for a domain using Google Dig.

The important sign is that the site now resolves to a new IP address; that is the indicator that the DNS change has taken effect.


You can check this periodically using the Dig utility from Google, located at //toolbox.googleapps.com/apps/dig/. Besides the DNS servers, you can check the mail server and other parameters there.


That's it. Once the DNS change has propagated, Cloudflare sees it and changes the site status to Active.

Obtaining a free SSL certificate in 2017 from CloudFlare.

Now for the most important part: enabling the HTTPS protocol for the site.

CloudFlare SSL mode: Full - default.

Cloudflare SSL Mode - Full

By default, after adding a site, the SSL certificate is connected to the domain in Full mode.

If your site already has access via HTTPS, then you don’t have to do anything. The site's SSL certificate will be valid for browsers.

But if you haven’t had an SSL certificate before or don’t want to bother with one, then read on.

Enable Flexible mode in CloudFlare.

Go to the Crypto tab and enable Flexible on the page cloudflare.com/a/crypto/your_domain. There are four Cloudflare SSL modes available, but more on them another time.


Cloudflare warns us that it may take up to a day to create an SSL certificate. And for a while we will see the error ERR_SSL_PROTOCOL_ERROR.

And now that our site is accessible via HTTPS, you can safely congratulate yourself: you did it!

P.S. If your website opens but shows "mixed content" in the Security Overview of the Google Chrome developer console, then you need to add a rule in CloudFlare.

Mixed content on the site via HTTPS. CloudFlare Page Rules.


To prevent mixed content on the site, you need to go to the Page Rules tab and configure the rule. Click Create Page Rule and write the following:

//*your_domain/*

Then, under "Then the settings are:", click Add a Setting and choose Always Use HTTPS.


Create a rule to always use HTTPS - CloudFlare

Click Save and Deploy, and the problem is solved.
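The Always Use HTTPS rule takes care of the page URL, but the "mixed content" warning comes from subresources (scripts, images, stylesheets) that the page markup still loads over plain http://. The following scanner, added here as an example and not part of the original article, finds such URLs in a page the way a browser would resolve them; the sample HTML and hostnames are constructed.

```python
# Added example: a small mixed-content scanner for a page served over HTTPS.
# It resolves every subresource URL against the page URL (so relative and
# protocol-relative "//host/..." links are handled) and reports the ones that
# would still be fetched over plain http://. Stdlib only; sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that trigger a subresource fetch.
_RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url) for every subresource loaded over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name in _RESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset holds "url descriptor, url descriptor"; keep only the URLs.
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for cand in candidates:
                absolute = urljoin(self.page_url, cand)
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return the list of (tag, url) subresources that would be mixed content."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure


def rewrite_to_https(html):
    """Naive fix for hard-coded links: upgrade quoted http:// URLs to https://.
    Only use this after confirming every referenced host actually serves HTTPS."""
    return html.replace('"http://', '"https://').replace("'http://", "'https://")


# Constructed sample page: the stylesheet and two images still use plain http://,
# the script uses a protocol-relative URL and one image a relative path (both fine).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/local/pic.png">
<img srcset="http://img.example.test/a.png 1x, /b.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://xn--e1afmkfd.xn--p1ai/", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```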

It is impossible to obtain an SSL certificate for a Cyrillic domain (.рф, .рус) in the VESTA control panel

By the way, yes. It is impossible to obtain an SSL certificate for the domains .рф, .рус.
The Vesta control panel (which is free) currently has problems with Cyrillic domains (IDN domains, national) and automatically obtaining SSL certificates from Let’s Encrypt for them.
In this regard, it is problematic to obtain a free SSL certificate in VestaCP from Let’s Encrypt.

This bug is known and is still at the discussion stage; the fix is expected in a future update. For now you will have to use CloudFlare with its Flexible and Full modes.

FirstVDS clients with the ISPmanager panel on a virtual server can install free Let's Encrypt certificates for any number of sites. Let's Encrypt is a regular SSL certificate with domain verification (DV), which is issued for an unlimited period.

How to install a certificate?

1. Log into the ISPmanager panel with superuser (root) rights.

2. Go to Integration → Modules, install the free Let’s Encrypt plugin


3. Go to Web server settings → SSL certificates, select Let’s Encrypt


4. Select the user and domain to which you want to install the certificate. The domain must be delegated, i.e. it must open the site - otherwise the certificate will not be issued. Complete the rest of the form.


5. The certificate will be installed automatically on the site with the selected domain. First a self-signed certificate is installed, which is replaced with the full certificate once the process completes. Wait for the certificate to be issued: the type should change to "Existing".


6. Done! Your site is protected by a signed Let's Encrypt certificate - there should be a green padlock in the address bar. The certificate is valid for an indefinite period.


What is it suitable for?

Let's Encrypt certificates are suitable to protect websites. The certificate cannot be used for code signing and email encryption.

What types of checks are performed?

Only domain validation (DV). Support for OV and EV validation is not available and is not planned.

How quickly is it released?

Let's Encrypt certificate is issued and starts working within a few minutes. The main condition is that the domain to which the certificate is bound must be delegated. It’s easy to check: write the site’s domain name in the address bar of your browser and press Enter. If you see your site, then everything is in order - you can start obtaining the certificate.

How long is the certificate valid?

Forever, if the ISPmanager control panel is on the server. If there is no panel, the certificate will not be renewed! Why is that? Let's Encrypt certificates are issued for 3 months. The ISPmanager plugin renews the certificate automatically 7 days before the end of the current period. If you remove the panel, then at the end of the next 3 months the certificate will not be renewed and will no longer be accepted by browsers: a crossed-out HTTPS icon and a warning about an insecure connection will appear. In this case you will have to renew the certificate manually every 3 months, or configure auto-renewal yourself using third-party software.

Will the certificate be recognized by browsers as trusted?

Yes it will. Most modern browsers are supported. Detailed compatibility information can be found on the official support forum.

Can it be used for commercial purposes?

Yes you can. It is for these purposes that the certificate was created.

Are Country Code Names (IDN) supported?

Let's Encrypt certificates support IDN domain names, i.e. names using characters from national alphabets. You can use a certificate for Cyrillic domains like moisite.rf.

Are subdomains (wildcard) supported?

Let's Encrypt certificates support wildcard. Such certificates are verified only through DNS records.

Is multi-domain (SAN) supported?

No. The certificate itself supports SANs of up to 100 different domains, but the automated binding process in the panel precludes this feature. Each domain will have to be configured separately.

How to set up automatic redirect to HTTPS?

Even if a certificate is installed on the site, a visitor can type the address in the browser as http://..., or follow an old link from a search engine. In that case their connection will not be secure, and they will not know that the site uses an SSL certificate to encrypt the transmitted data. To ensure that all requests from site visitors are encrypted, you need to configure an HTTP → HTTPS redirect.

Redirect using Apache+Nginx combination

1. In the ISPmanager control panel, go to Domains → WWW domains, select the domain with the certificate and click Edit.


2. In the settings, check the Redirect HTTP requests to HTTPS checkbox and apply the changes.


3. Done! All requests to the site now go through a secure HTTPS connection.

Redirect on pure Apache

Attention! All changes to the Apache configuration file are made at your own risk! The settings described below will work in most cases, but may cause problems on specific configurations. Trust the experts if you are not sure about the results of the changes you are making.

1. In the ISPmanager control panel, go to Domains → WWW domains, select a domain with a certificate and click Config.

Quite often we receive requests about how to obtain an SSL certificate for a local domain (.local) or for an IP address. Previously, separate types of SSL certificates could be obtained for an IP address or an internal domain; unfortunately, this is no longer possible. Ordering internal certificates like Comodo IntranetSSL is no longer possible, and multi-domain certificates supporting local .local domains will only be valid until October 31, 2015. As for previously issued SSL certificates for internal domains and IP addresses, on October 1, 2016 they will be revoked or blocked by browsers.

Why were SSL certificates canceled for IP and local domains?

The decision to stop issuing SSL certificates for .local domains and for IP addresses was made at the Certification Authorities and Browsers Forum (CA/B Forum).

The most important goal of certificate authorities when issuing SSL certificates is to ensure reliability and trust by associating cryptographic public key data with a verified individual or company. SSL certificates identify computers as servers that offer one or more protocols (usually HTTP for web traffic, but also SMTP, POP, IMAP, FTP, XMPP, RDP, and others) over SSL/TLS.

The server can be reached by a number of names or addresses. A server connected to the Internet typically has its own name in the Domain Name System (DNS), which allows any other system on the Internet to resolve that name to an IP address and access the server. For example, let’s take a server with the domain name “server1234.site”. This system has a routable IP address on the Internet - IPv4 or IPv6, or both.

However, servers may have additional names and addresses that are valid only in the context of the local network and not across the entire Internet. Thus, the same server from the example above can be accessed by other computers on the local network under the names “mail” or “mail.local”.

A local domain name may resolve to an Internet-routable IP address or to an IP address reachable only on the local network. The 192.168.*.* address space used by many home Internet gateways is perhaps the best-known private network range, but there are many other IPv4 and IPv6 address spaces reserved for private or other uses.

The key difference between these two types of domain names and IP addresses is their uniqueness. A fully qualified domain name (FQDN), such as "www.site", represents a unique and easily distinguishable entity on the Internet (even if multiple servers respond to that domain name, only one party can manage it). At the same time, thousands of systems on public and private (local) networks can respond to the unqualified domain name "mail". On the Internet, only one node has the IP address "5.63.155.56", while tens of thousands of home Internet gateways have the address "192.168.0.1".

SSL certificates from trusted certificate authorities are issued to ensure security and trust for domain names throughout the Internet. Non-unique domain names, by their very nature, cannot be identified outside their local context, so SSL certificates issued for local domains are potentially dangerous because they can be used for fraudulent purposes.

It is for this reason that certificate authorities refuse to issue SSL certificates for non-unique domains and IP addresses, such as “mail”, “mail.local” or “192.168.0.1”.

Why is it dangerous to use SSL certificates for local domains and IP addresses?

For example, take a company that has deployed an email system at "https://mail/". The system is not reachable from the Internet, only from the corporate LAN or via VPN. Is it safe?

Not necessarily, if a trusted certification authority has issued an SSL certificate for the "mail" domain name. The domain name "mail" is not unique, so almost anyone can obtain an SSL certificate for "https://mail/". If an attacker uses such a certificate on the corporate LAN together with local name spoofing, they can easily impersonate the real corporate email server and obtain user login credentials and other sensitive information. Moreover, the fraudster does not even have to be on the corporate network to carry out the attack. If a user connects a company laptop to a public WiFi network, the email client may automatically try to connect to "https://mail/" before the VPN connection is established, and at that moment an attacker can substitute the server and steal the user's data.

It should be noted here that it does not matter whether the SSL certificate came from a well-known trusted certificate authority (such as Comodo, Thawte, Symantec and others) or is a self-signed SSL certificate from a private corporate certificate authority. If the SSL certificate used by the scammer chains to a certificate authority in the browser's or operating system's trust store, the certificate will be accepted by all clients, creating a vulnerability even on the public key infrastructure (PKI) user side.

Because local domains and IP addresses cannot be fully validated, and because of the high likelihood of such SSL certificates being used for fraud, the CA/Browser Forum decided to stop issuing them.
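A pre-check for the rule just described, added here as an example (not part of the original article): before putting a name into a certificate request, classify it the way a public CA must, refusing private or reserved IP literals, unqualified single-label names such as "mail", and locally scoped suffixes such as .local. The suffix list and the sample names are assumptions for the example.

```python
# Added example: is this name something a public CA may still certify?
# Applies the CA/Browser Forum rule discussed above: only globally unique
# names (multi-label FQDNs or public IP addresses) are eligible. Stdlib only.
import ipaddress

# Locally scoped suffixes that are never publicly resolvable. This short list is
# an assumption for the example, not the CA/Browser Forum's full reserved list.
RESERVED_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home")


def classify_name(name):
    """Return (eligible, reason) for a DNS name or an IP address literal."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return False, "empty name"
    # IP address literals: only globally routable addresses are unique.
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.is_global:
            return True, "public IP address"
        kind = "private" if addr.is_private else "reserved"
        return False, f"non-unique IP address ({kind})"
    # Plain hostnames must be multi-label (a single label like 'mail' is shared
    # by thousands of LANs) ...
    if "." not in name:
        return False, "unqualified single-label name"
    # ... and must not end in a suffix that only means something locally.
    for suffix in RESERVED_SUFFIXES:
        if name.endswith(suffix):
            return False, f"reserved suffix {suffix} is only meaningful on a local network"
    return True, "fully qualified public name"


def check_san_list(names):
    """Check every SAN candidate; return {name: reason} for those a public CA would refuse."""
    refused = {}
    for n in names:
        ok, reason = classify_name(n)
        if not ok:
            refused[n] = reason
    return refused


# Constructed candidates echoing the names used in the text above.
CANDIDATES = ["mail", "mail.local", "192.168.0.1", "5.63.155.56",
              "www.site", "server1234.site", "xn--e1afmkfd.xn--p1ai", "fe80::1"]

if __name__ == "__main__":
    for n in CANDIDATES:
        ok, why = classify_name(n)
        print(f"{'OK    ' if ok else 'REFUSE'} {n:24} {why}")
```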

What are the alternatives?

1. Use fully qualified domain names (FQDN) and DNS lookup of the domain suffix.

Many sites reachable by a local domain name can also be reached and correctly identified by an FQDN, because DNS client software uses a process called suffix search: configured suffixes are appended to the short name and the result is a fully qualified domain name. Typically this happens automatically for the domains of which the system is a part. For example, a system named "client.example.com" uses "example.com" as its search suffix. When attempting to connect to the name "server", this system will automatically try to resolve "server.example.com" through a DNS lookup. You can also configure the DNS search suffix yourself.

If you use the .local domain for your internal network, this method will not suit you; we recommend that you consider the following.

An attacker can spoof your site even when the user has entered the domain name correctly.

SSL certificates eliminate the possibility of such substitution - by viewing the certificate, the user can make sure that the domain hosts exactly the site that should be there, and not a duplicate of it.

Additionally, an SSL certificate allows the user to verify who the owner of the site is. This means that the user can make sure that he has visited the website of the organization he needs, and not the website of its double.

Another important function of SSL certificates is to encrypt the Internet connection. An encrypted connection is necessary to prevent the possible theft of confidential data while being transmitted over the network.

We recommend installing SSL certificates in the section of the site where users enter confidential data, for example, on the authorization and payment pages. The presence of a certificate on a website protects it from possible counterfeits, since the user can always make sure that the website is genuine and check who it belongs to.

For security reasons, the SSL certificate is not transferable to another contract.

You can check the ownership of the domain in the certificate order through the email specified for the domain in the Whois service. To do this, you need to contact the domain registrar and register any email for it in the Whois service. If the domain is registered in RU-CENTER, then to do this, enter your email in your personal account:

  1. Select Services → My domains.
  2. Click on the domain name as an active link.
  3. In the Description in Whois line, click the Change link.
  4. Enter your email and click the Save changes button. After this, notify us of the actions taken at .

If you generated the CSR in your RU-CENTER personal account (the "create CSR" option was selected), then the private key was automatically saved on your computer under the file name privatekey.txt. Try searching your computer for it. Without saving the file, you would not have been able to proceed to the next step when submitting your certificate order. If the CSR was generated on your server or by a third-party hosting provider, then the private key is located on the server or with the provider, respectively. If the private key is lost, then you need to reissue the certificate (this is free).

  1. Visit the website https://www.upik.de.
  2. Choose the English language.
  3. Click the link UPIK®-Search with D-U-N-S® number.
  4. In the D&B D-U-N-S® Number field, enter the DUNS number.
  5. In the Select country field, choose the country.
  6. On the company card that opens, check for a phone number in the Telephone number field.

If the telephone number is indicated incorrectly or is missing, contact the Russian representative office of DUN&BRADSTREET - Interfax company, and enter or correct the telephone number in the company card. After making changes, the phone number on your DUNS will only appear after 7-30 calendar days.

To change the list of domains covered by the certificate, you must re-create the CSR and go through the procedure of re-issuing the certificate:

1. In the For clients → SSL certificates section, select the desired certificate.

3. If you want to create a CSR during the order process, click Continue. If you will use your own CSR, enter it in the field that appears. Creating a CSR to install a certificate on Microsoft IIS is described in separate instructions, which will open when you select this option.

4. Make changes to the list of domains and click Continue.

5. Enter your contact information and click Continue.

6. Save the private key - you will need it to install the certificate on the web server. Click Continue.

7. Check that everything is correct and click Send order.

SSL certificates are issued for a period of 1-2 years.

If an organization orders a certificate for a domain that does not belong to it, then it must provide a letter from the domain owner with permission to issue a certificate. The letter template will be sent by the certification center to the contact email address of the certificate customer.

A certificate can confirm that the applicant has domain management rights, that is, it can certify only the domain. Such certificates belong to the DV (domain validation) category. By viewing a DV certificate, the user can make sure that they are really on the site whose address was entered in the browser's address bar, that is, that attackers did not redirect them to a fake web resource. However, the certificate does not contain information about who owns the site. This is because, to obtain such a certificate, the customer does not need to provide documentary evidence of their identity, so the details may be fictitious (for example, the person requesting the certificate may impersonate someone else).

A certificate can confirm both the existence of rights to manage a domain name and the existence of the organization that holds these rights, that is, it can certify the domain and its owner. Such certificates belong to the OV (organization validation) category. By viewing an OV certificate, the user can verify that they are really on the site whose address is entered in the browser's address bar, and also determine who owns this site. To issue this certificate, the customer must document their identity.

SSL (Secure Sockets Layer) is a protocol for encrypting the data that travels from the user to the server and back; an SSL certificate is what enables it for a site.

How does an SSL certificate work?

The server has a key with which all data exchanged with the user is encrypted. The user's browser receives a unique key (known only to it), so that only the server and the user can decrypt the information. A hacker can certainly intercept the data, but it is almost impossible to decrypt it.

Why does a website owner need an SSL certificate?

If your site requires users to register, make online purchases, etc., then an SSL certificate will be a good signal to the user that your site can be trusted. Today many users do not know about this and hand their credit card details to various sites without hesitation. But in the future there will be fewer and fewer such people, because after the first loss of money from a card a person immediately asks "what needs to be done so that the money does not disappear?" and "which sites can be trusted?". A secure connection is indicated by the https:// prefix in the site address, or by this kind of address bar in the browser.

How to get an SSL certificate?

SSL certificates are issued by special certification authorities; the most popular in the world are Thawte, Comodo, and Symantec. But they all have an English-language interface, which creates certain inconveniences for domestic users. Therefore, now there are a lot of companies that act as intermediaries and sell SSL certificates. Large hosting companies and domain registrars do the same. We recommend purchasing certificates from high-quality hosters or domain registrars. Better yet, buy them from the company with which you registered your domain. As a rule, these companies cooperate with certification centers and, due to volume, have a significant discount. Therefore, the final price for you most likely will not change.

What types of SSL certificates are there?

First level

As a rule, such certificates are purchased if there is no need to confirm a company (or there is no company at all, and the site belongs to a private person), but only a secure connection is needed.

  • The cheapest
  • Delivery time: several hours
  • They confirm the rights to the domain, but do not confirm the company
  • For legal entities and individuals
  • No documents needed

Average level

Such certificates can already confirm the company of the domain owner, which creates more trust among site visitors. After all, the company’s documents are checked by a certification center, which should inspire maximum user confidence. In this case, the site address in the browser is highlighted in green.

  • average cost
  • Delivery time: within a week
  • Verify the company that owns the domain
  • Only for legal entities
  • Documents confirming your company and its address are required

High level

These certificates have all the features of the Average level, but they are more expensive because of the marketing games of certification centers. For example, you can use them not only on the main domain but also on subdomains (forum.mysite.com, etc.), or users with outdated browsers will be able to use a secure connection. The maximum registration period also depends on the certificate level; as a rule, it is 1-4 years from the date of issue.

How much does an SSL certificate cost?

The price ranges from 30 to 1200 US dollars per year. There are also free options, although they are not entirely convenient to use.

What do you need to get?

For low level certificates

  • e-mail (it must belong to your site; for example, for the site mysite.com the email can be [email protected])
  • Name or organization
  • Address

For higher level certificates

This is where the organization is checked, so to what is listed above you will have to add:

  • Telephone
  • Documents confirming the organization (company registration number or similar documents). In general, the list of documents differs for each country, but be prepared for a serious check, to the point that you may have to send a copy of your contract with a telecoms provider in order to confirm the phone number. Scanned copies of documents can be sent by fax and email.

Also, to obtain an SSL certificate, WHOIS-Protect (hiding domain data) must be disabled for the domain. Today this rule does not apply only to .ru and .рф domains. And in any case, generating a CSR is mandatory.

What is CSR?

A CSR (Certificate Signing Request) is an encoded request that must be attached to the application sent to the certification authority. It must be generated on the server hosting your site. The CSR generation process depends on the server, or more precisely on the software installed on it. If you buy a certificate through the hosting company where your site is located, you will most likely be given a convenient interface for generating the CSR. If there is none, here is how to do it for the most common server software (Linux/Apache).

How to generate CSR?

1. Connect to the server via SSH connection

We use the PuTTY program. At the command line enter:

openssl genrsa -aes256 -out myprivate.key 2048

This generates an encrypted private key for the CSR (the -aes256 option is what makes openssl ask for a pass phrase). You will be asked two questions: "Enter pass phrase for myprivate.key" and "Verifying - Enter pass phrase for myprivate.key", i.e. a request to enter the key password twice. It is important that you remember it, because it will be needed in the next step. As a result, the file myprivate.key is created.

2. Generate CSR

Enter the command:

openssl req -new -key myprivate.key -out domain-name.csr

Just change domain-name to your domain name. Then, in response to the question “Enter pass phrase for myprivate.key,” enter the password that we set in the previous step.

After that, fill in the fields using only Latin letters:

Country Name: country code in ISO 3166 format (the two-letter code from the Alpha-2 column);
State or Province Name: region or state;
Locality Name: city;
Organization Name: organization;
Organizational Unit Name: department (optional);
Common Name: domain name;
Email Address: your email (optional);
A challenge password: leave empty;
An optional company name: another name for the organization (leave empty).

All data entered must be truthful and match those that you filled in when registering the domain (you can check them through WHOIS services). As a result of these operations, a domain-name.csr file will be created on the server. It must be saved and then attached to the application for an SSL certificate, which is submitted to the certification authority.
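For the Cyrillic domains this article is about, the Common Name and SAN entries in the CSR have to be the ASCII A-label (punycode, xn--...) form, because that is what a CA signs and what browsers compare against the host name. The helper below, added here as an example and not part of the original article, performs that conversion with the standard library and assembles the -subj and -addext arguments for the openssl req command shown above (-addext requires OpenSSL 1.1.1 or newer); the domain пример.рф and the organisation details are constructed.

```python
# Added example: prepare the names for a CSR on an IDN (Cyrillic) domain.
# Converts Unicode domains to their A-labels and builds the openssl req
# arguments so the request can be generated non-interactively. Stdlib only.
import shlex


def to_alabel(domain):
    """Unicode domain -> ASCII A-label via the stdlib idna codec (IDNA 2003).
    Already-ASCII labels pass through unchanged; the result is lower-cased."""
    return domain.strip().rstrip(".").encode("idna").decode("ascii").lower()


def to_ulabel(domain):
    """Inverse conversion, for showing a human what a certificate actually covers."""
    return domain.encode("ascii").decode("idna")


def build_csr_args(common_name, sans, country, state, city, org, unit=None, email=None):
    """Return (subject, san_extension, argv) for `openssl req -new`.

    The CN is also placed first in the SAN list: browsers ignore the CN when
    matching the host name, so every name must be present as a SAN."""
    cn = to_alabel(common_name)
    names = []
    for n in [common_name, *sans]:
        a = to_alabel(n)
        if a not in names:          # de-duplicate, keep order
            names.append(a)
    subject = f"/C={country}/ST={state}/L={city}/O={org}"
    if unit:
        subject += f"/OU={unit}"
    subject += f"/CN={cn}"
    if email:
        subject += f"/emailAddress={email}"
    san_ext = "subjectAltName=" + ",".join(f"DNS:{n}" for n in names)
    argv = ["openssl", "req", "-new", "-key", "myprivate.key", "-out", f"{cn}.csr",
            "-subj", subject, "-addext", san_ext]
    return subject, san_ext, argv


if __name__ == "__main__":
    # Constructed sample: the site пример.рф plus its www. alias.
    subject, san, argv = build_csr_args(
        "пример.рф", ["www.пример.рф"], "RU", "Moscow", "Moscow", "Example LLC")
    print("subject:", subject)
    print("san:    ", san)
    print("command:", shlex.join(argv))
    print("covers: ", ", ".join(to_ulabel(n[4:]) for n in san.split("=", 1)[1].split(",")))
```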

What to do after receiving an SSL certificate?

After receiving the certificate, you need to install it on the server. The installation process is quite simple, but varies greatly depending on the server software. Therefore, look for instructions on the hosting provider’s website, or even better, contact technical support to set everything up correctly.

What to do if the organization’s data has changed or the hosting has changed?

In such cases, you need to reissue the SSL certificate, but this should be done at no cost to you.