Tag Archives: dreamhost

DreamHost Private Key Format

When renewing my SSL/TLS certificate for my DreamHost shared hosting account, I generated a new 4096-bit RSA Private Key using OpenSSL 1.0.1e. I was surprised and confused when DreamHost reported "Invalid private key". I initially thought it was a problem with the 4096-bit key but found documentation indicating 4096 is a supported option.

I checked the that my key was PEM formatted as expected, and finally realized it was an incompatibility between the "-----BEGIN RSA PRIVATE KEY-----" and the "-----BEGIN PRIVATE KEY-----" variants of the PEM format when I couldn’t create a self-signed cert using OpenSSL 0.9.8za and my brand new key. Once I realized this, it was a simple conversion using the command 

openssl rsa -in private.key -inform PEM -out outfile.key -outform PEM

with OpenSSL 1.0.1. The in/out forms aren’t strictly necessary, but make the command a little clearer to read.

Updated Dreamhost Ciphers

Dreamhost offers free SSL/TLS through SNI for their shared hosting accounts. When this service was first released, it was limited to an RC4 ciphersuite and TLSv1.0. For most applications, RC4 is no longer a preferred cipher within the cryptographic community (Matthew Green’s blog post).

I haven’t seen an announcement, but I’d guess it was in the early November upgrade from Debian to Ubuntu that updated the security.

Dreamhost now supports TLSv1.0, TLSv1.1, and TLSv1.2 with the following cipher suites:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

Other than Triple-DES being a little on the weak side, this is now a very solid and modern list of ciphers.

Backing up WordPress on Dreamhost

I had the following criteria when configuring the backup for my WordPress installation:

  1. Shell Script
  2. Protected from the webserver user
  3. Works with Dreamhost Enhanced User Security

This approach is based on the script from the WordPress Backup Guide at theme.fm.

In addition to your webserver_user, create a backup_user account. The backup_user will have read access to the website files; however, the webserver_user will not have read access to the backups.

Configure the Accounts

Login as backup_user and run ssh-keygen -t rsa -b <keysize>. Keysize should be 2048 or 4096 (pick the bigger size for more security). Accept all of the defaults. Run cat ~/.ssh/id_rsa.pub and copy the output. Create ~/backup and ~/scripts. Run chmod go-rw ~/backup.

Login as webserver_user and edit/create ~/.ssh/authorized_keys. Add the key copied from id_rsa.pub.

Script Files

Create the following files and make the *.sh files executable:

/home/webserver_user/scripts/opts

[client]
host=<mysql_server>
user=<mysql_username>
password=<mysql_password>

/home/webserver_user/scripts/save.sh

#!/bin/bash

# Make sure we're working in the scripts directory
cd /home/webserver_user/scripts

# Backup the datbase
mysqldump --defaults-file=/home/webserver_user/scripts/opts <wp_datbase> > db.sql

# tar the database backup and all of the WordPress files
# --transform is not necessary, but removes home/webserver_user from the path when extracting
tar czf website-$(date +%Y-%m-%d).tar.gz --transform s,^home/webserver_user/www,www, db.sql /home/webserver_user/www

# Cleanup by removing the uncompressed database backup
rm db.sql

/home/backup_user/scripts/backup.sh

#!/bin/bash

# Set the working directory
cd /home/backup_user/backup

# Run the save.sh script as the webserver_user
ssh webserver_user@webhost.com /home/webserver_user/scripts/save.sh

# Copy the backup to the backup_user account
scp webserver_user@webhost.com:/home/webserver_user/scripts/*.tar.gz ./

# Remove the copy of the backup from the webserver_user
ssh webserver_user@webhost.com 'rm /home/webserver_user/scripts/*.tar.gz'

# cleanup the backup directory and only keep the 3 most recent backups
while [ "$(ls -1t | wc -l)" -gt 3 ]; do
   rm "$(ls -t1r | head -n 1)"
done

Panel Configuration

  1. Go to you Dreamhost Web Panel
  2. Login
  3. Go to Main menu → Goodies → Cron Jobs
  4. Click "Add New Cron Job"
    • Select User backup_user
    • Title: backup
    • Email address if you want notification of the script running
    • Command to run: /home/backup_user/scripts/backup.sh
    • When to run: daily or weekly

Secure DreamHost Mail Settings

Even though the settings aren’t listed on http://wiki.dreamhost.com/POP3_Accounts, DreamHost supports secure POP3, IMAP, SNMP, and webmail access.

  • Server: mail.dreamhost.com – use this, because the mailserver’s certificate is issued for this domain name. This works even though DreamHost says to use mail.<yourdomain.com>
  • POP3 using SSL/TLS: Port 993
  • IMAP using SSL/TLS: Port 995
  • SMTP using STARTTLS: Port 587 or 25
  • Webmail: https://webmail.dreamhost.com – Make sure you enter “https:”, because DreamHost does not automatically upgrade a http connection to https.
  • Username: <username>@<yourdomain.com>

If you want to use STARTTLS for POP3 or IMAP, use the following ports:

  • POP3: Port 110
  • IMAP: Port 143

I recommend using SSL/TLS when possible. Since a STARTTLS session begins as plaintext, because it just adds one (admittedly minor) point of attack. You have to perform a SSL/TLS handshake anyway, why expose yourself to the risk of a STARTTLS upgrade failure too?

Free SSL on Dreamhost

Dreamhost supports SNI to enable SSH/TLS on their shared hosting offerings. While I wanted to enable SSL/TLS on my site, I thought I would have to buy a certificate from one of the major Root Certificate Authorities. I was happily surprised when I found StartSSL.com which offers free SSL Certificates. StartSSL.com is a trusted root CA on MacOS, Windows, and Mozilla; so compatibility is not a major concern. StartSSL.com is located in Israel, so I feel more comfortable with this free offering than say a Russian company.

Generating a CSR

The first step is to generate a Certificate Signing Request (CSR). You need a computer with OpenSSL to follow these steps. All files below should be located in the same folder and all commands should be run from within this folder.

  1. DigiCert has a very nice CSR Creation Tool. Fill in the required fields, click ‘Generate’, and copy the generated command. StartSSL only supports RSA keys.
  2. (optional) Gather additional entropy.
    1. Go to a number of entropy providing sites or password generating sites. Copy the output into text files in the folder you will be generating your CSR in. The exact format of the text isn’t important, as OpenSSL will just add the data to the entropy pool. For the examples later, I’ll assume you’ve named your file(s) entropy1.txt, entropy2.txt, etc./li>
    2. Some sites to gather entropy from are:
    3. Add -rand entropy1.txt:entropy2.txt:entropy3.txt to the command from Step 1.
  3. (optional) Use a stronger hash algorithm
    1. If you’re using RSA add -sha256 to the command from Step 1. You can use -sha512; however, sha512 is not commonly used with certificates and might not be supported by all servers and clients. sha256 might not be supported by older clients. Currently OpenSSL only supports SHA-1 with DSA and ECDSA certificates.
  4. Run the command from Step 1 with any optional adjustments, for example:
    • openssl req -new -newkey rsa:2048 -nodes -out www_tidgubi_com.csr -keyout www_tidgubi_com.key -sha256 -rand entropy1.txt:entropy2.txt -subj "/C=US/ST=California/L=San Luis Obispo/O=Kenji Yoshino/CN=www.tidgubi.com"
  5. The .key and .csr files will be used later.

Get your CSR Signed

Begin by registering with StartSSL.com. Make sure you do this from a private computer, because StartSSL.com will generate an identification certificate and install it in your browser. This certificate will be used to identify you on subsequent visits to StartSSL.com.

  1. Click ‘Validations Wizard’
  2. Select ‘Domain Name Validation’
  3. Enter your domain without any prefixes (e.g. www)
  4. You will need to specify an email address associated with your domain to verify domain ownership. Another verification code will be sent to this email address.
  5. Enter the verification code in StartSSL.
  6. Click ‘Certificates Wizard’
  7. Select ‘Web Server SSL/TLS Certificate’
  8. Skip having StartSSL generate a CSR for you.
  9. Copy and paste the entire CSR including the “—–BEGIN CERTIFICATE REQUEST—–” and “—–END CERTIFICATE REQUEST—–“
  10. Select your domain and click ‘Next’
  11. Add the “www” subdomain (Startssl requires you to add one) and click ‘Continue’
  12. Copy the entire certificate text including the “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“. Save the text to a .crt file.
  13. Download the intermediate CA file and optionally the root CA file.
  14. If you downloaded the root CA, combine the two files by running cat sub.class1.server.ca.pem ca.pem > chain.pem. The root CA provides browsers with the full certificate chain. Most browsers do not need the root CA to be included to trust the intermediate CA, so it is up to you if you want to include the root CA.

Configure SSL on Dreamhost

  1. Login ot your panel at panel.dreamhost.com
  2. Click ‘Manage Domains’
  3. Click ‘Add’ or ‘Certificates’ in the Secure Hosting column. If adding, leave unique IP as none and click ‘Add Now’, and then ‘Edit’.
  4. Select ‘Manual Configuration’
    • Delete or replace the CSR text (it is just informational)
    • Copy the text from your certificate including “—–BEGIN CERTIFICATE REQUEST—–” and “—–END CERTIFICATE REQUEST—–“
    • Copy our your private key including “—–BEGIN RSA PRIVATE KEY—–” and “—–END RSA PRIVATE KEY—–“
    • Copy the certificate chain, either the intermediate CA certificate or the intermediate and root CA certificate concatenated together.
    • Click ‘Save Changes Now!’
  5. It too about 4 minutes for changes on tidgubi.com to take effect.

Now your Dreamhost site allows SSL. Dreamhost only uses the TLS_RSA_WITH_RC4_128_SHA cipher suite with TLSv1.0 or SSLv3.0, so while it doesn’t provide great security, it’s better than nothing. I’m now tunneling my administrative traffic through TLS and SSH. From Securing Administration of Shared Hosting, I just changed 80:www.tidgubi.com:80 to 443:www.tidgubi.com:443 to specify the HTTPS port (443) instead of the standard HTTP port (80).