Introduction
Warning |
---|
Introduction is still to be written. This is really long so consider breaking it up with a summary of steps in the beginning. Also, how can it be made more succinct? Perhaps an abridged version needs to be created. |
This tutorial shows you how to set up Apache with new SSL certificates for web sites. Please read Apache - Renewing SSL Certificates for the renewal process.
Select SSL Certificate
SSLShopper provides an overview of the different types of SSL certificates available with pros and cons. If you are still unsure, use the SSL Shopper Wizard to guide you.
...
We used the SSL Shopper Wizard with the following criteria,
- Secure one domain name or network name
- Just need it to be secure with no warning messages
- Price range per year $0-$100
From the results, we chose a free simple SSL certificate from the CA StartCom in an SSL certificate package called StartSSL Free.
Note there is a newer service (checked July 2018), a non-profit called Let's Encrypt that provides free SSL certificates. To understand what you get, you may look at their Hello World site.
SSL Setup (using openssl)
...
Server
...
Server keys must be generated for the Certificate Signing Request (CSR). OpenSSL will be used to generate this CSR.
Generate Server Private Key
There are two options for generating the key,
- Without Passphrase Encryption
- With Passphrase Encryption
...
Code Block
su bhitch # Use a sudo enabled account.
cd ~
mkdir private
chmod -R 700 ./private
cd private
openssl genrsa -out www.earth.com_server.pem.key 2048
The openssl command reads,
...
Generate the CSR (Certificate Signing Request), which will be submitted to the CA, using the private key www.earth.com_server.pem.key.
Code Block
openssl req -new -key www.earth.com_server.pem.key -out www.earth.com_server.pem.csr
You will be prompted to enter information about the certificate. The values should reflect your organization.
A not so obvious prompt is Common Name (eg, YOUR Name). This value should not be your name. Instead it should be the domain name of your website. In our example, it could be earth.com or www.earth.com.
We want to use both earth.com and www.earth.com. Since we prefer www, we will enter www.earth.com.
Info |
---|
CAs such as StartSSL can have SSL support for both www and no www. This is possible because the CA issues certificates where the Certificate Subject Alt Name extension is populated with both DNS names, www.earth.com and earth.com. To make it work, make sure to use www in the Common Name. |
Code Block
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Planet Earth Incorporated
Organizational Unit Name (eg, section) []:Earth Defence
Common Name (eg, YOUR name) []:www.earth.com
Email Address []:admin@earth.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...
Code Block
openssl req -in www.earth.com_server.pem.csr -noout -text
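The request above was filled in interactively and relies on the CA to add both DNS names itself. As an added example (not code from the original page), the following POSIX shell script does the same job non-interactively: it creates the key with owner-only permissions, writes a request config that sets the Common Name to the www name and asks for both www.earth.com and earth.com in subjectAltName (which a CA can honour or ignore), and then checks the CSR the same way `openssl req -text` does before it is submitted. It assumes OpenSSL is installed; the DN values, file names and the two host names are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: create the server key and CSR
# non-interactively and check the request before submitting it to the CA.
# Assumes OpenSSL is installed. The DN values and the names www.earth.com /
# earth.com are the page's placeholders; replace them with your own.

# make_csr DIR SITE -> writes DIR/SITE_server.pem.key and DIR/SITE_server.pem.csr
make_csr() {
    dir="$1"; site="$2"; bare="${site#www.}"
    # umask 077 in a subshell so the key file is created mode 0600 (owner only)
    (umask 077; openssl genrsa -out "$dir/${site}_server.pem.key" 2048 2>/dev/null)
    # Request config: CN is the www name, as the page advises, and subjectAltName
    # lists both names so the CA can issue one certificate valid for either.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
C = CA
ST = Ontario
L = Toronto
O = The Planet Earth Incorporated
OU = Earth Defence
CN = $site
emailAddress = admin@$bare
[ v3_req ]
subjectAltName = DNS:$site, DNS:$bare
EOF
    openssl req -new -key "$dir/${site}_server.pem.key" -config "$dir/req.cnf" \
        -out "$dir/${site}_server.pem.csr"
}

# csr_cn CSR -> the Common Name in the request subject
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//; s|[,/].*||'
}

# csr_san CSR -> the requested subjectAltName, e.g. "DNS:www.earth.com, DNS:earth.com"
csr_san() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# key_matches_csr KEY CSR -> 0 if the CSR carries the public half of KEY
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    r=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$r" ]
}

# Usage: sh make_csr.sh DIR SITE   (prints the CN and SAN of the new request)
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2"
    echo "CN:  $(csr_cn "$1/$2_server.pem.csr")"
    echo "SAN: $(csr_san "$1/$2_server.pem.csr")"
fi
```

The key_matches_csr check compares the public key embedded in the request with the one derived from the private key; it is the same comparison you will want to repeat later between the signed certificate and the key on the server, and it catches the common mistake of regenerating the key after the CSR was submitted.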
Submit Public Key to CA
The CSR file is submitted to the CA. Every CA will have a slightly different procedure.
Warning |
---|
Add the exact steps for StartSSL here as a reference. Domain Validation requires an email address that is listed in the domain's Administrative or Technical contact; make sure those contacts use a real email address, or temporarily change one to a real address and then change it back. |
This step also includes various CA specific procedures to prove your identity.
You may also be prompted for a host name underneath your domain. If you want to use both https://www.earth.com and https://earth.com then make sure both are listed here.
Download
...
Certificates
The CA will use your public key in the CSR to sign and return back your server certificate.
Warning |
---|
Provide a sub-page to explain the CA signing process as an example. |
Download Signed Server Certificate
...
No Format |
---|
www.earth.com_server.signed_cert.pem.crt |
Verifying Signed Server Certificate
Warning |
---|
To verify your signed server certificate in Windows, change the certificate file extension to crt. Then double-click the file and you should at minimum confirm,
ADD IMAGE ... |
Warning |
---|
Q: I did not register the certificates, someone just sent me a bunch of files and I do not know what is what. A: Read the article, Certificate File Formats which explains the file types and also how to verify and validate certificate files. |
Download Chain Certificate(s)
...
You may download the chain certificate from your CA's website (you may need to search for it) or, more conveniently, download it from SSLShopper's list of Chain Certificates and respective CA Installation Instructions.
Note |
---|
Chain certificates also expire. Whenever you update your SSL certificate, you will also want to check if a new chain certificate is available. |
In this case the chain certificate was found at StartCom How to Install Apache Server webpage,
...
Code Block
mv sub.class1.server.ca.pem sub.class1.server.ca.pem.crt
After the extension change double click on the file in Windows to inspect the certificate.
Copy the Issued to: name, as this will be used to properly name the file,
Code Block
mv sub.class1.server.ca.pem StartCom_Class_1_Primary_Intermediate_Server_CA.pem.crt
Concatenating Chain Certificates
...
In other words, you only need CA certificates on web servers if you intend to have browsers authenticate and identify themselves with their own certificates.
...
Panel |
---|
/etc/ssl/private/ # The standard location for the private keys; only viewable by root |
However, we see some issues with this. For now we will use this structure.
Warning |
---|
This needs some consideration of structure and permissions. Here are the issues with using the default Ubuntu locations. |
...
So the BonsaiFramework will use the following directories,
Warning |
---|
This needs some consideration of structure and permissions. |
...
Store Public Key
...
Store the public key in the public folder,
Code Block
sudo cp www.earth.com_server.signed_cert.pem.crt /etc/ssl/certs
sudo chown root:root /etc/ssl/certs/www.earth.com_server.signed_cert.pem.crt
Note |
---|
The above chown root:root command ensures the signed certificate (public key) is protected. Also, if you are using a user other than root to start Apache, then adjust the file ownership to that user. |
Storing Chain Certificates
Chain certificates can be stored in the same location as the public certificates,
Code Block
sudo cp StartCom_Class_1_Primary_Intermediate_Server_CA.pem.crt /etc/ssl/certs/
sudo chown root:root /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.pem.crt
You may notice that Ubuntu itself might already have a matching chain certificate under a different file name. This chain certificate can be used instead and it may be automatically updated by the Ubuntu Operating System (however, I have not found any documentation about how this actually works).
Storing Private Keys
Ubuntu has a pre-configured location for private keys, /etc/ssl/private.
Notice that the permissions on the /etc/ssl/private folder are 710 and that it is owned by root and the group ssl-cert,
Code Block
ls -al /etc/ssl/
total 44
drwxr-xr-x  4 root root      4096 2011-04-07 10:15 .
drwxr-xr-x 71 root root      4096 2011-06-08 14:22 ..
drwxr-xr-x  2 root root     20480 2011-06-21 11:41 certs
-rw-r--r--  1 root root      9374 2010-10-06 20:51 openssl.cnf
drwx--x---  2 root ssl-cert  4096 2011-06-13 20:59 private
Panel |
---|
If you opt to use your own private folder, make sure to set the same permissions as /etc/ssl/private/. Again, I will stress that this is very important! |
Store the private key in the protected folder. This process is derived from the Security Configuration Benchmark Apache HTTP Server 2.2 Version 3.0.0 p60.
Code Block
sudo cp www.earth.com_server.pem.key /etc/ssl/private/
sudo chown root:ssl-cert /etc/ssl/private/www.earth.com_server.pem.key # Ensure the file is owned by the right users.
sudo chmod 640 /etc/ssl/private/www.earth.com_server.pem.key # Secure the file
...
Building upon the work in BonsaiFramework Apache Virtual Hosting, below are the minimal recommended lines to enable SSL.
Code Block
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.earth.com
    ServerAlias earth.com
    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # ---------------------
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the signed certificate
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.pem.crt
    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key
    # Load the certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.pem.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/
    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    # ---------------------
    # End Enable SSL
    # ---------------------
</VirtualHost>
</IfModule>
SSLCertificateChainFile - with most modern CAs this is absolutely necessary. The onus is on the server to provide the chain and also to keep it up to date.
The commented-out SSLCACertificatePath and SSLCACertificateFile lines - I have recently learned that SSLCACertificatePath is actually not necessary. Though most instruction sites mention it, the OS will be providing the CA certificates. SSLCACertificatePath is another way of loading the certificates, by path; the method we use (SSLCACertificateFile) is more specific, but there are pros and cons that could be added in the future.
Note |
---|
It is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. A separate IP address or port is necessary for each SSL-enabled domain. There are new modules that provide this functionality, but as of May 2011 it is not yet widely supported by browsers. |
Verify
...
SSL Certificate
Using Browser
Launch a browser and try both https://www.earth.com and https://earth.com.
...
Info |
---|
On the topic of having SSL support for both https://www.earth.com and https://earth.com: when inspecting the certificate, navigate to the certificate details. Under Certificate Subject Alt Name you will see both DNS entries, www.earth.com and earth.com. |
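The browser check above confirms the certificate is trusted and lists both DNS names, but it does not tell you whether the key on disk is the one the certificate was issued for, whether the chain file Apache serves is complete, or whether the private key is still protected. As an added example (not code from the original page), the following POSIX shell script performs those checks from the command line with OpenSSL against the files installed in the earlier steps; it assumes OpenSSL is installed, and the host names www.earth.com / earth.com and the file paths in the usage comment are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: command-line checks for a deployed
# server certificate, its private key and the chain file, covering what the
# browser check above shows plus what it does not (key/cert match, permissions).
# Assumes OpenSSL is installed. The names www.earth.com / earth.com are the page's
# placeholders.

# file_mode PATH -> permission bits in octal, e.g. 640 (GNU stat, BSD fallback)
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# key_is_private KEY -> 0 if the key is readable only by its owner (and optionally a
# read-only group such as ssl-cert), i.e. mode 600/640/400/440 as the page installs it
key_is_private() {
    case "$(file_mode "$1")" in
        600|640|400|440|0600|0640|0400|0440) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_matches_key CERT KEY -> 0 if the certificate was issued for this private key
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_chain_ok CERT CHAIN [ROOT] -> 0 if CERT verifies through CHAIN (the
# SSLCertificateChainFile) to ROOT, or to the system trust store when ROOT is empty
cert_chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# cert_sans CERT -> the subjectAltName entries, e.g. "DNS:www.earth.com, DNS:earth.com"
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_covers CERT NAME -> 0 if NAME is one of the DNS entries in subjectAltName
cert_covers() {
    case ", $(cert_sans "$1")," in
        *"DNS:$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_expires_ok CERT -> 0 if the certificate is still valid 30 days from now
cert_expires_ok() {
    openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null
}

# check_deployment CERT KEY CHAIN [ROOT] -> prints PASS/FAIL per check, returns 1 on any FAIL
check_deployment() {
    rc=0
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    report cert_matches_key "$1" "$2"
    report cert_chain_ok "$1" "$3" "$4"
    report cert_expires_ok "$1"
    report key_is_private "$2"
    for name in www.earth.com earth.com; do report cert_covers "$1" "$name"; done
    return $rc
}

# Usage with the page's file locations (root omitted, so the system store is used):
#   sh check_ssl.sh /etc/ssl/certs/www.earth.com_server.signed_cert.pem.crt \
#      /etc/ssl/private/www.earth.com_server.pem.key \
#      /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.pem.crt
if [ "$#" -ge 3 ]; then check_deployment "$@"; fi
```

Running check_deployment after every certificate or chain update, and again on each server the files are copied to, catches the cases the browser test misses: a stale chain file that has expired, a key that no longer matches the certificate, or a private key that lost its 640 root:ssl-cert permissions in transit.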
Checking for Mixed Content
If you load images (or other resources) with absolute http:// URLs instead of relative paths, you will get mixed content, which makes your page insecure. Tools to check this,
- https://www.jitbit.com/sslcheck/
- https://developers.google.com/web/tools/lighthouse/audits/mixed-content
- https://www.whynopadlock.com/check.php
And here's an example page of common mixed content errors.
Clean Up
Some CSRs may be re-used to renew the signed SSL certificate. However, most CAs will by process ask for a new CSR even if the original could be reused.
Check with your CA to see how the CSR renewal process works. If the requirement is for a new CSR, to avoid confusion it is best to delete the old CSR once everything is proven to be working,
...
Warning |
---|
Expand this section with topics like, are server certs bound to the server? |
Are server certs bound to the server?
No, server certs are not bound to the server. You can simply copy/move certs around between servers. In a load balanced environment you would be using the same certs on the different web servers. In a backup scenario you can use the same certificates. Remember that the private key travels with them, so on every server store it with the same restricted ownership and permissions described above (root:ssl-cert, mode 640).
I keep getting this error after I setup SSL for my domain on the second server how do I fix it?
[Thu Jan 26 19:13:25 2012] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
Check that you have not enabled the SSL virtual host instead of just the virtual host, because with the SSL virtual host enabled it is matching www.domain.com-ssl against the common name www.domain.com.
...
References
https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.
...