Introduction

Warning

Introduction is still to be written. This is really long so consider breaking it up with a summary of steps in the beginning. Also, how can it be made more succinct? Perhaps an abridged version needs to be created.

This tutorial shows you how to set up Apache with new SSL certificates for web sites. Please read Apache - Renewing SSL Certificates for the renewal process.

Table of Contents

Select SSL Certificate

SSLShopper provides an overview of the different types of SSL certificates available with pros and cons. If you are still unsure, use the SSL Shopper Wizard to guide you.

...

We used the SSL Shopper Wizard with the following criteria,

  • Secure one domain name or network name
  • Just need it to be secure with no warning messages
  • Price range per year $0-$100

From the results, we chose a free simple SSL certificate from the CA StartCom, in an SSL certificate package called StartSSL Free.

Note there is a newer service (checked July 2018), a non-profit called Let's Encrypt, that provides free SSL certificates. To understand what you get, you may look at their Hello World site. Be aware that the major browsers withdrew trust from StartCom certificates in 2017 and StartCom has since stopped issuing, so for a new deployment follow the same steps below with Let's Encrypt or another CA; the openssl and Apache parts are the same for any CA.

SSL Setup (using openssl)

...

Server

...

A server private key must be generated before the Certificate Signing Request (CSR) can be created. OpenSSL will be used to generate both the key and the CSR.

Generate Server Private Key

There are two options for generating the key:

  1. Without Passphrase Encryption
  2. With Passphrase Encryption

...

Code Block
languagebash
su bhitch # Use a sudo enabled account.
cd ~
mkdir private
chmod -R 700 ./private
cd private
openssl genrsa -out www.earth.com_server.pem.key 2048 # 2048-bit RSA key with no passphrase (option 1)

The openssl command reads,

...

Generate the CSR (Certificate Signing Request), which will be submitted to the CA, using the private key www.earth.com_server.pem.key.

Code Block
languagebash
openssl req -new -key www.earth.com_server.pem.key -out www.earth.com_server.pem.csr

You will be prompted to enter information about the certificate. The values should reflect your organization.

...

Code Block
languagebash
openssl req -in www.earth.com_server.pem.csr -noout -text

Submit CSR (Public Key) to CA

The CSR file is submitted to the CA. Every CA will have a slightly different procedure.

Warning
titleHelp Improve the Article

Add the exact steps for StartSSL here as a reference.

Domain Validation requires an email address that is listed as the domain's Administrative or Technical contact in the registrar's Domain Management. Make sure that contact is a real mailbox you can read; if it is not, change it to a real address for the validation and change it back afterwards.

This step also includes various CA specific procedures to prove your identity.
You may also be prompted for a host name under your domain. If you want to use both https://www.earth.com and https://earth.com then make sure both are listed here.

Download

...

Certificates

The CA signs a certificate containing the public key from your CSR and returns it to you as your server certificate.

Warning

Provide a sub-page to explain the CA signing process as an example.

Download Signed Server Certificate

...

No Format
www.earth.com_server.signed_cert.pem.crt

Verifying Signed Server Certificate

Warning
titlesection to be completed by Roderick

To verify your signed server certificate in Windows, change the certificate file extension to .crt, then double-click the file. You should at minimum confirm:

  1. The DN (Distinguished Name) matches your existing request.
  2. The key size of the certificate matches your request.
  3. The expiry date of the certificate; record it in a calendar to remind you of the renewal.

ADD IMAGE

...

Warning

Q: I did not register the certificates, someone just sent me a bunch of files and I do not know what is what.

A: Read the article, Certificate File Formats which explains the file types and also how to verify and validate certificate files.

Download Chain Certificate(s)

...

You may download the chain certificate from your CA's website (you may need to search for it) or, more conveniently, from SSLShopper's list of Chain Certificates and the respective CA Installation Instructions.

Note

Chain certificates also expire. Whenever you update your SSL certificate, check whether a new chain certificate is available.

In this case the chain certificate was found on StartCom's How to Install Apache Server web page,

...

Code Block
mv sub.class1.server.ca.pem sub.class1.server.ca.pem.crt

After changing the extension, double-click the file in Windows to inspect the certificate.

Copy the Issued to: name, as this will be used to properly name the file,

Code Block
languagebash
mv sub.class1.server.ca.pem.crt StartCom_Class_1_Primary_Intermediate_Server_CA.crt

Concatenating Chain Certificates

...

In other words, you only need CA certificates on web servers if you intend to have the browsers authenticate and identify themselves with client certificates.
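The checks a practitioner would run on the files collected so far, as an added example that is not part of the original page: that the signed certificate really belongs to the private key generated earlier, that its DN matches the CSR, that it validates through the intermediate (chain) certificate to a root, and that both host names from the CA form appear as Subject Alternative Names. File names are the ones used on this page; the root and intermediate CA are constructed locally with openssl so the script runs offline and are stand-ins for StartCom's real files, not their contents.

```bash
#!/bin/sh
# Added example (not from the original page): checks to run on a CA-signed
# server certificate before installing it into Apache. The CA material below
# is constructed locally, so the CA files are stand-ins, not StartCom's.
set -eu

# 1. Does the certificate carry the public key of the private key we generated?
#    Compare SHA-256 fingerprints of the DER-encoded public keys.
cert_matches_key() {
    cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_fp" = "$key_fp" ]
}

# 2. Does the certificate's DN match the CSR we submitted?
dn_matches_csr() {
    [ "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)" = "$(openssl req -in "$2" -noout -subject -nameopt RFC2253)" ]
}

# 3. Does the certificate validate through the intermediate to a trusted root?
#    The intermediate goes in as -untrusted: it is part of the chain the server
#    must send (SSLCertificateChainFile), not a trust anchor.
cert_chains_to() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 4. The Subject Alternative Names: one DNS: entry per host the cert covers.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '
}

# 5. What the article asks you to read off by hand: DN, key size, expiry.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
    openssl x509 -in "$1" -noout -text | grep -m1 'Public-Key:'
}

# --- Constructed demo material: toy root, toy intermediate, and a server cert
# --- issued by that intermediate (stand-ins for StartCom's real files).
work=$(mktemp -d); cd "$work"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'subjectAltName=DNS:www.earth.com,DNS:earth.com\n' > server.ext
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext \
    -out StartCom_Class_1_Primary_Intermediate_Server_CA.crt 2>/dev/null
# The steps the article performs: private key, then CSR, then the CA signs it.
openssl genrsa -out www.earth.com_server.pem.key 2048 2>/dev/null
openssl req -new -key www.earth.com_server.pem.key -subj '/CN=www.earth.com' -out www.earth.com_server.pem.csr 2>/dev/null
openssl x509 -req -in www.earth.com_server.pem.csr -CA StartCom_Class_1_Primary_Intermediate_Server_CA.crt \
    -CAkey int.key -CAcreateserial -days 2 -extfile server.ext -out www.earth.com_server.signed_cert.pem.crt 2>/dev/null
openssl genrsa -out wrong.key 2048 2>/dev/null   # a key the certificate does NOT belong to

cert_summary www.earth.com_server.signed_cert.pem.crt
if cert_matches_key www.earth.com_server.signed_cert.pem.crt www.earth.com_server.pem.key; then echo "key: matches"; fi
if dn_matches_csr www.earth.com_server.signed_cert.pem.crt www.earth.com_server.pem.csr; then echo "DN: matches CSR"; fi
if cert_chains_to www.earth.com_server.signed_cert.pem.crt StartCom_Class_1_Primary_Intermediate_Server_CA.crt root.crt; then echo "chain: OK"; fi
echo "SANs: $(cert_sans www.earth.com_server.signed_cert.pem.crt)"
```

Verifying without the intermediate (`openssl verify -CAfile root.crt www.earth.com_server.signed_cert.pem.crt`) fails with "unable to get local issuer certificate", which is exactly what a browser sees when the chain file is missing from the Apache configuration.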

...

Panel

/etc/ssl/private/ # The standard location for the private keys, only viewable by root
/etc/ssl/certs/ # Standard location for CA keys with symbolic links pointing to /usr/share/ca-certificates/

For now we will use this structure.

Warning

This needs some consideration of structure and permissions.

However, there are issues with using the default Ubuntu locations:

  • Putting chain certificates in the same directory as CA certificates does not make sense if SSLCACertificatePath is used.

...

  • Developing a portable BonsaiFramework version of Apache Web Server and keeping certificates with the service makes more sense

...

So the BonsaiFramework will use the following directories,


...

  • One other alternative is to use Debian's apparent standard, /etc/apache/ssl, but I noticed there is no consideration for protecting the private key.

...

Store Public Key

Store the signed certificate (which carries your public key) in the public certificate folder,

Code Block
languagebash
sudo cp www.earth.com_server.signed_cert.pem.crt /etc/ssl/certs
sudo chown root:root /etc/ssl/certs/www.earth.com_server.signed_cert.pem.crt
Note

The above chown root:root command ensures the signed certificate cannot be modified by unprivileged users (it is public, so it may remain world-readable). Also, if you are using a user other than root to start Apache, then adjust the file ownership to that user.

Storing Chain Certificates

Chain certificates can be stored in the same location as the public certificates,

Code Block
languagebash
sudo cp StartCom_Class_1_Primary_Intermediate_Server_CA.crt /etc/ssl/certs/
sudo chown root:root /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

You may notice that Ubuntu itself might already have a matching chain certificate under a different file name. This chain certificate can be used instead and it may be automatically updated by the Ubuntu Operating System (however, I have not found any documentation about how this actually works).

Storing Private Keys

Ubuntu has a pre-configured location for private keys, /etc/ssl/private.

Notice the permissions on the /etc/ssl/private folder are 710 and it is owned by root and the group ssl-cert,

Code Block
languagebash
ls -al /etc/ssl/
total 44
drwxr-xr-x  4 root root      4096 2011-04-07 10:15 .
drwxr-xr-x 71 root root      4096 2011-06-08 14:22 ..
drwxr-xr-x  2 root root     20480 2011-06-21 11:41 certs
-rw-r--r--  1 root root      9374 2010-10-06 20:51 openssl.cnf
drwx--x---  2 root ssl-cert  4096 2011-06-13 20:59 private



Panel

If you opt to use your own private folder, make sure to set the same ownership and permissions as /etc/ssl/private/

Code Block
languagebash
sudo chown -R root:ssl-cert /opt/apache/httpd/ssl/private # Make the user starting Apache the owner, in this case it is root.
sudo chmod 710 /opt/apache/httpd/ssl/private/

Again, I will stress that this is very important!

...

Code Block
languagebash
sudo cp www.earth.com_server.pem.key /etc/ssl/private/
sudo chown root:ssl-cert /etc/ssl/private/www.earth.com_server.pem.key # Ensure the file is owned by the right user and group.
sudo chmod 640 /etc/ssl/private/www.earth.com_server.pem.key # Secure the file: owner read/write, ssl-cert group read, nothing for others
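The permission rules above (directory 710, key at most 640, readable only by root and the ssl-cert group) are easy to get wrong when keys are copied in later, so here is an added audit script, not part of the original page, that checks a private-key directory the way this section lays it out. It assumes GNU stat (Linux), and the directory it audits is constructed under a temporary path instead of /etc/ssl/private so that it runs without root.

```bash
#!/bin/sh
# Added example, not from the original page: audit the private-key permissions
# this section sets by hand, e.g. before each Apache (re)start.
# Assumes GNU stat (Linux). The directory checked below is constructed under a
# temp path instead of /etc/ssl/private so the script runs without root.
set -eu

# A private key may be read by its owner and by the ssl-cert group, nothing
# more: no "other" bits at all, and not group-writable. Returns 0 if FILE complies.
no_other_access() {
    mode=$(stat -c '%a' "$1")
    other=$(( 0$mode & 07 ))       # rwx bits for everyone else
    group_w=$(( 0$mode & 020 ))    # write bit for the group
    [ "$other" -eq 0 ] && [ "$group_w" -eq 0 ]
}

# Check a key directory laid out like /etc/ssl/private: directory 710 (or 700),
# every file inside it at most 640. Prints one WARN line per finding and returns
# 1 if there is any, so a start script can use: audit_private_dir DIR || exit 1
audit_private_dir() {
    dir="$1"; rc=0
    dmode=$(stat -c '%a' "$dir")
    if [ "$dmode" != "710" ] && [ "$dmode" != "700" ]; then
        echo "WARN $dir: mode $dmode, expected 710 (owner rwx, group x, other none)"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! no_other_access "$f"; then
            echo "WARN $f: mode $(stat -c '%a' "$f") lets users outside ssl-cert read the key"; rc=1
        fi
    done
    echo "owner/group of $dir: $(stat -c '%U:%G' "$dir") (expect root:ssl-cert)"
    return $rc
}

# Constructed demo: a throw-away layout with one correctly protected key and
# one copied in carelessly, which keeps the default 644 mode.
demo=$(mktemp -d)/private
mkdir "$demo"; chmod 710 "$demo"
: > "$demo/www.earth.com_server.pem.key"; chmod 640 "$demo/www.earth.com_server.pem.key"
: > "$demo/old_server.pem.key";           chmod 644 "$demo/old_server.pem.key"
if audit_private_dir "$demo"; then
    echo "private dir OK"
else
    echo "fix the warnings above before starting Apache"
fi
```

Ownership cannot be checked with the same certainty without root (the audit only reports it), which is why the ownership line is informational while the mode checks are enforced.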

...

Building upon the work in BonsaiFramework Apache Virtual Hosting, below are the minimal recommended lines to enable SSL.

Code Block
languagexml
linenumberstrue
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the signed certificate
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.pem.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------

</VirtualHost>
</IfModule>

SSLCertificateChainFile - with most modern CAs this is absolutely necessary: the server must send the intermediate certificate(s), and it is the server's responsibility to provide them and keep them up to date. Note that since Apache 2.4.8 SSLCertificateChainFile is obsolete; the intermediate certificates can instead be appended, after the server certificate, to the file given to SSLCertificateFile.

SSLCACertificatePath / SSLCACertificateFile - note the commented-out lines. These directives load CA certificates that mod_ssl uses to verify client certificates (the case described under Concatenating Chain Certificates); they are not needed to serve a plain https site, which is why they are left commented out here. SSLCACertificatePath loads every certificate in a directory, SSLCACertificateFile one named file; the chain-file method used above is more specific, but the pros and cons of each could be added in the future.

Note

Without Server Name Indication (SNI) it is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address; a separate IP address or port is necessary for each SSL-enabled domain. When this was written (May 2011) SNI was not yet widely supported by browsers. Apache 2.2.12 or later built against OpenSSL 0.9.8f or later supports SNI, and all current browsers send it; only legacy clients such as Internet Explorer on Windows XP do not.

Verify

...

SSL Certificate

Using Browser

Launch a browser and try both https://www.earth.com and https://earth.com. From the command line, openssl s_client -connect www.earth.com:443 -servername www.earth.com -showcerts prints the certificate chain the server actually sends, which is the quickest way to catch a missing or outdated intermediate certificate.

...

Info

On the topic of having SSL support for both https://www.earth.com and https://earth.com, when inspecting the certificate, navigate to,

  1. www.earth.com
  2. Certificate
  3. Extensions
  4. Certificate Subject Alt Name

Under the Certificate Subject Alt Name you will see both DNS entries,

No Format
Not Critical
DNS Name: www.earth.com
DNS Name: earth.com

Checking for Mixed Content

If a page served over https loads images, scripts or stylesheets over plain http (for example through absolute http:// URLs instead of relative paths), browsers flag it as mixed content and no longer treat the page as secure. Tools to check this,

And here's an example page of common mixed content errors.

Clean Up

Some CSRs may be reused to renew the signed SSL certificate. However, most CAs will by process ask for a new CSR even if the original could be reused.

Check with your CA to see how the CSR renewal process works. If the requirement is for a new CSR, to avoid confusion it is best to delete the old CSR once everything is proven to be working,

...

Warning

Expand this section with topics like, are server certs bound to the server?

Are server certs bound to the server?

No, server certificates are not bound to the server. You can simply copy/move certificates between servers. In a load balanced environment you would be using the same certificates on the different web servers, and in a backup scenario you can use the same certificates. The private key has to travel with the certificate, so protect it on every host the same way as described above.

I keep getting this error after I setup SSL for my domain on the second server how do I fix it?

[Thu Jan 26 19:13:25 2012] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?

Check that you enabled the plain virtual host and not a separately named SSL virtual host. What is happening is that with the SSL virtual host enabled, Apache matches the ServerName www.domain.com-ssl against the common name www.domain.com in the certificate, and they do not match.

...


References

https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.

...