...
This tutorial shows you how to set up Apache with new SSL certificates for web sites. Please read Apache - Renewing SSL Certificates for the renewal process.
Select SSL Certificate
SSLShopper provides an overview of the different types of SSL certificates available with pros and cons. If you are still unsure, use the SSL Shopper Wizard to guide you.
...
We used the SSL Shopper Wizard with the following criteria:
- I need to secure one domain name or network name
- I just need it to be secure with no warning messages
- Price range per year $0-$100
From the results, we chose a free simple SSL certificate from the CA StartCom, in an SSL certificate package called StartSSL Free.
Note there is a newer service (checked July 2018), a non-profit called Let's Encrypt that provides free SSL certificates. To understand what you get, you may look at their Hello World site.
SSL Setup (using openssl)
Server keys must be generated for the Certificate Signing Request (CSR). There is more than one utility to create keys, but openssl seems to be the most straightforward and popular choice.
Openssl creates one key at a time, whereas utilities such as IBM's ikeyman can create both in one step. The private key is needed to complete the CSR. When it comes time for renewal, you can use your existing private key to generate the CSR and public key, or generate a new one.
Info: There is no clear consensus on whether creating a new private key or reusing the old one is best practice. Whether it is necessary to create a new private key depends on which web server you are using (for example, you would need to create a new private key because of the way the Microsoft IIS web server stores private keys), but many sites such as sslshopper.com recommend creating a new private key because it avoids confusion and is simplest.
Openssl will be used to generate this CSR.
Generate Server Private Key
...
Generate the CSR (Certificate Signing Request) which will be submitted to the CA using the private key www.earth.com_server.key from above.
```
openssl req -new -key www.earth.com_server.key -out www.earth.com_server.csr
```
...
The CSR file is submitted to the CA. Every CA will have a slightly different procedure.
Warning: Add the exact steps for StartSSL here as a reference. Domain validation requires an email address that is listed as the domain's administrative or technical contact; make sure those contacts use a real email address, or temporarily change them to a real address and change them back afterwards.
This step also includes various CA specific procedures to prove your identity.
You may also be prompted for a host name underneath your domain. If you want to use both https://www.earth.com and https://earth.com then make sure both are listed here.
...
```
www.earth.com_server.signed_cert.crt
```
Verifying Signed Server Certificate
Warning: To verify your signed server certificate in Windows, change the certificate file extension to .crt. Then double-click the file and you should at minimum confirm:
ADD IMAGE ...
Warning: Q: I did not register the certificates; someone just sent me a bunch of files and I do not know what is what. A: Read the article Certificate File Formats, which explains the file types and also how to verify and validate certificate files.
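The whole key, CSR and verification flow of the sections above, as an added example that is not part of the original page: it generates the server private key and a CSR that requests both www.earth.com and earth.com in the Subject Alternative Name, stands in for the CA with a throwaway local CA (constructed here purely so the example runs offline; the real CA's procedure replaces `fake_ca_sign`), and then runs the checks an operator should run on the signed certificate before installing it: that the CSR and the certificate belong to the private key, that the certificate chains to the expected CA file, and that every host name you intend to serve is listed. It assumes OpenSSL 1.1.1 or newer on PATH; file names follow the page's examples.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes OpenSSL 1.1.1+.
set -eu

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_cnf() {            # $1 = config path
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Generate Server Private Key: 2048-bit RSA; it never leaves the server.
make_key() {             # $1 = key path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Generate the CSR. The subjectAltName lists every host name the certificate
# must cover, so both the www name and the bare domain are requested.
make_csr() {             # $1 = key, $2 = CSR out, $3 = config, $4 = www name, $5 = bare name
    openssl req -new -config "$3" -key "$1" -out "$2" -subj "/CN=$4" \
        -addext "subjectAltName=DNS:$4,DNS:$5" 2>/dev/null
}

# Stand-in for the CA (constructed for this example): a local CA signs the CSR
# and copies the requested names into the certificate's subjectAltName.
fake_ca_sign() {         # $1 = CSR, $2 = cert out, $3 = CA cert out, $4 = config, $5 = www, $6 = bare
    dir=$(dirname "$2")
    openssl req -x509 -config "$4" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$3" -subj "/CN=Example Test CA" -days 1 2>/dev/null
    printf 'subjectAltName=DNS:%s,DNS:%s\n' "$5" "$6" > "$dir/san.ext"
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$2" -days 1 -extfile "$dir/san.ext" 2>/dev/null
}

# ---- Verification checks -------------------------------------------------

# Public key of a key, CSR or certificate in PEM form, so they can be compared.
pubkey_of() {            # $1 = kind (key|csr|cert), $2 = path
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac
}

# Does the CSR (or the signed certificate) belong to our private key?
matches_key() {          # $1 = key, $2 = kind of $3 (csr|cert), $3 = path
    [ "$(pubkey_of key "$1")" = "$(pubkey_of "$2" "$3")" ]
}

# Does the certificate chain up to the CA file we expect to configure in Apache?
cert_chains_to() {       # $1 = cert, $2 = CA bundle (intermediate/root file)
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is the host name present in the Subject Alternative Name extension?
cert_covers_name() {     # $1 = cert, $2 = host name
    openssl x509 -in "$1" -noout -text 2>/dev/null | tr ',' '\n' | grep -qx " *DNS:$2"
}

# Demo: run the whole flow in a scratch directory and report each check.
demo() {
    work=$(mktemp -d)
    key="$work/www.earth.com_server.key"
    csr="$work/www.earth.com_server.csr"
    crt="$work/www.earth.com_server.signed_cert.crt"
    write_cnf "$work/openssl.cnf"
    make_key "$key"
    make_csr "$key" "$csr" "$work/openssl.cnf" www.earth.com earth.com
    fake_ca_sign "$csr" "$crt" "$work/ca.crt" "$work/openssl.cnf" www.earth.com earth.com
    for check in "matches_key $key csr $csr" "matches_key $key cert $crt" \
                 "cert_chains_to $crt $work/ca.crt" \
                 "cert_covers_name $crt www.earth.com" "cert_covers_name $crt earth.com"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
    done
    rm -rf "$work"
}

[ "${1:-}" = "demo" ] && demo || true
```

Run it as `sh example.sh demo`. On a real deployment, replace `fake_ca_sign` with your CA's submission process, keep `matches_key` and `cert_chains_to` (pointing the latter at the intermediate file you will give to SSLCertificateChainFile), and run `cert_covers_name` once per ServerName and ServerAlias before restarting Apache.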
...
```
/etc/ssl/private/   # Only viewable by root; the standard location for the private keys
```
However, we see some issues with this (first, putting ...). For now we will use this structure.
Warning: This needs some consideration of structure and permissions. However, here are the issues with using the default Ubuntu locations:
...
So the BonsaiFramework will use the following directories:
Warning: This needs some consideration of structure and permissions.
...
Store Public Key
Store the public key in the public folder:
```
sudo cp www.earth.com_server.signed_cert.crt /etc/ssl/certs
sudo chown root:root /etc/ssl/certs/www.earth.com_server.signed_cert.crt
```
Note: The above chown root:root command ensures the signed public key is protected. Also, if you are using a user other than root to start Apache, then adjust the file ownership to that user.
...
```
ls -al /etc/ssl/
total 44
drwxr-xr-x  4 root root      4096 2011-04-07 10:15 .
drwxr-xr-x 71 root root      4096 2011-06-08 14:22 ..
drwxr-xr-x  2 root root     20480 2011-06-21 11:41 certs
-rw-r--r--  1 root root      9374 2010-10-06 20:51 openssl.cnf
drwx--x---  2 root ssl-cert  4096 2011-06-13 20:59 private
```
Panel: If you opt to use your own private folder, make sure to set the same permissions as /etc/ssl/private/.
Again, I will stress that this is very important!
...
Building upon the work in BonsaiFramework Apache Virtual Hosting, below are the minimal recommended lines to enable SSL.
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the CA-signed server certificate
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key

    # Load the certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------
</VirtualHost>
</IfModule>
```
SSLCertificateChainFile: with most modern CAs the intermediate chain is absolutely necessary. The onus is on the server to provide it and also to keep it up to date.
SSLCACertificatePath and SSLCACertificateFile: note the commented-out lines. I have recently learned that SSLCACertificatePath is actually not necessary. Although most instruction sites mention it, the OS provides the CA certificates. Loading certificates by path is simply another way of loading them; the method we use is more specific, but there are pros and cons that could be added in the future.
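A pre-flight check for a virtual host file like the one above, added here as an example (not part of the page or the BonsaiFramework): it confirms SSLEngine is on, that SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile are all present, and that each referenced file exists and is readable, which catches a mistyped path before you restart Apache and discover it from the error log. It reads the file directly and assumes GNU sed; it does not replace `apache2ctl configtest`, it just runs earlier and explains the failure.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU sed.
set -eu

# Value of a directive inside the vhost file (first uncommented occurrence,
# surrounding whitespace trimmed). Commented-out lines such as
# "# SSLCACertificatePath ..." start with '#' and are therefore skipped.
directive_value() {        # $1 = config file, $2 = directive name
    sed -nE "s/^[[:space:]]*$2[[:space:]]+(.*[^[:space:]])[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Run the checks; prints one line per finding and returns the number of failures,
# so "lint_ssl_vhost site.conf && service apache2 reload" does the right thing.
lint_ssl_vhost() {         # $1 = config file
    fails=0
    if [ "$(directive_value "$1" SSLEngine)" != "on" ]; then
        echo "FAIL: SSLEngine is not 'on'"; fails=$((fails + 1))
    fi
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        path=$(directive_value "$1" "$d")
        if [ -z "$path" ]; then
            echo "FAIL: $d missing"; fails=$((fails + 1))
        elif [ ! -r "$path" ]; then
            echo "FAIL: $d points at '$path', which is missing or unreadable"; fails=$((fails + 1))
        else
            echo "ok:   $d -> $path"
        fi
    done
    return "$fails"
}

# Usage: lint_ssl_vhost /etc/apache2/sites-available/www.earth.com-ssl
```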
Note: It is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. A separate IP address or port is necessary for each SSL-enabled domain. There are newer modules that provide this functionality, but as of May 2011 it is not yet widely supported by browsers.
Verify
...
SSL Certificate
Using Browser
Launch a browser and try both https://www.earth.com and https://earth.com.
...
Info: On the topic of having SSL support for both https://www.earth.com and https://earth.com, when inspecting the certificate, navigate to ...
Under the certificate's Subject Alt Name you will see both DNS entries:
...
Checking for Mixed Content
If you load images inline with an absolute http:// URL instead of a relative path, you get mixed content, which makes your page insecure. Tools to check this:
- https://www.jitbit.com/sslcheck/
- https://developers.google.com/web/tools/lighthouse/audits/mixed-content
- https://www.whynopadlock.com/check.php
And here's an example page of common mixed content errors.
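The online tools above need a public site. As an added example (not from the page), here is an offline check for the same problem: it lists every sub-resource a page pulls over plain http:// (src= on img, script, iframe and similar tags, href= on link tags for stylesheets) and counts them, so it can gate a deployment. Ordinary <a href="http://..."> links are navigation rather than mixed content and are deliberately not reported. The sample page is constructed here; on a live site feed it the served HTML instead.

```shell
#!/bin/sh
# Added example, not from the original page.
set -eu

# Print the http:// URL of every sub-resource reference found on stdin.
find_mixed_content() {
    grep -oiE '<(img|script|iframe|audio|video|source|embed|object)[^>]*src="http://[^"]*"|<link[^>]*href="http://[^"]*"' \
        | sed -E 's/.*(src|href)="(http:\/\/[^"]*)".*/\2/' || true
}

# Number of offending references, usable as a pass/fail gate.
count_mixed_content() {
    find_mixed_content | grep -c . || true
}

# Constructed sample page: two real offenders, one https script (fine), one
# relative image (fine) and one plain http link (not a sub-resource).
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://static.earth.com/site.css">
<script src="https://static.earth.com/app.js"></script>
</head><body>
<img src="http://www.earth.com/logo.png" alt="logo">
<img src="/images/relative.png" alt="relative">
<a href="http://earth.com/about">About</a>
</body></html>'

# Demo on the sample page; for a live site use:
#   curl -s https://www.earth.com/ | find_mixed_content
printf '%s\n' "$SAMPLE_HTML" | find_mixed_content
```

The check is line-based and only sees literal attributes in the HTML, so resources injected by JavaScript at run time still need one of the browser-based tools listed above.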
Clean Up
Some CSR requests may be reused to renew the signed SSL certificate. However, most CAs will, as part of their process, ask for a new CSR even if the original could be reused.
Check with your CA to see how the CSR renewal process works. If a new CSR is required, to avoid confusion it is best to delete the CSR once everything is proven to be working:
...
Warning: Expand this section with topics like: are server certs bound to the server?
Are server certs bound to the server?
No, server certs are not bound to the server. You can simply copy/move certs around between servers. In a load balanced environment you would be using the same certs on the different web servers. In a backup scenario you can use the same certificates.
I keep getting this error after I set up SSL for my domain on the second server. How do I fix it?
[Thu Jan 26 19:13:25 2012] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
Check that you have not enabled the SSL virtual host instead of just the plain virtual host, because what is happening is that with the SSL virtual host enabled Apache is matching www.domain.com-ssl against the common name www.domain.com.
...
References
https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.
...