...
From the results, we chose a free, simple SSL certificate from the CA StartCom, in an SSL certificate package called StartSSL Free.
Note there is a newer service (checked July 2018), a non-profit called Let's Encrypt that provides free SSL certificates. To understand what you get, you may look at their Hello World site.
SSL Setup (using openssl)
Server keys must be generated for the Certificate Signing Request (CSR). Openssl will be used to generate this CSR.
...
Warning: To verify your signed server certificate in Windows, make sure the certificate file has a .crt file extension. Then just double-click the file and you should at minimum confirm,
ADD IMAGE ...
Warning: Q: I did not register the certificates; someone just sent me a bunch of files and I do not know what is what. A: Read the article Certificate File Formats, which explains the file types and also how to verify and validate certificate files.
...
/etc/ssl/private/    # the standard location for the private keys; only viewable by root
However, we see some issues with this. For now we will use this structure.
Warning: This needs some consideration of structure and permissions. However, here are the issues with using the default Ubuntu locations.
...
...
So the BonsaiFramework will use the following directories,
Warning: This needs some consideration of structure and permissions.
...
...
...
...
Store Public Key
Store the public key in the public folder,
...
If you opt to use your own private folder, make sure to set the same permissions as /etc/ssl/private/.
Again, I will stress that this is very important!
...
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the signed server certificate
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/
    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------
</VirtualHost>
</IfModule>
SSLCertificateChainFile: with most modern CAs this is absolutely necessary. It is the onus of the server to provide the chain and also to keep it up to date.
SSLCACertificatePath and SSLCACertificateFile (the commented-out lines): I have recently learned that SSLCACertificatePath is actually not necessary. Though most instruction sites mention it, really the OS will be providing the CA certificates. Loading by path is just another way of loading the certificates; the method we use is more specific, but there are pros and cons that could be added in the future.
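As an added sanity check, written for this page and not part of the BonsaiFramework, here is a small Python linter that parses the SSL directives of a vhost like the one above and flags the mistakes discussed here: a stray token on a path directive (such as an accidental `cd` in front of the certificate path), a missing chain file, or a private key stored outside /etc/ssl/private/. The embedded vhost is a constructed, cut-down copy of the configuration above.

```python
# Constructed, cut-down copy of the vhost above, with a stray "cd" token left on
# SSLCertificateFile on purpose so the linter has something to find.
SAMPLE_VHOST = """<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.earth.com
    ServerAlias earth.com
    SSLEngine on
    # Load the signed server certificate
    SSLCertificateFile cd /etc/ssl/certs/www.earth.com_server.signed_cert.crt
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.key
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt
</VirtualHost>
</IfModule>"""

# Directives that take exactly one file path. (Apache 2.4.8+ also accepts the chain
# appended to SSLCertificateFile; this check follows the page's 2.2-era layout.)
PATH_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
PRIVATE_DIR = "/etc/ssl/private/"

def parse_directives(text):
    """Return (directive, [args]) per non-comment, non-tag line, in file order."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives

def lint_ssl_vhost(text):
    """Return sorted findings; an empty list means the SSL directives look sane."""
    findings = []
    seen = {}  # first occurrence of each directive -> its args
    for name, args in parse_directives(text):
        seen.setdefault(name, args)
        if name in PATH_DIRECTIVES and len(args) != 1:
            findings.append("%s: expected one path, got %s" % (name, " ".join(args)))
    if [a.lower() for a in seen.get("SSLEngine", ["off"])][:1] != ["on"]:
        findings.append("SSLEngine is not 'on' for this vhost")
    for name in PATH_DIRECTIVES:
        if name not in seen:
            findings.append("%s is missing" % name)
    key = seen.get("SSLCertificateKeyFile", [])
    if len(key) == 1 and not key[0].startswith(PRIVATE_DIR):
        findings.append("private key %s is outside %s" % (key[0], PRIVATE_DIR))
    if "ServerName" not in seen:
        findings.append("ServerName is missing (the certificate CN/SAN must match it)")
    return sorted(findings)
```

Run `lint_ssl_vhost(open("/etc/apache2/sites-available/your-ssl-vhost").read())` against a real file; `apache2ctl configtest` only catches syntax, not a path that silently points at the wrong file.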
Note: It is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. A separate IP address or port is necessary for each SSL-enabled domain. There are new modules that provide this functionality, but as of May 2011 it is not yet widely supported by browsers.
...
Info: On the topic of having SSL support for both https://www.earth.com and http://earth.com, when inspecting the certificate, navigate to,
Under the Certificate Subject Alt Name you will see both DNS entries,
Checking for Mixed Content
If you load images with absolute http:// URLs instead of relative paths, you will get mixed content, which makes your page insecure. Tools to check this,
- https://www.jitbit.com/sslcheck/
- https://developers.google.com/web/tools/lighthouse/audits/mixed-content
- https://www.whynopadlock.com/check.php
And here's an example page of common mixed content errors.
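The online checkers above need a public site; for a page that is still on a test box, here is an added offline scanner (example code written for this page, not from the original) that walks an HTML document with the standard library, resolves every sub-resource reference against the https page URL, and reports the ones that would still load over plain http. The sample page is constructed and shows the absolute-URL image case described above next to relative and protocol-relative references that are fine.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resource attribute per tag. Browsers block "active" http content (scripts,
# stylesheets, frames) and only warn about "passive" content (images, media).
ACTIVE = {"script": "src", "iframe": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved absolute URL)

    def _check(self, severity, tag, value):
        # Resolve relative and protocol-relative ("//cdn/...") references against the
        # https page URL; only references that end up on plain http are mixed content.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE and attrs.get(ACTIVE[tag]):
            self._check("active", tag, attrs[ACTIVE[tag]])
        elif tag in PASSIVE and attrs.get(PASSIVE[tag]):
            self._check("passive", tag, attrs[PASSIVE[tag]])
        elif tag == "link" and attrs.get("href"):
            rel = (attrs.get("rel") or "").lower()
            self._check("active" if "stylesheet" in rel else "passive", tag, attrs["href"])

def scan_mixed_content(html, page_url):
    """Return [(severity, tag, url)] for each sub-resource that would load over plain http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one absolute-http image (the case described above), one
# relative image and one protocol-relative script that are fine, and one http script.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.com/lib.js"></script>
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="http://www.earth.com/img/logo.png">
<img src="img/banner.png">
</body></html>"""
```

It only sees markup; resources that scripts or CSS pull in at runtime still need a browser check.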
Clean Up
Some CSR requests may be re-used to renew the signed SSL certificate. However, most CAs will by process ask for a new CSR even if the original could be reused.
Check with your CA to see how the CSR renewal process works. If the requirement is a new CSR, to avoid confusion it is best to delete the CSR request once everything is proven to be working,
...
No, server certs are not bound to the server. You can simply copy/move certs around between servers. In a load balanced environment you would be using the same certs on the different web servers. In a backup scenario you can use the same certificates.
I keep getting this error after I set up SSL for my domain on the second server; how do I fix it?
[Thu Jan 26 19:13:25 2012] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
Check that you have not enabled the virtual host SSL instead of just the virtual host, because what is happening is that with the virtual host SSL enabled it is matching www.domain.com-ssl against the common name www.domain.com.
...
References
https://help.ubuntu.com/10.04/serverguide/C/httpd.html#https-configuration - trying this one first.
...