September 21, 2021

SSL howto

Generating and using an SSL certificate in apache2 isn’t exactly straightforward for the uninitiated. Here’s how to do it on Debian/Ubuntu; it’s similar on CentOS and others, but this will give you the idea.

apache2 SSL setup

First you have to enable Apache’s SSL module:

a2enmod ssl

Now you have to set up apache2 to handle SSL for your site, so create a new file like the one below. Change yourdomain and pathtositeroot to your actual values (yours will be different). This example also has lots of extra stuff you probably don’t need, like the custom log setup, so delete whatever you don’t want:

vi /etc/apache2/sites-available/yourdomain.com.ssl
  # Only needed on Apache 2.2 (2.4 ignores it with a warning); use your
  # server's IP instead of * if the box has several
  NameVirtualHost *:443
  <VirtualHost *:443>
    # SSL configuration
    SSLEngine on
    # points at the .csr for now; switched to the .crt the CA sends back (see below)
    SSLCertificateFile /etc/apache2/ssl/yourdomain.com.csr
    SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.key
    # intermediate/issuer bundle from your CA, if they give you one
    #SSLCertificateChainFile /etc/apache2/ssl/logicalwebhost/sf_issuing.crt
    DocumentRoot /pathtositeroot/yourdomain.com/www/
    ScriptAlias /cgi-bin/ /pathtositeroot/yourdomain.com/cgi/
    ServerAlias yourdomain.com www.yourdomain.com *.yourdomain.com
    ServerName www.yourdomain.com
    ErrorLog /pathtositeroot/yourdomain.com/logs/error_log
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "|/usr/bin/cronolog /pathtositeroot/yourdomain.com/logs/%Y/%m/%d/access_log" combined
    AddType application/x-httpd-php .html
    # scoped to the site root rather than / so the rest of the filesystem
    # is not served; Options entries must either all carry +/- or none
    <Directory /pathtositeroot/yourdomain.com/www/>
      Options -Indexes +FollowSymLinks +MultiViews
      AllowOverride All
      # Apache 2.2 syntax; on 2.4 this is "Require all granted"
      Order deny,allow
      Allow from all
    </Directory>
  </VirtualHost>

Now reload apache2 and watch for errors:

/etc/init.d/apache2 reload

It shouldn’t give you any errors; if it does, you have to fix them or the rest of this won’t work right.

Next you generate the private key and certificate request for your site. Here we show a server with virtual hosts:

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.com.key -out yourdomain.com.csr

It will ask you a bunch of questions and look like this:

Generating a 2048 bit RSA private key
.....................................+++
.......................+++
writing new private key to 'yourdomain.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:  <-- enter your country
State or Province Name (full name) [Some-State]: <-- enter your state
Locality Name (eg, city) []: <-- enter your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- enter your business/organization name
Organizational Unit Name (eg, section) []: <-- not required
Common Name (eg, YOUR name) []: <-- not required
Email Address []: <-- your email address
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- you don't need this, many people don't use it
An optional company name []:

Now you should have two files in your ssl folder:

yourdomain.com.csr
yourdomain.com.key

You need to submit the contents of yourdomain.com.csr to the entity you bought the SSL certificate from, like GoDaddy, Network Solutions or whoever. They will tell you how to do that, but usually you just cut/paste it into their web portal where it prompts you.

cat yourdomain.com.csr
(copy everything from the BEGIN line to the END line; yours will look different)
-----BEGIN CERTIFICATE REQUEST-----
MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH
EwhTYW5EaWVnbzEYMBYGA1UEChMPU2Vhc29ucyBpbiBUaW1lMScwJQYJKoZIh
...
... (more lines) ...
...
27rskwojTRhjrqwrikYvRaISfigRztl8rnK81jiCzGBR9nN6WnM87IyH94EC177o
B5ZjioT/fyaHQXihlXqV7IXSTtG1NLs7sA==
-----END CERTIFICATE REQUEST-----

After you submit this information to them, they will generate a yourdomain.com.CRT file (or a bundle file). Note that it’s really easy to visually confuse the .csr and the .crt files, which is why I capitalized it here. The .csr is the request you send to them; the .crt is the certificate they send back to you, which they do after verifying that when they go to your server and ask for your site’s SSL config files, what they get back matches what you cut/pasted into their system. This means your server appears to be who it claims to be, and they are therefore willing to be the third party who vouches for it to shoppers/visitors to your site.

Now you have to put the .crt file they gave you in your ssl folder and tell apache2 about it. First upload it (ftp, scp, whatever) to your webserver, then copy it to /etc/apache2/ssl:

cp /pathtowhereyourcrtfileis/yourdomain.com.crt /etc/apache2/ssl/
chown www-data:www-data /etc/apache2/ssl/yourdomain.com.crt
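Before telling apache2 about the new file, it is worth checking that what the CA sent back really is a certificate (not the look-alike .csr) and that it matches the key you generated; the same script checks that the private key is not world-readable, since unlike the .crt it must stay private. This is an added example, not part of the original post: the files make_demo builds are constructed stand-ins (a self-signed certificate plays the CA’s part) and the names yourdomain.com.* and Example Inc are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check key, CSR and CRT before Apache loads them.

# pem_kind FILE -> key | csr | crt | unknown, from the PEM header (a .csr and .crt look alike)
pem_kind() {
  if grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"; then echo csr
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo crt
  elif grep -q -- 'PRIVATE KEY-----' "$1"; then echo key
  else echo unknown
  fi
}

# modulus_of FILE -> md5 of the RSA modulus; the same value for a key,
# the CSR made from it and any certificate the CA issues for that CSR.
modulus_of() {
  case "$(pem_kind "$1")" in
    key) cmd=rsa ;;
    csr) cmd=req ;;
    crt) cmd=x509 ;;
    *)   echo "not a PEM key/csr/crt: $1" >&2; return 1 ;;
  esac
  openssl "$cmd" -in "$1" -noout -modulus | openssl md5 | awk '{print $NF}'
}

# check_match KEY CSR CRT -> 0 only if all three share one modulus, i.e. the
# .crt that came back really belongs to the key Apache will load.
check_match() {
  k=$(modulus_of "$1") && c=$(modulus_of "$2") && t=$(modulus_of "$3") || return 2
  [ "$k" = "$c" ] && [ "$k" = "$t" ]
}

# key_is_private KEY -> 0 unless the private key is readable by "other";
# the .crt is public, the .key should be root-only (chmod 600).
key_is_private() {
  [ -z "$(find "$1" -perm -004)" ]
}

# make_demo -> dir holding a constructed yourdomain.com.{key,csr,crt}; the CA is
# stood in for by self-signing, -subj answers the prompts (Common Name = site hostname).
make_demo() {
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/yourdomain.com.key" \
    -out "$d/yourdomain.com.csr" \
    -subj '/C=US/ST=CA/L=SanDiego/O=Example Inc/CN=www.yourdomain.com' 2>/dev/null
  openssl x509 -req -in "$d/yourdomain.com.csr" -signkey "$d/yourdomain.com.key" \
    -days 30 -out "$d/yourdomain.com.crt" 2>/dev/null
  chmod 600 "$d/yourdomain.com.key"
  echo "$d"
}
```

Run check_match and key_is_private against the real files in /etc/apache2/ssl, or `d=$(make_demo)` to try them on the constructed set first.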

Now you have to update your apache2 Virtual Host information for that site:

vi /etc/apache2/sites-available/yourdomain.com.ssl

Change the SSLCertificateFile line from the .csr to the .crt, so this:

  SSLCertificateFile /etc/apache2/ssl/yourdomain.com.csr

becomes this:

  SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt

then reload apache2:

/etc/init.d/apache2 reload

Again, look for errors; you shouldn’t see any. Now go visit your site to see if it works over https:

https://www.yourdomain.com

You should see a little lock showing that your third party has verified you have a valid SSL certificate that matches your information.