How to secure your sites through SSL and Apache for free [Linux]

DrJohnZoidberg

Firstly, I know the competition is over; I just thought this would be useful. Also note that this guide is obviously not aimed at large businesses, but rather at small websites or sites hosted by your business for internal use where no VPN access is set up.

I find that many people don't realise how insanely insecure websites that run over plain HTTP are: every time you transmit data to or from such a site it is generally sent in plain text to the other side, which makes intercepting that traffic extremely simple.

If your site requires users to log in with a username and password, it is essential that you secure your website.

There are reasons why people neglect to do this, though: they often don't understand how to do it, and purchasing SSL certificates costs money, often quite a lot of it.

You can also create your own SSL certificates, but these self-signed certificates are not really useful if you host your site to the public, as visitors will receive certificate warnings when visiting the site; this is when getting a trusted SSL certificate from a certificate authority becomes necessary.

Luckily you can get free SSL certificates from certain sites; in this guide I will be using StartSSL (https://www.startssl.com/). Please sign up for a free account there before continuing.

In this example I will be using the site ssl.myhtpc.co.za, which runs on a Linux (CentOS) server using Apache.


Part 1. Verifying your domain:

Firstly you will need to verify that you actually administer the domain you want to secure. To do this you will need access to an admin email account such as postmaster@yourdomain, webmaster@yourdomain, etc.

1. Login to your StartSSL control panel and select the "Validation Wizard" tab.

2. Select "Domain Name Validation" and click continue.

3. Enter your domain name and select the correct top level domain.

4. The next screen will ask you which email address it should send a validation code to; select one you have access to and click Continue.

5. An email will be sent to the address you selected; check for the email and copy the validation code it contains.

6. On the next screen paste your validation code and click Continue. Your domain is now verified; click Finish to continue.
 
Part 2. Generating your certificate

Now that your domain is verified you can start creating certificates for your sites. We first need to create a certificate signing request (CSR), for which you will need shell access to your host. You can also do this in the StartSSL control panel, but we are going to skip that step.

1. Login to your Linux host via ssh.
2. Make sure you have the necessary openssl packages installed (please use sudo where required):

For Debian/Ubuntu:
Code:
apt-get install openssl

For Centos/Redhat:
Code:
yum install openssl

3. I suggest you also create a directory somewhere for your certificate files so you know where they are; let's just make a directory in your Apache folder:

For Debian/Ubuntu:
Code:
mkdir -p /etc/apache2/certificates

For Centos/Redhat:
Code:
mkdir -p /etc/httpd/certificates

Now just move into your newly created folder, e.g. cd /etc/httpd/certificates.

4. Once you have finished installing these packages and creating your folder, create the CSR file by running the following command (just adjust filenames to whatever you want):

Code:
openssl req -nodes -newkey rsa:2048 -keyout ssl_myhtpc_co_za.key -out ssl_myhtpc_co_za.csr

It will now ask you to enter some details; fill these in as necessary and use your host name as the Common Name. Here is what I typed for mine:

Code:
Country Name (2 letter code) [XX]:ZA
State or Province Name (full name) []:Western Cape
Locality Name (eg, city) [Default City]:Cape Town
Organization Name (eg, company) [Default Company Ltd]:Private
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ssl.myhtpc.co.za
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You can leave the challenge password blank (just press Enter when prompted); otherwise you will have to enter this password each time you start up the Apache service.

In your certificates folder you should now have two files (IMPORTANT: keep these files securely backed up; you don't want to lose them):

Code:
-rw-r--r-- 1 root root 1058 Jan 26 12:43 ssl_myhtpc_co_za.csr
-rw-r--r-- 1 root root 1708 Jan 26 12:43 ssl_myhtpc_co_za.key

We need the contents of the CSR file, as we will use it when creating our certificate on the StartSSL site: just cat the file and copy the full text output (including the header and footer lines).

Code:
cat ssl_myhtpc_co_za.csr

5. In the StartSSL control panel, select the Certificate Wizard tab and select Web Server SSL/TLS Certificate as the certificate target and click Continue.

6. On the next screen you will be prompted to generate a certificate key; this is the step we have already done, so just click Skip.

7. It will now ask for the CSR we generated earlier; if you already copied it to the clipboard, just paste it into the box provided and click Continue.

8. A screen will appear saying your request file has been received, just click Continue here.

9. You will now be asked to select the domain you want to create the certificate for; this is the one we verified earlier. Select it and click Continue.

10. You will now be asked for the subdomain; enter the appropriate value here and click Continue. In my case it is ssl.myhtpc.co.za; you will probably use www here if you want to secure your main site.

11. It will now tell you it is ready, click Continue.

12. It will now provide you with the certificate; copy and paste this data into a new .crt file in the certificates folder we created earlier. I just use nano, paste it in and save:

Code:
nano ssl_myhtpc_co_za.crt

You must also save the intermediate and root certificates, which are linked underneath on that same page; you can use wget on your Linux box to grab these files. Make sure you are in your certificates folder and run the following commands:

Code:
wget https://www.startssl.com/certs/sub.class1.server.ca.pem
wget https://www.startssl.com/certs/ca.pem

You now have everything to secure your site.
 
Part 3. Installing your certificate:

We now have to configure your site to use the certificate we generated. Here I assume you have a working site running as a vhost on your Apache install.

By default you may not have the SSL Apache module enabled: Apache on CentOS normally has it enabled out of the box, but Debian and Ubuntu do not. To enable the SSL module on Debian/Ubuntu, run the following commands from the shell prompt (again, use sudo if needed):

Code:
a2enmod ssl
service apache2 restart

1. We need to edit the vhost conf file for the desired site; here are the locations of mine:

Debian/Ubuntu:
Code:
nano /etc/apache2/sites-enabled/ssl_myhtpc_co_za.conf

Centos/Redhat:
Code:
nano /etc/httpd/conf.d/ssl_myhtpc_co_za.conf

2. Here are two examples (for Debian/Ubuntu and for CentOS) of the contents of the conf files for my vhost:

Debian/Ubuntu:
Code:
<VirtualHost *:80>
     ServerAdmin [email protected]
     DocumentRoot /var/www/ssl_site
     ServerName ssl.myhtpc.co.za

<Directory "/var/www/ssl_site">
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

</VirtualHost>

<VirtualHost *:443>
   ServerAdmin [email protected]
   DocumentRoot /var/www/ssl_site
   ServerName ssl.myhtpc.co.za

   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /etc/apache2/certificates/ssl_myhtpc_co_za.crt
   SSLCertificateKeyFile /etc/apache2/certificates/ssl_myhtpc_co_za.key
   SSLCertificateChainFile /etc/apache2/certificates/sub.class1.server.ca.pem
   SSLCACertificateFile /etc/apache2/certificates/ca.pem

<Directory "/var/www/ssl_site">
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

</VirtualHost>

Centos/Redhat:
Code:
<VirtualHost *:80>
     ServerAdmin [email protected]
     DocumentRoot /var/www/ssl_site
     ServerName ssl.myhtpc.co.za

<Directory "/var/www/ssl_site">
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

</VirtualHost>

<VirtualHost *:443>
   ServerAdmin [email protected]
   DocumentRoot /var/www/ssl_site
   ServerName ssl.myhtpc.co.za

   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /etc/httpd/certificates/ssl_myhtpc_co_za.crt
   SSLCertificateKeyFile /etc/httpd/certificates/ssl_myhtpc_co_za.key
   SSLCertificateChainFile /etc/httpd/certificates/sub.class1.server.ca.pem
   SSLCACertificateFile /etc/httpd/certificates/ca.pem

<Directory "/var/www/ssl_site">
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

</VirtualHost>

If you are running multiple vhosts in Debian/Ubuntu make sure you have the following line in your /etc/apache2/ports.conf file:

Code:
NameVirtualHost *:443

If this line is missing, SSL vhosts will not work properly.

3. Once you have saved your conf file you will have to restart the apache service.

Debian/Ubuntu:
Code:
service apache2 restart

Centos/Redhat:
Code:
service httpd restart

4. Once started you should be able to browse to your SSL enabled website: https://ssl.myhtpc.co.za

Firefox users: If you try to access your newly secured site in Firefox you may get an error telling you it cannot validate the site with OCSP. You may have to wait up to 24 hours for the CA to register your site; either check back later or disable OCSP checking in Firefox if you need to view it immediately.
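Before restarting Apache it is worth checking the files you have just installed. The script below is an added example, not part of the original post: it repeats the key/CSR generation from Part 2 step 4 non-interactively (with the key file restricted to its owner), then checks that the pasted .crt belongs to the .key, that the CA and intermediate files from Part 2 step 12 actually validate it, and that the key is not world-readable. It assumes the openssl CLI and GNU coreutils; the throwaway root CA in build_test_material is constructed so the checks can be exercised offline and stands in for StartSSL.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI and GNU
# coreutils (stat -c). File names follow the post; all test material is constructed.
set -eu

# Part 2 step 4 without the interactive prompts: -subj supplies the answers the
# post typed by hand, -nodes leaves the key unencrypted, and the key file is
# made readable by its owner only (the post's listing shows it at 644).
make_key_and_csr() {            # $1 = file basename, $2 = Common Name (hostname)
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1.key" -out "$1.csr" \
        -subj "/C=ZA/ST=Western Cape/L=Cape Town/O=Private/CN=$2" 2>/dev/null
    chmod 600 "$1.key"
}

# The .crt pasted from the CA must belong to the .key generated above:
# an RSA certificate and its private key share the same modulus.
key_matches_cert() {            # $1 = key file, $2 = certificate file
    [ "$(openssl rsa -noout -modulus -in "$1")" = \
      "$(openssl x509 -noout -modulus -in "$2")" ]
}

# The files named in SSLCACertificateFile / SSLCertificateChainFile must
# actually validate the certificate; pass "-" as $2 when there is no intermediate.
chain_verifies() {              # $1 = CA file, $2 = intermediate or "-", $3 = cert
    if [ "$2" = "-" ]; then
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    fi
}

# Only the owner should be able to read the private key.
key_perms_ok() {                # $1 = key file
    case "$(stat -c '%a' "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Constructed stand-in for the StartSSL step so the checks can be exercised
# offline: a throwaway root CA signs the CSR. Prints the working directory.
build_test_material() {
    d=$(mktemp -d)
    ( cd "$d"
      make_key_and_csr ssl_myhtpc_co_za ssl.myhtpc.co.za
      openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
          -subj "/CN=Constructed Test Root" -keyout ca.key -out ca.pem 2>/dev/null
      openssl x509 -req -in ssl_myhtpc_co_za.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -days 1 -out ssl_myhtpc_co_za.crt 2>/dev/null )
    echo "$d"
}
```

Against a real installation, run key_matches_cert, chain_verifies and key_perms_ok on the files in your certificates folder; build_test_material exists only so the checks can be tried without a CA.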


Part 3b. Redirecting all traffic via SSL (Optional):

If you do not want anyone using the site over regular HTTP, you can force your site to always redirect to the SSL version; to do this, just adjust your vhost conf file accordingly.

Edit your conf file and adjust the port 80 VirtualHost section:

Debian/Ubuntu:
Code:
nano /etc/apache2/sites-enabled/ssl_myhtpc_co_za.conf

Centos/Redhat:
Code:
nano /etc/httpd/conf.d/ssl_myhtpc_co_za.conf

Code:
<VirtualHost *:80>
     ServerAdmin [email protected]
     DocumentRoot /var/www/ssl_site
     ServerName ssl.myhtpc.co.za

     Redirect permanent / https://ssl.myhtpc.co.za/

</VirtualHost>

Restart the Apache service; all requests to ssl.myhtpc.co.za will now redirect to the SSL version.


NOTE: This guide may contain errors, please let me know if you spot anything out of place so I can fix it.
 