HTTPS Traffic

This article goes through the steps required to create and install a secure certificate on a website which will allow web traffic to be encrypted over https. The article uses the default website on an Apache 2 Ubuntu web server. It also mentions what to do for multiple websites each with their own secure certificate.

It is part of my other articles on setting up an Ubuntu Linux server hosted using Amazon Web Services, but the same principals can be applied to any website on any server as the steps are the same. The starting point for this article is a server that has been setup following the examples in my previous articles and in particular, “Hosting multiple websites on a single Apache server“.

Whilst you can create a local secure certificate on your web server, this article uses a purchased one from a cheap certificate provider with the domain authentication method. A local secure certificate will warn users visiting the site that it is a “self-certified” one and they should only visit it they trust the site. Purchasing a secure certificate from an independent trusted provider will not present the warning to visitors.

However, trusted providers validate the purchaser so you need to be ready for that. In this example we are using domain authentication where the validity is verified through the domain owner or administrator. For this purpose, you will need access to the email mailbox that is registered with the domain registrar or an administration mailbox (admin, administrator, hostmaster, webmaster or postmaster).

The process

The process can be summarised as follows:

1. Create a private key on the web server
2. Create a Certificate Signing Request (CSR) for the website using the private key
3. Use the CSR to create a secure certificate at the trusted provider
4. Go through certificate payment and requestor authentication
5. Copy the new SSL certificate and provider’s Intermediate certificate to the web server
6. Move the new SSL, Intermediate certificate and private key to Apache folders
7. Edit the website configuration file to point to the cert/keys in the Apache folders
8. Enable the websites SSL configuration (if not already done)
9. Reload the website configuration
10. Test the website using HTTPS

Before you begin

Make sure you have openssl installed and enabled before you begin.

sudo apt-get install openssl

SSL Tutorial 01

sudo a2enmod ssl

SSL Tutorial 02

sudo service apache2 restart

SSL Tutorial 03

In this example, I am using the default Apache website configuration which comes in two files 001-default.conf for the normal website on port 80 using the “html” directory as I’ve not edited it and default-ssl.conf for secure traffic on port 443. I will assume that these as they would be from the previous articles and still set up this way. Before starting, if you haven’t already done so, make a copy of the SSL configuration file for the default website.

sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.orig

SSL Tutorial 01

Now we will configure the SSL configuration file using “nano”.

sudo nano /etc/apache2/sites-available/default-ssl.conf

Or, in the example, I have changed the directory and then edited the file.

sudo cd /etc/apache2/sites-available/
sudo nano default-ssl.conf

SSL Tutorial 21
SSL Tutorial 05

You can delete comments and some of the entries from the configuration file. You will need to add/replace until it reads like below. The important ones that you will need to edit for other websites are highlighted below.

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerName example.com
    ServerAlias *.example.com
    ServerAdmin patrick.howe@example.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/dev-ssl.pem
    SSLCertificateFile /etc/ssl/private/dev-private.key
    SSLCACertificateFile /etc/ssl/certs/dev-intermediate.pem
    <FilesMatch “\.(cgi|shtml|phtml|php)$”>
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /var/www/html>
      AllowOverride All
    </Directory>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch “MSIE [2-6]” \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 forceresponse-1.0
    BrowserMatch “MSIE [17-9]” ssl-unclean-shutdown
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|POST)
    RewriteRule .* – [F]
  </VirtualHost>
</IfModule>

SSL Tutorial 06

The website secure configuration will not work until you have installed the secure certificate so if it is not already disabled, it would probably be best to disable it now.

sudo a2dissite default-ssl.conf

SSL Tutorial 07

We need to move files between the server and the local macine using FTP so make sure you are back at your ubuntu home directory so we don’t have to worry about permissions.

cd ~

Step by step instructions

1. Create a private key on the web server

sudo openssl genrsa -out buck-private.key 2048

2. Create a Certificate Signing Request (CSR) for the website using the private key

openssl req -new -key buck-private.key -out buck-cert.csr

You will be prompted to enter your country, company and domain details. In this example:

Country Name: GB
State: London
City: London
Organization Name: My Web Minder
Organizational Unit: (leave blank)
Common Name: example.com
Email Address: (leave blank)
Challenge Password: (leave blank)
Optional Company Name: (leave blank)

SSL Tutorial 08

3. Use the CSR to create a secure certificate at the trusted provider

Use FTP to copy the generated CSR file somewhere locally that you can copy the contents from your machine in the certificate generation process.

Open the CSR locally (in Notepad) and copy all of the contents (Ctrl+A and Ctrl+C) to the clipboard.

Visit a certificate reseller. I’ve used Trustico. The QuickSSL Basic domain authenticated option is a domain validated certificate from GeoTrust. It is a very quick process as they just email the domain owner (or admin contact), it’s very cheap (at the time of writing it costs £39+VAT for 1 year), it can be installed on multiple servers and the single www.example.com name also serves example.com (some provers you would have needed two certs for this).

Go through the screens after selecting QuickSSL Basic and then to Buy New and then 1 year (or more) and filling in your details which need to be correct, especially your email and phone number. Make sure you make a note of the memorable date that you enter as you’ll need it if you need to revisit the site to get your invoice and the details of the PEM files.

Select a “Submit Newly Generated Certificate Signing Request” and paste (Ctrl+V) in the contents of your CSR file. It will read these and if correct you can proceed to verification.

SSL Tutorial 09

4. Go through certificate payment and requestor authentication

Email verification can be done using the contact information from WhoIs if that is available or from a general administrative email address at that domain. Whichever you choose you will need access to that mailbox or at the very least have some sort of forwarding in place (that’s been tested) on that mailbox redirecting email to a mailbox you do have access to.

SSL Tutorial 10

Pay for the certificate.

SSL Tutorial 11

Once paid for, an approver email is generated to the email address you chose. Click the link.

SSL Tutorial 12

Approve.

SSL Tutorial 13
SSL Tutorial 14

Once approved, you’ll have to wait a few minutes before the final email from Trustico comes through with the tracking link (as before) but also with your certificate details at the end of the email.

SSL Tutorial 15

I use the tracking link with my order number and memorable date to get my certificate and intermediate certificate and also get a copy of my invoice.

SSL Tutorial 16

When you are at this stage, copy the contents of your SSL Certificate and Intermediate Certificate into two text files and name them with PEM extensions.

SSL Tutorial 17

5. Copy the new SSL certificate and provider’s Intermediate certificate to the web server

Copy the PEM files to the server in the ubuntu home directory using your FTP client software.

6. Move the new SSL, Intermediate certificate and private key to Apache folders

Now from the CLI copy them to the appropriate places that you specified in default-ssl.conf. Copy the private key to /etc/ssl/private and the two certificates to /etc/ssl/certs using the following:/

sudo cp buck-private.key /etc/ssl/private/
sudo cp buck-ssl.pem /etc/ssl/certs/
sudo cp buck-intermediate.pem /etc/ssl/certs/

SSL Tutorial 18

7. Edit the website configuration file to point to the cert/keys in the Apache folders

You will not need to do anything here if you already followed the instructions in the “Before you begin” section. If not refer back to that section to edit the default-ssl.conf file using “nano”.

SSL Tutorial 05

8. Enable the websites SSL configuration (if not already done)

sudo a2ensite default-ssl.conf
sudo service apache2 reload

9. Reload the website configuration

SSL Tutorial 19

10. Test the website using HTTPS

Finally test the site on https from your web browser.

SSL Tutorial 20

Redirect http traffic to https in configuration file

If you want to redirect all traffic for your website to https, then you just need to add a redirect command to the configuration for port 80. Using the same website as above this command will be added 001-default.conf.

SSL Tutorial 21
SSL Tutorial 22

The command to add is:

Redirect permanent / https://www.example.com/

SSL Tutorial 23

If you want to redirect all port 80 traffic to port 443 then you actually don’t need a lot in the configuration file other than the domain and the redirection.

If you don’t already have the configuration enabled you will need to do that.

SSL Tutorial 24

After any changes remember to reload the Apache configurations. You shouldn’t forget as Apache will remind you after you made any site configuration changes.

SSL Tutorial 25

Other notes

For any other secure websites on the same Apache server, you can copy the default-ssl.conf and use the steps above, although you could reuse the private key if you wanted or create a new one.

This is part of a series of short articles covering setting up and maintaining a multiple domain web hosting environment using an Ubuntu Linux server. You can find an up-to-date list of those from the Hosting – Ubuntu category.

That’s all for today – I hope you found it useful.

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz