Enable SSL for apache server in 5 minutes

This post describe how to quickly enable SSL for apache web server under linux. This has been done on a clouded virtual machine, the Linux distribution is Ubuntu 12.04 LTS Server, the one provided by Amazon Aws or Microsoft Azure. This procedure may not work or may differ on older or different distribution.

What need to be in place ?

You need to already have apache server running on http port 80 (or whatever) and when you try to go to your website for example http://demo.hallard.me you should have the well know page

It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

Once this is ok, just go to your server with ssh

What do to ?

Ok let’s start where we will put the certificates (in /etc/apache2/ssl)

sudo mkdir /etc/apache2/ssl

1	sudo mkdir /etc/apache2/ssl

now we generate the certicates, for 3 years (1095 days) under the folder we created above.

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

1	sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

that will show the following, and ask you some questions.

Generating a 2048 bit RSA private key
............................................+++
.....................+++
writing new private key to '/etc/apache2/ssl/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Poitou
Locality Name (eg, city) []:Montamise
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet Self CA
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:demo.hallard.me
Email Address []:mydummy@email.com

Generating a 2048 bit RSA private key

............................................+++

.....................+++

writing new private key to '/etc/apache2/ssl/server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:FR

State or Province Name (full name) [Some-State]:Poitou

Locality Name (eg, city) []:Montamise

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet Self CA

Organizational Unit Name (eg, section) []:IT

Common Name (e.g. server FQDN or YOUR name) []:demo.hallard.me

Email Address []:mydummy@email.com

The most important, is the Common Name, it should match the internet name FQDN (here demo.hallard.me)

Now we install the SSL mod for apache, this instruction pre configure the file /etc/apache2/ports.conf with some line and the important one that say Listen 443

sudo a2enmod ssl

1	sudo a2enmod ssl

We put the default-ssl site available creating a symbolic link

sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl

1	sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl

Now we edit the file default-ssl (or default-ssl.conf for new version) we have just enabled

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

1	sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Edit October 2014 : on new apache2 version, configuration files need to have .conf extension, so in this case the two previous commands are now :

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

1	sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

1	sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

End of Edit

and we change the two lines relative to SSLCertificate as follow :

SSLCertificateFile    /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

1 2	SSLCertificateFile /etc/apache2/ssl/server.crt SSLCertificateKeyFile /etc/apache2/ssl/server.key

Now restart apache server

sudo /etc/init.d/apache2 restart

1	sudo /etc/init.d/apache2 restart

now you can go with your favorite browser, in my example https://demo.hallard.me, the browser will warn you because it is a self signed certificate, but if you accept it you will now have the same famous “It works!” but with encryption. To avoid warning by browser, you can add the certificate to Trusted Root Certificate Authority of your computer. The procedure to to this depends on browser and operating system, so google is your friend.

Now it is safe that you force SSL encryption on each page that require authentication.

For example, for WordPress, add the following two lines (just after the other existing define lines in the file wp-config.php (located in wordpress installation dir)

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

1 2	define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true);

This will force each login to use SSL and all admin site to use SSL

You can do the same for phpmyadmin adding to the file /etc/phpmyadmin/config.inc.php

$cfg['ForceSSL'] = 'true';

1	$cfg['ForceSSL'] = 'true';

What need to be in place ?

It works!

What do to ?

Charles