This post describe how to quickly enable SSL for apache web server under linux. This has been done on a clouded virtual machine, the Linux distribution is Ubuntu 12.04 LTS Server, the one provided by Amazon Aws or Microsoft Azure. This procedure may not work or may differ on older or different distribution.
What need to be in place ?
You need to already have apache server running on http port 80 (or whatever) and when you try to go to your website for example http://demo.hallard.me you should have the well know page
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Once this is ok, just go to your server with ssh
What do to ?
Ok let’s start where we will put the certificates (in /etc/apache2/ssl)
|
1 |
sudo mkdir /etc/apache2/ssl |
now we generate the certicates, for 3 years (1095 days) under the folder we created above.
|
1 |
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key |
that will show the following, and ask you some questions.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
Generating a 2048 bit RSA private key ............................................+++ .....................+++ writing new private key to '/etc/apache2/ssl/server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:FR State or Province Name (full name) [Some-State]:Poitou Locality Name (eg, city) []:Montamise Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet Self CA Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:demo.hallard.me Email Address []:mydummy@email.com |
The most important, is the Common Name, it should match the internet name FQDN (here demo.hallard.me)
Now we install the SSL mod for apache, this instruction pre configure the file /etc/apache2/ports.conf with some line and the important one that say Listen 443
|
1 |
sudo a2enmod ssl |
We put the default-ssl site available creating a symbolic link
|
1 |
sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl |
Now we edit the file default-ssl (or default-ssl.conf for new version) we have just enabled
|
1 |
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf |
Edit October 2014 : on new apache2 version, configuration files need to have .conf extension, so in this case the two previous commands are now :
|
1 |
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf |
|
1 |
sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf |
End of Edit
and we change the two lines relative to SSLCertificate as follow :
|
1 2 |
SSLCertificateFile /etc/apache2/ssl/server.crt SSLCertificateKeyFile /etc/apache2/ssl/server.key |
Now restart apache server
|
1 |
sudo /etc/init.d/apache2 restart |
now you can go with your favorite browser, in my example https://demo.hallard.me, the browser will warn you because it is a self signed certificate, but if you accept it you will now have the same famous “It works!” but with encryption. To avoid warning by browser, you can add the certificate to Trusted Root Certificate Authority of your computer. The procedure to to this depends on browser and operating system, so google is your friend.
Now it is safe that you force SSL encryption on each page that require authentication.
For example, for WordPress, add the following two lines (just after the other existing define lines in the file wp-config.php (located in wordpress installation dir)
|
1 2 |
define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true); |
This will force each login to use SSL and all admin site to use SSL
You can do the same for phpmyadmin adding to the file /etc/phpmyadmin/config.inc.php
|
1 |
$cfg['ForceSSL'] = 'true'; |
Good day very nice blog!! Man .. Beautiful .. Superb .. I will bookmark your blog and take the feeds additionally
Hey,
Just saw your message, thank’s
Charles
Worked for me – thanks mate!
Cheers,
Lutz
Excellent blog, thanks it worked with me. Just one thing, I
have a password protected folder in my apache2 server. When I point
my browser to that folder using the https it opens the folder
without authentication, but when I access it with http only, it
asks me for username and password. So do you have any idea why this
basic authentication doesn’t work with https? Thanks
Hi Zari,
If you followed this tutorial, I think you need to enable authentication into the file
sudo nano /etc/apache2/sites-enabled/000-default-sslhas you have done into
sudo nano /etc/apache2/sites-enabled/000-defaultbecause SSL sites use another config file. If can be different dependings on the config file you used, but this tip should do the trick.
Charles
Great article, Thanks !
What about if your running on localhost? What would the FQDN be? Currently I use this to access my webpages -> http://localhost:8080/my_web_page/search_query
John,
May be you can use a FQDN (ie mycomputer.com) and generate the certificate for it then in the host file add
127.0.0.1 mycomputer.com
Did not tried but could work
Also trying certificate generation for localhost might work.
Good to test, let me Know
Charles
Great post. Just the essentials.
Thanks!
Thanks a lot !!!!
Nico,
You’re welcome
Charles
I’m afraid it didn’t work for me. http:// is fine but https:// brings “This webpage is not available”.
It may have had something to do with the edited Oct 2014 symbolic links as I wasn’t sure what Apache2 was loaded on my RPi. I ended up doing both and when it didn’t work I deleted the .conf. This seemed to work but I got a message about FQDN. I solved that by creating a local.conf in conf.d with servername localhost.
Any help would be mightily appreciated
TIA
John
Great post, completed this in few minutes for a mini raspberry, no problems.
Tolga,
Thanks, I’m glad it worked for you 😉
Charles
Thanks a lot, Charles Henri, it works for me, fine. BUT : something I do not understand, I can access to my site with http:// and with https:// ! is it normal ? I redirect 443 external to 443 internal on my Live box, and I cannot redirect 80 external to 443 internal.
Thanks for your help.
If I check on your demo, it is the same, http: works and https: also. It is a normal behaviour ? how does the visitor knows he should use https: ?
Sebastien,
Yes for the demo it’s normal, both are working but of course you can just remove simple http but it’s not the best solution. Instead, do a redirect, this mean that every http requests will be redirected to https by the web server. sometimes applications can also do this like wordpress or phpadmin.
I don’t know live box redirection but may be for 80 -> 443 it’s more under port mapping than redirection. Anyway just close 80 on your livebox and just let 443, then from external you just have https and from your internal network you can use http and https.
Charles
Thanks CH for your answer. I am going to study all this. Your page about https is the best one of google’s ! you cannot imagine ! with yours ? 5 minutes ! thanks again.
I found :
in my /etc/apache2/sites-available/default :
<VirtualHost *:80>
Redirect permanent / https://exemple.com/
and it works ! of course, service apache2 restart !
Excellent,
good to have the trick, thanks
Charles
Thanks. Simple and to the point.
Hello Charles.
Now, I dont know what to do ! I went on http://cacert.com in order to have a free certificat.
I have them : file.cer, file.crt and an ascii very long file supposed to be loaded in my browser !
You say this :
pico /etc/apache2/sites-enabled/000-default-ssl
SSLCertificateKeyFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
But I do not have that .key file ? what do I have to do with the files Cacert gave me ?
Thanks again.
Sebastien,
Depending on how you requested your certificate to cacert. did you done it using CSR ? if so your private key certificate should be on the computer from which you generated your CSR file to provide to cacert. What does CACERT procedure says about that ?
Sorry Charles, I have not red your answer until today 🙁
But I found a very good information there, in french unfortunately : http://blog.zenmail.biz/creez-un-certificat-gratuit-avec-cacert-org-pour-apache/
I have followed it respectfully, and it seems to work as described. And I think it complete your information perfectly. Except it is in french 🙂
Thanks for your help.
Nice and simple, thanx!