Friday, September 1, 2017
Setup Web Server with free StartSSL certificate
You can easily set up an Ubuntu web server with a real (not self-signed) SSL certificate using a free certificate from StartSSL. This post shows the process step by step.
This guide assumes you have already installed LAMP or at least Apache.
So let's start.
Enabling mod_ssl
To enable Apache's SSL module, run...
a2enmod ssl
... and restart Apache:
/etc/init.d/apache2 restart
Apache should now be listening on port 443 (HTTPS):
netstat -tap | grep https
root@server1:~# netstat -tap | grep https
tcp6 0 0 [::]:https [::]:* LISTEN 1238/apache2
root@server1:~#
Setting Up The Vhost
I will now create the vhost www.example.com with the document root /var/www/www.example.com.
First I create that directory:
mkdir /var/www/www.example.com
Apache comes with a default SSL vhost configuration in the file /etc/apache2/sites-available/default-ssl.
We use that file as a template for the www.example.com vhost...
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.example.com-ssl
... and open /etc/apache2/sites-available/www.example.com-ssl:
vi /etc/apache2/sites-available/www.example.com-ssl
Make sure you use the correct IP address in the <VirtualHost xxx.xxx.xxx.xxx:443> line (* in this example). Also fill in the correct ServerAdmin email address and add a ServerName line. Adjust the paths in the DocumentRoot line and in the <Directory> directives.
As you can see, this vhost uses the default self-signed snakeoil certificate that comes with Ubuntu/Debian:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Now disable the default SSL vhost (if it is enabled), enable the www.example.com vhost and reload Apache:
a2dissite default-ssl
a2ensite www.example.com-ssl
/etc/init.d/apache2 reload
Now open a browser and go to your new SSL vhost (https://www.example.com in this case). Because we are still using Debian's/Ubuntu's default self-signed certificate, we should get a warning that the connection is untrusted.
Setting it all up
I run Debian stable on my servers. At the time of writing this is Debian Lenny with Apache 2.2.9. Replace example.com with your own domain name where applicable.
Authenticating with StartSSL
Note: As of the time of writing, Chrome has some issues with SSL client certificates which will cause you problems. I recommend using Safari (or Firefox if that's your thing).
If this is your first time using StartSSL, you'll need to create an account. Click on Control Panel and then on Sign-up. Fill out all the details and you'll get an SSL client certificate which you use to authenticate with the website.
The client certificate expires after a year, so you'll have to create a new one when it comes time to renew your server certificate. StartSSL will send you an email when both are coming up for renewal. To create a new client certificate, first re-verify your email address under Validations Wizard: Email Address Validation and then create a new certificate under Certificates Wizard.
Requesting a server certificate
Validations Wizard: Domain Name Validation
Certificates Wizard: Web Server SSL/TLS Certificate
Generate the private key and the certificate signing request (CSR) on your server:
openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.csr
Pick the CSR option when prompted and upload the contents of example.com.csr. You will also be prompted for a hostname underneath your domain. I run a no-www shop, so I used my server's hostname (host.example.com). If you want to run www.example.com, enter www here.
From this point on the .csr file is no longer required and can be removed. Alternatively you could generate a CSR with a longer expiry and reuse it next year.
And now we wait for the certificate to be issued. This usually happens within half an hour. When you receive the certificate signing confirmation email, download the following certificates:
Toolbox > Retrieve Certificate: You will see your newly created certificate. Save it as example.com.crt.
Toolbox > StartCom CA Certificates: Download "StartCom Root CA (PEM encoded)" (ca.pem)
Toolbox > StartCom CA Certificates: Download "Class 1 Intermediate Server CA" (sub.class1.server.ca.pem).
Configuring server certificate
Copy the .crt, .key and both .pem files to /etc/apache2/ssl on your server:
sudo mkdir /etc/apache2/ssl
sudo cp ca.pem /etc/apache2/ssl
sudo cp sub.class1.server.ca.pem /etc/apache2/ssl
sudo cp example.com.crt /etc/apache2/ssl
sudo cp example.com.key /etc/apache2/ssl
Configuring Apache
Run the following commands as root:
cd /etc/apache2/ssl
mv ca.pem startssl.ca.crt
mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
cat example.com.{key,crt} startssl.chain.class1.server.crt > example.com.pem
ln -sf example.com.pem apache.pem
chown root:ssl *.crt *.key *.pem
chmod 640 *.key *.pem
Edit /etc/apache2/sites-available/ssl and add the following within the <VirtualHost> block:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt
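As an added check that is not part of the original post (my own script, not the blog author's or StartSSL's): it walks the PEM blocks of the chain file, extracts each certificate's subject and issuer DN with a minimal DER reader, and confirms that startssl.chain.class1.server.crt really lists the leaf's issuer (the Class 1 intermediate) first and the root after it, with no private key block accidentally concatenated in. fake_cert_pem produces constructed, unsigned certificates so the check can run offline; on a real server pass it the contents of example.com.crt and the chain file instead.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Split PEM text into (label, DER bytes) pairs, in file order."""
    return [(m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2))))
            for m in PEM_RE.finditer(text)]

def _tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_issuer(der):
    """Return the raw DER (subject, issuer) Names of an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                             # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)                             # serialNumber
    _, _, p = _tlv(der, p)                             # signature AlgorithmIdentifier
    _, _, end = _tlv(der, p); issuer, p = der[p:end], end
    _, _, p = _tlv(der, p)                             # validity
    _, _, end = _tlv(der, p)
    return der[p:end], issuer

def check_chain(leaf_pem, chain_pem):
    """Problems with a SSLCertificateChainFile for the given leaf; [] means usable."""
    blocks = pem_blocks(chain_pem)
    problems = ["chain file contains a %s block; only certificates belong in it" % label
                for label, _ in blocks if label != "CERTIFICATE"]
    want = subject_issuer(pem_blocks(leaf_pem)[0][1])[1]   # the leaf's issuer DN
    for i, (subj, iss) in enumerate(subject_issuer(d) for l, d in blocks if l == "CERTIFICATE"):
        if subj != want:               # byte-for-byte DN match, as chain builders require
            problems.append("chain certificate %d did not issue the certificate before it" % i)
        want = iss                     # the next certificate must be this one's issuer
    return problems

def _der(tag, body):                   # short-form length only (< 128 bytes); test data only
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject, issuer):
    """Constructed, unsigned test certificate with a real TBS layout up to the subject field."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64
```

Run check_chain(open("example.com.crt").read(), open("startssl.chain.class1.server.crt").read()) before reloading Apache; an empty list means the chain is in the order clients expect.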
At this point you'll want to configure the rest of Apache for SSL if you haven't already.
Check that your Apache config parses as valid:
apache2ctl -t
And then reload Apache with the new config:
/etc/init.d/apache2 reload
Verifying everything worked
Run the following after reloading Apache to check the certificate chain:
echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null
You should see something like:
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
The error at depth 2 refers to the self-signed StartCom root at the end of the chain: s_client was not given a trust store (no -CAfile), so it cannot vouch for the root, which is not a problem with your own certificate. Browsers that ship the StartCom root will accept the chain.
That's it, you have successfully configured an SSL web server!