This post describes how to quickly enable SSL for the Apache web server under Linux. This was done on a cloud virtual machine running Ubuntu 12.04 LTS Server, the image provided by Amazon AWS or Microsoft Azure. The procedure may not work, or may differ, on older or different distributions.
What needs to be in place?
You need to already have the Apache server running on HTTP port 80 (or whatever), and when you go to your website, for example http://demo.hallard.me, you should see the well-known page:
This is the default web page for this server.
The web server software is running but no content has been added, yet.
Once this is OK, connect to your server with SSH.
What to do?
OK, let's start with the directory where we will put the certificates (/etc/apache2/ssl):
Now we generate the certificates, valid for 3 years (1095 days), in the folder we created above.
Then we change the two lines relating to SSLCertificate as follows:
Now restart the Apache server.
Now you can go to your site with your favorite browser, in my example https://demo.hallard.me. The browser will warn you because it is a self-signed certificate, but if you accept it you will have the same famous “It works!” page, this time with encryption. To avoid the browser warning, you can add the certificate to the Trusted Root Certificate Authority store of your computer. The procedure to do this depends on the browser and operating system, so Google is your friend.
Now you can safely force SSL encryption on every page that requires authentication.
For example, for WordPress, add the following two lines just after the other existing define lines in the file wp-config.php (located in the WordPress installation directory):
This forces every login and the whole admin site to use SSL.
You can do the same for phpMyAdmin by adding to the file /etc/phpmyadmin/config.inc.php
Note that this enables only “self-signed” certificates. I followed these directions but invariably encountered problems that were not addressed. Running Wheezy on a Raspberry Pi B v1.
As usual, update first.
$ sudo apt-get update
Then make sure Apache and OpenSSL are installed:
$ sudo apt-get install apache2 openssl
If it is already installed, like it was on mine, then you will see:
Reading package lists... Done
Building dependency tree
Reading state information... Done
apache2 is already the newest version.
openssl is already the newest version.
openssl set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Your external certs are installed in /etc/ssl/certs. You won’t put these certs there.
Create a new directory for local certificates (-p means no error if existing, make parent directories as needed):
$ sudo mkdir -p /etc/ssl/localcerts
The next line starts the certificate generation. The cert is good for 365 days – you can change that.
Generating a 2048 bit RSA private key
Next, you will enter the answers to the following questions. This is where I effed up, so don’t you do it too. The FQDN name is the name of your Apache web server. For me, since I’m just running it locally, that would be the server name, like “raspberrypi” – if you kept the default. That server name is mapped to an internal IP, like 192.168.1.11 or something.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) :San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PaynsName
Organizational Unit Name (eg, section) :SysOpsProgFest
Common Name (e.g. server FQDN or YOUR name) :raspberrypi_orwhatever
Email Address :noNeed@forrealemail.com
When that is done, you will have two new files in this directory: /etc/ssl/localcerts
Then chmod those files:
$ sudo chmod 600 /etc/ssl/localcerts/apache*
$ sudo a2ensite ssl
If you get a “not found” error, try:
$ sudo a2ensite default-ssl
I think my ssl file already existed in /etc/apache2/sites-available.
Now you need to edit the ssl configuration file in the /etc/apache2/sites-available directory.
The link above says to enable port 443 in /etc/apache2/ports.conf, but mine already had it enabled with these lines:
So I didn’t modify that file.
Now restart Apache:
$ sudo service apache2 restart
And what you should get is a browser error, telling you that the site is not secure. That means it’s working! Because you didn’t pay a service to generate a validated certificate, you have to take your own word for it that it’s valid.
Click on I Understand the Risks, then click on Add Exception….
Next click on Get Certificate, and finally Confirm Security Exception to bypass the SSL warning in Firefox.
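The certificate step that both walkthroughs above describe, as an added example rather than commands from either author: it generates the key and self-signed certificate without prompts, then checks key permissions, key/certificate pairing, validity period and the host name in the certificate. The `apache.key`/`apache.crt` file names, the scratch directory and the `pi.example.test` host name are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. File names apache.key / apache.crt are assumptions.

# make_selfsigned DIR CN DAYS: write DIR/apache.key and DIR/apache.crt, no prompts.
make_selfsigned() {
    dir=$1 cn=$2 days=$3
    mkdir -p "$dir" || return 1
    # umask 077 so the private key is never readable by other users, even briefly.
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
          -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
          -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/apache.key" && chmod 644 "$dir/apache.crt"
}

# key_matches_cert DIR: succeed only if key and certificate hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/apache.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/apache.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# valid_for_days DIR N: succeed if the certificate is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1/apache.crt" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_names DIR: print subject and SAN, the names a browser compares with the URL host.
cert_names() {
    openssl x509 -in "$1/apache.crt" -noout -subject -ext subjectAltName
}

# Demo in a scratch directory (no root needed); the host name is a constructed sample.
demo_dir=$(mktemp -d) || exit 1
make_selfsigned "$demo_dir" pi.example.test 1095 &&
    key_matches_cert "$demo_dir" &&
    valid_for_days "$demo_dir" 1094 &&
    cert_names "$demo_dir"
rm -rf "$demo_dir"
```

Run against the real certificate directory with sudo, the same functions confirm that the files the `SSLCertificateFile` and `SSLCertificateKeyFile` lines point to belong together before Apache is restarted.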
7. Open a browser from a computer. This example uses Firefox on a Mac. Enter the HTTPS version of your custom domain name. The message “This Connection is Untrusted” is shown because we did not pay for an SSL certificate.
Select Add Exception.
Select Confirm Security Exception.
Now a secure lock is shown at the left of the URL.
I was trying to configure SSL (443) for one of the virtual hosts configured in Linux with the same domain name and a different port number. I have used mod_ssl for configuring HTTPS. For the virtual host on port 80, HTTPS is working fine. Now the problem is that I have configured other virtual hosts on port numbers 8081 and 8082, and I want to provide HTTPS for both the 8081 and 8082 virtual hosts.
Sites on port numbers 8081 and 8082 are working, but I need those ports to work with HTTPS.