Monday, November 22, 2010

Lock Down! Enable SSL on Apache2 with Signed Certificates

Ssl_login

Enabling SSL on Apache2 is actually pretty easy and out of the box will enable self-signed certificates.  This will suffice for testing but if your goal is to lock down sensitive information and be trusted by users, getting an SSL certificate for your domain will be key.  When I setup my FedOne server about a year ago, I had to go through getting certificates for federation to work with the Google's Sandbox.

Enable SSL in Apache2:

I am assuming you already have Apache2 installed and own a domain name with postmaster/webmaster access.  Here are the steps to get the SSL module of Apache2 running:

1 - Enable ssl:

$: a2enmod ssl

Out of the box this will use self-signed certiicates which will light up most broswers with a red "This site's security certificate is not trusted!".  The self-signed certificates are great for testing especially since Ubuntu 10.04 which contains it's own SSL conf file. 

2 -  Once the SSL is enabled, restart Apache:

$: sudo /etc/init.d/apache2 restart

Now that SSL is enabled and https://yourdomain.com is using the self signed certs, we need to generate a certificate request file and a private key from our server and use a 3rd party signer to get our certificate.  

 

Generate CSR and Server Key:

1 - I used the same script to generate both the private key and certificate request.

$: sudo nano make-csr.sh

2 - Enter the following code:

#!/bin/bash

NAME=$1

if [ "$NAME" == '' ]

then

echo "$0 " 1>&2

  exit 1

fi

openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out $NAME.key

openssl req -new -nodes -sha1 -days 365 -key $NAME.key -out $NAME.csr

3 - Make the script executible:

er$: sudo chmod a+x make-csr.sh

3 - Run the script, adding the name you want on the end.  I choose "server":

$: sudo ./make-csr.sh server

This generated two files:

server.key
server.csr 

StartSSL™

 

 

 

Validate Domain with StartSSL:

I choose StartSSL since I used them during my FedOne setup and it was rather easy and free to boot.  Here are the steps:

1 - Go to http://www.startssl.com and create an account.  You will need to have a registered domain and access to the postmaster or webmaster of the domain in order to establish a certified connection.

2 - Click on "Sign-up" to begin the registration process.  This will have you fill out some information and will have you verify with an email.  Once verified a certificate will be installed in your browser (doesn't work on Chrome in my tests).

3 - Click on "Validations Wizard" and select "Domain Name Validation" (Continue)

4 - Type in your domain name (Continue).  An email verification will be sent and you will paste in the validation code to get your domain validated.

Request Certificate from StartSSL:

1 - Click on "Certificates Wizard" and for Certificate Target select "Web Server SSL/TLS Certificate (Continue)

2 - Click on Skip since we are going to use our own CSR from the above step (Skip)

3 - Copy the contents of the "server.csr" generated above by typing:

$: cat server.csr

* Make sure the contents of the certificate request includes the header and footers of the CSR with all the dashes! (Continue)

4 - The screen will appear with the contents of the newly generated SSL certificate.  Copy the contents and add it to a new file called "server.crt" on the server.

$: sudo nano server.crt

Configure Apache2 to use Signed Certificates:

I decided to create a directory to place my certificates in the Apache2 directory. You can place them anywhere you like.

1 - Make a directory in Apache2

$: sudo mkdir /etc/apache2/ssl

2 - Copy the certificate (server.csr) and private key (server.key) to the new directory

$: sudo cp server.crt /etc/apache2/ssl
$: sudo cp server.key /etc/apache2/ssl

3 - Point Apache to use your new files in the default-ssl file:

$: sudo nano /etc/apache2/sites-available/default-ssl

Make sure the SSL Engine is on and the proper paths are reflected:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

4 - Restart Apache

$: sudo /etc/init.d/apache2 restart

Once restarted, Apache will now sign with your new certificates and users will see the green "https" in their browser bar.  Depending on what setup you require, you may need to still set your document root for your website and do a mod-rewrite in your .htaccess file to forward all your http traffic to https.

In my case, I was running my StatusNet instance with mixed mode SSL, protecting only sensitive pages since Meteor doesn't post via https yet without an unsupported proxy setup. ~Lou