Configuring Apache to use SSL

From Alliance Doc
Revision as of 18:05, 18 August 2016 by Cgeroux (talk | contribs) (Created page with "Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. This page d...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. This page describes the procedure for creating a self-signed SSL certificate as apposed to one signed by a Certificate Authority (CA) and configuring Apache to use it to encrypt communications. Having a certificate signed by a CA allows visitors of the site to verify by a third party (the CA) that the website is the expected website, avoiding man-in-the-middle-attacks. Self signed certificates should not be used for production sites.

The below steps assume you are using the Ubuntu operating system. If using another linux operating system the steps will be similar but the details will be different.

  1. Activate SSL Module
    Once Apache has been installed (see Installing Apache) the SSL module must be enabled with
    [name@server ~]$ sudo a2enmod ssl
[name@server ~]$ sudo service apache2 restart
  2. Create a Self-Signed SSL Certificate
    Question.png 
    [name@server ~]$  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt

    This command will ask you a series of questions. Below is a list of the questions with example responses: 

     Country Name (2 letter code) [AU]:CA
 State or Province Name (full name) [Some-State]:Nova Scotia
 Locality Name (eg, city) []:Halifax
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Compute Canada
 Organizational Unit Name (eg, section) []:ACENET
 Common Name (e.g. server FQDN or YOUR name) []:206-167-185-111.cloud.computecanada.ca
 Email Address []:<your email>

    The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on Compute Canada's cloud it should looks similar to the example response except that the numbers should correspond to the floating-IP associated with the virtual machine.

  3. Set Ownership and Permissions
    Set the correct ownership and permissions of the private key with: 
    [name@server ~]$ sudo chown root:ssl-cert /etc/ssl/private/server.key
[name@server ~]$ sudo chmod 640 /etc/ssl/private/server.key
  4. Configure Apache to use the Certificate
    Edit Apache's ssl configuration file with
    Question.png 
    [name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf

    and change the lines 

    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    to 

    SSLCertificateFile      /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateChainFile /etc/ssl/certs/server.crt
  5. Tighten Security Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by adding Redirect permanent / https://206-167-181-71.cloud.computecanada.ca ServerName 206-167-181-71.cloud.computecanada.ca ServerAlias www.206-167-181-71.cloud.computecanada.ca SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4 SSLHonorCipherOrder on to default-ssl.conf
Retrieved from "https://docs.alliancecan.ca/mediawiki/index.php?title=Configuring_Apache_to_use_SSL&oldid=2618"