Configuring Apache to use SSL

Parent page: Creating a Webserver on CC-Cloud

Transport Layer Security (TLS) and formerly Secure Sockets Layer (SSL) are both often referred to as SSL and allow encrypted communications over computer networks. This page describes the procedure for creating a self-signed SSL certificate as apposed to one signed by a Certificate Authority (CA) and configuring Apache to use it to encrypt communications. Having a certificate signed by a CA allows visitors of the site to verify by a third party (the CA) that the website is the expected website, avoiding man-in-the-middle-attacks. Self signed certificates should not be used for production sites, though they are useful for small locally used sites and for testing as they are free, as apposed to getting a certificate signed by a CA which usually coats something like $100 a year.

The below steps assume you are using the Ubuntu operating system. If using another Linux operating system the steps will be similar but the details will likely be different such as slightly different commands or different locations and names of configuration files.

1. Activate SSL Module
   Once Apache has been installed (see Installing Apache) the SSL module must be enabled with

   [name@server ~]$ sudo a2enmod ssl
   [name@server ~]$ sudo service apache2 restart
   

2. Create a Self-Signed SSL Certificate
   

   [name@server ~]$  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt
   

   If you are asked for a pass phrase this likely means you missed the -node option, please reissue the command checking it carefully against the above. This command will ask you a series of questions. Below is a list of the questions with example responses:

    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:Nova Scotia
    Locality Name (eg, city) []:Halifax
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Compute Canada
    Organizational Unit Name (eg, section) []:ACENET
    Common Name (e.g. server FQDN or YOUR name) []:XXX-XXX-XXX-XXX.cloud.computecanada.ca
    Email Address []:<your email>
   

   The most important question to answer is the "Common Name" question which should be the domain name of your server. In the case of a virtual machine on Compute Canada's cloud it should looks similar to the example response except that the X's should be replace with the floating-IP associated with the virtual machine.

3. Set Ownership and Permissions
   Set the correct ownership and permissions of the private key with:

   [name@server ~]$ sudo chown root:ssl-cert /etc/ssl/private/server.key
   [name@server ~]$ sudo chmod 640 /etc/ssl/private/server.key
   

4. Configure Apache to use the Certificate
   Edit Apache's ssl configuration file with
   

   [name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
   

   and change the lines

   SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
   

   to

   SSLCertificateFile      /etc/ssl/certs/server.crt
   SSLCertificateKeyFile /etc/ssl/private/server.key
   SSLCertificateChainFile /etc/ssl/certs/server.crt
   

Also ensure that the DocumentRoot path matches that set in your /etc/apache2/sites-available/000-default.conf file provided that is the site you wish to apply the SSL to.
5. Tighten Security
   Force all http traffic to https, require more modern versions of SSL, and use better cipher options first by editing the file with
   

   [name@server ~]$ sudo vim /etc/apache2/sites-available/default-ssl.conf
   

   and adding

    ServerName XXX-XXX-XXX-XXX.cloud.computecanada.ca
    ServerAlias www.XXX-XXX-XXX-XXX.cloud.computecanada.ca
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
    SSLHonorCipherOrder on
   

   at the bottom of the entry inside the <VirtualHost> tag replacing the XXX-XXX-XXX-XXX with your VM's IPs (note the '-' are needed in place of '.'). Also put a redirect directive on our virtual host by editing the default website configuration file with:

   

   [name@server ~]$  sudo vim /etc/apache2/sites-available/000-default.conf
   

   and adding the line

   Redirect permanent / https://XXX-XXX-XXX-XXX.cloud.computecanada.ca
   

   inside the <VirtualHost> tag.

6. Enable the SSL-enabled website
   

   [name@server ~]$ sudo a2ensite default-ssl.conf
   [name@server ~]$ sudo service apache2 restart