Setting up HTTPS on your Ubuntu Server
June 5, 2008 – 9:27 pm
One of my duties as a sysadmin for Wikimedia is to install our ssl keys for our https servers. Now, this is something that is fairly easy to do, and once you do it once, doing it later is simple. However, I found the first time I did this to be painful, as different instructions were outdated, incorrect, or just did not specify things for my versions of the software. Thus, I am writing down how I did this for the masses on the following:
- Ubuntu 7.10
- Apache 2.2
- OpenSSL 0.9.8e
You will want both apache and openssl installed. You can do this by:
apt-get install apache2 openssl
This walkthrough will NOT walk you through getting apache working, sorry. It will let you generate private keys, the CSR to submit to an SSL signer and/or generate your own SSL signature.
First, generate the private key. To make it encrypted with a password (this requires user entry upon apache restart):
openssl genrsa -des3 -out domainname.key 1024
To make it without the password:
openssl genrsa -out domainname.key 1024
Now, you need to generate the CSR. If you made the key with a password, be prepared to type it in when prompted. You also get to type in that password whenever you restart apache (good times). When you create the CSR, the stuff you put in here isn’t all that important, EXCEPT for the common name. If the website you are making a ssl certificate for is for say, blog.robhalsell.com, then that is what I would put in for the common name.
openssl req -new -key domainname.key -out domainname.csr
If you want to verify the contents of the CSR:
openssl req -noout -text -in domainname.csr
Now, when the SSL vendor asks for your CSR, just do the following:
cat domainname.csr
Then copy and paste the entirety of the file to the vendor.
Now, perhaps you want to enable HTTPS on your server just for the secure back and forth of your information. That is fine, then you really may not need to pay someone to generate/assign you a SSL Certificate. The drawback of not doing it with a vendor is the browsers that folks use to hit your site may give them all kinds of warnings about the certificate being unverified. If that is not a big deal, and you really only want the SSL enabled to secure the transactions of data (like say folks logging into your blog or whatever) you can sign your own key, and generate your own certificate as follows:
openssl x509 -req -days 365 -in domainname.csr -signkey domainname.key -out domainname.crt
This generates a certificate good for 365 days. You can of course make that longer or shorter.
If you used a vendor, they will email you with your certificate. Make sure you create the certificate file on your server (the post uses both server.crt and domainname.crt; whichever name you pick has to match the SSLCertificateFile path you put in your Apache config), and paste the contents of the certificate EXACTLY including all the dashes before and after it. If you fail to do this, well, you get to deal with it.
You will want to move your certificate file and your key file into their new homes on your server. Some folks choose to put these in the same file, I am not one of those folks. With my install of openssl, it made /etc/ssl. In /etc/ssl/ there is certs/ and private/.
Put your domainname.crt in the /etc/ssl/certs/ directory. Put your private key file (domainname.key) in /etc/ssl/private/. Also, at this juncture, BACK UP YOUR PRIVATE KEY AND YOUR CERTIFICATE FILE OR YOU WILL BE SORRY WHEN YOUR HDD CRASHES IN THE SERVER. Seriously, back that crap up. If you signed your own keys, it's not that big a deal, you can just reissue them. If you paid someone to sign them, well, they may charge you (you can get reissue insurance with many vendors, which is a nice way of saying ‘I want to pay you for this because I am too foolish to back up my own crap.’)
Once you move the files, you get to play in the apache virtual host files. Again, this is not about how to setup Apache, just add HTTPS to it.
First, enable the ssl.conf and ssl.load. Go into your /etc/apache2/mods-enabled. Check and see if they are there (hint, the command is ls). If they are not, do the following (which worked on my server, your results may vary):
cd /etc/apache2/mods-enabled
ln -s ../mods-available/ssl.conf ssl.conf
ln -s ../mods-available/ssl.load ssl.load
That tells apache to load the SSL module when you restart it. (I am honestly not sure if you just need the .load or the .load and .conf. I put both, but I am wrong an awful lot. ;)
Now, time to edit /etc/apache2/ports.conf. Make sure it has Listen 443. You can be fancy and have it only enable port 443 if you have the ssl module loaded. Here is my file:
Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Of course, by ‘my file’ I mean the default one that was installed when I installed Apache.
Now, time to edit your Virtual Hosts files, you will want to add in all the virtual host goodness you already have, plus the following:
<VirtualHost www.yourdomain.com:443>
# All the crap that was in my original VH file; I put the SSL crap after the DocumentRoot declaration.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
# All the other crap in my original VH file following the DocumentRoot declaration.
</VirtualHost>
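As an added example (not code from the original post), here is a small sh script that does the key/CSR/self-signed-certificate steps above non-interactively, and then checks a vhost file the way you would want to before restarting Apache: do the SSLCertificateFile and SSLCertificateKeyFile paths exist, and does the certificate really belong to that private key? It goes beyond the post in using a 2048-bit key and `-subj` instead of the prompts; it assumes `openssl` is on PATH, and the hostnames and directories are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the key/CSR/cert
# the way the post does (non-interactively, 2048-bit) and then checks an
# Apache vhost file the way you would before "apache2ctl restart":
# do the SSLCertificateFile/SSLCertificateKeyFile paths exist, and do
# the certificate and private key actually belong together?
# Assumes openssl on PATH; hostnames and directories are placeholders.
set -eu

make_self_signed() {   # host outdir [days]
    host="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir"
    openssl genrsa -out "$outdir/domainname.key" 2048 2>/dev/null
    # -subj skips the prompts; the CN is the only field that matters
    openssl req -new -key "$outdir/domainname.key" -subj "/CN=$host" \
        -out "$outdir/domainname.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$outdir/domainname.csr" \
        -signkey "$outdir/domainname.key" -out "$outdir/domainname.crt" 2>/dev/null
    chmod 600 "$outdir/domainname.key"   # private key readable by its owner only
}

# Pull a directive's value out of a vhost file (first match wins).
directive() { sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | head -n 1; }

# Returns 0 only if both files exist and the public key inside the cert is
# the one derived from the private key; a mismatch is a classic reason
# Apache refuses to come back up after files are renamed or copied around.
check_vhost() {   # vhostfile
    crt=$(directive SSLCertificateFile "$1")
    key=$(directive SSLCertificateKeyFile "$1")
    [ -f "$crt" ] && [ -f "$key" ] || return 1
    crtpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null | openssl sha256)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crtpub" ] && [ "$crtpub" = "$keypub" ]
}
```

Current browsers also expect a subjectAltName matching the host, which neither the post's commands nor this script add, so a self-signed certificate made this way will still be flagged by them.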
Now, just restart Apache. You can do this with whatever means you like:
apache2ctl restart
-or-
/etc/init.d/apache2 restart
-or-
Whatever, reboot your damned server if you are too lazy to use the two above examples.
Now, when you go to https://domainname.whatever, you will load up with HTTPS/SSL, yay! This will ensure security and whatnot for password and other client/server transactions.
If this even helps one damned person set up HTTPS on their server, then it was worth it. All the instructions I see out there tend to overlook something, and mine is no exception to that fact. I am quite certain that my instructions will not work for everyone. Like so many other things on the web, it's about collating the data and using what you find.
5 Responses to “Setting up HTTPS on your Ubuntu Server”
What if I want both http and https for my virtual host? What do I put in my thingy? Or should I copy/paste the entire :80 virt host directive, and change the 80 to 443? Isn’t there a more simple solution?
By arne on Jul 28, 2008
You do have to copy the virtual host entry, but you do NOT need to repeat each and every option. You only need to repeat the options that DIFFER. So on my server, I have a large 80 virtual host entry, and a 5 line 443 virtual host entry.
I will followup with an example later, just a bit slammed at the moment.
By RobH on Jul 30, 2008
Thanks for the tutorial. I tried this on an Ubuntu 8.04.1 LTS server running in Amazon EC2 with a self-signed certificate. I did a simple test with a static web page. I had only one problem.
I ended up having to copy the DocumentRoot directive into the vhost container. I am researching this, but have no answer yet.
By jdMelton on Sep 11, 2008
Hi Rob
Thanks for a great toot, best I’ve found.
Unfortunately I seem to have hit a snag - when I run apache2ctl restart right at the very end I get no errors but my webserver doesn’t come back up.
Taking the three lines referencing the SSL cert seems to fix this:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
But obviously then my url doesn’t work as the SSL key isn’t being called.
Any idea where I could’ve gone wrong - is there any further configuration needed in the openssl.cnf file?
I’m running on Ubuntu 8.04 x64 - cheers
By Simon on Sep 30, 2008
Actually, using a crt file I generated myself the webserver doesn’t fail to come back up but the SSL connection still fails, Opera states:
Secure connection: fatal error (552)
By Simon on Sep 30, 2008