
Enabling SSL On Your Webserver

In this tutorial I will describe how to enable SSL on an Apache2 webserver running on an Ubuntu 12.04 machine. The use of SSL is necessary if the communication between client and webserver needs to be encrypted.


1. Certificate and private key creation

You may use Ubuntu’s pre-generated certificate and key to get started quickly, but it is better to create your own pair. This can be done manually as described in my article Creating a Certification Authority and a Server Certificate on Ubuntu, or you can use TinyCA, a graphical front end that makes certificate creation easy. Since TinyCA is now my preferred method, I’m going to use it for this tutorial:

  • Set a secure password for root and log in as root:
    sudo passwd
    su - root
  • Install and run TinyCA:
    apt-get install tinyca
    tinyca2
  • Set up a new CA
  • Go to the “Certificates” tab, click the right + icon and then “Create Key and Certificate (Server)”
    –> Use your webserver’s DNS name as the CN (Common Name)
  • Select your newly created certificate and click the Export button
    –> Export as PEM (e.g. apache2-cert.pem)
    –> Do not include the key
  • Go to the “Keys” tab, select the corresponding key and click the Export button
    –> Export as PEM (e.g. apache2-key.pem)
    –> If you save the key encrypted (with passphrase) you will have to enter your passphrase every time you restart Apache. To avoid this you can save it unencrypted (without passphrase). Be careful and make sure to keep your key private if you do this!
  • Go to the “CA” tab and click the left Export button to export the CA certificate. This is the one that can be installed in the client’s web browser in order to automatically trust all certificates that have been signed by your CA.
    –> Export as PEM or DER (e.g. cacert.pem)
    –> In Firefox certificates can be installed automatically by clicking on a link that leads to a PEM or DER file. Opera can do this with DER files. Internet Explorer and Chrome can’t do either of those, so the file has to be downloaded and imported manually.
  • Close TinyCA

Note: For security reasons you should not store your CA on the webserver. An extra machine without network connection should be used instead.
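Before the exported files go anywhere near Apache it is worth confirming that the certificate carries the expected CN, that the key really belongs to it, and whether the key was saved with a passphrase. The script below is an added example and not part of this tutorial or of TinyCA; it assumes the file names apache2-key.pem and apache2-cert.pem used above, a DNS name of your choosing, and that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the tutorial: sanity-check the key and certificate
# exported from TinyCA before handing them to Apache. Requires the openssl
# command-line tool. File names and the DNS name below are assumptions.

# cert_cn CERT -> prints the Common Name from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_not_expired CERT -> 0 if the certificate has not passed its notAfter date
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# key_is_encrypted KEY -> 0 if the PEM file is passphrase-protected
# (both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY" match)
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_matches_cert KEY CERT -> 0 if both carry the same public key.
# Set KEY_PASS in the environment when the key was exported with a passphrase.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -passin "pass:${KEY_PASS:-}" 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# check_exported_pair KEY CERT EXPECTED_CN -> one line per check, 0 if all pass
check_exported_pair() {
    key=$1; cert=$2; want_cn=$3; rc=0
    got_cn=$(cert_cn "$cert")
    if [ "$got_cn" = "$want_cn" ]; then
        echo "ok: CN is $got_cn"
    else
        echo "FAIL: CN is '$got_cn', expected '$want_cn' (browsers compare it with the host name)"; rc=1
    fi
    if cert_not_expired "$cert"; then
        echo "ok: certificate has not expired"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi
    if key_matches_cert "$key" "$cert"; then
        echo "ok: key matches certificate"
    else
        echo "FAIL: key does not belong to this certificate (or wrong passphrase)"; rc=1
    fi
    if key_is_encrypted "$key"; then
        echo "note: key is passphrase-protected; Apache will prompt for it on every restart"
    else
        echo "note: key is unencrypted; keep it owned by root:ssl-cert with mode 640"
    fi
    return $rc
}

# Usage: sh check-pair.sh apache2-key.pem apache2-cert.pem www.example.com
if [ $# -eq 3 ]; then
    check_exported_pair "$@"
fi
```

The public-key comparison is deliberately done on the SubjectPublicKeyInfo that both openssl commands print, so it works for RSA and EC keys alike without special-casing the modulus.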


2. Webserver configuration

Check if the server listens on port 443 when SSL is enabled. This is configured in the “/etc/apache2/ports.conf” file, which should contain the following statement by default:

<IfModule mod_ssl.c>
Listen 443
</IfModule>

Enable the SSL mod:

a2enmod ssl

Enable the SSL site. You can find all available sites in “/etc/apache2/sites-available”. By default there are “default” and “default-ssl”. The currently enabled ones reside in “/etc/apache2/sites-enabled” as symbolic links. By default “default” is enabled as “000-default”, containing the configuration for ordinary, unencrypted connections on port 80. You can either create your own new SSL site or just enable “default-ssl”:

a2ensite default-ssl

Restart the webserver:

service apache2 restart

Now you can access the webserver via HTTP (unencrypted) and HTTPS (encrypted). But the server isn’t using the custom certificate yet. To use it instead, edit the corresponding options in the “/etc/apache2/sites-enabled/default-ssl” file:

SSLCertificateFile     /etc/ssl/certs/apache2-cert.pem
SSLCertificateKeyFile  /etc/ssl/private/apache2-key.pem

Move your exported files into the corresponding directories and set the correct permissions:

# The certificate is public, so world-readable is fine
chmod 644 /etc/ssl/certs/apache2-cert.pem
# The private key: owner root, group ssl-cert (Ubuntu's group for /etc/ssl/private),
# and no access at all for other users
chown root:ssl-cert /etc/ssl/private/apache2-key.pem
chmod 640 /etc/ssl/private/apache2-key.pem

After another restart the server will be using your own certificate. If you import the cacert.pem/cacert.der file into your browser you won’t get any warning messages.
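The steps in this section touch four places (ports.conf, mods-enabled, sites-enabled and the two PEM files), and a mistake in any of them shows up only as a failed restart or a browser warning. The following script is an added example, not part of the tutorial or of Ubuntu’s Apache packaging; it re-checks each step against the tutorial’s default paths and, for testing, can be pointed at a copy of the tree through the APACHE_ROOT, KEY_OWNER and KEY_GROUP variables (all three are assumptions of this example). It relies on GNU stat, as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the tutorial: verify the section 2 configuration
# after the files are in place. Defaults are the Ubuntu 12.04 paths used in the
# tutorial; APACHE_ROOT, SITE, KEY_OWNER and KEY_GROUP can be overridden.
APACHE_ROOT=${APACHE_ROOT:-/etc/apache2}
SITE=${SITE:-default-ssl}
KEY_OWNER=${KEY_OWNER:-root}
KEY_GROUP=${KEY_GROUP:-ssl-cert}

# directive FILE NAME -> prints the value of the first uncommented NAME directive
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# listens_on_443 -> 0 if ports.conf has an uncommented "Listen 443" (optionally with an address)
listens_on_443() {
    grep -Eq '^[[:space:]]*Listen[[:space:]]+(.*:)?443([[:space:]]|$)' "$APACHE_ROOT/ports.conf"
}

# a2enmod / a2ensite create these symlinks; their presence is what Apache reads
mod_enabled()  { [ -e "$APACHE_ROOT/mods-enabled/$1.load" ]; }
site_enabled() { [ -e "$APACHE_ROOT/sites-enabled/$1" ]; }

file_mode()  { stat -c '%a' "$1"; }    # octal permissions, e.g. 640 (GNU stat)
file_owner() { stat -c '%U:%G' "$1"; } # owner:group by name

pass() { echo "ok: $1"; }
fail() { echo "FAIL: $1"; rc=1; }

# check_ssl_site -> prints one line per check, returns 0 only when all pass
check_ssl_site() {
    rc=0
    site="$APACHE_ROOT/sites-enabled/$SITE"
    if listens_on_443; then pass "ports.conf listens on 443"; else fail "no Listen 443 in ports.conf"; fi
    if mod_enabled ssl; then pass "mod_ssl enabled"; else fail "mod_ssl not enabled (a2enmod ssl)"; fi
    if site_enabled "$SITE"; then pass "site $SITE enabled"; else fail "site $SITE not enabled (a2ensite $SITE)"; return 1; fi

    cert=$(directive "$site" SSLCertificateFile)
    key=$(directive "$site" SSLCertificateKeyFile)
    if [ -r "$cert" ]; then pass "certificate $cert readable"; else fail "certificate '$cert' missing"; fi
    if [ -f "$key" ]; then
        mode=$(file_mode "$key"); owner=$(file_owner "$key")
        # 640 is the tutorial's setting; anything stricter is accepted, anything
        # that grants "other" or group write access is not
        case $mode in
            640|600|440|400) pass "key mode $mode" ;;
            *) fail "key mode $mode, expected 640" ;;
        esac
        if [ "$owner" = "$KEY_OWNER:$KEY_GROUP" ]; then
            pass "key owned by $owner"
        else
            fail "key owned by $owner, expected $KEY_OWNER:$KEY_GROUP"
        fi
    else
        fail "key '$key' missing"
    fi
    return $rc
}

# Usage: sh check-ssl-site.sh   (run as root so the key's mode can be read)
if [ "${1-}" = "run" ]; then
    check_ssl_site
fi
```

Run it once after the final restart; every FAIL line names the command or file from the section above that still needs attention.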


3. Optional webserver configuration

Remember that the server is still accessible via both protocols, HTTP and HTTPS, at this point, which might not be desired. There are some things you can do to enforce HTTPS.

3.1 Disable the default site

The easiest way would be to disable the default site:

a2dissite 000-default

Now the server will not listen on port 80 and only accept HTTPS connections.

3.2 Require SSL for particular folders

If you want to leave your default site (“/etc/apache2/sites-enabled/000-default”) enabled, you can configure it to require SSL for particular folders:

<Directory /var/www/sensitivedata>
SSLRequireSSL
</Directory>

If you try to open /sensitivedata via HTTP you will get a “Forbidden” error, but with HTTPS it will work.

3.3 Manual forward

You can create an “index.php” in your root directory (“/var/www”) with the following content:

<?php
// Send the browser to the HTTPS URL and stop here, so nothing else is served over HTTP
header("Location: https://yourserver.com/sensitivedata");
exit;
?>

If someone accesses the root folder now (via HTTP or HTTPS), they will be forwarded to /sensitivedata in HTTPS mode. However, if they access /sensitivedata directly in HTTP mode, they will not be forwarded.

3.4 Mod_Rewrite

By using mod_rewrite it is possible to define a rule that redirects every HTTP request to the same URL over HTTPS.

Enable the mod:

a2enmod rewrite

Then add this to “/etc/apache2/sites-enabled/000-default”:

<IfModule mod_ssl.c>
<IfModule mod_rewrite.c>
<Location />
RewriteEngine On
# Only touch requests that did not arrive over TLS
RewriteCond %{HTTPS} !^on$ [NC]
# Send the client to the same host and path over HTTPS. R makes the external
# redirect explicit (Apache already treats an absolute URL this way), L stops
# further rules. %{HTTP_HOST} echoes the client's Host header; put your
# ServerName there instead if you want a fixed redirect target.
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</Location>
</IfModule>
</IfModule>

If you only want to perform this automatic redirect for a particular folder you can edit the path in the Location tag accordingly. This does not work if SSLRequireSSL (see 3.2) is configured, because the access check from SSLRequireSSL rejects the plain-HTTP request with “Forbidden” before mod_rewrite gets to run.
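Whichever of the options in 3.1 to 3.4 you pick, the property you actually care about is the same: a plain-HTTP request for protected content must never be answered with the content. A quick way to confirm this from another machine is to look at the first response to “curl -sI http://yourserver.com/sensitivedata”. The script below is an added example, not part of the tutorial; it reads such a response and accepts either outcome the tutorial produces, a redirect to an https:// URL (3.3 and 3.4) or a 403 from SSLRequireSSL (3.2), and treats a closed port 80 (3.1) as a pass. The sample responses in its usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the tutorial: decide from a captured HTTP response
# header whether a plain-HTTP request was kept away from the content.
# Policy (sections 3.2 to 3.4): redirect to https:// or 403 Forbidden counts as
# enforced; anything else (typically 200 OK) does not.

# http_enforced < HEADERS -> 0 when the response redirects to https:// or is 403
http_enforced() {
    status=""; location=""
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}                      # strip the CR of CRLF line endings
        case $line in
            HTTP/*)
                status=$(printf '%s' "$line" | cut -d' ' -f2) ;;   # e.g. "302"
            [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:*)                      # header names are case-insensitive
                location=${line#*:}; location=${location# } ;;
        esac
    done
    case $status in
        301|302|307|308)
            case $location in
                https://*) return 0 ;;
            esac
            return 1 ;;                        # redirect, but not to HTTPS
        403) return 0 ;;                        # SSLRequireSSL refused the request
        *)   return 1 ;;                        # content (or something else) was served
    esac
}

# probe URL -> fetches the headers with curl and reports the verdict
probe() {
    if hdr=$(curl -sI --max-time 5 "$1"); then
        if printf '%s\n' "$hdr" | http_enforced; then
            echo "ok: $1 enforces HTTPS"
        else
            echo "FAIL: $1 is served over plain HTTP"; return 1
        fi
    else
        echo "ok: $1 not reachable over plain HTTP (port closed)"
    fi
}

# Usage: sh probe-http.sh http://yourserver.com/ http://yourserver.com/sensitivedata
for url in "$@"; do
    probe "$url"
done
```

Probe both the root URL and the protected folder: as noted for the manual forward in 3.3, a site can redirect its front page correctly while still serving a deep link over HTTP.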
