Deploying SSL certificates on Apache Server.

Gaurav, published in theserverfault, Dec 6, 2019

Security is an important part of development when you decide to go into production. As a backend developer, adding SSL certificates to your endpoints is the most basic thing you can do to secure your production API endpoints. SSL adds end-to-end encryption to the data you send over HTTP, making it secure HTTP, hence the name “HTTPS”.

I have had a hard time figuring out how to deploy my SSL certificates onto my Apache server that is hosted on another web host. So after trying so hard and searching for a few references on the internet, I came to a solution and so I decided to put it into a blog post. Deploying the SSL is not as hard as it sounds. The process of deploying certificates is a pretty simple two-way step.

Suppose you already have a website, say http://mywebsite.com, running on a web server that you have shell access to, and you want to secure it with SSL so that the endpoint becomes https://mywebsite.com. You will need to purchase an SSL certificate subscription. DigiCert and GoDaddy are the most famous providers you can consider. I will use GoDaddy for this blog post because I already have an SSL certificate purchased on GoDaddy and I can use that to demonstrate the steps.

Requesting the new certificate

After purchasing the SSL certificate, you need to request the certificate for the website domain, which is http://mywebsite.com in our case. To request it you need a certificate signing request (CSR), which contains the information about your target domain and is used as the input for generating the SSL certificate. There are two ways to generate the CSR.

  1. You can use the GoDaddy SSL wizard to request a new certificate. This wizard will also create the CSR and a private key for your SSL certificate.
  2. You can use the standard SSL commands to generate the CSR on the server console, after logging into the server terminal over SSH. This is the preferred method because the key file is created directly on the server; with the first method you might need to copy it to the server later.

Generating the CSR

I will be using the second method to generate the CSR on the server:

  1. Log into the server terminal.
  2. Since you are configuring SSL for the Apache server, go to the Apache configuration directory:

sudo bash
cd /etc/apache2/sites-available

3. Create a configuration file for your application.

touch mywebsite.conf
nano mywebsite.conf

4. Add your VirtualHost configuration.

<VirtualHost *:80>
    ServerName www.mywebsite.com
    ServerAdmin webmaster@localhost
    # Reverse proxy only: forward-proxy requests stay disabled
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    ProxyPass / http://localhost:8001/
    <Proxy *>
        Require all granted
    </Proxy>
    # Inside <Location>, ProxyPass and ProxyPassReverse take no path argument
    <Location /development>
        ProxyPass http://localhost:3000
        ProxyPassReverse http://127.0.0.1:3000
    </Location>
    <Location /admin>
        ProxyPass http://localhost:8002
        ProxyPassReverse http://127.0.0.1:8002
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log
    CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined
</VirtualHost>

A site is deployed by creating a symlink from sites-available into sites-enabled, and un-deployed by removing that link. Apache loads everything in sites-enabled whenever it starts.
Link the config file into the enabled Apache configurations:

ln -s /etc/apache2/sites-available/mywebsite.conf /etc/apache2/sites-enabled/

Testing the configurations:

apachectl configtest

Now restart apache to discover your website services:

apachectl restart

or

service apache2 restart

5. Now, in this directory, run the command that generates the CSR and a private key that we will later use to configure SSL on the Apache server.

openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr

Replace “mywebsite” with the domain of your website, for example “facebook.key” and “facebook.csr”.

This command will generate 2 files:

  • A private .key file, which will be needed in the .conf configuration file.
  • A .csr file, which will be needed to generate the SSL certificate.

Request the certificate with existing CSR

GoDaddy has an option to request an SSL certificate when you already have a CSR. That is one of the reasons we chose the second method to generate the CSR: you might need to regenerate the SSL certificate for another domain, in which case the first method won’t work and you’ll have to use the second method to generate the CSR.

  1. On the certificate setup page, input a CSR.
  2. If you already own a certificate and are doing the rekey process, select the SSL key and choose the rekey and Manage option.
  3. Input the generated CSR and click Save. After this, you might need to perform domain verification (if not done already). This simply requires you to verify that you are the actual owner of the domain you are requesting SSL for. It is typically done by adding a verification ID to the domain name record, using the value generated by GoDaddy. Set the minimum TTL, i.e. 600 seconds, and wait until GoDaddy automatically verifies the domain. After the verification is done, GoDaddy will allow you to download the SSL certificates, which are distributed as a .zip file.
  4. On extracting the zip file, you will find 3 files:

  • *.crt file provided by GoDaddy.
  • *.bundle.crt file provided by GoDaddy.
  • *.pem key file.

You will need both of the *.crt files in the configuration file, along with the .key file that you got when generating the CSR.

Renaming and Moving the file to the server

After downloading, we move the .crt files to the server. I will use the scp command to copy files to the server over SSH.

Rename the files to:

  • mywebsite.com.crt for the *.crt file.
  • mywebsite.bundle.crt for the *.bundle.crt file.

Move the files to the server folder:

sudo scp *.crt root@host:/etc/apache2/sites-available/

You will need root permission over SSH to move files to the /etc/apache2/sites-available/ directory. Replace host with your server host name; scp will prompt for the password in the next step.

This will copy the .crt files to the /etc/apache2/sites-available/ directory on the server.
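
A check worth running before Apache is pointed at these files, as an added example that is not part of the original post: it confirms that the key, the CSR and the certificate contain the same public key and that the key is not readable by group or others. The function names, the temporary directory and the self-signed certificate standing in for the GoDaddy-issued one are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm key, CSR and certificate belong together before
# Apache is pointed at them. File names follow the post's naming scheme.

# Print the SHA-256 of the public key inside a key, CSR or certificate.
pubkey_hash() {
    case "$1" in
        key)  set -- pkey -in "$2" -pubout ;;
        csr)  set -- req -in "$2" -noout -pubkey ;;
        cert) set -- x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac
    pub=$(openssl "$@" 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only if all three files carry the same public key and the
# private key is inaccessible to group and others.
check_ssl_files() {
    k=$(pubkey_hash key "$1")  || { echo "unreadable key: $1"; return 1; }
    r=$(pubkey_hash csr "$2")  || { echo "unreadable CSR: $2"; return 1; }
    c=$(pubkey_hash cert "$3") || { echo "unreadable certificate: $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || { echo "key is group/world accessible"; return 1; }
    echo "key, CSR and certificate match"
}

# Constructed sample data: a throwaway key and CSR made with the post's
# command, plus a self-signed certificate standing in for the issued one.
make_sample() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mywebsite.com" \
        -keyout "$dir/mywebsite.key" -out "$dir/mywebsite.csr" 2>/dev/null &&
    openssl req -x509 -new -key "$dir/mywebsite.key" -days 1 \
        -subj "/CN=mywebsite.com" -out "$dir/mywebsite.com.crt" 2>/dev/null &&
    chmod 600 "$dir/mywebsite.key"
}

tmp=$(mktemp -d)
make_sample "$tmp" &&
    check_ssl_files "$tmp/mywebsite.key" "$tmp/mywebsite.csr" "$tmp/mywebsite.com.crt"
rm -rf "$tmp"
```

On the server, call check_ssl_files with the three real paths under /etc/apache2/sites-available/ and resolve any reported mismatch before restarting Apache.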

SSL configurations for the apache config file

Finally, we will configure the apache configuration file to enable the SSL in the Virtual host.

nano /etc/apache2/sites-available/mywebsite.conf

and now your configuration will look like:

<VirtualHost *:80>
    ServerName www.mywebsite.com
    # Trailing slash matters: without it /path is redirected to https://mywebsite.compath
    Redirect permanent / https://mywebsite.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.mywebsite.com
    ServerAdmin webmaster@localhost
    SSLEngine on
    # Relative paths are resolved against ServerRoot (/etc/apache2 on Debian/Ubuntu)
    SSLCertificateFile sites-available/mywebsite.com.crt
    SSLCertificateKeyFile sites-available/mywebsite.key
    # Obsolete since Apache 2.4.8, where the chain can be appended to SSLCertificateFile instead
    SSLCertificateChainFile sites-available/mywebsite.bundle.crt
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    ProxyPass / http://localhost:8001/
    <Proxy *>
        Require all granted
    </Proxy>
    # Inside <Location>, ProxyPass and ProxyPassReverse take no path argument
    <Location /development>
        ProxyPass http://localhost:3000
        ProxyPassReverse http://127.0.0.1:3000
    </Location>
    <Location /admin>
        ProxyPass http://localhost:8002
        ProxyPassReverse http://127.0.0.1:8002
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log
    CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined
</VirtualHost>

Restart the server

Use the following command to restart the apache server

apachectl restart

or

service apache2 restart

You’ll see that now not only will https://mywebsite.com start working, but visiting http://mywebsite.com will also redirect you directly to https://mywebsite.com. You’ll also start seeing the fancy security lock at the top of your web browser.

If you have any doubts, do let me know in comments section. I would be happy to help you out. Also if you need help related to any other web server, say nginx, tomcat, etc. Let me know in the comments. I will help you out or create another post for that. Till then, Happy coding and happy security.

