This article describes what needs to be done to have an SSL (HTTPS) enabled site on CentOS 4.5. It should work on other distributions as well, but I have not tested them. Prerequisites:
- Apache 2 web server installed
- OpenSSL installed and working
- A registered domain name (if you do not have one yet, buy one from a registrar such as GoDaddy)
- Generate an RSA private key. Use 2048 bits: 1024-bit RSA keys are no longer accepted by public CAs or by current browsers. This file is the secret that everything else rests on, so keep it readable by root only (chmod 600) and never send it anywhere.
openssl genrsa -out my.key 2048
- Generate a CSR (Certificate Signing Request). The CSR is signed with the private key my.key from the previous step, which is how the CA later knows the request belongs to the holder of that key. You must fill in at least the Common Name, which is the fully qualified hostname your visitors will type (your.domain.com in the transcript below); the other fields can be left at their defaults.
openssl req -new -key my.key -out mysite.csr
Country Name (2 letter code) [GB]:SG
State or Province Name (full name) [Berkshire]:Singapore
Locality Name (eg, city) [Newbury]:Singapore
Organization Name (eg, company) [My Company Ltd]:NA
Organizational Unit Name (eg, section) :NA
Common Name (eg, your name or your server’s hostname) :your.domain.com
Email Address :firstname.lastname@example.org
Now take mysite.csr to a certificate authority (CA) to have it signed; the CA returns your SSL certificate. Only the CSR leaves your machine, the private key stays on the server.
I used a free certificate authority, CAcert.org, which is well regarded in the open source community. The catch is that mainstream browsers and operating systems do not ship the CAcert root in their trust stores, so first-time visitors get a certificate warning. Teaching visitors to click through that warning is poor practice, because the very same warning is what they would see if someone in the path were presenting a forged certificate. The better fix is to have them import the CAcert root certificate (downloadable from cacert.org) into their browser's trust store once; the warning then disappears and the certificate is actually verified. For a site only you use, a self-signed certificate imported the same way works just as well.
- First sign up for a CAcert account. Once that is done, go on to the next step.
- Click "Domains -> Add".
- Enter your domain in the text box provided.
- CAcert verifies that you control the domain by sending an email to the address registered for it. Open the mail and click the link CAcert sent you.
- Click "Server Certificate -> New" to request a certificate for your site.
- Open the CSR file mysite.csr you created above, paste its whole contents (including the BEGIN and END CERTIFICATE REQUEST lines) into the text box provided and click Submit.
- CAcert displays the signed certificate. Copy it into a file named mysite.crt (the name can be anything; just use the same name in the Apache configuration).
- Configure the SSL options in httpd.conf (on Debian and Ubuntu, in a site file under /etc/apache2/sites-available). A minimal SSL virtual host listens on port 443, has SSLEngine on, and points SSLCertificateFile at mysite.crt and SSLCertificateKeyFile at my.key.
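As an added example (not the post's own configuration), here is a minimal pair of virtual hosts: a plain-HTTP host whose only job is to redirect everyone to HTTPS, and the SSL host itself. The paths under /etc/apache2/ssl/, the ServerName your.domain.com and the DocumentRoot are assumptions; the key and certificate are the my.key and mysite.crt produced in the steps above.

```apache
# Added example, not from the original post.  Assumed layout: key and
# CAcert-issued certificate copied to /etc/apache2/ssl/, site content in
# /var/www/mysite.  Needs mod_ssl loaded (a2enmod ssl on Ubuntu) and a
# "Listen 443" in ports.conf.

# Plain HTTP: accept nothing here, just send every request to the SSL host.
<VirtualHost *:80>
    ServerName your.domain.com
    Redirect permanent / https://your.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName your.domain.com
    DocumentRoot /var/www/mysite

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/mysite.crt
    # The private key: root-only permissions (chmod 600), never inside DocumentRoot.
    SSLCertificateKeyFile /etc/apache2/ssl/my.key
    # If the CA handed you an intermediate certificate, serve it as well;
    # otherwise clients that hold only the CA's root cannot build the chain.
    # SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt

    # Refuse the broken protocol versions and anonymous/weak cipher suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    ErrorLog  /var/log/apache2/mysite-ssl-error.log
    CustomLog /var/log/apache2/mysite-ssl-access.log combined
</VirtualHost>
```

Run apache2ctl configtest before reloading; a typo in the certificate path or a key that does not match the certificate shows up there rather than as a dead site. The redirect host is what lets you tell people "just type the domain" while still never serving content over plain HTTP.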
Ubuntu Feisty has a bug where the apache2-ssl-certificate command is missing from the Apache packages. This is a well documented bug. Here is the file you need to download to work around it and create a self-signed certificate. After downloading, follow the notes below to copy the files to where the script expects them.
- Extract the package
- Put ssleay.cnf in /usr/share/apache2/
- Put apache2-ssl-certificate in /usr/sbin and make it executable
- Create the /etc/apache2/ssl directory
The apache2-ssl-certificate script should now work. Follow this link if you want to know how to use it.
First get OpenSSL installed on the server:
sudo apt-get install openssl
This installs the OpenSSL version packaged and tested for the Ubuntu release you are running; on Ubuntu 7.04 (Feisty) that is OpenSSL 0.9.8. If you need a different version, you have to name it explicitly when installing (apt-get install openssl=<version>), and only versions present in the repositories are available that way.
Creating a Self-Signed (Private) Root Certificate
A brief primer on certificates in layman's terms.
Suppose a client C wants to connect to a server S for some transaction. C wants to be sure it is really talking to S. There are several ways to achieve this, but the most common is digital certificates. Without going into the theory behind them: assume S has a certificate. When C connects, S sends its certificate. The catch is how C can trust that the certificate really belongs to S and not to someone sitting in between. If C and S already know each other (C obtained a copy of S's certificate through some other trusted channel), trust is established directly. Where C and S do not know each other, a third party, a certificate authority (CA) trusted by both, vouches for S by signing S's certificate; C checks that signature against the CA's own certificate, which it already holds in its trust store.
Difference Between Self-Signed Certificates and Certificates from Recognized CAs
The main difference is that with a self-signed certificate there is no third party involved: the certificate is signed with its own key, so it vouches only for itself. A client that has not obtained that certificate in advance has nothing to check it against, and anyone between client and server could present a self-signed certificate of their own. That is the risk when you connect to a server whose self-signed certificate you have not verified through some other channel. Technically the certificates are identical: one you sign privately uses the same format and the same cryptography as one signed by a commercial CA such as VeriSign (assuming you create it properly). What differs is only whose signature is on it, and whether that signer is already in the client's trust store.
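The key, CSR and certificate steps of the how-to above and the trust argument of this primer come together in the following added example, which is not the post's own code. It generates the server key and CSR non-interactively, stands up a private root CA of the kind this section is about, signs the CSR with it (the role CAcert played in the how-to), and then runs the checks worth doing before the files go anywhere near Apache: that the CSR's signature is good, that the issued certificate really belongs to the key, and that a client trusting the CA accepts the certificate while one that does not rejects it. It assumes the openssl command-line tool is installed; the subject fields, file names, CA name and scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes the openssl CLI on PATH.
# Subject fields, file names and the CA name are constructed; all output goes
# under $WORK (a fresh temporary directory unless you set WORK yourself).

WORK="${WORK:-$(mktemp -d)}"

# 1. Server key and CSR.  -subj replaces the interactive prompts shown above.
#    2048 bits: 1024-bit RSA keys are no longer accepted by public CAs or browsers.
make_key_and_csr() {
    openssl genrsa -out "$WORK/my.key" 2048 2>/dev/null &&
    openssl req -new -key "$WORK/my.key" -out "$WORK/mysite.csr" \
        -subj "/C=SG/ST=Singapore/L=Singapore/O=NA/CN=your.domain.com" 2>/dev/null
}

# The CSR carries a signature made with my.key; check it before uploading it.
csr_verifies() {
    openssl req -in "$WORK/mysite.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# Reports the key size (e.g. "2048 bit") by parsing the key's text dump.
key_bits() {
    openssl rsa -in "$WORK/my.key" -noout -text 2>/dev/null |
        grep -o '[0-9][0-9]* bit' | head -n 1
}

# 2. Private root CA: a self-signed certificate whose key will sign server certs.
#    This stands in for CAcert.org; clients must import ca.crt to trust it.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Home Private Root CA" 2>/dev/null
}

# 3. Act as the CA: turn the CSR into a certificate, the step CAcert performed.
sign_csr() {
    openssl x509 -req -in "$WORK/mysite.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/mysite.crt" 2>/dev/null
}

# 4a. The certificate must belong to the key Apache will load: compare RSA moduli.
cert_matches_key() {
    k=$(openssl rsa  -in "$WORK/my.key"     -noout -modulus 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$WORK/mysite.crt" -noout -modulus 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 4b. A client whose trust store holds ca.crt accepts the server certificate...
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/mysite.crt" >/dev/null 2>&1
}

# 4c. ...and one whose store lacks the CA (here it holds only the leaf itself)
#     rejects it: this is the browser warning described above, reproduced.
untrusted_client_rejects() {
    ! openssl verify -CAfile "$WORK/mysite.crt" "$WORK/mysite.crt" >/dev/null 2>&1
}

run_all() {
    make_key_and_csr && csr_verifies && make_ca && sign_csr &&
    cert_matches_key && chain_verifies && untrusted_client_rejects
}

if run_all; then
    echo "OK: $(key_bits) key, CSR verified, certificate signed by private CA, chain checks pass"
    echo "files in $WORK: copy my.key and mysite.crt to /etc/apache2/ssl/ and chmod 600 my.key"
else
    echo "FAILED" >&2
    exit 1
fi
```

The modulus comparison in cert_matches_key is the check to run whenever Apache refuses to start with a key/certificate mismatch error, and it works the same way for a CAcert-issued certificate: only the certificate file changes. The last two functions are the whole trust story in two commands: the same certificate is fine or fatal depending solely on what is in the verifier's trust store.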
Note: This write-up describes how I wanted to run my home server and how I did it. The description therefore focuses heavily on settings specific to my requirements, but you may find bits and pieces useful.
How I Want to Run My Home Server
The home server shall serve the following:
- Three virtual hosts, each serving a different audience. One of the three is a pure HTTPS host for remote server administration.
- Redirect to an SSL connection, with Basic user/group authentication, whenever anyone follows the File Repository or Image Gallery link on my home page.
- Home server administration (phpMyAdmin, blog configuration) allowed only from within the local network.
How I Went About Setting Up the Home Server to Achieve My Goal
1. Installing the LAMP stack
I installed Ubuntu Server Edition, which offers the option to install the LAMP stack during installation. Choose it; it saves you the trouble of configuring the pieces later.
2. Setting the root password for the MySQL database
The default LAMP installation leaves the MySQL root account without a password. Set one right away: otherwise anyone who can reach the database server can log in as root unauthenticated, and since phpMyAdmin by default refuses logins with an empty password, you will not be able to log in as root and create databases from it either.
3. Installing phpMyAdmin
Ubuntu has a nice way of installing new packages. All I did was:
sudo apt-get update
sudo apt-get install phpmyadmin
Voilà! phpMyAdmin was downloaded from the Ubuntu repositories and installed automatically. The automatic installation has one catch: phpMyAdmin is hooked into Apache's DocumentRoot. If the DocumentRoot is /var/www, a symbolic link to phpMyAdmin is created there, so the phpMyAdmin login page appears for anyone who types www.yourdomain.com/phpmyadmin, on every virtual host. That is the administration interface to your database exposed to the whole Internet, so you need to be careful. Read further down for how I handle phpMyAdmin.
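An added example (not the author's configuration) of the two controls the goals above call for: restricting /phpmyadmin to the local network, and requiring SSL plus Basic user/group authentication for the file repository and gallery. The LAN range 192.168.1.0/24, the htpasswd/htgroup paths, the group name and the content paths are assumptions.

```apache
# Added example, not the author's configuration.  Assumptions: the LAN is
# 192.168.1.0/24, users are in /etc/apache2/htpasswd, groups in
# /etc/apache2/htgroup, protected content under /var/www/mysite.
# Syntax is Apache 2.0/2.2; on 2.4 replace the Order/Deny/Allow lines with
# "Require ip 127.0.0.1 192.168.1.0/24" and the auth block's Require stays.

# phpMyAdmin is reachable under every virtual host, so restrict the URL itself
# in the global server config rather than in one vhost.
<Location /phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.0/24
</Location>

# Inside the plain-HTTP (*:80) virtual host: bounce the protected links to SSL
# so the login prompt is never offered over an unencrypted connection.
Redirect permanent /files   https://your.domain.com/files
Redirect permanent /gallery https://your.domain.com/gallery

# Inside the *:443 virtual host: refuse plain HTTP outright and require a login.
<Directory /var/www/mysite/files>
    # Basic auth sends the password (base64, not encrypted) on every request;
    # SSLRequireSSL guarantees that only ever happens inside TLS.
    SSLRequireSSL
    AuthType Basic
    AuthName "Home File Repository"
    AuthUserFile  /etc/apache2/htpasswd
    AuthGroupFile /etc/apache2/htgroup
    Require group family
</Directory>
```

Create the first user with htpasswd -c /etc/apache2/htpasswd alice and further users without -c (which would overwrite the file); the group file is plain text, one line per group such as "family: alice bob". Keep both files outside the DocumentRoot, run apache2ctl configtest, then reload. The Location block relies on the source address, so it protects against the Internet but not against a compromised machine on the LAN; phpMyAdmin's own login is still the second layer.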
4. Creating Directory structures