This is gonna be quite a simple tutorial that should be the same (excluding pathing and apt) across other Linux distros.
Installation
First off we’ll get Apache and mod_ssl install
sudo apt-get install apache2
SSL should be enabled by default, if not run the following
sudo a2enmod ssl
SSL certificate
There are several ways of doing this, the first you need to figure out is if you want a self signed certificate or one signed by a provider like GeoTrust, this type is not free. In this article I’ll cover both, starting with self signed.
Self signed
sudp mkdir /etc/apache2/ssl
sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Provider signed
Please note, this type of certificate has to be paid for, prices at time of writing range from £15/year to £2,000/year.
There are actually some more options when it comes to generating a key for this CRT, the first way creates a key that does not require a passphrase, the second way requires a passphrase and, unless you make a special change to your Apache config along with a small bash script (will go through later) will ask you for the passphrase for each key every time you restart Apache.
Without a passphrase
openssl genrsa -out DOMAINNAME.key 4096
With a passphrase
openssl genrsa -des3 -out DOMAINNAME.key 4096
Replace DOMAINNAME with your domain name, I find this makes it much easier if all of my certs and keys are named accordingly, but that’s just me. I also generally use at least a 4096bit modulus, feel free to change this to whatever you wish, some signers will only take a key of a specific size.
Next up is actually generating the CSR from the key.
openssl req -new -key DOMAINNAME.key > DOMAINNAME.csr
As a note, it’s very badly wordly but COMMON NAME is the actual fully qualified domain name that you want to use SSL on, if your domain name is example.com and you want this to work on www.example.com but did not buy a wildcard certificate then put www.example.com as your Common Name.
Once generated, send this off to your signer and they will send you a CRT in return.
Once you have your CRT it’s time to put them on the server, move your key file to Debian’s SSL directory.
Put your CRT on the server and move it to Debian’s SSL directory too.
Apache configuration
First thing we need to do is check your Apache ports.conf file to make sure SSL is enabled.
It should have the following at the bottom.
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
</IfModule>
Now that’s sorted we’ll move on to your actual virtualhost.
sudo nano /etc/apache2/sites-available/DOMAINNAME.conf
We’ll use a config template I’ve always used, feel free to edit it at need.
<VirtualHost *>
ServerAdmin webmaster@DOMAINNAME
ServerName DOMAINNAME
DocumentRoot /var/www/DOMAINNAME
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/DOMAINNAME>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@DOMAINNAME
ServerName DOMAINNAME
DocumentRoot /var/www/DOMAINNAME
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/DOMAINNAME>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
If you used the self signed approach then the above SSLCertificateFile will be correct, if not replace it with what is shown below.
SSLCertificateFile /etc/ssl/certs/DOMAINANE.crt
SSLCertificateKeyFile /etc/ssl/private/DOMAINNAME.key
If you received a bundle file as well as your domains CRT then copy it to /etc/ssl/certs/ on your server and add the following line after SSLCertificateKeyFile.
SSLCertificateChainFile /etc/ssl/certs/DOMAINNAME.bundle.crt
Save and exit, with that done we need to enable the site.
sudo a2ensite DOMAINNAME.conf
If you used a self signed certificate or passphrase-free key, this should be all you need to do, feel free to test your config and restart Apache and test your site.
sudo apache2ctrl configtest
sudo /etc/init.d/apache2 restart
If you used a key with a passphrase you will either have to type your passphrase in each time you restart Apache or, use this wonderful Apache supported “hack” below…
The nasty SSL passphrase hack…
sudo nano /etc/apache2/apache2.conf
Place the following at the end of the file
SSLPassPhraseDialog exec:/etc/apache2/ssl.sh
Now we need to create this bash file, so…
sudo nano /etc/apache2/ssl.sh
Place the following in it
#!/bin/bash
if [ $1 = 'DOMAINNAME:443' ]; then
echo "PASSPHRASE"
fi
This is actually supported by Apache, when it’s restarted it will call this script for every SSL virtualhost you have enabled, passing the hostname and the port through to the script as $1, so you can add multiple sites to this file.
Now save and make it only usable by root.
sudo chmod 0700 /etc/apache2/ssl.sh
sudo chown root:root /etc/apache2/ssl.sh
Now we can follow the config test and restart call from above.
sudo apache2ctl configtest
sudo /etc/init.d/apache2 restart
And that is it, we should be done!