How To Set Up Apache with a Free Signed SSL Certificate on a VPS
Prerequisites
Before we get started, here are the web tools you need for this tutorial:
- Google Chrome browser
- Apache installed on your VPS (cloud server)
- A domain name you own
- Access to an email address at that domain, either:
- postmaster@duable.co
- hostmaster@duable.co
- webmaster@duable.co
StartSSL.com offers completely free verified (your users won't have to see those scary red screens saying "this site isn't trusted" anymore) SSL certificates that you can use on your website. This is a great deal as most companies charge $50-$60 for similar services. The free version is a bit tricky to set up, but it's well worth it.
To get started, browse to StartSSL.com and using the toolbar on the left, navigate to StartSSL Products and then to StartSSL™ Free. Choose the link for Control Panel from the top of the page.
Make sure you are using Google Chrome
- Choose the Express Signup. option
- Enter your personal information, and click continue.
- You'll get an email with a verification code inside it shortly. Copy and paste that email into the form on StartSSL's page.
- They will review your request for a certificate and then send you an email with the new info. This process might take as long as 6 hours though, so be patient.
- Once the email comes, use the link provided and the new authentication code (at the bottom of the email) to continue to the next step.
- They will ask you to Generate a private key and you will be provided with the choice of "High" or "Medium" grade. Go ahead and choose "High".
- Once your key is ready, click Install.
- Chrome will show a popdown that says that the certificate has been succesfully installed to Chrome.
This means your browser is now authenticated with your new certificate and you can log into the StartSSL authentication areas using your new certificate. Now, we need to get a properly formatted certificate set up for use on your VPS. Click on the Control panel link again, and choose the Authenticate option. Chrome will show a popup asking if you want to authenticate and will show the certificate you just installed. Go ahead and authenticate with that certificate to enter the control panel.
You will need to validate your domain name to prove that you own the domain you are setting up a certificate for. Click over to the Validations Wizard in the Control panel and set Type to Domain Name Validation. You'll be prompted to choose from an email at your domain, something like postmaster@yourdomain.com.
Check the email inbox for the email address you selected. You will get yet another verification email at that address, so like before, copy and paste the verification code into the StartSSL website.
Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate.
Hit continue and then enter in a secure password, leaving the other settings as is.
You will be shown a textbox that contains your private key. Copy and paste the contents into a text editor and save the data into a file called ssl.key.
When you click continue, you will be asked which domain you want to create the certificate for:
Choose your domain and proceed to the next step.
You will be asked what subdomain you want to create a certificate for. In most cases, you want to choose www here, but if you'd like to use a different subdomain with SSL, then enter that here instead:
StartSSL will provide you with your new certificate in a text box, much as it did for the private key:
Again, copy and paste into a text editor, this time saving it as ssl.crt.
You will also need the StartCom Root CA and StartSSL's Class 1 Intermediate Server CA in order to authenticate your website though, so for the final step, go over to the Toolbox pane and choose StartCom CA Certificates:
At this screen, right click and Save As two files:
- StartCom Root CA (PEM Encoded) (save to ca.pem)
- Class 1 Intermediate Server CA (save to sub.class1.server.ca.pem)
For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version of it to handle your site's encryption. To unencrypt it, copy it onto your server, and use the following command to decrypt it into the file private.key:
openssl rsa -in ssl.key -out private.key
OpenSSL will ask you for your password, so enter it in the password you typed in on StartSSL's website.
At this point you should have five files. If you're missing any, double-check the previous steps and re-download them:
- ca.pem - StartSSL's Root certificate
- private.key - The unencrypted version of your private key (be very careful no one else has access to this file!)
- sub.class1.server.ca.pem - The intermediate certificate for StartSSL
- ssl.key - The encrypted version of your private key (does not need to be copied to server)
- ssl.crt - Your new certificate
You can discard the ssl.key file. If you haven't already copied the others onto your server you upload them there now:
scp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} YOURSERVER:~
Activating the certificate in Apache
Having a certificate isn't any good if you can't actually use it. This section explains how to configure Apache to use your new SSL certificate. These instructions are for Apache running on recent versions of Ubuntu VPS. For other Linux-based distros or web servers, you'll have to adjust accordingly.
First, create the folders where we'll store the keys. Enable Apache's SSL module, and restart Apache.
sudo a2enmod ssl
sudo service apache2 restart
sudo mkdir -p /etc/apache2/ssl
Copy the files you set up in the previous section into the /etc/apache2/ssl folder on your VPS.
sudo mkdir -p /etc/apache2/ssl
cp ~/{ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl
Execute:
ls /etc/apache2/ssl
And it should return:
ca.pem
ssl.crt
private.key
sub.class1.server.ca.pem
Now, open your apache2 configuration file. Unless you've already modified the default configuration, input:
nano /etc/apache2/sites-enabled/000-default
It should look something like this:
<VirtualHost *:80>
ServerAdmin webmaster@localhost DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory> </VirtualHost>
Copy the entire script above (from <VirtualHost *:80> to </VirtualHost>), paste it below the existing one, and change the top line from:
<VirtualHost *:80>
to
<VirtualHost *:443>
And add the following lines after the <VirtualHost *:443> line:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
The end result should look like this:
<VirtualHost *:80>
ServerAdmin webmaster@localhost DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory> </VirtualHost> <VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
ServerAdmin webmaster@localhost DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory> </VirtualHost>
Save your files and restart Apache with:
sudo service apache2 restart
You can check Apache's log files to see if there are any show stopping errors with this command:
cat /var/log/apache2/error.log
If everything looks good, try accessing your site in your web browser using an HTTPS URL (e.g. https://www.YOURSITE.com). When your site loads, you should see a little green padlock icon next to the URL. Click on it and you should see the following. The connections tab should show that the site's identity has been verified by StartCom.
Congratulations! You are all set!
Reference Links:
Here are some of the other posts I consulted when putting this together. If you run into any problems they might be a source of inspiration on how to fix them:
原文:
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps
How To Set Up Apache with a Free Signed SSL Certificate on a VPS的更多相关文章
- Apache 配置HTTPS协议搭载SSL配置
在设置Apache + SSL之前, 需要做: 安装Apache, 请参见: Windows环境下Apache的安装与虚拟目录的配置, 下载安装Apache时请下载带有ssl版本的Apache ...
- How To Create a SSL Certificate on Apache for CentOS 6
About Self-Signed Certificates 自签证书.一个SSL证书,是加密网站的信息,并创建更安全的链接的一种方式.附加地,证书可以给网站浏览者显示VPS的的身份证明信息.如果一个 ...
- How to Move SSL certificate from Apache to Tomcat
https://www.sslsupportdesk.com/how-to-move-ssl-certificate-from-apache-to-tomcat/ Apache uses x509 p ...
- windows Apache 配置支持HTTPS的SSL证书
在设置Apache + SSL之前, 需要做: 安装Apache, 下载安装Apache时请下载带有ssl版本的Apache安装程序. 并且ssl需要的文件在如下的位置: [Apache安装目录]/m ...
- Apache配置HTTPS协议搭载SSl配置全过程
1.首先要开启相应的扩展和辅助的dll(ssleay32.dll,libeay32.dll)到system32下 2.生成服务器证书 安装好在bin目录下有一个openssl.exe文件,用来生成证书 ...
- Apache配置腾讯云SSL证书指引
一.安装Apache 1) 使用yum安装Apache # yum install httpd 2) 修改测试页面 # vim /var/www/html/index.heml PS:修改为测试内容, ...
- How to ignore SSL certificate errors in Apache HttpClient 4.4
public static CloseableHttpClient acceptsUntrustedCertsHttpClient() throws KeyStoreException, NoSuch ...
- Ubuntu 16.04 LAMP server tutorial with Apache 2.4, PHP 7 and MariaDB (instead of MySQL)
https://www.howtoforge.com/tutorial/install-apache-with-php-and-mysql-on-ubuntu-16-04-lamp/ This tut ...
- Ubuntu下配置apache开启https
一.HTTPS简述随着网络的日常,信息安全越来越重要,传统的网站都是http协议明文传输,而HTTPS协议是由SSL+HTTP协议构建的可进行加密传输.身份认证的网络协议,比http协议安全. 那ht ...
随机推荐
- BZOJ3249 : [ioi2013]game
线段树套Treap 外层的线段树需要动态开节点 内层Treap需要注意的是,相同y坐标的点不一定是同一个点,所以需要再次离散 空间$O(n\log n)$ 时间$O(n\log^2n)$ #inclu ...
- ubuntu下新建用户的终端不显示当前路径,不能用上下光标键得到使用过的命名解决办法
这几天我装ubuntu10.10,xubuntu12.04创建新用户的时候,总会遇到这个问题 就是打开终端的时候,没有路径了,即:xxx@xxx:~$ 找了很久,最后找到了(http://www.os ...
- 利用Oracle的row_number() over函数消除重复的记录
.select d.id,d.outer_code from dict_depts_source d order by outer_code(查看重复数据) .select d.id,d.outer_ ...
- Html - Footer
通用的Footer代码片段 <style> #footer { padding: 20px; text-align: center; background-color: #666; bor ...
- 【液晶模块系列基础视频】2.虚拟U盘
[液晶模块系列基础视频]2.虚拟U盘 ============================== 技术论坛:http://www.eeschool.org 博客地址:http://xiaomagee ...
- NOJ 1651 Red packet(二分)
[1651] Red packet 时间限制: 1000 ms 内存限制: 65535 K 问题描述 New Year is coming! Our big boss Wine93 will dist ...
- CSS权威指南 - 基础视觉格式化 2
行内元素 em a 非替换元素 img 替换元素 两者在内联内容处理方式不一样. inline有时候被翻译成内联,比如inline content,有时候被翻译成行内 inline box. 行布局 ...
- [办公自动化]无法使用江南天安usbkey 无法使用视频网站
同事打来电话说,无法使用江南天安开发的usbkey. 修复基本步骤记录如下: 1.卸载一切设备管理器中与之相关的驱动.拔出key. 2.重启计算机. 3.前往业务公开网站安装驱动. 4.插入key测试 ...
- [ZZ] Adventures with Gamma-Correct Rendering
http://renderwonk.com/blog/index.php/archive/adventures-with-gamma-correct-rendering/ Adventures wit ...
- Linux 计划任务 Crontab 笔记与总结(1)
Linux 版本:CentOS 6.6 应用场景,例如: ① 每分钟执行一个程序检查系统运行状态 ② 每天凌晨需要对过去一天的业务数据进行统计 ③ 每个星期需要把日志文件备份 ④ 每个月把数据库进行备 ...