Prerequisites

Before we get started, here are the web tools you need for this tutorial:

  1. Google Chrome browser
  2. Apache installed on your VPS (cloud server)
  3. A domain name you own
  4. Access to an email address at that domain, either:
    1. postmaster@duable.co
    2. hostmaster@duable.co
    3. webmaster@duable.co

StartSSL.com offers completely free verified (your users won't have to see those scary red screens saying "this site isn't trusted" anymore) SSL certificates that you can use on your website. This is a great deal as most companies charge $50-$60 for similar services. The free version is a bit tricky to set up, but it's well worth it.

To get started, browse to StartSSL.com and using the toolbar on the left, navigate to StartSSL Products and then to StartSSL™ Free. Choose the link for Control Panel from the top of the page.

Make sure you are using Google Chrome

  1. Choose the Express Signup. option
  2. Enter your personal information, and click continue.
  3. You'll get an email with a verification code inside it shortly. Copy and paste that email into the form on StartSSL's page.
  4. They will review your request for a certificate and then send you an email with the new info. This process might take as long as 6 hours though, so be patient.
  5. Once the email comes, use the link provided and the new authentication code (at the bottom of the email) to continue to the next step.
  6. They will ask you to Generate a private key and you will be provided with the choice of "High" or "Medium" grade. Go ahead and choose "High".
  7. Once your key is ready, click Install.
  8. Chrome will show a popdown that says that the certificate has been succesfully installed to Chrome.

This means your browser is now authenticated with your new certificate and you can log into the StartSSL authentication areas using your new certificate. Now, we need to get a properly formatted certificate set up for use on your VPS. Click on the Control panel link again, and choose the Authenticate option. Chrome will show a popup asking if you want to authenticate and will show the certificate you just installed. Go ahead and authenticate with that certificate to enter the control panel.

You will need to validate your domain name to prove that you own the domain you are setting up a certificate for. Click over to the Validations Wizard in the Control panel and set Type to Domain Name Validation. You'll be prompted to choose from an email at your domain, something like postmaster@yourdomain.com.

Check the email inbox for the email address you selected. You will get yet another verification email at that address, so like before, copy and paste the verification code into the StartSSL website.

Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate.

Hit continue and then enter in a secure password, leaving the other settings as is.

You will be shown a textbox that contains your private key. Copy and paste the contents into a text editor and save the data into a file called ssl.key.

When you click continue, you will be asked which domain you want to create the certificate for:

Choose your domain and proceed to the next step.

You will be asked what subdomain you want to create a certificate for. In most cases, you want to choose www here, but if you'd like to use a different subdomain with SSL, then enter that here instead:

StartSSL will provide you with your new certificate in a text box, much as it did for the private key:

Again, copy and paste into a text editor, this time saving it as ssl.crt.

You will also need the StartCom Root CA and StartSSL's Class 1 Intermediate Server CA in order to authenticate your website though, so for the final step, go over to the Toolbox pane and choose StartCom CA Certificates:

At this screen, right click and Save As two files:

  • StartCom Root CA (PEM Encoded) (save to ca.pem)
  • Class 1 Intermediate Server CA (save to sub.class1.server.ca.pem)

For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version of it to handle your site's encryption. To unencrypt it, copy it onto your server, and use the following command to decrypt it into the file private.key:

openssl rsa -in ssl.key -out private.key

OpenSSL will ask you for your password, so enter it in the password you typed in on StartSSL's website.

At this point you should have five files. If you're missing any, double-check the previous steps and re-download them:

  • ca.pem - StartSSL's Root certificate
  • private.key - The unencrypted version of your private key (be very careful no one else has access to this file!)
  • sub.class1.server.ca.pem - The intermediate certificate for StartSSL
  • ssl.key - The encrypted version of your private key (does not need to be copied to server)
  • ssl.crt - Your new certificate

You can discard the ssl.key file. If you haven't already copied the others onto your server you upload them there now:

scp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} YOURSERVER:~
 

Activating the certificate in Apache

Having a certificate isn't any good if you can't actually use it. This section explains how to configure Apache to use your new SSL certificate. These instructions are for Apache running on recent versions of Ubuntu VPS. For other Linux-based distros or web servers, you'll have to adjust accordingly.

First, create the folders where we'll store the keys. Enable Apache's SSL module, and restart Apache.

sudo a2enmod ssl

sudo service apache2 restart

sudo mkdir -p /etc/apache2/ssl

Copy the files you set up in the previous section into the /etc/apache2/ssl folder on your VPS.

sudo mkdir -p /etc/apache2/ssl

cp ~/{ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl

Execute:

ls /etc/apache2/ssl

And it should return:

ca.pem

ssl.crt

private.key

sub.class1.server.ca.pem

Now, open your apache2 configuration file. Unless you've already modified the default configuration, input:

nano /etc/apache2/sites-enabled/000-default

It should look something like this:

<VirtualHost *:80>

    ServerAdmin webmaster@localhost

    DocumentRoot /var/www

    <Directory />

        Options FollowSymLinks

        AllowOverride None

    </Directory>

    <Directory /var/www/>

        Options Indexes FollowSymLinks MultiViews

        AllowOverride None

        Order allow,deny

        allow from all

    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

    <Directory "/usr/lib/cgi-bin">

        AllowOverride None

        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

        Order allow,deny

        Allow from all

    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,

    # alert, emerg.

    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"

    <Directory "/usr/share/doc/">

        Options Indexes MultiViews FollowSymLinks

        AllowOverride None

        Order deny,allow

        Deny from all

        Allow from 127.0.0.0/255.0.0.0 ::1/128

    </Directory>

</VirtualHost>

Copy the entire script above (from <VirtualHost *:80> to </VirtualHost>), paste it below the existing one, and change the top line from:

<VirtualHost *:80>

to

<VirtualHost *:443>

And add the following lines after the <VirtualHost *:443> line:

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM                

SSLCertificateFile /etc/apache2/ssl/ssl.crt

SSLCertificateKeyFile /etc/apache2/ssl/private.key

SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

The end result should look like this:

<VirtualHost *:80>

    ServerAdmin webmaster@localhost

    DocumentRoot /var/www

    <Directory />

        Options FollowSymLinks

        AllowOverride None

    </Directory>

    <Directory /var/www/>

        Options Indexes FollowSymLinks MultiViews

        AllowOverride None

        Order allow,deny

        allow from all

    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

    <Directory "/usr/lib/cgi-bin">

        AllowOverride None

        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

        Order allow,deny

        Allow from all

    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,

    # alert, emerg.

    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"

    <Directory "/usr/share/doc/">

        Options Indexes MultiViews FollowSymLinks

        AllowOverride None

        Order deny,allow

        Deny from all

        Allow from 127.0.0.0/255.0.0.0 ::1/128

    </Directory>

</VirtualHost>

<VirtualHost *:443>

    SSLEngine on

    SSLProtocol all -SSLv2

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM                

    SSLCertificateFile /etc/apache2/ssl/ssl.crt

    SSLCertificateKeyFile /etc/apache2/ssl/private.key

    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

    ServerAdmin webmaster@localhost

    DocumentRoot /var/www

    <Directory />

        Options FollowSymLinks

        AllowOverride None

    </Directory>

    <Directory /var/www/>

        Options Indexes FollowSymLinks MultiViews

        AllowOverride None

        Order allow,deny

        allow from all

    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

    <Directory "/usr/lib/cgi-bin">

        AllowOverride None

        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

        Order allow,deny

        Allow from all

    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,

    # alert, emerg.

    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"

    <Directory "/usr/share/doc/">

        Options Indexes MultiViews FollowSymLinks

        AllowOverride None

        Order deny,allow

        Deny from all

        Allow from 127.0.0.0/255.0.0.0 ::1/128

    </Directory>

</VirtualHost>

Save your files and restart Apache with:

sudo service apache2 restart

You can check Apache's log files to see if there are any show stopping errors with this command:

cat /var/log/apache2/error.log

If everything looks good, try accessing your site in your web browser using an HTTPS URL (e.g. https://www.YOURSITE.com). When your site loads, you should see a little green padlock icon next to the URL. Click on it and you should see the following. The connections tab should show that the site's identity has been verified by StartCom.

Congratulations! You are all set!

Reference Links:

Here are some of the other posts I consulted when putting this together. If you run into any problems they might be a source of inspiration on how to fix them:

Submitted by: Nik van der Ploeg

原文:

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps

How To Set Up Apache with a Free Signed SSL Certificate on a VPS的更多相关文章

  1. Apache 配置HTTPS协议搭载SSL配置

    在设置Apache + SSL之前, 需要做:     安装Apache, 请参见: Windows环境下Apache的安装与虚拟目录的配置, 下载安装Apache时请下载带有ssl版本的Apache ...

  2. How To Create a SSL Certificate on Apache for CentOS 6

    About Self-Signed Certificates 自签证书.一个SSL证书,是加密网站的信息,并创建更安全的链接的一种方式.附加地,证书可以给网站浏览者显示VPS的的身份证明信息.如果一个 ...

  3. How to Move SSL certificate from Apache to Tomcat

    https://www.sslsupportdesk.com/how-to-move-ssl-certificate-from-apache-to-tomcat/ Apache uses x509 p ...

  4. windows Apache 配置支持HTTPS的SSL证书

    在设置Apache + SSL之前, 需要做: 安装Apache, 下载安装Apache时请下载带有ssl版本的Apache安装程序. 并且ssl需要的文件在如下的位置: [Apache安装目录]/m ...

  5. Apache配置HTTPS协议搭载SSl配置全过程

    1.首先要开启相应的扩展和辅助的dll(ssleay32.dll,libeay32.dll)到system32下 2.生成服务器证书 安装好在bin目录下有一个openssl.exe文件,用来生成证书 ...

  6. Apache配置腾讯云SSL证书指引

    一.安装Apache 1) 使用yum安装Apache # yum install httpd 2) 修改测试页面 # vim /var/www/html/index.heml PS:修改为测试内容, ...

  7. How to ignore SSL certificate errors in Apache HttpClient 4.4

    public static CloseableHttpClient acceptsUntrustedCertsHttpClient() throws KeyStoreException, NoSuch ...

  8. Ubuntu 16.04 LAMP server tutorial with Apache 2.4, PHP 7 and MariaDB (instead of MySQL)

    https://www.howtoforge.com/tutorial/install-apache-with-php-and-mysql-on-ubuntu-16-04-lamp/ This tut ...

  9. Ubuntu下配置apache开启https

    一.HTTPS简述随着网络的日常,信息安全越来越重要,传统的网站都是http协议明文传输,而HTTPS协议是由SSL+HTTP协议构建的可进行加密传输.身份认证的网络协议,比http协议安全. 那ht ...

随机推荐

  1. Edmond_Karp算法

    核心思想:通过bfs不断在网络中寻找最短的增广路,从而求得最大流.时间复杂度O(VE^) 算法模板: int Edmond_Karp(int s,int t) { ; memset(flow,,siz ...

  2. Designing CSS Layouts With Flexbox Is As Easy As Pie

    This article is an updated excerpt of the chapter “Restyle, Recode, Reimagine With CSS3″ from our Sm ...

  3. redis API使用说明

    List相关: LPOP key : 删除并取得LIST头部一个元素 RPOP key : 删除并取得LIST尾部一个元素 BLPOP key [key ...] timeout : 删除并取得LIS ...

  4. winform学习之-----关于按键操作的一些小知识(如何获取焦点所在的当前控件)20160623

    1.设置整个窗体keydown事件的时候,要设置keyPreview=true; 2.获取当前拥有焦点的控件: 关于这个问题,自己也是纠结死了,在网上搜了好多相关的问题答案,搜出的结果是: //API ...

  5. poi读写word模板 / java生成word文档

    有一word文档表格 形如: 姓名 ${name} 电话 ${tel} 从数据库读取记录替换上述变量 import java.io.FileOutputStream; import java.util ...

  6. SVN 中trunk、branches、tags

    SVN 中trunk.branches.tags   我们在一些著名开源项目的版本库中,通常可以看到trunk, branches, tags等三个目录.由于SVN固有的特点,目录在SVN中并没有特别 ...

  7. shell if判断语句

    测试脚本是否有语法错误: sh  -n  脚本名 一.if语句: 二.逻辑运算解析: -f  判断文件是否存在 -d 判断目录是否存在 -eq 判断是否相等 -ne 判断是否不相等 -lt 小于 -g ...

  8. lightning mdb 源代码分析(1)

    lighting mdb(lmdb) 是一个高性能mmap kv数据库,基本介绍和文档参见symas官网,本文将尝试分析其源代码结构以理解数据库设计的关键技术. 本系列文章将尝试从以下几个方面进行分析 ...

  9. 使用本函式处理后的字串会沿续到PHP程式而转入eval函数

    html码放在数据库里,通过php文件调用,经过一系列处理后,用eval函数 将希望的变量带入生成所需要的动态页.这样,我就没再看vbb源码,而转入eval函数了. 星空浪子的php中文手册是这样介绍 ...

  10. HTML&CSS布局练习---360导航页面

    一共分为7个部分:由HTML和CSS外部样式表做成 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ...