Chapter 11. Configuring SSL Hosting

Table of Contents

11.1. Adding an additional IP address
11.2. Configure the site to use the new IP address
11.3. Generating an SSL certificate key and request
11.4. Purchasing a certificate
11.5. Uploading your new certificate, and optional bundle
11.6. Combining the certificate and key
11.7. Making SSL mandatory

Before you start this chapter

  1. Connect to your server via SSH (see Chapter 10, Connecting to your server via SSH).

Each time you need to add a new SSL site to your Symbiosis system you need to:

  1. Acquire an additional dedicated IP address.
  2. Configure the site to use that IP address.
  3. Generate an SSL key and certificate request.
  4. Buy or generate an SSL certificate.
  5. Upload the new certificate.

Symbiosis needs one dedicated IP address per SSL certificate, because the certificate presented to a visitor is chosen by the address the connection arrives on. Every site that gets its own certificate therefore has to be moved onto its own IP address, even if it is already live on the machine's default address.

11.1. Adding an additional IP address

First you must have an additional IP address routed to your machine. Your ISP should be able to do this.

Once your machine has been allocated an additional IP address, you must tell your machine to accept traffic addressed to both your original and new IP addresses.

This is a standard Debian procedure rather than something specific to Symbiosis, but for convenience it’s described here.

  1. Make an SSH connection to your server as detailed in Chapter 10, Connecting to your server via SSH, connecting as admin.

  2. Run sudo nano /etc/network/interfaces. You will be prompted for the admin password; type it in to gain the right to edit the file, then add the following lines to the bottom of the file.

    auto eth0:0
    
    iface eth0:0 inet static
      address 1.2.3.4
      netmask 255.255.255.255

    You should substitute your new IP address for 1.2.3.4. If there is already an entry for eth0:0, use eth0:1 and so on, and use that same name in step 4. The netmask should always be 255.255.255.255, because the alias carries a single address rather than a network.

  3. Save the file and leave the editor by typing ctrl+x.

  4. To activate the new interface run sudo ifup eth0:0.

11.2. Configure the site to use the new IP address

It has been assumed that the site requiring the new IP address is already configured as described in Section 3.1, “Hosting a web page using your own domain”.

  1. Use FileZilla to connect to the machine as admin.

  2. Create the file /srv/my-brilliant-site.com/config/ip containing just the new IP address on a line of its own. In our case it will be 1.2.3.4.

Within an hour Symbiosis will pick up this change: it will make the machine listen on the additional IP address for that site, and it will update the domain's DNS records and upload them to the name servers, so that the domain points at the dedicated IP address rather than the default IP of your machine.
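As an added example, not part of the Symbiosis documentation or its tools, the following POSIX shell functions automate the two steps above for a machine that may already carry several SSL sites: they find the next unused eth0:N alias in an interfaces file (so a second site does not overwrite the first site's eth0:0), print the stanza to append, and write the validated address into the site's config/ip. The function names and the address check are this example's own; only the file formats come from the chapter.

```shell
#!/bin/sh
# Added example (not Symbiosis code): pick the next free alias interface,
# print the interfaces(5) stanza for a /32 alias, and record the address
# in the site's config/ip file. BASE defaults to eth0 as in the chapter.

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are all 0-255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# next_alias FILE [BASE]: lowest BASE:N that has no "iface BASE:N" line in FILE
next_alias() {
    file=$1; base=${2:-eth0}; n=0
    while grep -Eq "^[[:space:]]*iface[[:space:]]+${base}:${n}[[:space:]]" "$file"; do
        n=$((n + 1))
    done
    printf '%s:%s\n' "$base" "$n"
}

# alias_stanza IFACE ADDR: the lines the chapter appends to /etc/network/interfaces
alias_stanza() {
    printf 'auto %s\n\niface %s inet static\n  address %s\n  netmask 255.255.255.255\n' \
        "$1" "$1" "$2"
}

# add_site_ip SITE_DIR ADDR: write ADDR to SITE_DIR/config/ip, refusing bad addresses
# so that a typo never reaches the DNS data Symbiosis generates from this file
add_site_ip() {
    is_ipv4 "$2" || { echo "add_site_ip: '$2' is not an IPv4 address" >&2; return 1; }
    mkdir -p "$1/config" && printf '%s\n' "$2" > "$1/config/ip"
}
```

On the server you would source the file as admin and run alias_stanza "$(next_alias /etc/network/interfaces)" 1.2.3.4 | sudo tee -a /etc/network/interfaces, then sudo ifup the alias name that next_alias printed, and finally add_site_ip /srv/my-brilliant-site.com 1.2.3.4.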

11.3. Generating an SSL certificate key and request

In order to purchase an SSL certificate, you need to generate an SSL key and a certificate request on the Symbiosis machine.

  1. Connect to your machine over SSH as admin (see Chapter 10, Connecting to your server via SSH)

  2. Change to the config/ directory of the site that needs the SSL certificate. In our example, we run cd /srv/my-brilliant-site.com/config.

  3. First we generate the key. To do this run openssl genrsa -out ssl.key 2048. This generates a 2048-bit RSA key with no passphrase; the key has to be unencrypted so that Apache can start without someone typing a passphrase, which is why it must be kept out of everyone else's reach (chmod 600 ssl.key so that only its owner can read it, and never send it to the certificate supplier). Public certificate authorities no longer accept keys shorter than 2048 bits.

  4. Next we generate the certificate request. We run openssl req -new -key ssl.key -out ssl.csr. This produces a series of prompts. It is important that the correct information is entered at each prompt. In our case the exchange runs as follows.

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or
    a DN.  There are quite a few fields but you can leave some blank For
    some fields there will be a default value, If you enter '.', the field
    will be left blank.
     -----
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:North Yorkshire
    Locality Name (eg, city) []:York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bytemark Hosting
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, YOUR name) []:www.my-brilliant-site.com 1
    Email Address []:bob@my-brilliant-site.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:                                 2
    An optional company name []:

    1

    This is the name of the website that the SSL certificate is for, and it must match exactly the hostname visitors will type, because browsers compare the two. We’ve put www.my-brilliant-site.com because that is the name of the site we’re going to advertise and use; a certificate for www.my-brilliant-site.com does not cover my-brilliant-site.com unless the supplier adds that name to the certificate as well.

    2

    Do not enter a challenge password.

With that request, you can buy a new certificate. To view the request, run cat ssl.csr. It will look like

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

The entire output (including the BEGIN and END lines) should be copied and pasted into the appropriate part of the form when purchasing.
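The same procedure run without the interactive prompts, as an added example that is not Symbiosis code. It uses the subject values from the exchange above, generates a 2048-bit key readable only by its owner, and then makes the checks a supplier will make before accepting the request: the Common Name in the request is the site name, and the request really was signed with the key sitting next to it. The function names are this example's own; it assumes openssl(1) is installed, as the chapter already relies on.

```shell
#!/bin/sh
# Added example (not Symbiosis code): key and CSR generation without the
# interactive prompts, followed by the checks a supplier will make.
# Assumes openssl(1). The C/ST/L/O fields are the chapter's sample values;
# change them to your own.

# gen_key_and_csr DIR CN EMAIL [ORG]: writes DIR/ssl.key and DIR/ssl.csr.
# 2048 bits is the smallest size public CAs accept. The key carries no
# passphrase so Apache can start unattended, so it is made owner-readable only.
gen_key_and_csr() {
    dir=$1; cn=$2; email=$3; org="${4:-Bytemark Hosting}"
    ( umask 077 && openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null ) || return 1
    chmod 600 "$dir/ssl.key"
    openssl req -new -key "$dir/ssl.key" -out "$dir/ssl.csr" \
        -subj "/C=GB/ST=North Yorkshire/L=York/O=$org/CN=$cn/emailAddress=$email" 2>/dev/null
}

# csr_cn CSRFILE: print the Common Name in a request; copes with both the
# "subject=/C=GB/.../CN=x" and the "subject=C = GB, ..., CN = x" output styles
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_matches_key KEYFILE CSRFILE: succeed only if the request was made with this key
# (both carry the same RSA modulus)
csr_matches_key() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl req -noout -modulus -in "$2" 2>/dev/null)" ]
}

# key_is_private KEYFILE: fail if group or others can read, write or execute the key
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Run gen_key_and_csr /srv/my-brilliant-site.com/config www.my-brilliant-site.com bob@my-brilliant-site.com in place of steps 3 and 4, then csr_cn and csr_matches_key on the two files before pasting ssl.csr into the supplier's form; a request whose Common Name or key is wrong is only discovered after you have paid.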

11.4. Purchasing a certificate

There are generally two types of SSL certificate: those that are self-signed, and those that are signed by a third-party certificate authority. A self-signed certificate is free and encrypts traffic just as well, but a browser has no way to tell it from one an attacker made up on the spot, so it warns every visitor. A certificate signed by a trusted third party is purchased, and, provided its Common Name matches the site, produces no warnings.

For an example of what a warning might look like in your browser, go to https://example.vm.bytemark.co.uk.

Purchasing a certificate is straightforward. The first part is the hardest: picking a supplier. There are many available, for example RapidSSL, Verisign, or Comodo.

During the purchase process, you will be asked for the certificate request. Instructions on how to do this are shown in Section 11.3, “Generating an SSL certificate key and request”.

Once purchased, you should end up with a new certificate, and possibly a "bundle". These should be downloaded onto your local computer. Installation of these is described in Section 11.5, “Uploading your new certificate, and optional bundle”.

11.5. Uploading your new certificate, and optional bundle

Now we have our certificate, we need to upload it on to our machine. If you generated a self-signed certificate on the machine itself, it is already there, and you can skip this procedure as long as the certificate is saved as ssl.crt in the site's config/ directory.

  1. Connect to your machine using FileZilla.

  2. Navigate to the config/ directory of your domain, using the directory tree in the top right pane. We navigate to /srv/my-brilliant-site.com/config.

  3. Find your new certificate and bundle (if applicable) on the local machine, and upload both to the remote machine.

  4. Once uploaded, we need to rename the files. This can be done by clicking on the filename in the lower right pane and selecting Rename from the menu.

    • The certificate should be renamed to ssl.crt.
    • The bundle (if applicable) should be renamed to ssl.bundle.

Once this procedure has been completed we can move on to the next section.

11.6. Combining the certificate and key

The final step is to combine our certificate and key into a single file, which is the form Apache reads them in.

  1. Log on to your machine as admin over SSH.

  2. Change directory to the config/ directory of your site. We run cd /srv/my-brilliant-site.com/config to do this.

  3. To combine the two files into one, run the following

    symbiosis-combine-ssl
    

    This generates the file ssl.combined, which is where Apache will look for the SSL certificate. Because it contains the private key, it must stay readable by its owner only, like ssl.key.

Line-endings

symbiosis-combine-ssl takes care of this for you, but if you ever join the files by hand (for example with cat) be careful about line-endings. Each PEM block must end with a newline; otherwise the -----END line of the key and the -----BEGIN line of the certificate run together on a single line, and the certificate is not found when the file is parsed. A certificate saved on Windows may also carry carriage returns, which should be stripped first.

This file ssl.combined will now contain the key followed by the certificate, something like this (the key is abbreviated here; a real one is longer):

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDK0yGiysr7MQ8/Vh4WOcSbx1Sg/nZgLs6b9h4nIWHoyUE05YF3
X662Y1VpuOWScvUxHAeQzNKrEAUqrHjJ3q+2LwCSdz5U3e6N0ZI87bdaKz9Xu4QJ
KSi1tnUAL5690bStsPJivjnSWD0iX86AoQipRuuFJ9lZoA3wIjTEuBgotQIDAQAB
AoGAF7jD2VdgkCp3vw+iazUMcq/IjR/V1oAC+Ci79BWqbuCC+N3S25RcScaqabgP
hQesn6hnQZ8MZl7b4Lv1585mjwmf+Sw7PAa09EiArpy3cg2Em6LpBBekPZs+aPIU
StLQnEZ1pCb1E1TVeWECQQCrM4BrdC4FymXSuANe5YXYhNPksNcWeujdLKVdgGjs
uXdLGWRgiAGqJo4teB1HjvbEWxYadZ6Zspvvc5qd4d6s
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
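For the case where you join the files by hand, or want to check what symbiosis-combine-ssl produced before Apache is pointed at it, here is an added example (not the Symbiosis tool itself) that builds ssl.combined with consistent line endings and then verifies the result: the certificate must belong to ssl.key, it must chain to ssl.bundle if one was uploaded, and the combined file must hold the key first and the certificate second with no carriage returns left over from a Windows upload. The function names are this example's own; it assumes the chapter's file names and openssl(1).

```shell
#!/bin/sh
# Added example (not the symbiosis-combine-ssl tool): build ssl.combined by
# hand from ssl.key and ssl.crt, normalising line endings, then check the
# result. Assumes openssl(1) and the chapter's file names; ssl.bundle, if
# present, is used only to verify the chain.

# combine_ssl DIR: write DIR/ssl.combined = key then certificate, LF-terminated,
# readable by the owner only because it contains the private key
combine_ssl() {
    dir=$1
    [ -r "$dir/ssl.key" ] && [ -r "$dir/ssl.crt" ] ||
        { echo "combine_ssl: need ssl.key and ssl.crt in $dir" >&2; return 1; }
    (
        umask 077
        # tr strips CRs from files uploaded from Windows; awk '{ print }' guarantees
        # a final newline so the END line of one block never runs into the next BEGIN
        for f in ssl.key ssl.crt; do
            tr -d '\r' < "$dir/$f" | awk '{ print }'
        done > "$dir/ssl.combined"
    ) && chmod 600 "$dir/ssl.combined"
}

# cert_matches_key DIR: the certificate's public key must belong to ssl.key
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1/ssl.crt" 2>/dev/null)" = \
      "$(openssl rsa -noout -modulus -in "$1/ssl.key" 2>/dev/null)" ]
}

# chain_verifies DIR: if a bundle was uploaded, the certificate must chain to it
chain_verifies() {
    [ -r "$1/ssl.bundle" ] || return 0
    openssl verify -CAfile "$1/ssl.bundle" "$1/ssl.crt" >/dev/null 2>&1
}

# combined_is_sane DIR: no CRs, and the key block comes before the certificate block
combined_is_sane() {
    f=$1/ssl.combined
    [ -r "$f" ] || return 1
    tr -d '\r' < "$f" | cmp -s - "$f" || return 1
    key_line=$(grep -n 'BEGIN .*PRIVATE KEY' "$f" | head -1 | cut -d: -f1)
    crt_line=$(grep -n 'BEGIN CERTIFICATE' "$f" | head -1 | cut -d: -f1)
    [ -n "$key_line" ] && [ -n "$crt_line" ] && [ "$key_line" -lt "$crt_line" ]
}
```

After combine_ssl /srv/my-brilliant-site.com/config, run cert_matches_key, chain_verifies and combined_is_sane on the same directory; a mismatch between key and certificate is the commonest reason for Apache refusing to start after a certificate is installed, and it is cheaper to find it here than in the error log.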

11.7. Making SSL mandatory

Once you’ve configured the SSL certificate, as described in the previous sections, you’ll find that your site is accessible to users over HTTP and HTTPS.

If you prefer to ensure that each visitor to your website uses the SSL-protected site you can make it mandatory by creating a .htaccess file inside your web directory root.

Continuing our example you might create the file /srv/my-brilliant-site.com/public/htdocs/.htaccess with the following contents:

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

These contents use Apache’s .htaccess file in combination with mod_rewrite to ensure that all visitors will be redirected to the secure version of your site. The [R] flag sends a temporary (302) redirect, which is the safe choice while you test; once you are sure the HTTPS site works, change it to [R=301,L] so that browsers and search engines remember the move as permanent. If the site already has rewrite rules in its .htaccess file, put these lines before them, so that the redirect happens first.