Table of Contents
Before you start this chapter
- Connect to your server via SSH (see Chapter 10, Connecting to your server via SSH).
Each time you need to add a new SSL site to your Symbiosis system you need to:
- Acquire an additional dedicated IP address.
- Configure the site to use that IP address
- Generate an SSL key and certificate request.
- Buy or generate an SSL certificate.
- Upload the new certificate
One IP address is needed per SSL certificate. This means that every time you wish to add an SSL certificate to an existing site, it will need to be run under its own IP address.
First you must have an additional IP address routed to your machine. Your ISP should be able to do this.
Once your machine has been allocated an additional IP Address, you must tell your machine to accept traffic addressed to both your original and new IP addresses
This is a standard Debian procedure rather than something specific to Symbiosis, but for convenience it’s described here.
Make an SSH connection to your server as detailed in Chapter 10, Connecting to your server via SSH, connecting as admin.
Run sudo nano /etc/network/interfaces, and add the following lines to the bottom of the file. You will be prompted for the admin password, and you should type it in to gain the ability to edit the file.
auto eth0:0 iface eth0:0 inet static address 1.2.3.4 netmask 255.255.255.255
You should substitute your new IP address for 1.2.3.4. If there is already an entry for eth0:0, you can use eth0:1 and so on. The netmask should always be 255.255.255.255.
Save the file and leave the editor by typing ctrl+x.
To activate the new interface run sudo ifup eth0:0.
It has been assumed that the site requiring the new IP address is already configured as described in Section 3.1, “Hosting a web page using your own domain”.
Use FileZilla to connect to the machine as admin.
Create the file
/srv/my-brilliant-site.com/config/ipwith the new IP address in it. In our case it will be 1.2.3.4.
Within an hour Symbiosis will include this change in your DNS data and upload the new data to the name servers. This will ensure that the system knows that your machine should listen upon an additional IP address, and it will also ensure that the DNS entries for the domain are updated to point to the dedicated IP address, and not the default IP of your machine.
In order to purchase an SSL certificate, you need to generate an SSL key and a certificate request on the Symbiosis machine.
Connect to your machine over SSH as admin (see Chapter 10, Connecting to your server via SSH)
Change to the
config/directory of the site that needs the SSL certificate. In our example, we run cd /srv/my-brilliant-site.com/config.First we generate the key. To do this run openssl genrsa -out ssl.key 1024. This generates a 1024-bit key with no passphrase.
Next we generate the certificate request. We run openssl req -new -key ssl.key -out ssl.csr. This produces a series of prompts. It is important that the correct information is entered at each prompt. In our case the exchange runs as follows.
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:North Yorkshire Locality Name (eg, city) []:York Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bytemark Hosting Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:www.my-brilliant-site.com
Email Address []:bob@my-brilliant-site.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []: This is the name of the website that the SSL certificate is for. This must be correct. We’ve put www.my-brilliant-site.com because that is the name of the site we’re going to advertise and use. Do not enter a challenge password.
With that request, you can buy a new certificate. To view the request, run cat ssl.csr. It will look like
-----BEGIN CERTIFICATE REQUEST----- AIIB4zCCAUwCAQAwgaIxCzAJBgNVBAYTAkdCMRMwEQYDVQQIEwpNYW5jaGVzdGVy MRMwEQYDVQQHEwpNYW5jaGVzdGVyMQ0wCwYDVQQKEwRCbGFoMQ8wDQYDVQQLEwZU aGluZ3kxHjAcBgNVBAMTFW15LWJyaWxsaWFudC1zaXRlLmNvbTEpMCcGCSqGSIb3 DQEJARYacm9vdEBteS1icmlsbGlhbnQtc2l0ZS5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAMrTIaLKyvsxDz9WHhY5xJvHVKD+dmAuzpv2HichYejJQTTl gXdfrrZjVWm45ZJy9TEcB5DM0qsQBSqseMner7YvAJJ3PlTd7o3Rkjztt1orP1e7 hAkpKLW2dQAvnr3RtK2w8mK+OdJYPSJfzoChCKlG64Un2VmgDfAiNMS4GCi1AgMB AAGgADANBgkqhkiG9w0BAQUFAAOBgQBx1I52EXnKRL1YfPYIA8CXUeFRZzDbuVKQ +fwP5Ig5BANBldMnRePY29RH7yJ2YRXTWHfo6erWT4DZVkJhLpWwBTqB/kGcjEjv zN7D78VSSQzEb2fOcRcxd9fWmiIcIWINisjBv9gBbGH7L3UosOtdzEWyzpEjb+Or nL4UrZV3JA== -----END CERTIFICATE REQUEST-----
The entire output (including the BEGIN and END lines) should be
copied and pasted into the appropriate part of the form when
purchasing.
There are generally two types of SSL certificate: those that are self-signed, and those that are signed by a third-party. Self-signed certificates are free, but cause warnings to be produced in people’s browsers. Third-party certificates are purchased, and hopefully generate no warnings.
For an example of what a warning might look like in your browser, go to https://example.vm.bytemark.co.uk.
Purchasing a certificate is straightforward. The first part is the hardest: picking a supplier. There are many available, for example RapidSSL, Verisign, or Comodo.
During the purchase process, you will be asked for the certificate request. Instructions on how to do this are shown in Section 11.3, “Generating an SSL certificate key and request”.
Once purchased, you should end up with a new certificate, and possibly a "bundle". These should be downloaded onto your local computer. Installation of these is described in Section 11.5, “Uploading your new certificate, and optional bundle”.
Now we have our certificate, we need to upload it on to our machine. If you’ve generated the certificate on the machine, you can safely skip this procedure.
Connect to your machine using FileZilla.
Navigate to the
config/directory of your domain, using the directory tree in the top right pane. We navigate to/srv/my-brilliant-site.com/config.Find your new certificate and bundle (if applicable) on the local machine, and upload both to the remote machine.
Once uploaded, we need to rename the files. This can be done by clicking on the filename in the lower right pane and selecting from the menu.
-
The certificate should be renamed to
ssl.crt. -
The bundle (if applicable) should be renamed to
ssl.bundle.
-
The certificate should be renamed to
Once this procedure has been completed we can move on to the next section.
The final step is to combine our certificate and key, such that Apache can used them.
Log on to your machine as admin over SSH.
Change directory to the
config/directory of your site. We run cd /srv/my-brilliant-site.com/config to do this.To combine the two files into one, run the following
symbiosis-combine-ssl
This generates the file ssl.combined, which where Apache will look for the SSL certificate.
Line-endings
It is very important to be consistent with line-endings when joining files. The method documented above looks strange, but ensures that the line-endings are consistent.
This file ssl.combined will now contain something like this.
-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDK0yGiysr7MQ8/Vh4WOcSbx1Sg/nZgLs6b9h4nIWHoyUE05YF3 X662Y1VpuOWScvUxHAeQzNKrEAUqrHjJ3q+2LwCSdz5U3e6N0ZI87bdaKz9Xu4QJ KSi1tnUAL5690bStsPJivjnSWD0iX86AoQipRuuFJ9lZoA3wIjTEuBgotQIDAQAB AoGAF7jD2VdgkCp3vw+iazUMcq/IjR/V1oAC+Ci79BWqbuCC+N3S25RcScaqabgP hQesn6hnQZ8MZl7b4Lv1585mjwmf+Sw7PAa09EiArpy3cg2Em6LpBBekPZs+aPIU StLQnEZ1pCb1E1TVeWECQQCrM4BrdC4FymXSuANe5YXYhNPksNcWeujdLKVdgGjs uXdLGWRgiAGqJo4teB1HjvbEWxYadZ6Zspvvc5qd4d6s -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICvTCCAiYCCQDKfqq7e9IUIzANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMC R0IxEzARBgNVBAgTCk1hbmNoZXN0ZXIxEzARBgNVBAcTCk1hbmNoZXN0ZXIxDTAL BgNVBAoTBEJsYWgxDzANBgNVBAsTBlRoaW5neTEeMBwGA1UEAxMVbXktYnJpbGxp MQ8/Vh4WOcSbx1Sg/nZgLs6b9h4nIWHoyUE05YF3X662Y1VpuOWScvUxHAeQzNKr EAUqrHjJ3q+2LwCSdz5U3e6N0ZI87bdaKz9Xu4QJKSi1tnUAL5690bStsPJivjnS WD0iX86AoQipRuuFJ9lZoA3wIjTEuBgotQIDAQABMA0GCSqGSIb3DQEBBQUAA4GB ABWXBGPKldcqJsVzB6KYIEv8jLa7iYIsB5rdhP5zviC1d4rT6U0jsCsCt/H/UQtf 6Y2Jl6nRKNBkvROVT28TfZjEe3AiBoB5MTt9P0hfxYzKoxUwaBLzClLUfaeWY/qT GAt5kCtYlBgNxMIXkNPj2weODunfpELBJ7ARKAa3+uIu -----END CERTIFICATE-----
Once you’ve configured the SSL certificate, as described in the previous sections, you’ll find that your site is accessible to users over HTTP and HTTPS.
If you prefer to ensure that each visitor to your website uses
the SSL-protected site you can make it mandatory by creating
a .htaccess file inside your web directory root.
Continuing our example you might create the file
/srv/my-brilliant-site.com/public/htdocs/.htaccess with the following
contents:
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]These contents use Apache’s .htaccess file in combination with mod_rewrite to ensure that all visitors will be redirected to the secure version of your site.