Table of Contents
Each time you need to add a new SSL site to your Symbiosis system you need to:
One IP address is needed per SSL certificate. This means that every time you wish to add an SSL certificate to an existing site, it will need to be run under its own IP address.
First you must have an additional IP address routed to your machine. Your ISP should be able to do this. The IP address can either be IPv4 or IPv6.
Once your machine has been allocated an additional IP Address, you must tell your machine to accept traffic addressed to both your original and new IP addresses.
It has been assumed that the site requiring the new IP address is already configured as described in Section 4.1, “Hosting a web page using your own domain”.
Within an hour Symbiosis will have added this new address to your machine’s network interface, updated the domain’s DNS data and uploaded them to the name servers, as well as reconfigured the Apache web server to use the new IP for that domain.
In order to purchase an SSL certificate, you need to generate an SSL key and a certificate request on the Symbiosis machine.
Connect to your machine over SSH as admin (see Chapter 11, Connecting to your server via SSH)
Change to the config/
directory of the site that needs
the SSL certificate. In our example, we run cd
/srv/my-brilliant-site.com/config.
First we generate the key. To do this run openssl genrsa -out ssl.key 1024. This generates a 1024-bit key with no passphrase.
Next we generate the certificate request. We run openssl req -new -key ssl.key -out ssl.csr. This produces a series of prompts. It is important that the correct information is entered at each prompt. In our case the exchange runs as follows.
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:North Yorkshire Locality Name (eg, city) []:York Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bytemark Hosting Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:www.my-brilliant-site.com Email Address []:bob@my-brilliant-site.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
With that request, you can buy a new certificate. To view the request, run cat ssl.csr. It will look like
-----BEGIN CERTIFICATE REQUEST----- AIIB4zCCAUwCAQAwgaIxCzAJBgNVBAYTAkdCMRMwEQYDVQQIEwpNYW5jaGVzdGVy MRMwEQYDVQQHEwpNYW5jaGVzdGVyMQ0wCwYDVQQKEwRCbGFoMQ8wDQYDVQQLEwZU aGluZ3kxHjAcBgNVBAMTFW15LWJyaWxsaWFudC1zaXRlLmNvbTEpMCcGCSqGSIb3 DQEJARYacm9vdEBteS1icmlsbGlhbnQtc2l0ZS5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAMrTIaLKyvsxDz9WHhY5xJvHVKD+dmAuzpv2HichYejJQTTl gXdfrrZjVWm45ZJy9TEcB5DM0qsQBSqseMner7YvAJJ3PlTd7o3Rkjztt1orP1e7 hAkpKLW2dQAvnr3RtK2w8mK+OdJYPSJfzoChCKlG64Un2VmgDfAiNMS4GCi1AgMB AAGgADANBgkqhkiG9w0BAQUFAAOBgQBx1I52EXnKRL1YfPYIA8CXUeFRZzDbuVKQ +fwP5Ig5BANBldMnRePY29RH7yJ2YRXTWHfo6erWT4DZVkJhLpWwBTqB/kGcjEjv zN7D78VSSQzEb2fOcRcxd9fWmiIcIWINisjBv9gBbGH7L3UosOtdzEWyzpEjb+Or nL4UrZV3JA== -----END CERTIFICATE REQUEST-----
The entire output (including the BEGIN
and END
lines) should be
copied and pasted into the appropriate part of the form when
purchasing.
There are generally two types of SSL certificate: those that are self-signed, and those that are signed by a third-party. Self-signed certificates are free, but cause warnings to be produced in people’s browsers. Third-party certificates are purchased, and hopefully generate no warnings.
For an example of what a warning might look like in your browser, go to https://example.vm.bytemark.co.uk.
Purchasing a certificate is straightforward. The first part is the hardest: picking a supplier. There are many available, for example RapidSSL, Verisign, or Comodo.
During the purchase process, you will be asked for the certificate request. Instructions on how to do this are shown in Section 12.2, “Generating an SSL key and certificate request”.
Once purchased, you should end up with a new certificate, and possibly a "bundle". These should be downloaded onto your local computer. Installation of these is described in Section 12.4, “Uploading your new certificate, and optional bundle”.
Now we have our certificate, we need to upload it on to our machine. If you’ve generated the certificate on the machine, you can safely skip this procedure.
Connect to your machine using FileZilla.
Navigate to the config/
directory of your domain, using
the directory tree in the top right pane. We navigate to
/srv/my-brilliant-site.com/config/
.
Find your new certificate and bundle (if applicable) on the local machine, and upload both to the remote machine.
Once uploaded, we need to rename the files. This can be done by clicking on the filename in the lower right pane and selecting
from the menu.Once this procedure has been completed we can move on to the next section.
Once you’ve configured the SSL certificate, as described in the previous sections, you’ll find that your site is accessible to users over HTTP and HTTPS.
If you prefer to ensure that each visitor to your website uses
the SSL-protected site you can make it mandatory by creating an empty
file called config/ssl-only
. This should cause the site to be
reconfigured to redirect all traffic to the SSL-secured site.