Chapter 12. Configuring SSL Hosting

Table of Contents

12.1. Adding an additional IP address
12.2. Generating an SSL key and certificate request
12.3. Purchasing a certificate
12.4. Uploading your new certificate, and optional bundle
12.5. Making SSL mandatory

Before you start this chapter

  1. Connect to your server via SSH (see Chapter 11, Connecting to your server via SSH).

Each time you need to add a new SSL site to your Symbiosis system you need to:

  1. Acquire an additional dedicated IP address.
  2. Configure the site to use that IP address
  3. Generate an SSL key and certificate request.
  4. Buy or generate an SSL certificate.
  5. Upload the new certificate

One IP address is needed per SSL certificate. This means that every time you wish to add an SSL certificate to an existing site, it will need to be run under its own IP address.

12.1. Adding an additional IP address

First you must have an additional IP address routed to your machine. Your ISP should be able to do this. The IP address can either be IPv4 or IPv6.

Once your machine has been allocated an additional IP Address, you must tell your machine to accept traffic addressed to both your original and new IP addresses.

It has been assumed that the site requiring the new IP address is already configured as described in Section 4.1, “Hosting a web page using your own domain”.

  1. Use FileZilla to connect to the machine as admin.

  2. Create the file /srv/my-brilliant-site.com/config/ip with the new IP address in it.

Within an hour Symbiosis will have added this new address to your machine’s network interface, updated the domain’s DNS data and uploaded them to the name servers, as well as reconfigured the Apache web server to use the new IP for that domain.

12.2. Generating an SSL key and certificate request

In order to purchase an SSL certificate, you need to generate an SSL key and a certificate request on the Symbiosis machine.

  1. Connect to your machine over SSH as admin (see Chapter 11, Connecting to your server via SSH)

  2. Change to the config/ directory of the site that needs the SSL certificate. In our example, we run cd /srv/my-brilliant-site.com/config.

  3. First we generate the key. To do this run openssl genrsa -out ssl.key 1024. This generates a 1024-bit key with no passphrase.

  4. Next we generate the certificate request. We run openssl req -new -key ssl.key -out ssl.csr. This produces a series of prompts. It is important that the correct information is entered at each prompt. In our case the exchange runs as follows.

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or
    a DN.  There are quite a few fields but you can leave some blank For
    some fields there will be a default value, If you enter '.', the field
    will be left blank.
     -----
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:North Yorkshire
    Locality Name (eg, city) []:York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bytemark Hosting
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, YOUR name) []:www.my-brilliant-site.com 1
    Email Address []:bob@my-brilliant-site.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:                                 2
    An optional company name []:

    1

    This is the name of the website that the SSL certificate is for. This must be correct. We’ve put www.my-brilliant-site.com because that is the name of the site we’re going to advertise and use.

    2

    Do not enter a challenge password.

With that request, you can buy a new certificate. To view the request, run cat ssl.csr. It will look like

-----BEGIN CERTIFICATE REQUEST-----
AIIB4zCCAUwCAQAwgaIxCzAJBgNVBAYTAkdCMRMwEQYDVQQIEwpNYW5jaGVzdGVy
MRMwEQYDVQQHEwpNYW5jaGVzdGVyMQ0wCwYDVQQKEwRCbGFoMQ8wDQYDVQQLEwZU
aGluZ3kxHjAcBgNVBAMTFW15LWJyaWxsaWFudC1zaXRlLmNvbTEpMCcGCSqGSIb3
DQEJARYacm9vdEBteS1icmlsbGlhbnQtc2l0ZS5jb20wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAMrTIaLKyvsxDz9WHhY5xJvHVKD+dmAuzpv2HichYejJQTTl
gXdfrrZjVWm45ZJy9TEcB5DM0qsQBSqseMner7YvAJJ3PlTd7o3Rkjztt1orP1e7
hAkpKLW2dQAvnr3RtK2w8mK+OdJYPSJfzoChCKlG64Un2VmgDfAiNMS4GCi1AgMB
AAGgADANBgkqhkiG9w0BAQUFAAOBgQBx1I52EXnKRL1YfPYIA8CXUeFRZzDbuVKQ
+fwP5Ig5BANBldMnRePY29RH7yJ2YRXTWHfo6erWT4DZVkJhLpWwBTqB/kGcjEjv
zN7D78VSSQzEb2fOcRcxd9fWmiIcIWINisjBv9gBbGH7L3UosOtdzEWyzpEjb+Or
nL4UrZV3JA==
-----END CERTIFICATE REQUEST-----

The entire output (including the BEGIN and END lines) should be copied and pasted into the appropriate part of the form when purchasing.

12.3. Purchasing a certificate

There are generally two types of SSL certificate: those that are self-signed, and those that are signed by a third-party. Self-signed certificates are free, but cause warnings to be produced in people’s browsers. Third-party certificates are purchased, and hopefully generate no warnings.

For an example of what a warning might look like in your browser, go to https://example.vm.bytemark.co.uk.

Purchasing a certificate is straightforward. The first part is the hardest: picking a supplier. There are many available, for example RapidSSL, Verisign, or Comodo.

During the purchase process, you will be asked for the certificate request. Instructions on how to do this are shown in Section 12.2, “Generating an SSL key and certificate request”.

Once purchased, you should end up with a new certificate, and possibly a "bundle". These should be downloaded onto your local computer. Installation of these is described in Section 12.4, “Uploading your new certificate, and optional bundle”.

12.4. Uploading your new certificate, and optional bundle

Now we have our certificate, we need to upload it on to our machine. If you’ve generated the certificate on the machine, you can safely skip this procedure.

  1. Connect to your machine using FileZilla.

  2. Navigate to the config/ directory of your domain, using the directory tree in the top right pane. We navigate to /srv/my-brilliant-site.com/config/.

  3. Find your new certificate and bundle (if applicable) on the local machine, and upload both to the remote machine.

  4. Once uploaded, we need to rename the files. This can be done by clicking on the filename in the lower right pane and selecting Rename from the menu.

    • The certificate should be renamed to ssl.crt.
    • The bundle (if applicable) should be renamed to ssl.bundle.

Once this procedure has been completed we can move on to the next section.

12.5. Making SSL mandatory

Once you’ve configured the SSL certificate, as described in the previous sections, you’ll find that your site is accessible to users over HTTP and HTTPS.

If you prefer to ensure that each visitor to your website uses the SSL-protected site you can make it mandatory by creating an empty file called config/ssl-only. This should cause the site to be reconfigured to redirect all traffic to the SSL-secured site.