DEV Community

Saif

SSL Installation on Apache Web Server

Websites need SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users. ... HTTPS is the secure form of HTTP, which means that HTTPS websites have their traffic encrypted by SSL.

Procedure to Install SSL Certificate in Linux Instances

  1. Purchase the SSL certificate from the SSL provider, i.e. namecheap.com.

  2. Generate the CSR and KEY files, either with an online generator or with openssl (both listed below).

CSR code (Certificate Signing Request) is a block of encoded text that is an essential part of SSL activation. It contains the website name and the company contact details. For many reasons, the code should be created on the hosting server end. On some servers, this is an obligatory condition.

Note: Many hosting providers offer CSR code generation assistance to their clients where possible. Thus, it is worth checking with the web-hosting company whether they provide such service and whether it is available on your hosting plan.

https://decoder.link/csr_generator

OR

openssl option

openssl genrsa -out domain_name.key 2048
openssl req -new -key domain_name.key  -out domain_name.csr

CSR Information

Please ensure you fill out the CSR code details correctly. This should speed up the process of obtaining the SSL. Furthermore, the validation process for OV and EV SSL certificates requires that business details be entered accurately.

-Common Name (the domain name the Certificate will be issued for)

-For example - example.com

-Note! For Wildcard certificates, the Common Name should be represented with an asterisk in front (e.g. *.example.com).

-Country (two-letter code)

-Country (C) – the two-letter code of the country where the company or applicant is located (for example, GB for Great Britain or US for the United States; you can check your country code here.)

-State (or province)

-State (S) – the state, county or region the company or applicant is located in (e.g. California).

-Locality (or city)

-Locality (L) – the city where the company or applicant is located (e.g. Los Angeles). This parameter should not be abbreviated.

-Organization (your company name. Feel free to put "NA" here for any Domain Validated certificate)

-Organization (O) – the officially registered name of the organization that is applying for a certificate (e.g. Namecheap Inc.). For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate; however, it should at least be filled in with "NA".

-Organizational Unit (department. Feel free to put "NA" here for any Domain Validated certificate)

-Organization Unit (OU) – the name of the department or division within the submitted organization (e.g. SSL Support).

-Email address (put a valid email address here)

-Email Address – an email address of the company or the applicant. This field is optional.

-Note! This email address won’t be used during the verification process, unless a mistake is found with any of the submitted details. However, this email will be considered an admin contact, unless you change it during the activation process. The SSL will be issued to the admin contact email address once it is activated.

-Challenge Password and Optional Company Name - please do not use challenge password and leave Optional Company Name field empty too. These values are now obsolete and may cause issues with getting the SSL certificate.
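The same key and CSR generation without interactive prompts, as an added example that is not part of the original post. It creates the key on the server with owner-only permissions, so the private key never leaves the host, fills the subject fields listed above through -subj, and checks the result. The function names and all field values other than the Common Name are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: non-interactive version of the two openssl commands above.
set -eu

# make_csr COMMON_NAME FILE_PREFIX
# Writes FILE_PREFIX.key and FILE_PREFIX.csr.
make_csr() {
    local cn="$1" prefix="$2"
    # umask 077 in a subshell: the key file is created owner-readable only.
    ( umask 077; openssl genrsa -out "$prefix.key" 2048 2>/dev/null )
    # -subj supplies the fields from the CSR Information list without prompts.
    # All values except the Common Name are constructed samples; the challenge
    # password and optional company name are left unset.
    openssl req -new -key "$prefix.key" -out "$prefix.csr" \
        -subj "/C=US/ST=California/L=Los Angeles/O=NA/OU=NA/CN=$cn"
}

# Print the subject the CA will see, most specific field (CN) first.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Succeeds if the CSR's self-signature verifies (file not truncated or edited).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeeds if the CSR was made from this private key, so the certificate
# issued for it will work with the key that stays on the server.
csr_matches_key() {
    local a b
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# Constructed demo in a temporary directory, including the wildcard case.
workdir=$(mktemp -d)
make_csr "example.com" "$workdir/example.com"
make_csr "*.example.com" "$workdir/wildcard.example.com"
csr_subject "$workdir/wildcard.example.com.csr"
csr_signature_ok "$workdir/example.com.csr" && echo "CSR signature OK"
csr_matches_key "$workdir/example.com.csr" "$workdir/example.com.key" && echo "CSR matches key"
```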

  3. Paste the CSR code into the namecheap DV authentication form


Select the domain control validation method among CNAME, File uploading and Email-based options:

Click Submit to confirm the domain control validation method and submit the order

Approve the certificate issuance. If you chose Email validation, an approver email will be delivered to the chosen approver address shortly after you finish the activation process. If you do not receive an email within 2 hours, please refer to the instructions provided in the What should I do if approval email was not delivered? article. When you confirm the issuance by following the link in the approver email, you should receive a signed certificate at the administrative email address you indicated during activation.

For HTTP-based validation, you need to upload a text file into a particular directory of your website (/.well-known/pki-validation/). If the domain is the primary one in your cPanel account, the document root is usually the public_html folder. The validation file can be downloaded from the page with the certificate details after it was activated.

Note: If you have activated the certificate with domain.com or www.domain.com indicated as FQDN in your CSR code, please make sure that the file is available via http://domain.com/.well-known/pki-validation/file.txt . In this case, www.domain.com is considered to be under your control as well.
The content of the file shouldn't be changed in any way, as the Comodo (now Sectigo) validation system is case sensitive.

After the Domain Validation is complete, the certificate and bundle files are issued.

Initially, all the certificates purchased through Namecheap are sent by a Certificate Authority to the administrative email address provided during activation. In case you have not received a validated Certificate for any reason, you can download the certificate into your account following the steps below.

  1. Sign in to your Namecheap account >> navigate to the Dashboard and open the SSL Certificates tab.
  2. Find the SSL certificate in question and click Download over on the right.

The ZIP file with your certificate will be downloaded to your computer. Once it is unzipped, you will see three files: *.crt, *.ca-bundle and *.p7b .
*.crt and *.ca-bundle are the files for Apache, Nginx, cPanel, etc.
*.crt is a file with your server certificate, and the *.ca-bundle is a file with the Certificate Authority Chain which should be installed on your server with your domain certificate.
*.ca-bundle is necessary for the browser to be able to check the CA signature of the certificate. If the bundle is missing, incomplete or broken, the browser might mark the website as untrusted or even restrict the connection, depending on the browser version and security settings.
*.p7b file is a certificate and CA Bundle combined into one file. The file is suitable for the certificate installation on Microsoft IIS and Tomcat servers.
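Before pointing Apache at the downloaded files, it helps to confirm that the *.crt matches the private key created with the CSR, covers the expected host name, and chains through the *.ca-bundle. This is an added example, not part of the original post; the function names are hypothetical, and the demo uses a throwaway self-signed certificate in place of a CA-issued one.

```bash
#!/usr/bin/env bash
# Added example: checks on the downloaded files before Apache is configured.
set -eu

# SHA-256 over the public key in a certificate / derived from a private key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }

# cert_matches_key CRT KEY: the *.crt belongs to the key generated with the CSR.
cert_matches_key() { [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]; }

# cert_covers_host CRT HOSTNAME: the certificate is valid for this name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# chain_verifies CRT CA_BUNDLE [ROOTS]: the *.ca-bundle links the certificate
# to a trusted root. ROOTS defaults to the system trust store.
chain_verifies() {
    local crt="$1" bundle="$2" roots="${3:-}"
    if [ -n "$roots" ]; then
        openssl verify -CAfile "$roots" -untrusted "$bundle" "$crt" >/dev/null 2>&1
    else
        openssl verify -untrusted "$bundle" "$crt" >/dev/null 2>&1
    fi
}

# Constructed demo: a throwaway self-signed certificate stands in for the
# issued *.crt, and a second, unrelated key shows the mismatch case.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
    -keyout "$demo/example.com.key" -out "$demo/example.com.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null

cert_matches_key "$demo/example.com.crt" "$demo/example.com.key" && echo "certificate matches key"
cert_matches_key "$demo/example.com.crt" "$demo/other.key" || echo "other.key does not match"
cert_covers_host "$demo/example.com.crt" example.com && echo "covers example.com"
```

With the real files, call `chain_verifies` with the *.crt and *.ca-bundle and no third argument so the system trust store is used.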

Configuring in the Apache Web Server

Installation check

First, we will check the exact location of the current configuration file for HTTP websites. For that, run the following command:

sudo apachectl -S

We can see the website configuration file (the one for non-secured HTTP connections via port 80) in the output. It is usually called "000-default.conf" or "domain_name.conf".

The default folder for such a file location is /etc/apache2/sites-available.

In this guide, we will show in detail how to add the settings for HTTPS port 443 into the same configuration file. However, we also recommend reviewing all possible ways to proceed - like separate configuration file creation in the /etc/apache2/sites-available or /etc/apache2/sites-enabled folder - here in the 'Tips and troubleshootings' part of this guide.

Before we proceed any further, we will need to make sure that SSL/TLS support is enabled on the webserver. For that, we will need to run the following command:

sudo a2enmod ssl

sudo service apache2 restart

Configuring the webserver

Now, configure the website to work with the SSL certificate.

  • If there were no SSLs installed on the webserver previously, check the configuration file name for the HTTP port 80 and open it in your text editor of choice (nano, vi, etc.).

Note: If you are following a different approach from the one shown here, keep in mind that your file name will be different, and you need to open your configuration file instead of the default one.

<VirtualHost *:80>
        ServerAdmin webmaster@example.com
        ServerName example.com
        DocumentRoot /var/www/html/
        # Send all plain-HTTP requests to the HTTPS site
        Redirect / "https://example.com/"
</VirtualHost>

<VirtualHost *:443>

        ServerAdmin webmaster@example.com
        ServerName example.com
        DocumentRoot /var/www/html
        SSLEngine on
        # Server certificate (*.crt from the ZIP file)
        SSLCertificateFile "/etc/apache2/ssl/example.com/__example.com.crt"
        # Private key generated together with the CSR
        SSLCertificateKeyFile "/etc/apache2/ssl/example.com/example.com.key"
        # CA chain (*.ca-bundle from the ZIP file). From Apache 2.4.8 this
        # directive is deprecated; the chain can instead be appended to the
        # file named in SSLCertificateFile.
        SSLCertificateChainFile "/etc/apache2/ssl/example.com/__example.com.ca-bundle"
        ErrorLog /etc/apache2/ssl/example.com/error_ssl.log
        CustomLog /etc/apache2/ssl/example.com/access_ssl.log combined

</VirtualHost>


<Directory /var/www/html/>
     AllowOverride All
     # Apache 2.4 access control; replaces the 2.2-style Order/Allow lines
     Require all granted
</Directory>

Then, make sure to replace the paths of the certificate files in the following sections:

SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile

Checking the configuration file and restarting the webserver

Now, make sure to check the file syntax by running this command:

apachectl -t

If the command responds with "Syntax OK", you can restart the webserver. To do that, run the command:

sudo service apache2 restart

The configuration file should be listed in the Apache configuration files list (it can be checked by running apachectl -S once again).

Done! The website is now secured. The installation can be checked here.
