SSL Certificates & Deployment Options
TLDR: Just run your DNS through Cloudflare and turn SSL on…could have used that knowledge a few hours ago…
NOTE: THIS ARTICLE ASSUMES YOU ALREADY HAVE A SERVER SET UP AND YOU HAVE SUDO SSH ACCESS.
If you’ve got what I assume is a pretty generic Ubuntu/Apache server setup, and you want to get this done quickly, just pay attention to Option 2.
As a developer you eventually get thrown into territory that distinctly feels like it shouldn’t be your territory, but nonetheless. If you’re going through hell, keep going!
Today I got charged with renewing an SSL certificate for a staging environment and installing it on an existing Apache/Ubuntu box. Here follows the journey.
SSL Certificates
Option 1 — Go Legit
Let’s look into buying a new certificate. Here’s a breakdown of prices from some of the world’s most popular suppliers:

Pricey, no? And for a staging server that will probably only have a lifespan of 3 months, not very practical.
Option 2 — letsencrypt.org

Well, say no more, friend. With major sponsors like Mozilla, Cisco and Facebook, it doesn’t seem like you can go wrong. These are obviously the droids you’re looking for.
Installing Your Certificate
Option 1 — Continued
Let’s say you forked out for the real deal, sweet, check your mail. Thanks trusted company xyz. Let’s cd to the folder containing our certificates.
Let’s get them onto our server (assuming once again this is an Ubuntu/Apache box):
scp *.crt server@server:/etc/apache2/ssl/siteToCertify
Now that our certificates are in the right place (or wherever you’d like to keep your certificates), we simply rename the new files to replace the existing certificates (it would be wise to keep a backup).
Now it’s time to get your VIM on to update the .config file associated with the site you’re updating. You’ll probably see two virtual host blocks in the config file, one for PORT 80 (Unsecured Connections), and another for PORT 443 (SSL secured connections).
It’ll follow the format of
<VirtualHost x.x.x.x:PORT></VirtualHost>
SSL specific code will only appear under PORT 443, that’s what we’re interested in.
Adjust the SSL portion with details from your new certificate:
- SSLCertificateFile: Your certificate file (yourdomain.crt)
- SSLCertificateKeyFile: Your key file (generated during CSR-creation)
- SSLCertificateChainFile: The intermediate certificate file (CA.crt)
Once that’s done, it’s time to test the config and restart the server:
$ apachectl configtest
$ apachectl stop
$ apachectl start
Assuming all went well, head over to your SSL checker of choice, or check the certificate in Chrome. Congrats, you’re done.
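The replace, backup and config-test steps above as one function that puts the old files back if Apache rejects the new ones. This is an added example, not part of the original article; the SSL_DIR and CONFIGTEST variables and the deploy_certs name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original article.
# Assumptions: SSL_DIR is the directory the vhost's SSLCertificate* directives
# point at, and CONFIGTEST is the command that validates the Apache config.
SSL_DIR="${SSL_DIR:-/etc/apache2/ssl/siteToCertify}"
CONFIGTEST="${CONFIGTEST:-apachectl configtest}"

# deploy_certs NEW_DIR
# Copies every *.crt in NEW_DIR over the files of the same name in SSL_DIR.
# Prints the backup directory on success.
# Returns 0 = installed, 1 = nothing changed (bad input or copy error),
#         2 = config test failed and the previous files were put back.
deploy_certs() {
    local new_dir backup f
    new_dir="$1"
    [ -d "$new_dir" ] && [ -d "$SSL_DIR" ] || return 1

    # Refuse to continue if there is no .crt file or one of them is empty.
    for f in "$new_dir"/*.crt; do
        [ -s "$f" ] || return 1
    done

    # Unique backup directory next to the live one.
    backup=$(mktemp -d "$SSL_DIR.bak.XXXXXX") || return 1
    cp -a "$SSL_DIR"/. "$backup"/ || return 1

    if ! cp "$new_dir"/*.crt "$SSL_DIR"/; then
        cp -a "$backup"/. "$SSL_DIR"/
        return 1
    fi

    # Private keys kept in the same directory should not be world-readable.
    for f in "$SSL_DIR"/*.key; do
        if [ -f "$f" ]; then chmod 600 "$f"; fi
    done

    # Validate before any restart; restore the old files if Apache objects.
    if ! $CONFIGTEST >&2; then
        cp -a "$backup"/. "$SSL_DIR"/
        return 2
    fi
    echo "$backup"
}
```

Run it as root with the directory holding the new .crt files as its argument, and restart Apache only when it returns 0.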
Option 2 — Continued
Head over to the Let’s Encrypt getting started page (I hope for your sake you have SUDO SSH access!), which will almost instantaneously send you to a page describing an amazing tool called CertBot.
Words simply cannot describe how simple this tool is in my opinion. I barely scratched the surface of what it’s capable of, but give the docs a read if you’re interested.

Pick your Webserver and OS, and you’re basically off. SSH into your server and get installing.

Install it, and run it. If your existing available site names were set up correctly, it’ll give you a nice list of sites to select from.

Select the names you’d like certificates for and to make a long story short, you should have your certificates generated and free of charge! Bash through the rest of the setup process.
Basically you specify a few more options, the most important of which is whether you’d like to allow secured and unsecured connections, or only secured connections.
And that’s it.
CertBot automatically applies the correct config to your .config file, which to my eyes simply strips out the SSL config under port 443’s virtualHost, and replaces it with something that resembles an environment variable pointed at /etc/letsencrypt/keys/.
It’ll look something like this:
So that was it, I got a free SSL certificate (that’ll last a year), configured it on a server, and thanks to a few friends learnt a few things about a topic I found pretty intimidating :)
Thanks for reading and I hope someone gleaned some value from my struggles!
P.S. Please get in touch if you believe I’ve made any mistakes in this piece, I’m only human you know.