revamp
Published in

revamp

Deploying SSL certificates on Apache Server.

Security is an important part of development when you decide to go into production. Being a backend developer, adding SSL certificated to your endpoints is the most basic thing that you can do towards securing your production API endpoints. SSL adds the end-to-end encryption to your data sent over HTTP and hence make it secure HTTP, hence called “HTTPS”.

I have had a hard time figuring out how to deploy my SSL certificates onto my Apache server that is hosted on another web host. So after trying so hard and searching for a few references on the internet, I came to a solution and so I decided to put it into a blog post. Deploying the SSL is not as hard as it sounds. The process of deploying certificates is a pretty simple two-way step.

Considering you already have a website say, http://mywebsite.com running on a web server that you have shell access to. And let’s assume that you want to secure this website endpoint via SSL and hence making the endpoint to https://mywebsite.com. You will need to purchase the SSL certificate with the subscription. DigiCert and GoDaddy are the most famous providers that you can consider. I will use GoDaddy for this blog post because I already have an SSL purchased on GoDaddy and I can use that to demonstrate the steps.

Requesting the new certificate

After purchasing the SSL, you need to request the certificate for the website domain, which is http://mywebsite.com in our case. In order to request the SSL certificate you will need CSR request generated that contains the information related to your target domain and hence will be used as a key to generating the SSL certificate. There are two ways to generate the CSR request.

  1. You can use the GoDaddy SSL wizard to request a new certificate. This wizard will also create the CSR request and a private key for your SSL.
  2. You can use the standard SSL commands to generate the CSR requests on the server console. This is done by logging into the server terminal over SSH. This method is the preferred way because this will also save the key file on the server which you might need to copy to the server later if using the first method.

Generating the CSR

I will be using the second method to generate the CSR on the server:

  1. Log into the server terminal.
  2. Considering you are configuring the SSL for the apache server. Let’s go into the apache configuration directory by:
sudo bash
cd /etc/apache2/sites-available

3. Create a configuration file for your application.

touch mywebsite.conf
nano mywebsite.conf

4. Adding your VirtualHost configuration.

<VirtualHost *:80>
ServerName www.mywebsite.com
ServerAdmin webmaster@localhost
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
ProxyPass / http://localhost:8001/
<Proxy *>
Require all granted
</Proxy>
<Location /development>
ProxyPass http://localhost:3000
ProxyPassReverse http://127.0.0.1:3000
</Location>
<Location /admin>
ProxyPass /admin http://localhost:8002
ProxyPassReverse /admin http://127.0.0.1:8002
</Location>
ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log
CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined
</VirtualHost>

Creating a symlink will allow handling the deployed and un-deployed applications by creating a link of sites-available into sites-enabled, hence allowing auto-deployment of sites-enabled whenever apache is booted up.
Linking the config file with the deployed apache configurations:

ln -s /etc/apache2/sites-available/mywebsite.conf /etc/apache2/sites-enabled/

Testing the configurations:

apachectl configtest

Now restart apache to discover your website services:

apachectl restart

or

service restart apache2

5. Now in this directory, we will run the command to generate the CSR request and a private key that we will later use to configure SSL on the apache server.

openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr

You have to replace “mywebsite” with the domain of your website. Say, for “Facebook.key” and “facebook.csr”

This command will generate 2 files:

  • A cryptographic private .key file. That will be needed in .conf configuration file.
  • And an .csr file that will be needed to generate the SSL certificate.

Request the certificate with existing CSR

There is an option on GoDaddy that allows you to request SSL certificates when you already have an existing CSR. That is one of the reasons we chose the second method to generate CSR because you might need to regenerate the SSL for another domain, in that case, the First method won’t work and you’ll have to follow step 2 for CSR.

  1. On the certificate Setup page, input a CSR.
  2. If you already own a certificate and doing the rekey process then select the SSL key and choose rekey and Manage option.

3. Input the generated CSR and click Save. After this process, you might need to perform the domain verification process (If not done already). This process. simply requires you to verify that you are the actual owner of the domain that you are requesting SSL for. This is typically done by adding a verification id to the domain name record and provide the value generated by GoDaddy. Set the minimum TTL i.e. 600 seconds and wait until GoDaddy automatically verifies the domain. After the verification is done, GoDaddy will allow you to download the SSL certificates which as distributed as .zip file.

4. On extracting the zip file, you will find 3 files:

  • *.crt file provided by the GoDaddy.
  • *.bundle.crt file provided by GoDaddy.
  • *.pem key file.

You will need both of the *.crt files in the configuration file and the .key file that you’ve got after generating the CSR request.

Renaming and Moving the file to the server

After downloading, we move the .crt files to the server. I will use the scp command to copy files to the server over SSH.

renaming the files to:

  • mywebsite.com.crt
  • mywebiste.bundle.crt for *.bundle.crt file.

moving the files to the server folder:

sudo scp *.crt root@host:/etc/apache2/sites-available/

You will need the root permission in ssh to move files to /etc/apache2/sites-abailable/ directory. Replace host with your server host name and scp will also prompt for password in the next step.

This will copy the .crt files to the /etc/apache2/sites-available/directory on server.

SSL configurations for the apache config file

Finally, we will configure the apache configuration file to enable the SSL in the Virtual host.

nano /etc/apache2/sites-available/mywebsite.conf

and now your configuration will look like:

<VirtualHost *:80>
ServerName www.mywebsite.com
Redirect permanent / https://mywebsite.com
</VirtualHost>
<VirtualHost *:443>
ServerName www.mywebsite.com
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile sites-available/mywebsite.com.crt
SSLCertificateKeyFile sites-available/mywebsite.key
SSLCertificateChainFile sites-available/mywebsite.bundle.crt
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
ProxyPass / http://localhost:8001/
<Proxy *>
Require all granted
</Proxy>
<Location /development>
ProxyPass http://localhost:3000
ProxyPassReverse http://127.0.0.1:3000
</Location>
<Location /admin>
ProxyPass /admin http://localhost:8002
ProxyPassReverse /admin http://127.0.0.1:8002
</Location>
ErrorLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log
CustomLog ${APACHE_LOG_DIR}/busapp/busapp-backend.log combined
</VirtualHost>

Restart the server

Use the following command to restart the apache server

apachectl restart

or

service restart apache2

You’ll see that now not even https://mywebsite.com will start working, also, visiting http://mywebsite.com will redirect you directly to https://mywebsite.com. Also, you’ll start seeing the fancy security lock on top of your web browser.

If you have any doubts, do let me know in comments section. I would be happy to help you out. Also if you need help related to any other web server, say nginx, tomcat, etc. Let me know in the comments. I will help you out or create another post for that. Till then, Happy coding and happy security.

References

  1. https://linuxize.com/post/how-to-set-up-apache-virtual-hosts-on-ubuntu-18-04/
  2. Apache Redirect to HTTPS — How to Redirect to HTTPS on Apache — Namecheap
  3. https://serverfault.com/a/478048

--

--

--

We are a team for passionate people working curiously towards better code. Wekeep trying new stuff to improve the development process and optimize the existing code base. Using the best coding practices by trial and error and research. Let us share it all with you.

Recommended from Medium

English, Latin and Greek Roots Cheat Sheet

English, Latin and Greek Roots Cheat Sheet

How a Quadcopter Works — Flight Mechanics, Components, & Sensors (2)

Register Generic Classes in ASP.NET Core DI

The Data Playbook for Every Executive Leader in a Financial Services Organization— Announcing the…

About Selenium Automation Certifications

NEW YEAR OLD CODE

Understanding Objects in Ruby through FanFiction

Android Application Development — Reaching more customers through mobile technology

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
gaurav sharma

gaurav sharma

The mass of men leads a life of quiet desperation. I just want to live deep and suck out all the marrow of life. https://www.lifeinmybackpack.in

More from Medium

It Works On My Machine

Automate HTTPS Certificates with Ansible Roles ft. Let’s Encrypt & CloudFlare

Setup Container Redis, run commands, and publish/subscribe messages

REDIS Installation on Linux Server