Setting up SSL - Part One

My notes documenting how I moved my site from http to https.

I hope this helps if you are planning to move your site to a secure host. I’ll keep this article concise and will assume you already own a domain and have a hosting company. Each hosting company and server operating system has its own way to set up a site from http to https, so my notes may not help your particular situation.

Digital Ocean

My personal site is hosted at digitalocean.com. Digital Ocean lets me spin up droplets, which is a cute name for your own private virtual server. Running my own server gives me ample opportunities to practice server admin tasks because it is my responsibility to manage it. That means I get to custom configure my box for my own needs as well as install security updates. The operating system is Ubuntu 14.04, codename trusty. My server has 1GB RAM, 30GB SSD Disk, 1 core processor and 2TB transfer per month, all for $10 per month.

Steps

These are the steps required in order to successfully secure your website with an SSL certificate:

  1. Purchase the SSL certificate
  2. Configure and submit the SSL certificate
  3. Validate and approve the SSL certificate
  4. Download and install the SSL certificate

My domain, scottgruber.me, is registered at hover.com. They are a good company. You can call them and a human being answers the phone, which is amazing these days in the United States. All the domains I buy are through them and I highly recommend giving them a try. However, their business model is focused on domain registration and email. Hover doesn’t sell SSL certificates. So I set up an account at DNSimple. Both offer great support and good value for the price.

DNSimple

After I created an account at DNSimple I was then able to purchase an SSL certificate for my domain. They have a straightforward interface to help you and you can email them if you have any questions. Here is a link to their how-to articles that explain the process step by step. Like a good recipe, it’s a good idea to read the entire recipe before starting to cook.

Skipping through those steps, you’ll wind up with three files to download. I need to then copy them to my server and configure them properly. It isn’t as hard as I thought, but I had help from the Indieweb community. Jeremy Keith wrote up his process and because he has the same server host I was able to follow along to install the files on my server.

  • www_scottgruber_me.crt
  • www_scottgruber_me_bundle.pem
  • www_scottgruber_me.key

Next step

  • Login to my server
  • Switch to root

Copy private key to my server

Move the Private Key that was generated earlier to the ssl.key directory, which is typically found in /etc/ssl/. This must be a directory which Apache can access.

  • create file: `nano /etc/ssl/private/www_scottgruber_me.key`
  • paste the contents of my RSA key found in the key file into this, then save and close that file.

Install your certificate on your server

  • nano /etc/ssl/certs/www_scottgruber_me_bundle.pem
  • paste contents of downloaded file of same name and save
  • nano /etc/ssl/certs/www_scottgruber_me.crt
  • paste contents of downloaded file of same name and save
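Pasting PEM text through an editor makes it easy to truncate a file or put the wrong contents under the right name. The script below is an added example, not part of the original notes: it confirms that the private key belongs to the certificate and that the key file is closed to group and others. The function names and the throwaway demo files are constructed for illustration; run it as root with the key and certificate paths above as its two arguments.

```sh
#!/bin/sh
# Added example (not from the article): sanity checks after pasting the files.

# True only when the certificate carries the public half of this private key.
key_matches_cert() {   # key_matches_cert <key file> <cert file>
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True only when group and others have no permission bits on the key file.
key_is_private() {     # key_is_private <key file>
    mode=$(stat -c '%a' "$1") || return 2          # GNU stat, as on Ubuntu
    [ $(( 0$mode & 077 )) -eq 0 ]                  # mode is read as octal
}

# Constructed sample data: a throwaway self-signed pair plus an unrelated key.
# Prints the temp directory holding site.key, site.crt and other.key.
make_demo_files() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$d/site.key" -out "$d/site.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1 || return 1
    chmod 600 "$d/site.key" "$d/other.key"
    echo "$d"
}

report() {             # report <key file> <cert file>
    if key_matches_cert "$1" "$2"; then echo "OK: key matches certificate"
    else echo "FAIL: key and certificate do not match (bad paste or wrong file)"; fi
    if key_is_private "$1"; then echo "OK: key is not readable by group or others"
    else echo "FAIL: tighten with chmod 600 $1"; fi
}

if [ $# -eq 2 ]; then
    report "$1" "$2"   # the .key and .crt paths used in the article
else
    # No arguments: demonstrate a mismatch using the constructed files.
    demo_dir=$(make_demo_files) && report "$demo_dir/other.key" "$demo_dir/site.crt"
    if [ -n "$demo_dir" ]; then rm -rf "$demo_dir"; fi
fi
```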

Switch back to user scott

  • `exit` does the trick to switch from root to scott

Set up https on Apache

Enable the ssl module:

`a2enmod ssl`
`service apache2 restart`

Configure two files. I pasted the following into these files to configure the server:

`ServerName scottgruber.me`
`ServerAdmin scott@scottgruber.me`
`ServerAlias www.scottgruber.me`
`DocumentRoot /var/www/html`

  • sudo nano /etc/apache2/sites-available/000-default.conf
  • sudo nano /etc/apache2/sites-available/default-ssl.conf

In default-ssl.conf I commented out these two lines and replaced them with my two files

`# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem`
`# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key`

`SSLCertificateFile      /etc/ssl/certs/www_scottgruber_me.crt`
`SSLCertificateKeyFile   /etc/ssl/private/www_scottgruber_me.key`

Next up was adding the bundle like this

`SSLCertificateChainFile /etc/ssl/certs/yourdomain_com.ca-bundle`

`SSLCertificateChainFile /etc/ssl/certs/www_scottgruber_me_bundle.pem`

Then use Ctrl+V to go down to the bottom of the file and paste this in above the closing </VirtualHost> tag

`SSLProtocol All -SSLv2 -SSLv3`
`SSLHonorCipherOrder On`
`SSLCompression off`
`SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'`

That line beginning with SSLCipherSuite needs to be all one line so watch out for line breaks if you’re copying and pasting. It’s quite an impressive bit of unintelligible gibberish, isn’t it?
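Each of the four directives above has to start its own line, and the quoted SSLCipherSuite value must not wrap. The lint below is an added example, not part of the original notes, that catches both paste mistakes and also flags an SSLProtocol line that leaves SSLv3 enabled or an SSLCompression line that is not off. The function names are hypothetical, the sample configs are constructed with a shortened cipher list, and directive names are matched case-sensitively as they are written in this article.

```sh
#!/bin/sh
# Added example (not from the article): lint the pasted TLS directives.

# Prints one finding per line; prints nothing when the input passes.
# Reads the files given as arguments, or stdin when there are none.
lint_ssl_conf() {
    awk -v q="'" '
    /^[ \t]*#/ { next }                      # skip commented-out lines
    {
        n = 0                                # directives found on this line
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SSL(Protocol|HonorCipherOrder|Compression|CipherSuite)$/) n++
        if (n > 1) print NR ": " n " directives fused on one line"
    }
    $1 == "SSLProtocol" && $0 !~ /[ \t]-SSLv3([ \t]|$)/ {
        print NR ": SSLv3 is not disabled"
    }
    $1 == "SSLCompression" && tolower($2) != "off" {
        print NR ": TLS compression is enabled"
    }
    # An odd number of quote characters means the value continues on the next line.
    $1 == "SSLCipherSuite" && (split($0, parts, q) - 1) % 2 {
        print NR ": cipher list quote not closed (line break in paste?)"
    }' "$@"
}

# Constructed samples; cipher tokens are taken from the list in the article.
good_conf() { printf '%s\n' \
    "SSLProtocol All -SSLv2 -SSLv3" \
    "SSLHonorCipherOrder On" \
    "SSLCompression off" \
    "SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:!aNULL:!MD5:!RC4'"; }

broken_conf() { printf '%s\n' \
    "SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCompression off" \
    "SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:" \
    "!aNULL:!MD5:!RC4'"; }

if [ $# -ge 1 ]; then
    lint_ssl_conf "$@"                       # path to the edited default-ssl.conf
else
    broken_conf | lint_ssl_conf              # demo on the constructed bad paste
fi
```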

Test

`service apache2 reload`

View apache log files

`sudo cat /var/log/apache2/error.log`

Redirect http to https

Once I was happy, then I set http to redirect to https. I did this by doing the following

  • nano /etc/apache2/sites-available/000-default.conf
  • Added the following line below DocumentRoot: `Redirect / https://scottgruber.me/`
  • Then stop and start Apache: `service apache2 restart`
  • Then test by going to scottgruber.me and see it’s automatically redirected to https://scottgruber.me
