DISCLAIMER: This is my current setup. Users with other distros beware.
I've just successfully figured out how to build trust in my website for FREE (during my 30 day trial)! I wanted to write it down for myself and hopefully relieve some of the frustration for others who may be trying to figure it out, but have no consolidated tutorial. Again - note the DISCLAIMER above. Along with that fact, this tutorial is basic and will only set it up so all pages are served via HTTPS - will figure out how to do the mix later...
Here are the basic steps we'll walk through to get this to work:
- Get an SSL certificate
- Install your SSL certificate
- Configure Apache to serve as HTTPS
- Hope for a miracle
Now... let's do this.
GET AN SSL CERTIFICATE
The first thing you'll have to do is choose where you want to get it from. I was directed to PositiveSSL by a trusted ex-Googler/friend and so that's what I went with. More specifically, because I was just playing around I decided to go with their free trial before I shelled out some ca$h-money. Here's where you'd go for that:
PositiveSSL - Free SSL Certificate for 30 days
So now that we are at the page, you need to click through, then discover you'll need to copy/paste a Certificate Signing Request (CSR).
Get a CSR
I would personally make a folder to temporarily store this stuff:
mkdir ssl_stuff
cd ssl_stuff
Then type the following to generate both your private key (the .key file) and public CSR (the .csr file):
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
It will then prompt you for some fields and most of them are optional...but why not:
Enter in your domain name in replacement of mydomain.com under 'Common Name.' It is also suggested that you make a backup of your myserver.key (or private key) just in case (I made mine myserver_backup.key).
Meow, copy paste the contents of your server.csr file back into the webpage and continue on to get your free certificate!
NOTE: You'll have to fill out a couple more annoying forms and hit complete!
Finally, you'll have to wait to get about 3 emails: the first will just be some rando confirmation, then an authentication email, then finally you'll get the email with the zip file of your SSL certificate!!!!!! Onward.
*Where I got my info : Comodo Support CSR Generation
INSTALL YOUR SSL CERTIFICATE
Boom! Be proud you made it this far. First thing you'll have to do is unzip your SSL certificate, and use Filezilla (or your favorite FTP client) or FTP straight up from Terminal like a boss to move those files (preferably) into the same folder you kept that other ish in. So hopefully the following command will work inside the ssl_stuff folder:
ls
mydomain_com.crt mydomain_com.ca-bundle myserver.key myserver_backup.key server.csr
Now you'll have to move the private key and certificates to the correct Apache folder. Depending on your distro it will still probably be in /etc/ssl/ somewhere under private and certs folders but here is what I had to do:
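An added example (not the commands from the original post): before moving anything, confirm the certificate you were emailed actually belongs to your private key, then install the key readable only by its owner. The function names and the optional ROOT argument are assumptions made for this sketch; the file names follow the listing above.

```shell
#!/bin/sh
# Added example: verify that key and certificate agree, then install them
# with tight permissions. ROOT defaults to /etc/ssl (assumption; varies by distro).

# Print the public key embedded in a private key, certificate, or CSR.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeeds only if the certificate was issued for this private key.
key_matches_cert() {
    k=$(pubkey_of key "$1") || return 1
    c=$(pubkey_of cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# install_tls_files KEY CERT BUNDLE [ROOT]
install_tls_files() {
    key=$1 cert=$2 bundle=$3 root=${4:-/etc/ssl}
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing to install: $cert does not match $key" >&2
        return 1
    fi
    mkdir -p "$root/private" "$root/certs" || return 1
    # Private key: owner read/write only. Certificates are public.
    install -m 600 "$key" "$root/private/" &&
    install -m 644 "$cert" "$bundle" "$root/certs/"
}

# Typical call, as root, from inside ssl_stuff:
#   install_tls_files myserver.key mydomain_com.crt mydomain_com.ca-bundle
```

A mismatch here usually means the CSR you pasted was generated from a different key than the one you kept, and Apache would refuse to start with that pair.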
KK COOL. Now you're going to have to configure Apache to find and use the SSL Certificate.
You'll need to find where you have your VirtualHost stuff set up but mine was in /etc/apache2/sites-enabled/000-default. Here's what you'll have to add to the file somewhere inside the VirtualHost tags:
*Where I got my info: Comodo Support Certificate Installation
Now run the following to just confirm that it works.
sudo a2enmod ssl #enable SSLEngine etc. to work
sudo service apache2 restart
If everything works fine and dandy you're good! If no, it's probably a spelling error...shame on you.
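Since the usual failure is a mistyped path, here is an added example (not from the original post) that checks every SSLCertificate* path in a VirtualHost file before you restart Apache. The sample vhost is constructed for illustration, with placeholder names and paths based on the file names used above; check_vhost_tls and sample_vhost are hypothetical helper names.

```shell
#!/bin/sh
# Added example: catch path typos in SSLCertificate* directives before a restart.

# Constructed sample of a 443 vhost; $1 is the directory holding certs/ and private/.
sample_vhost() {
cat <<EOF
<VirtualHost *:443>
    ServerName mydomain.com
    SSLEngine on
    SSLCertificateFile      $1/certs/mydomain_com.crt
    SSLCertificateKeyFile   $1/private/myserver.key
    SSLCertificateChainFile $1/certs/mydomain_com.ca-bundle
</VirtualHost>
EOF
}

# check_vhost_tls FILE: print one line per problem, return non-zero if any.
check_vhost_tls() {
    conf=$1 bad=0
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" ||
        { echo "SSLEngine on is missing"; bad=1; }
    # Collect "directive path" pairs; commented-out lines do not match.
    paths=$(awk 'tolower($1) ~ /^sslcertificate(key|chain)?file$/ {
                     gsub(/"/, "", $2); print $1, $2 }' "$conf")
    [ -n "$paths" ] || { echo "no SSLCertificate* directives found"; bad=1; }
    while read -r name path; do
        [ -n "$name" ] || continue
        [ -r "$path" ] || { echo "$name: cannot read $path"; bad=1; }
    done <<EOF
$paths
EOF
    return $bad
}

# Typical call, as root so the private key is readable:
#   check_vhost_tls /etc/apache2/sites-enabled/000-default
```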
CONFIGURE APACHE TO SERVE AS HTTPS
Alrighty troll, we're almost there. We've got most of this set up. Now we just have a few last Apache configuration steps so stay with me.
Tell Apache to redirect all HTTP requests to HTTPS
Add the following to your Apache httpd.conf file:
And type the following in terminal to enable RewriteEngine (etc) to work and then to check for spelling errors:
sudo a2enmod rewrite
sudo service apache2 restart
Tell Apache to serve through the HTTPS port
The default port being used for your pages is probably 80, which you need to switch to 443. It's as simple as just replacing 80 with 443 in your 000-default file. So it should look something like this:
Open up the HTTPS (443) port on your instance
So navigate over to your AWS Management Console and click:
- EC2 (on top toolbar)
- Instances (left toolbar) >> then read what security group it is
- Security Groups (left toolbar)
- Name of Security Group your instance was assigned
- Inbound (new loaded panel on bottom)
And now under 'Create new rule' select 'HTTPS' and click Add Rule. Finally click Apply Rule Changes (DON'T forget this).
HOPE FOR A MIRACLE
Ah young padawan, your final task:
sudo service apache2 restart
YAY! Now if you try to navigate to any page, it should automagically load as an HTTPS url rather than HTTP and everything should work! If not then... well... let me know! I will definitely be much more helpful if your setup is the same as mine, but if not I will do my best!
FINAL_NOTE_1: If Chrome/whatever-browser is saying you have insecure content but loads your SSL certificate, it is probably because some of the scripts (like jQuery or Webfont) you are loading are requested over HTTP. Simply change those to HTTPS, re-open your browser, and it should all work!
FINAL_NOTE_2: Here are some other sites I used while making this:
- Figuring out error on RewriteEngine: http://ubuntuforums.org/showthread.php?t=605077
- Figuring out error on SSLCertificate: http://ubuntuforums.org/showthread.php?t=953607
- Figuring out the RewriteEngine stuff: http://marzoa.com/2009/03/03/redirect-from-http-to-https-ssl-on-same-server/