Apache : Manually Adding SSL bindings

If you require an SSL certificate for your website, that obviously will be running on Apache, if you have an externally facing website, I would highly recommend you use Certbot - this will automatically renew the certificate with the let encrypt certificate of authority.

However, like this example sometimes we need to use specific certificate authorities on the Internet that don’t support automated certificate renewal, however, that list will be quite short in today’s technological age, or you need to generate a certificate from your in internal certificate authorities.

Firstly, We need to get the understanding of what you need to do to get the certificate working, this will contain binding the SSL certificate and redirecting non-SSL traffic to the SSL website.

Generate Certificates

I accomplish this particular goal using windows as our certificate Authorities run windows, so it’s easier to use the management console or Digicert to the certificate.

If you are using the Windows management console, it will do the whole process for you by generating the CSR on the information you give it sending that to the server and then merging the response so you get a complete certificate.

Note : If you use Digicert Or any other utility that gives you a CSR (Certificate signing request) Remember that the private key for that certificate remains on the server you generated it from, so you need to remember to export that CA response to the same server.

Copy over certificates

Site Certificate: /etc/ssl/certs/sitex.crt

Sure Private Key: /etc/ssl/certs/sitex.key

Certificate Authority's Certificate: /etc/ssl/certs/cachain.crt

Enable  SSL Module

a2enmod ssl

Create VirtualHosts HTTPS file 

Note : This file will be stored in /etc/apache2/sites-available and I have called this sitex-ssl.conf

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin skeletor@bythepowerofgreyskull.com
    ServerName bythepowerofgreyskull.com
    ServerAlias sitex.bythepowerofgreyskull.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/sitex.crt
    SSLCertificateKeyFile /etc/ssl/private/sitex.key
    SSLCertificateChainFile /etc/ssl/certs/cachain.crt

<Directory /var/www/html/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
  </VirtualHost>
</IfModule>

Create VirtualHosts HTTP file

Note : This file will be stored in /etc/apache2/sites-available and I have called this sitex-http.conf

<VirtualHost *:80>
    ServerAdmin skeletor@bythepowerofgreyskull.com
    ServerName bythepowerofgreyskull.com
    ServerAlias sitex.bythepowerofgreyskull.com
    DocumentRoot /var/www/html

  LogLevel warn
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable site config

We now need to enable the configuration files we have just created like this:

a2ensite sitex-ssl.conf
a2ensite sitex-http.conf

Enable SSL Module

If you do this and you have no TCP:443 binding that means usually you have not enabled SSL in Apache, so complete that use this command:

a2enmod ssl

Reload Apache

Restart Apache to make the changes live and active with this:

systemctl reload apache2

Add re-direct to HTTPS to HTTP configuration file

Note : This file will be stored in /etc/apache2/sites-available and I have called this sitex-http.conf and you need to add the line in bold.

<VirtualHost *:80>
    ServerAdmin skeletor@bythepowerofgreyskull.com
    ServerName bythepowerofgreyskull.com
    ServerAlias sitex.bythepowerofgreyskull.com
    DocumentRoot /var/www/html

  Redirect "/" "https://sitex.bythepowerofgreyskull.com/"

  LogLevel warn
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

PKCS8 issues (possible you need a PKCS1 coversion)

If you have issues with your certificate binding to Apache then you may wish to check out the contents of your private key with the command:

cat /etc/ssl/certs/server.key

If your private key begins with -----BEGIN PRIVATE KEY-----, it is likely in PKCS#8 format, which is a more modern and general-purpose format and may cause you issues with certain bindings.

You may need to convert these to the traditional PKCS#1 format, which begins with -----BEGIN RSA PRIVATE KEY----- if not you may get binding errors, to convert this key to RSA you can use this command:

openssl rsa -in /etc/ssl/private/server.key -out /etc/ssl/private/server_rsa.key

This will the give you the RSA key with "_rsa" in the name, from there you can keep the original file or override it with this command:

mv /etc/ssl/private/server_rsa.key -out /etc/ssl/private/server.key
Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„