Installing an SSL certificate on Apache2 on CentOS 5
If you have not generated a certificate yet, I suggest you jump to the "Generate Certificate" section at the end first, then scroll back up.
Checks to be made in /etc/httpd/conf.d/ssl.conf, under <VirtualHost _default_:443>:
1. ServerName www.<mysite.com>:443
(If the browser reports SSL_ERROR_RX_RECORD_TOO_LONG, or Firefox complains about an "unsupported proxy", Apache is answering plain HTTP on port 443: while you set ServerName, also confirm that SSLEngine on is present and uncommented in this VirtualHost and that mod_ssl is loaded.)
2. In ssl.conf: SSLCertificateFile <path to>/www.<mysite.com>.crt
This is the certificate file sent back by the SSL certificate provider.
3. In ssl.conf: ensure SSLCertificateKeyFile points at the .key file generated in the last section. Keep that file readable by root only (mode 600): anyone who can read it can impersonate the site.
4. In ssl.conf: SSLCertificateChainFile <path to>/gd_intermediate_bundle.crt
The bundle file comes with the certificate (at least with GoDaddy). Without it, browsers that do not already hold the intermediate certificate report the issuer as untrusted.
5. Check iptables: incoming TCP on port 443 must be accepted.
6. Check that mod_ssl and openssl are installed (yum list installed | grep -i ssl should show both).
7. Check router port forwarding is enabled for port 443.
8. If you are testing from a machine on the same LAN as the web server, there is a chance the router cannot loop a connection to its own external, ISP-issued IP back to the server, so it is impossible to test your own website "from the internet" while you are on the intranet. Some routers don't permit it at all, e.g. the Netgear DG814 with firmware v4.10 or below.
The fix is to use a proxy server like www.turbohide.com for testing, or even to install (read the warning before buying) HideMyIP from www.hide-my-ip.com to fake the IP of the machine used to test. You get a 3-day trial, or buy it for £16 or so. Either way your test traffic, including any password challenge, passes through a third party, so test with throwaway credentials. Warning: HideMyIP will reduce your bandwidth very noticeably unless you upgrade to the premium service; this is probably because of the proxies used, as the free ones suffer too. There are other products, but I've not tried them.
9. Restart the web server:
# /usr/sbin/apachectl graceful
httpd not running, trying to start
Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.<my site>.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
The pass phrase prompt appears because the key was generated encrypted (genrsa -des3, see the last section). If your key is encrypted and you are not prompted the first time you start, httpd is not reading that key and the cert is not installed properly. Bear in mind that an encrypted key means someone has to type the pass phrase at every httpd start or reboot; see SSLPassPhraseDialog in ssl.conf if that is not acceptable.
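A script that walks through checks 1-9 from the shell, as an added example that is not part of the original post. The paths at the top (SSL_CONF, CRT, KEY, CHAIN) and the host name are assumptions based on the CentOS 5 defaults under /etc/pki/tls and the file names used above; override them from the environment. Run it as root with `bash ssl-check.sh check`.

```bash
#!/bin/bash
# Post-install checks for the Apache 2.2 / mod_ssl setup in steps 1-9.
# Added example, not from the original post. All paths below are assumptions:
# edit them (or export them) to match your own ssl.conf.

SSL_CONF=${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}
CRT=${CRT:-/etc/pki/tls/certs/www.mysite.com.crt}
KEY=${KEY:-/etc/pki/tls/private/www.mysite.com.key}
CHAIN=${CHAIN:-/etc/pki/tls/certs/gd_intermediate_bundle.crt}
HOST=${HOST:-www.mysite.com}
# Set KEYPASS if the private key is encrypted (genrsa -des3); otherwise leave empty.

# Steps 1-4: the directive must be present and uncommented in ssl.conf.
conf_has() {                                   # conf_has DIRECTIVE FILE
    grep -Eq "^[[:space:]]*$1[[:space:]]" "$2"
}

# Steps 2-3: certificate and private key must carry the same RSA modulus;
# a mismatch (old key, new cert) makes httpd refuse to start.
cert_key_match() {                             # cert_key_match CRT KEY
    local c k
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" ${KEYPASS:+-passin pass:$KEYPASS} 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 4: the intermediate bundle must link the issued cert to a trusted root.
# TRUST is optional: a CA file to use instead of the system store (for test
# boxes and self-signed certs); real browsers use their own store.
chain_ok() {                                   # chain_ok CRT CHAIN [TRUST]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Steps 5-6: port 443 accepted by iptables (needs root) and mod_ssl installed.
port_443_open() { iptables -L INPUT -n 2>/dev/null | grep -q 'dpt:443'; }
mod_ssl_installed() { rpm -q mod_ssl >/dev/null 2>&1; }

# Step 9 seen from a client: a real TLS handshake. If no certificate comes
# back, httpd is talking plain HTTP on 443, which the browser reports as
# SSL_ERROR_RX_RECORD_TOO_LONG.
handshake_ok() {                               # handshake_ok HOST
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

run_all() {
    for d in ServerName SSLEngine SSLCertificateFile \
             SSLCertificateKeyFile SSLCertificateChainFile; do
        report conf_has "$d" "$SSL_CONF"
    done
    report cert_key_match "$CRT" "$KEY"
    report chain_ok "$CRT" "$CHAIN"
    report port_443_open
    report mod_ssl_installed
    report handshake_ok "$HOST"
}

# Only run the checks when asked, so the functions can be sourced elsewhere.
case "${1:-}" in check) run_all ;; esac
```

The directive check only catches a missing or commented-out line (the stock ssl.conf ships with ServerName commented out); a wrong path is caught by cert_key_match, and a wrong bundle by chain_ok.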
10. Protect your pages. For example (there are many variants on the net), in PHP:
<?php
// Anything that did not arrive on the SSL port is sent to the SSL site,
// keeping the requested path; 301 so browsers remember the redirect.
if ($_SERVER['SERVER_PORT'] != 443)
{
    header('Location: https://www.mysite.com' . $_SERVER['REQUEST_URI'], true, 301); // SSL site now
    exit;
}
and/or set up a rewrite in the plain-HTTP configuration (httpd.conf, or a *:80 VirtualHost). It must not go in ssl.conf: the _default_:443 VirtualHost only ever sees requests on port 443, so a SERVER_PORT condition there never matches and the rule does nothing.
<Location /mywebfolder>
RewriteEngine on
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^.*/mywebfolder(.*)$ https://%{SERVER_NAME}:443/mywebfolder$1 [R,L]
</Location>
or .htaccess in the web folder (honoured only where AllowOverride permits it; check the <Directory> block in httpd.conf). Here we are challenged for a password, and the file says where the .htpasswd file is:
AuthUserFile /var/www/html/.htpasswd
AuthName "Secret stuff going on here - you need a password"
AuthType Basic
Require valid-user
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
Caveat: Apache checks authentication before it evaluates per-directory RewriteRules, so a visitor who reaches this folder over plain http:// is asked for the password first, and Basic auth sends it in clear; only then is he redirected. Keep the redirect in the port-80 configuration and add SSLRequireSSL to the folder so non-TLS requests are refused outright. Also prefer keeping .htpasswd outside the document root: Apache's default <Files ~ "^\.ht"> block stops it being served, but there is no need to rely on that.
If any of this is not working, check error_log in /etc/httpd/logs (a symlink to /var/log/httpd on CentOS). Don't forget to apachectl graceful after every change, and clear the browser session between tests, or the cached credentials will hide whether the password challenge is working.
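The same protection done in the server configuration rather than from .htaccess, as an added example that is not part of the original post. It assumes the host name www.mysite.com, the folder /var/www/html/mywebfolder and an .htpasswd moved out of the document root to /etc/httpd/conf/.htpasswd (all assumptions to edit). The redirect lives on the port-80 side, where a non-TLS request can actually arrive, and SSLRequireSSL makes the folder refuse plain HTTP before any password is requested:

```apache
# httpd.conf: the plain-HTTP side. Send every request to the SSL site,
# preserving the path; R=301 so browsers cache the redirect.
# Assumed names: www.mysite.com, /var/www/html/mywebfolder, /etc/httpd/conf/.htpasswd
<VirtualHost *:80>
    ServerName www.mysite.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.mysite.com/$1 [R=301,L]
</VirtualHost>

# Still in httpd.conf, outside any VirtualHost so it applies on both ports.
# SSLRequireSSL is evaluated before authentication: should the redirect above
# ever be removed, a request on port 80 gets 403 instead of a password prompt.
<Directory /var/www/html/mywebfolder>
    SSLRequireSSL
    AuthType Basic
    AuthName "Secret stuff going on here - you need a password"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user
</Directory>
```

With the rules in httpd.conf, no AllowOverride is needed and the folder cannot be opened up again by a stray .htaccess. Reload with apachectl graceful, then confirm that http://www.mysite.com/mywebfolder/ redirects without ever showing the password dialog.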
Generate Certificate
Execute this (2048 bits: public CAs no longer accept 1024-bit keys. The -des3 flag encrypts the key with a pass phrase, which httpd will ask for at every start; drop it only if the file is protected by permissions alone):
openssl genrsa -des3 -out www.<my site.com>.key 2048
Using that key file, execute this and answer the Common Name prompt with the exact host name users will type, www.<my site.com>:
openssl req -new -key www.<my site.com>.key -out <my site.com>.csr
The resulting file is <my site.com>.csr.
`cat` the file, copy the content and paste it into the browser when prompted by the SSL issuer. Only the .csr leaves the machine; the .key file stays on the server and is never sent to anyone.
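The key and CSR generation above as a script, with the checks to run before pasting the CSR into the issuer's form. This is an added example, not part of the original post; the site name, the subject fields (C, ST, L, O) and the file names are assumptions to edit. It goes beyond the two commands above by encrypting the key with AES instead of 3DES, by checking that the CSR really was signed with the key you are about to install, and by reading back the Common Name so a typo is caught before the CA signs it.

```bash
#!/bin/bash
# Key + CSR generation for the "Generate Certificate" section. Added example,
# not from the original post. Assumed: SITE below and the subject fields in
# make_csr; KEYPASS (optional) is read from the environment, not argv, so the
# pass phrase does not show up in ps.

SITE=${SITE:-www.mysite.com}

# 2048-bit RSA; 1024-bit keys are no longer accepted by public CAs.
# With a PASS the key is encrypted (AES-256 rather than the 3DES of -des3)
# and httpd asks for it at every start; without one it is stored in clear.
make_key() {                                  # make_key KEYFILE [PASS]
    if [ -n "$2" ]; then
        openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
    else
        openssl genrsa -out "$1" 2048 2>/dev/null
    fi && chmod 600 "$1"
}

# The CSR carries the subject the CA signs; CN must be the host users type.
make_csr() {                                  # make_csr KEYFILE CSRFILE CN [PASS]
    local pass_opt=
    [ -n "$4" ] && pass_opt="-passin pass:$4"   # assumes a pass phrase without spaces
    openssl req -new -key "$1" $pass_opt -out "$2" \
        -subj "/C=GB/ST=State/L=Town/O=Example Ltd/CN=$3" 2>/dev/null
}

# Print the CN from a CSR (works with both "CN=x" and "CN = x" output styles).
csr_cn() {                                    # csr_cn CSRFILE
    openssl req -noout -subject -in "$1" 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The CSR must be built from the key that will sit in SSLCertificateKeyFile;
# compare the RSA modulus of both so a stale key is caught before submission.
csr_key_match() {                             # csr_key_match CSRFILE KEYFILE [PASS]
    local c k
    c=$(openssl req -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" ${3:+-passin pass:$3} 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Generate CN.key and CN.csr and refuse to report success unless both checks pass.
generate() {                                  # generate CN [PASS]
    make_key "$1.key" "$2" && make_csr "$1.key" "$1.csr" "$1" "$2" \
        && csr_key_match "$1.csr" "$1.key" "$2" \
        && [ "$(csr_cn "$1.csr")" = "$1" ]
}

case "${1:-}" in
    gen) generate "$SITE" "${KEYPASS:-}" && echo "CSR ready to paste: $SITE.csr" ;;
esac
```

Usage: `SITE=www.mysite.com KEYPASS='...' bash make-csr.sh gen`, then `cat www.mysite.com.csr` and paste it into the issuer's form. Leave KEYPASS unset for an unencrypted key that httpd can load without a prompt.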