Posts Tagged SSL
Enabling Apache SSL and installing own certificates
Posted by MB in Uncategorized on April 23, 2013
This is for Ubuntu Server 12.04 64-bit.
The easiest way to activate Apache’s SSL is:
a2enmod ssl a2ensite default-ssl service apache2 restart
That’s all for the setup, now for installing the certificates. I am using certificates from StartSSL, so your installation may be slightly different.
Copy the unencrpyted SSL private key to /etc/ssl/private, chown it www-data:www-data, chmod it 700.
Find the line containing SSLCertificateKeyFile, uncomment it, and change it to point to your private key file, like so:
SSLCertificateKeyFile /etc/ssl/private/(your private key file)
Copy your public key to /etc/ssl/certs.
Change the SSLCertificateFile line to point to your public certificate, like so:
SSLCertificateFile /etc/ssl/certs/(your certificate file)
Find the following line and uncomment it:
SSLCACertificatePath /etc/ssl/certs/
That’s it.
StartSSL SSL Certificate on Synology NAS using subdomain
Posted by MB in Uncategorized on November 13, 2012
This will explain how to generate and install SSL certificates on your Synology NAS to get rid of the pesky SSL certificate errors. I’ll be explaining specifically how to generate and install from StartSSL, who gives out free SSL certificates.
First, you will need to own or control a domain name, and have a subdomain set up and CNAME pointed to your Synology NAS’s IP address. You can find a walkthrough on how to set that up by reading this article. If you are having trouble with certificate domain mismatches, make sure you have read this article first: Synology DiskStation on a subdomain with dynamic IP address.
Once that’s set up, head over to StartSSL and follow the steps outlined below to validate a domain name and generate an SSL certificate.
Validate a domain name
Select the Validations Wizard and choose type Domain Name Validation
Enter the domain name you wish to validate, and continue. You are validating only the base domain name.
Select an email address to which the validation code will be mailed to, and then continue.
Enter the validation code you received via email, and continue.
Generating your SSL certificate
After verifying your domain ownership, you can now generate the SSL certificate.
Select Certificates Wizard and choose Web Server SSL/TLS certificate, as in the image below.
Generate a private key by inputting a password of at least 10 characters, choosing your key length, and selecting SHA1.
On the next screen, you will be given your generated, encrypted, private key with instructions to save it to a file called ssl.key, and what to do with it. For now, just create a new text file on your desktop, call it “encrypted_ssl_key” (or whatever), and hang on to it for later. I’ll explain what to do with it in a few more steps.
Next, you’ll be prompted to add a verified domain to your SSL cert. Choose the previously validated base domain.
Next, you’ll be prompted to enter a subdomain to add to the certificate. This is where you enter your NAS’s subdomain. For example, if your root domain is example.com, and your NAS is accessible via myds.example.com, enter myds.
The ready processing certificate screen will show next, and should include both your base domain name and the subdomain, like this following image.
The following screen will appear, and prompt you to save the certificate, as well as the intermediate certificates, which you will need for the Synology NAS. Save the certificate in a file called ssl.crt as instructed. Hold on to both it, and the two downloaded intermediate certificates for the following steps.
Decrypt the private key
One more step before we install the certs onto the NAS box. Head over to the StartSSL toolbox and click on Decrypt Private Key.
In the top box, paste the saved encrypted private key that you generated and named “encrypted_ssl_key” (or whatever). In the Passphrase box, enter the 10-character-or-so password that you set on it, and click decrypt. Save the decrypted key to a file called ssl.key.
Installing the SSL certs
Now we’re ready to install the SSL certs onto the Synology NAS. Log in as admin and head to Control Panel > Web Services. Click the HTTP Service tab and click Import Certificate.
For each of the following select the corresponding files
Private Key: Your decrypted ssl.key file
Certificate: Your ssl.crt file
Intermediate certificate: The sub.class1.server.ca.pem intermediate certificate you downloaded.
(If you forgot to download the intermediate certificates, you can get them again by following this link.)
Click ok, and you should see Restarting Web Server, like so
Assuming all went well, you should be able to go to the subdomain and see a good SSL certificate lock icon, like so in Chrome
Questions, comments, or otherwise, please feel free to share them in the comments below. Thank you!
Ubuntu, Apache, VirtualHosts, and SSL – part 2
Posted by MB in Uncategorized on May 18, 2011
In my first post about Ubuntu, Apache, VirtualHosts, and SSL I covered generating self-signed certificates and implementing them for Apache VirtualHosts. What I didn’t cover was — if you implemented this without a correct base configuration — you’d end up with some unexpected results if you tried to visit your base domain over SSL.
It’s simple to resolve this. First, edit /etc/apache2/ports.conf and modify as follows:
# If you add NameVirtualHost *:443 here, you will also have to change # the VirtualHost statement in /etc/apache2/sites-available/default-ssl # to # Server Name Indication for SSL named virtual hosts is currently not # supported by MSIE on Windows XP. + NameVirtualHost *:443 Listen 443
If you were reading closely, you know what to do next. Modify sites-available/default-ssl file and change the directive as follows:
Now, restart apache:
/etc/init.d/apache2 reload
Your base SSL domain will now display the expected DocumentRoot, but the certificate will contain the URL localhost.localdomain. To fix this run, as root:
make-ssl-cert generate-default-snakeoil --force-overwrite
— From /usr/share/doc/apache2.2-common/README.Debian.gz
If you install the ssl-cert package, a self-signed certificate will be
automatically created using the hostname currently configured on your computer.
You can recreate that certificate (e.g. after you have changed /etc/hosts or
DNS to give the correct hostname) as user root with:
make-ssl-cert generate-default-snakeoil –force-overwrite
—
Questions, comments, and feedback regarding this guide and welcome!
Forcing SSL for phpMyAdmin
Posted by MB in Uncategorized on May 16, 2011
After configuring WordPress to force SSL in the administration area, I was in phpMyAdmin and realized that it’s also not configured to do the same by default.
From the phpMyAdmin Wiki, add the following line at the end of your /etc/phpmyadmin/config.inc.php file
$cfg['ForceSSL'] = TRUE;
This will cause sessions to force SSL.
If you’re having issues making this work for you, check out my article involving Apache and SSL.
Questions, comments, and feedback are welcome.
Forcing the WordPress administration over SSL
Posted by MB in Uncategorized on May 14, 2011
From the WordPress administration over SSL guide, add the following directive to your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
This will cause logins and admin pages to force SSL sessions.
If you’re having issues making this work for you, check out my article involving Apache and SSL.
Questions, comments, and feedback are welcome.
Ubuntu, Apache, VirtualHosts, and SSL
Posted by MB in Uncategorized on May 4, 2011
The goal of this guide is to provide you with an Apache SSL configuration with a unique self-signed certificate for each VirtualHost.
These self-signed certificates are not intended for e-commerce or public-facing web sites. Rather, they are intended for SSL encryption of administration areas on personal websites or administration programs that have HTTP interfaces. Of course, if you have a commercially-signed certificate, you can skip the certificate-generation part of the guide, and proceed to implementing it in a VirtualHost configuration.
Written for Apache on Ubuntu Server 10.04.
First, install the base Apache SSL certificate and enable the Apache SSL module
sudo apt-get install ssl-cert
a2enmod ssl
This installs a base SSL certificate and a generic ‘default-ssl’ site configuration. We will be generating per-domain self-signed certificates later. We will also not be using the ‘default-ssl’ site configuration.
Generating Certificates
Generate a hostname-specfic SSL certificate by following these instructions quoted
— From /usr/share/doc/apache2.2-common/README.Debian.gz
To create more certificates with different host names, you can use
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt
This will ask you for the hostname and place both SSL key and certificate in
the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile
directive in the apache config (you don’t need the SSLCertificateKeyFile in
this case as it also contains the key). The file /path/to/cert-file.crt should
only be readable by root. A good directory to use for the additional
certificates/keys is /etc/ssl/private .
—
Example:
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/example.com.crt
Implementation
Now that the key is generated, we’re going to create an Apache VirtualHost configuration for SSL connection. Chdir to /etc/apache2/sites-available and copy (for example) example.com.conf to example.com-ssl.conf
Next, edit the example.com-ssl.conf file and make the following changes:
Example:
...
* Change the defined port number in the tag from 80 to 443
Example:
... ...
* At the end of the file, after the tag, add
...
* Within the tag, add the following directives:
SSLEngine On # The following should point to your SSL cert file in /etc/ssl/private SSLCertificateFile /etc/ssl/private/example.com.crt
— From /etc/apache2/sites-available/default-ssl
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
—
* Add the SSL workaround for MSIE in your section as follows:
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
— /usr/share/doc/apache2.2-common/README.Debian.gz
SSL workaround for MSIE
———————–
The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):
BrowserMatch “MSIE [2-6]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
BrowserMatch “MSIE [17-9]” ssl-unclean-shutdown
The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.
—
Lastly, enable the newly-created site and reload apache:
a2ensite example.com-ssl.conf
Enabling site example.com-ssl.conf.
Run '/etc/init.d/apache2 reload' to activate new configuration!
(This creates the symlink from /etc/apache2/sites-enabled to your config file in /etc/apache2/sites-available – you can also create it manually if your configuration requires it)
/etc/init.d/apache2 reload
* Reloading web server config apache2 [ OK ]
Of course, make sure after all of this that your firewall isn’t blocking port 443.
Questions, comments, and feedback regarding this guide and welcome!
PGP/GPG Keys in Ubuntu Gnome the easy way – Part 2
Posted by MB in Uncategorized on April 27, 2011
In part 1, I explained how to generate and manage your encryption keys in GNOME. Now I’ll explain how to use your keys to easily encrypt your email. I’m going to only address doing this in Evolution (the default email manager in GNOME). You can access the Evolution email account settings by going to System > Preferences > Email settings [Natty/Unity: System Settings > Email], and I’ll assume that Evolution is already set up for your email account.
Integration into Evolution is painlessly simple: You just need the Key ID of your key.
Go to System > Preferences > Passwords and Encryption Keys and look in the column under Key ID. The Key ID is hex, so it only uses the characters 0-9 and A-F.
Once you have the Key ID, start Evolution and go to Edit > Preferences > Mail Accounts and click your mail account and click edit. Then, go to the Security tab and enter your Key ID in the PGP/GPG Key ID field.
That’s it. Now whenever you compose a message, you’ll see the PGP menu which will allow you to sign and/or encrypt your email messages, and in the reading pane you will see the status of signed/encrypted messages sent to you.
Questions, comments, and feedback to this are welcome, as always.
