SSL installation and configuration tutorial in a LAMP environment

Source: Internet
Author: User
Tags install openssl openssl require free ssl ssl connection sub domain certbot letsencrypt


HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a security-oriented channel; put simply, it is the secure version of HTTP. An SSL layer is added beneath HTTP, and SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL. On Linux distributions, SSL is generally provided by the OpenSSL suite.
By default, LAMP does not have SSL turned on, so it needs to be configured manually. This tutorial summarizes that manual configuration process.
The following steps deploy SSL one at a time, starting with requesting a CSR.


1. Generate the Certificate Signing Request (CSR) file

This step uses the openssl command, so OpenSSL must be installed.
On CentOS:

yum install -y openssl openssl-devel
On Debian or Ubuntu:

apt-get install -y openssl
For an RSA 2048 private key, the command is as follows:

openssl req -new -nodes -newkey rsa:2048 -sha256 -keyout server.pem -out server.csr
For an ECC 256 private key, the commands are as follows:

openssl ecparam -out server.pem -name prime256v1 -genkey
openssl req -new -key server.pem -out server.csr
The above command starts an interactive prompt when the CSR is generated, as follows:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN // country code
State or Province Name (full name) []:shanghai // province
Locality Name (eg, city) [Default City]:shanghai // city
Organization Name (eg, company) [Default Company Ltd]:teddysun // organization or company name (any value will do)
Organizational Unit Name (eg, section) []: // department, may be left blank
Common Name (eg, your name or your server's hostname) []:teddysun.com // the domain; *.teddysun.com would be a wildcard domain, and ordinary certificates are normally issued to also cover the www subdomain
Email Address []:admin@teddysun.com // email address (must be a mailbox at the domain, used to verify domain ownership)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // leave blank
An optional company name []: // leave blank
Attention:
Here server.pem is the private key; keep it safe. It is needed when you configure the certificate you apply for. If the private key is lost, the certificate becomes unusable and you can only apply for a new one.
In general, an RSA 2048 certificate is sufficient.

When all the above steps are complete, two files have been generated:
server.pem
server.csr

Download them to your local machine and keep them safe. Open server.csr with any text editor and use its contents to apply for a certificate.

It is best to rename these two files after your own domain name so they are easy to identify, for example:
teddysun_com.pem
teddysun_com.csr
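The same key and CSR generation done non-interactively, as an added example that is not part of the original tutorial: the DN is passed with -subj instead of being typed at the prompts above, the domain and its www subdomain are listed as Subject Alternative Names, and the CSR is checked against the private key before it is submitted. It assumes openssl 1.1.1 or newer (for -addext); the DN values and domain are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the RSA 2048 key and
# CSR non-interactively, then check the CSR against the key before submitting it.
# Assumes openssl 1.1.1 or newer for -addext. The DN values are constructed.
set -eu

# make_csr DOMAIN KEYFILE CSRFILE
# Same as the interactive "openssl req" in the tutorial, but the DN comes from
# -subj and the domain plus its www subdomain are listed as Subject Alternative
# Names, which is the field CAs and browsers actually match against.
make_csr() {
    domain=$1; key=$2; csr=$3
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=Example Ltd/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
    # The private key cannot be recovered; if it leaks or is lost the certificate
    # must be reissued, so restrict it to its owner as soon as it exists.
    chmod 600 "$key"
}

# csr_matches_key CSRFILE KEYFILE
# Succeeds only when the public key inside the CSR was derived from KEYFILE,
# i.e. the certificate the CA issues will actually work with this key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]; then
        return 0
    else
        return 1
    fi
}

# csr_subject CSRFILE -> prints the DN so it can be checked before submission
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# csr_sans CSRFILE -> prints the SAN entries (empty when the CSR has none)
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone use: ./make_csr.sh teddysun.com  -> teddysun.com.pem and teddysun.com.csr
if [ "${1:-}" ]; then
    make_csr "$1" "$1.pem" "$1.csr"
    csr_matches_key "$1.csr" "$1.pem" && echo "CSR matches private key"
    csr_subject "$1.csr"
    csr_sans "$1.csr"
fi
```

Run it with the domain as the only argument; the subject and SAN lines it prints are what the CA will see, so review them before uploading the CSR. The key/CSR match check is also the first thing to run when a freshly installed certificate makes Apache fail to start.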

2. Apply for the certificate

There are currently about five free SSL (DV) certificate providers on the market:
1) letsencrypt (https://github.com/certbot/certbot)
2) StartSSL (https://www.startssl.com/)
3) WoSign (https://buy.wosign.com/free/)
4) Comodo
5) AlphaSSL
The first three are easier to apply for; the latter two also offer free certificates.

Paid certificates come in many varieties and are not covered here.

The application process itself is omitted.

In the end you will receive a certificate file (usually with the suffix .crt).
Attention:
Some certificates (such as Comodo and AlphaSSL) also require the certificate chain to be merged: the certificate you obtained and the CA bundle (intermediate and root certificates) are combined into one file for use.
Each certificate chain is different. If you applied through letsencrypt, a certificate with the complete chain is already provided by default at:
/etc/letsencrypt/live/<domain>/fullchain.pem

Tip: how do I combine a certificate chain?
Open your certificate file (for example teddysun_com.crt) with any text editor, append the entire contents of the CA bundle (teddysun_com.ca-bundle) to the end of the text, and save it.
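The merge described in the tip above, done from the shell and verified before Apache ever loads the file, as an added example that is not part of the original tutorial. The CA and leaf produced by make_test_pair are constructed throwaway certificates that stand in for a real CA's output; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): merge a server certificate with
# its CA bundle into one chain file and verify the result with openssl before
# Apache loads it. make_test_pair creates constructed throwaway certificates,
# valid for one day, used only to exercise the functions.
set -eu

# merge_chain LEAF CA_BUNDLE OUT
# The server certificate must come first, followed by the intermediates and
# root that lead up to it. A file without a trailing newline would glue two
# PEM blocks together, so a newline is inserted and empty lines are dropped.
merge_chain() {
    { cat "$1"; echo; cat "$2"; } | sed '/^$/d' > "$3"
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# chain_ok MERGED -> succeeds when the first certificate in MERGED verifies
# against the remaining certificates in the same file (a bundle ending in a root).
chain_ok() {
    leaf=$(mktemp); rest=$(mktemp)
    awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" > "$leaf"
    awk '/BEGIN CERTIFICATE/{n++} n>1'  "$1" > "$rest"
    if openssl verify -CAfile "$rest" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$leaf" "$rest"
    return $rc
}

# make_test_pair DIR -> constructed self-signed CA (ca-bundle.crt) and a leaf
# certificate (leaf.crt) signed by it, standing in for a real CA's output.
make_test_pair() {
    dir=$1
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" -keyout "$dir/ca.key" -out "$dir/ca-bundle.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=teddysun.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca-bundle.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# Stand-alone use: ./merge_chain.sh teddysun_com.crt teddysun_com.ca-bundle teddysun_com_fullchain.crt
if [ $# -eq 3 ]; then
    merge_chain "$1" "$2" "$3"
    echo "$(count_certs "$3") certificate(s) in $3"
    if chain_ok "$3"; then echo "chain verifies"; else echo "chain does NOT verify"; exit 1; fi
fi
```

The order check matters: a file with the bundle pasted before the server certificate still contains every certificate, but Apache would serve the CA certificate as the site's own, so chain_ok rejects it. Certbot's fullchain.pem already has this layout and passes the same check unchanged.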

3. Deploy the certificate

After the LAMP environment is installed, the SSL configuration is not loaded by default.
1) Modify the configuration file
/usr/local/apache/conf/httpd.conf
Find the following line:
#Include conf/extra/httpd-ssl.conf
Remove the leading # comment marker and save.

2) Copy the merged certificate, e.g. teddysun_com.crt, and the private key teddysun_com.pem to the path /usr/local/apache/conf/.

3) Modify the configuration file /usr/local/apache/conf/extra/httpd-ssl.conf so that it reads as follows:

Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost *:443>
DocumentRoot /data/www/default/
ServerName teddysun.com
ServerAlias www.teddysun.com
ErrorLog "/usr/local/apache/logs/teddysun_com_error_log"
TransferLog "/usr/local/apache/logs/teddysun_com_access_log"

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLCertificateFile /usr/local/apache/conf/teddysun_com.crt
SSLCertificateKeyFile /usr/local/apache/conf/teddysun_com.pem

CustomLog "/usr/local/apache/logs/teddysun_com_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{Referer}i\" \"%{User-Agent}i\""

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

<Directory /data/www/default/>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
Attention:
The configuration file is written for Apache 2.4.
The settings inside the VirtualHost can be adjusted:
1) To bind the VirtualHost to a fixed IP, change <VirtualHost *:443> to <VirtualHost 12.34.56.78:443>, where 12.34.56.78 is an example IP
2) DocumentRoot is the site root directory; set it to your own directory
3) ServerName is the site's main domain name; set it to your own
4) ServerAlias lists the site's other domain names; there can be many such lines, or none. If not needed, delete the line
5) ErrorLog is the error log; specify its path
6) TransferLog is the access log; specify its path
7) SSLEngine must be on
8) SSLProtocol specifies the allowed SSL/TLS protocol versions; SSLv2 and SSLv3 are excluded because both are insecure
9) SSLHonorCipherOrder must be on
10) SSLCipherSuite is the cipher list; it excludes a number of ciphers that are no longer secure
11) SSLCertificateFile is the certificate file; specify its path
12) SSLCertificateKeyFile is the certificate's private key file; specify its path
13) CustomLog defines a custom log format
14) BrowserMatch matches browsers; here it defines workarounds for old Microsoft IE versions 2-5
15) Directory matches DocumentRoot and defines some properties of that folder
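A quick audit of httpd-ssl.conf for the settings the notes above insist on (SSLEngine, SSLProtocol, SSLHonorCipherOrder, the cipher exclusions and the certificate paths), as an added example that is not part of the original tutorial. It only reads the file; the two sample configs it writes are constructed, one a copy of the VirtualHost above and one a deliberate misconfiguration. Current guidance is to also drop TLSv1 and TLSv1.1, so the audit reports those as a finding even for the tutorial's own SSLProtocol line.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an httpd-ssl.conf for
# the settings the tutorial's notes require, before restarting Apache.
# It only reads the file. The sample configs written below are constructed.
set -eu

# directive FILE NAME -> value of the first uncommented NAME directive in FILE.
# Apache directive names are case-insensitive, so the match is too.
directive() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        $1 !~ /^#/ && tolower($1) == want { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# enabled_protocols "SSLProtocol value" -> the versions mod_ssl would enable,
# following its token semantics: "all", "+X"/"X" enable, "-X" disables, in order.
# SSLv2 is refused by current mod_ssl/OpenSSL builds, so that token is ignored.
enabled_protocols() {
    sslv3=0; tls10=0; tls11=0; tls12=0; tls13=0
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case $tok in
            all)              sslv3=1; tls10=1; tls11=1; tls12=1; tls13=1 ;;
            -all)             sslv3=0; tls10=0; tls11=0; tls12=0; tls13=0 ;;
            sslv3|+sslv3)     sslv3=1 ;;
            -sslv3)           sslv3=0 ;;
            tlsv1|+tlsv1)     tls10=1 ;;
            -tlsv1)           tls10=0 ;;
            tlsv1.1|+tlsv1.1) tls11=1 ;;
            -tlsv1.1)         tls11=0 ;;
            tlsv1.2|+tlsv1.2) tls12=1 ;;
            -tlsv1.2)         tls12=0 ;;
            tlsv1.3|+tlsv1.3) tls13=1 ;;
            -tlsv1.3)         tls13=0 ;;
        esac
    done
    out=""
    [ "$sslv3" = 1 ] && out="$out SSLv3"
    [ "$tls10" = 1 ] && out="$out TLSv1"
    [ "$tls11" = 1 ] && out="$out TLSv1.1"
    [ "$tls12" = 1 ] && out="$out TLSv1.2"
    [ "$tls13" = 1 ] && out="$out TLSv1.3"
    printf '%s\n' "${out# }"
}

# audit_ssl_conf FILE -> prints one finding per line; no output means clean.
audit_ssl_conf() {
    f=$1
    if [ "$(directive "$f" SSLEngine | tr 'A-Z' 'a-z')" != "on" ]; then
        echo "SSLEngine is not on"
    fi
    protos=$(enabled_protocols "$(directive "$f" SSLProtocol)")
    case " $protos " in
        *" SSLv3 "*) echo "SSLv3 is enabled (effective protocols: $protos)" ;;
    esac
    case " $protos " in
        *" TLSv1 "*|*" TLSv1.1 "*) echo "TLSv1/TLSv1.1 still enabled; prefer TLSv1.2 and later" ;;
    esac
    if [ "$(directive "$f" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" != "on" ]; then
        echo "SSLHonorCipherOrder is not on"
    fi
    ciphers=$(directive "$f" SSLCipherSuite | tr 'A-Z' 'a-z')
    for weak in rc4 md5 des export anull enull; do
        case ":$ciphers:" in
            *":!$weak:"*) ;;
            *) echo "SSLCipherSuite does not explicitly exclude $weak" ;;
        esac
    done
    for name in SSLCertificateFile SSLCertificateKeyFile; do
        if [ -z "$(directive "$f" "$name")" ]; then echo "$name is missing"; fi
    done
}

# write_sample_conf FILE -> constructed copy of the tutorial's VirtualHost settings
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName teddysun.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ALL:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLCertificateFile /usr/local/apache/conf/teddysun_com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/teddysun_com.pem
</VirtualHost>
EOF
}

# write_weak_conf FILE -> a constructed misconfiguration for comparison
write_weak_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName teddysun.com
    SSLEngine on
    # SSLProtocol all -SSLv3   (left commented out by mistake)
    SSLProtocol all
    SSLHonorCipherOrder off
    SSLCipherSuite ALL:!aNULL
    SSLCertificateFile /usr/local/apache/conf/teddysun_com.crt
</VirtualHost>
EOF
}

# Stand-alone use: ./audit_ssl.sh /usr/local/apache/conf/extra/httpd-ssl.conf
if [ "${1:-}" ]; then
    audit_ssl_conf "$1"
fi
```

This complements apachectl -t, which only checks that the file parses; a syntactically valid file can still enable SSLv3 or skip SSLHonorCipherOrder. Any finding other than the TLSv1/TLSv1.1 note means the file differs from the settings the tutorial requires.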

Reference Links:
https://httpd.apache.org/docs/current/mod/mod_ssl.html
https://httpd.apache.org/docs/current/mod/mod_setenvif.html
https://httpd.apache.org/docs/current/mod/core.html#directory

4. Confirm that it takes effect

After confirming that the steps above are complete and correct, restart Apache for the changes to take effect:

/etc/init.d/httpd restart
Check the ports httpd is listening on; 443 should be among them:

netstat -anp | grep -v grep | grep httpd
Once DNS resolution for the domain is in place, visit the site with the Chrome browser and you will see the lovely little green lock in front of your website address.

5. Evaluation

Here is how to evaluate the score of your SSL deployment.
Visit the following website:
https://www.ssllabs.com/ssltest/index.html

Enter your site's domain name, the same as the ServerName value in the configuration above.
