How to Set up Apache + a free signed SSL Certificate on a VPS



 Prerequisites


Before we get started, here are the web tools you need for this tutorial:


    1. Google Chrome Browser
    2. Apache installed on your VPS (cloud server)
    3. A Domain name you own
    4. Access to an email address at this domain, either:
      1. [Email protected]
      2. [Email protected]
      3. [Email protected]


StartSSL.com offers completely free verified (your users won't have to see those scary red screens saying "this site isn't trusted" anymore) SSL certificates that you can use on your website. This is a great deal as most companies charge $50-$60 for similar services. The free version is a bit tricky to set up, but it's well worth it.



To get started, browse to StartSSL.com and, using the toolbar on the left, navigate to StartSSL Products and then to StartSSL™ Free. Choose the link for Control Panel from the top of the page.



Make sure you are using Google Chrome.


    1. Choose the Express Signup option.
    2. Enter your personal information, and click Continue.
    3. You'll get an email with a verification code inside it shortly. Copy and paste that email into the form on StartSSL's page.
    4. They will review your request for a certificate and then send you an email with the new info. This process might take as long as 6 hours though, so be patient.
    5. Once the email comes, use the link provided and the new authentication code (at the bottom of the email) to continue to the next step.
    6. They will ask you to generate a private key and you will be provided with the choice of "High" or "Medium" grade. Go ahead and choose "High".
    7. Once your key is ready, click Install.
    8. Chrome will show a popdown that says the certificate has been successfully installed to Chrome.


This means your browser is now authenticated with your new certificate and you can log into the StartSSL authentication areas using your new certificate. Now, we need to get a properly formatted certificate set up for use on your VPS. Click on the Control Panel link again, and choose the Authenticate option. Chrome will show a popup asking if you want to authenticate and will show the certificate you just installed. Go ahead and authenticate with that certificate to enter the control panel.



You'll need to validate your domain name to prove that you own the domain you are setting up a certificate for. Click on the Validations Wizard in the Control Panel and set Type to Domain Name Validation. You'll be prompted to choose from an email at your domain, something like [email protected]



Check the email inbox for the email address you selected. You'll get yet another verification email at that address, so, like before, copy and paste the verification code into the StartSSL website.



Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate.



Hit continue and then enter in a secure password, leaving the other settings as is.



You'll be shown a textbox that contains your private key. Copy and paste the contents into a text editor and save the data into a file called ssl.key.



When you click on continue, you'll be asked which domain you want to create the certificate for:



Choose your domain and proceed to the next step.



You'll be asked which subdomain you want to create a certificate for. In most cases, you want to choose www here, but if you'd like to use a different subdomain with SSL, then enter that here instead.



StartSSL will provide you with your new certificate in a text box, much as it did for the private key:



Again, copy and paste into a text editor, this time saving it as ssl.crt.



You'll also need the StartCom Root CA and StartSSL's Class 1 Intermediate Server CA in order to authenticate your website though, so for the final step, go over to the Toolbox pane and choose StartCom CA Certificates:



On this screen, right-click and Save As the following files:


    • StartCom Root CA (PEM Encoded) (save to ca.pem)
    • Class 1 Intermediate Server CA (save to sub.class1.server.ca.pem)


For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version of it to handle your site's encryption. To unencrypt it, copy it onto your server, and use the following command to decrypt it into the file private.key:


openssl rsa -in ssl.key -out private.key


OpenSSL will ask you for your password, so enter the password you typed in on StartSSL's website.



At this point you should have five files. If you're missing any, double-check the previous steps and re-download them:


    • ca.pem - StartSSL's Root certificate
    • private.key - the unencrypted version of your private key (be very careful no one else has access to this file!)
    • sub.class1.server.ca.pem - the Intermediate Certificate for StartSSL
    • ssl.key - the encrypted version of your private key (does not need to be copied to server)
    • ssl.crt - your new certificate


You can discard the ssl.key file. If you haven't already copied the others onto your server, upload them there now.



Activating the certificate in Apache


Having a certificate isn't any good if you can't actually use it. This section explains how to configure Apache to use your new SSL certificate. These instructions are for Apache running on recent versions of Ubuntu VPS. For other Linux-based distros or web servers, you'll have to adjust accordingly.



First, create the folders where we'll store the keys. Enable Apache's SSL module, and restart Apache.


sudo a2enmod ssl
sudo service apache2 restart
sudo mkdir -p /etc/apache2/ssl


Copy the files you set up in the previous section to the /etc/apache2/ssl folder on your VPS.


sudo mkdir -p /etc/apache2/ssl
sudo cp ~/{ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl


Execute:


ls /etc/apache2/ssl


And it should return:


ca.pem       ssl.crt
private.key  sub.class1.server.ca.pem
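
Before pointing Apache at these files, it is worth confirming that private.key belongs to ssl.crt, that the key is not accessible to other users, and that the certificate chains to the root through the intermediate. The script below is an added example, not part of the original tutorial; the function names are illustrative, and it assumes the openssl CLI and GNU stat are available, as on Ubuntu.

```sh
#!/bin/sh
# Added example (not from the tutorial): checks on the files in /etc/apache2/ssl.
# File names follow the tutorial; the function names are illustrative.

# Succeed only if certificate and key hold the same public key. The empty
# -passin makes a still-encrypted key (ssl.key) fail instead of prompting.
cert_matches_key() {  # usage: cert_matches_key ssl.crt private.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the file grants no permissions to group or other.
key_is_private() {  # usage: key_is_private private.key
    mode=$(stat -c '%a' "$1") || return 2    # GNU stat, as shipped on Ubuntu
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeed only if the certificate chains to the root via the intermediate.
chain_verifies() {  # usage: chain_verifies ca.pem sub.class1.server.ca.pem ssl.crt
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Run all three checks against a directory; return 1 if any check fails.
check_ssl_dir() {  # usage: check_ssl_dir /etc/apache2/ssl
    d=$1; rc=0
    cert_matches_key "$d/ssl.crt" "$d/private.key" ||
        { echo "FAIL: ssl.crt and private.key do not match or are unreadable"; rc=1; }
    key_is_private "$d/private.key" ||
        { echo "FAIL: private.key is accessible to group/other (chmod 600)"; rc=1; }
    chain_verifies "$d/ca.pem" "$d/sub.class1.server.ca.pem" "$d/ssl.crt" ||
        { echo "FAIL: ssl.crt does not verify against ca.pem + intermediate"; rc=1; }
    return "$rc"
}

# Check the directory given on the command line, if any.
if [ $# -gt 0 ]; then check_ssl_dir "$1"; fi
```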


Now, open your apache2 configuration file. Unless you've already modified the default configuration, input:


nano /etc/apache2/sites-enabled/000-default


It should look something like this:


<VirtualHost *:80>
    ServerAdmin [email protected]

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>


Copy the entire script above (from <VirtualHost *:80> to </VirtualHost>), paste it below the existing one, and change the top line from:


<VirtualHost *:80>


to


<VirtualHost *:443>


and add the following lines after the <VirtualHost *:443> line:


SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem


The end result should look like this:


<VirtualHost *:80>
    ServerAdmin [email protected]

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

    ServerAdmin [email protected]

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
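
The SSLProtocol and SSLCipherSuite values in this configuration disable only SSLv2, so SSLv3 (on OpenSSL builds that still include it), RC4 and MEDIUM-grade ciphers stay enabled. The script below is an added example, not part of the original tutorial, that flags those directives in a vhost file by text matching; audit_vhost and sample_vhost are illustrative names and the sample fragment is constructed from the directives shown above.

```sh
#!/bin/sh
# Added example (not from the tutorial): text audit of TLS directives in an
# Apache vhost file. audit_vhost and sample_vhost are illustrative names.

# Constructed sample: the SSL directives from the tutorial's :443 block.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
</VirtualHost>
EOF
}

# Print one finding per line; return 1 if anything was flagged.
audit_vhost() {  # usage: audit_vhost /etc/apache2/sites-enabled/000-default
    out=$(awk '
        { key = tolower($1); args = tolower($0); line = $0
          sub(/^[ \t]*[^ \t]+[ \t]*/, "", args)      # strip the directive name
          sub(/^[ \t]+/, "", line) }
        # "all" or "+SSLv3" without an explicit "-SSLv3" can still offer SSLv3
        key == "sslprotocol" && args !~ /-sslv3/ &&
            args ~ /(^|[ \t+])(all|sslv3)([ \t]|$)/ {
            print NR ": SSLv3 not disabled: " line }
        # cipher tokens that are added rather than negated with "!" or "-"
        key == "sslciphersuite" && args ~ /(^|:)[+]?rc4/ {
            print NR ": RC4 enabled: " line }
        key == "sslciphersuite" && args ~ /(^|:)[+]?(medium|low|export)/ {
            print NR ": weak cipher grade enabled: " line }
    ' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Audit the file given on the command line, if any.
if [ $# -gt 0 ]; then audit_vhost "$1"; fi
```

A clean result means only that these text patterns were not found; it does not test what the server actually negotiates.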


Save your files and restart Apache with:


sudo service apache2 restart


You can check Apache's log files to see if there are any show-stopping errors with this command:


cat /var/log/apache2/error.log


If everything looks good, try accessing your site in your web browser using an HTTPS URL (e.g. https://www.yoursite.com). When your site loads, you should see a little green padlock icon next to the URL. Click on it and you should see the following. The Connections tab should show that the site's identity has been verified by StartCom.



Congratulations! All set!



Reference Links:



Here are some of the other posts I consulted when putting this together. If you run into any problems they might be a source of inspiration on how to fix them:


    • Apache SSL Configuration
    • StartSSL Apache Guides

Submitted by: Nik van der Ploeg





Original:



https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps


