User Guide - Using mod_ssl (SSL Certificates)
- 02/02/2008 6:19 PM
Applicable Plans - All General VPS Plans
ALL VPS ARE BEING TRANSITIONED TO A NEW UP TO DATE SERVER, CONTACT sales@eapps.com for assistance.
"mod_ssl is an optional module for the Apache HTTP Server. It provides strong cryptography for the Apache v1.3 and v2 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) cryptographic protocols by the help of the Open Source SSL/TLS toolkit OpenSSL" from http://en.wikipedia.org/wiki/Mod_ssl
Overview
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communication on the Internet for web pages, and other data transfers. SSL relies on key files that are installed on the server and used in the encryption process. These key files can be created easily, but are usually issued and certified by a commercial certificate authority. The certification process helps to reassure visitors to the site that the site is owned and operated by a legitimate business.
Generally, the more expensive the SSL Certificate, the more thorough the check by the SSL Certificate Authority to verify the site owners and business, and those SSL certificates have a higher level of trust by consumers. Those SSL certificates also take longer to issue.
eApps Hosting sells SSL Certificates from Globalsign and AlphaSSL. You can also install a self-signed SSL certificate, or purchase an SSL certificate from a third party vendor.
mod_ssl Installation and Requirements
Installing mod_ssl
Requirements for using mod_ssl
Using mod_ssl to secure your websites
SSL Certificates Overview
Installing a self-signed SSL certificate
Purchasing a commercial SSL certificate from eApps
Purchasing a Commercial SSL Certificate from a 3rd Party Vendor
Common Issues using SSL
Images and Graphics are not using SSL
Links to off-site content are not using SSL
Forcing site visitors to use SSL
Links to other information
mod_ssl Installation and Requirements
Installing mod_ssl
The mod_ssl module is available on all eApps General VPS hosting plans, and all operating systems (Fedora Core, CentOS 4 and CentOS 5). It is not installed by default.
To check if mod_ssl is installed, go to the Control Panel, and click on the System Tab. If necessary, click on the Select Another System (Subscription) link on the left and choose the correct Virtuozzo container.
Then click on All Applications. On CentOS 5 VPSs, the mod_ssl application will be listed like this: Mod_ssl. For CentOS 4 and Fedora VPSs the mod_ssl application will be listed like this: Apache module mod_ssl.
If mod_ssl is not installed, then click on Add Application, and look for the mod_ssl application in the list of applications to install. Check the box next to the application, and then scroll down and click Next.
This takes you back to the All Applications screen. Wait for around five minutes, and then click on the Refresh link at the upper right, just under the word Parallels. The application should now show as installed. If it still shows as Scheduled, wait another five minutes, and click refresh again. If it still shows as Scheduled, or in Error, please contact eApps Technical Support.
Requirements for using mod_ssl
To use mod_ssl, each site that uses SSL must have a dedicated IP address. Each eApps VPS comes with one dedicated IP address, and that can be used to secure one site using SSL. If you have more than one site that you want to use SSL for, you will need to purchase an additional IP address for each site that will have an SSL certificate.
Purchasing a new IP address
To purchase another IP address, go to the Control Panel, System tab. If necessary, click on the Select Another System (Subscription) link on the left to select the correct Virtuozzo container.
Then, click on the Upgrade Center tab, and then Buy Resources. The first listing in Buy Resources is Number of Static IP addresses. The Current Limit shows how many IP addresses (units) are currently assigned to the VPS. To increase this number, put the number of IP addresses you want to purchase in New Limit, plus your existing limit. For example, if you wanted to purchase one additional IP address, put the number 2 in the New Limit box.
Scroll down and click Next, and then follow the steps to purchase the new IP address. Once the order is processed, your new IP address will be available. It may take up to an hour for your order to be processed, so please be patient if your IP address does not show up immediately.
If your subscription renewal date is close, the cost of the IP address may show as less than the normal $2 a month. In this case, you will only have a Pay Offline option, because the PBA Control Panel cannot process payments of less than one dollar. Please contact our Billing department to make the payment: billing@eapps.com or +1 770 448 2100 option 0 (zero). Have your domain name or invoice ID number ready.
To see if your new IP address is available for use, go back to the System tab for that subscription, and click on Server Info. All the IP addresses for that VPS will show in the IP Addresses section.
Installing a new IP address on a site
Once the new IP address is provisioned, click on the Site tab, and if necessary click on Select Another Site, and choose the site you want to add the new IP address to.
Click on Website Settings, then scroll down and click on Configure. In the General Settings section, click on the drop down menu for IP Address and choose the new IP address for this site. Make sure that the box for Share IP addresses with other websites is unchecked. Scroll down and then click on Update to change the IP address for the site.
At this point, the PBA Control Panel software will start the process of changing the IP address for the A record for the domain in the System Tab, All My Domains, as well as changing the DNS records for the site. Please allow about 10 minutes for the Control Panel to complete this task, and allow several hours for the DNS changes to propagate across the Internet. During that time, the site may appear to be visible at both IP addresses, but this is a temporary issue and will be resolved as soon as all the DNS propagation is complete.
If you do not start to see the site showing the correct IP address within two hours, please contact eApps Support so that we can verify that the correct Control Panel changes took place.
Using mod_ssl to secure your websites
Once mod_ssl is installed, you can begin using it to secure your sites. This is done by installing an SSL Certificate - either one that is self-signed, or purchased from a commercial Certificate Authority.
SSL Certificates Overview
Self-Signed SSL Certificate
For small websites which are mostly used by a group of employees or a specific group (such as a web mail application) you can choose to install a self-signed SSL certificate.
A self-signed SSL certificate is not signed or issued by an actual Certificate Authority; it is signed by you, using your own site details. The advantage of this is that self-signed SSL certificates are free. The disadvantage is that a warning will always be displayed to the end user that their data is encrypted, but that the SSL certificate being used has not been independently verified. This is a red flag to any visitor, and a self-signed SSL certificate should never be used for any public facing application such as an e-commerce site.
Using a self-signed SSL certificate for your website will give you an encrypted connection between your computer and the website. However, since the SSL certificate is self-signed, it can be forged: there is no guarantee that the site is genuine, or that the site is not the subject of what is called a man-in-the-middle attack (http://en.wikipedia.org/wiki/Man-in-the-middle_attack). If the applications and data you are trying to secure contain very sensitive data, we strongly recommend that you purchase a commercial SSL certificate from a Certificate Authority.
Instructions on how to install a self-signed SSL certificate are found here.
Commercial SSL Certificate
For any website that is doing actual customer facing business, such as an e-commerce site, you need a commercial SSL certificate. These SSL certificates require that you submit business information to the Certificate Authority, and provide a greater degree of trust for the consumer that you are who you say you are, and that your business is legitimate.
With commercial SSL certificates, it truly is a matter of "you get what you pay for". The more expensive the SSL certificate, the more validation is done by the Certificate Authority, which can translate into a higher degree of trust by the consumer.
Information on how to purchase a Globalsign or AlphaSSL certificate from eApps is found here. If you purchase a commercial SSL certificate from eApps, we will install it as part of the service.
Information on installing a third party SSL certificate is found here. Please be aware that no support is offered for SSL certificates that are not purchased through eApps.
Installing a self-signed SSL certificate
Before installing a self-signed SSL certificate, make sure you have installed the mod_ssl module and met the requirements.
Log in to the Control Panel, and click on the Site tab. If necessary, click on the Select Another Site link on the left, and choose the correct site.
Click on Website Settings. There should be a tab at the right for Secure Website. If the Secure Website tab is not visible, and you only have one IP address (assuming you have mod_ssl installed and met the requirements) then check to make sure SSL is not enabled on another site on the same subscription.
In the Secure Website tab, click on the Generate a request button. Fill out the form as follows. For a self-signed SSL certificate, only items with red asterisks (*) are required. If you are creating a CSR for a third party commercial SSL certificate, all fields are required.
- Country* - select your country from the drop down menu (choose the country where you are located, not where the VPS is located)
- State (US or Canada) - if you are in the US or Canada, choose your state or province from the drop down menu
- State (other countries) - enter the state or province or administrative region of your location
- Locality* - enter the name of your city or town
- Organization name* - enter the name of your company or organization
- Organization unit name - enter the name of your organizational unit
- Site name* - enter the name of the site to be secured. If you are going to use the "www" alias for the site, make sure to specify that here. If you only enter domain.com, then www.domain.com will not be encrypted.
Click on Submit to create the Certificate request. If you make a mistake, just click on Generate a request again and start over.
To see the results of the Certificate request, click on the SSL certificate request details link.
At this point, the self-signed SSL certificate is ready. Just click on the Enable SSL button to install it. Now you will be able to access your site using https as well as http.
Remember that you and your site visitors will be shown a warning when you connect because this is not a commercial SSL certificate from a recognized Certificate Authority. Self-signed SSL certificates should never be used for actual public facing sites, and especially not for any kind of e-commerce site.
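The warning described above can be reproduced with OpenSSL. The script below is an added example and is not part of the eApps guide or the Control Panel; it assumes the openssl command is available, uses eapps-example.com and the guide's sample subject fields purely as illustrative values, and works in a temporary directory rather than on the VPS. It shows that a self-signed certificate fails validation against the default trust store (which is what produces the browser warning), that it validates only when the client has been told explicitly to trust that exact certificate, and that a second certificate carrying the same site name but a different key cannot be told apart from the first by its subject, only by its fingerprint.

```shell
#!/bin/sh
# Added example, not from the eApps guide: why a browser warns about a
# self-signed certificate. All names (eapps-example.com, the subject fields)
# are illustrative; a temporary directory stands in for the VPS.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned NAME FQDN : fresh 2048-bit key plus a certificate for FQDN
# signed by that same key, which is what "self-signed" means
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/C=US/ST=Georgia/L=Norcross/O=eApps Web Hosting/CN=$2" \
        >/dev/null 2>&1
}

# verify_default CERT : succeeds only if CERT chains to a CA in the system
# trust store, which is the check a visitor's browser performs
verify_default() { openssl verify "$1" >/dev/null 2>&1; }

# verify_against TRUSTED CERT : succeeds if CERT chains to the single
# certificate TRUSTED, i.e. the client was told out of band to trust it
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# subject CERT : what the visitor sees in the certificate dialog
subject() { openssl x509 -in "$1" -noout -subject; }

# fingerprint CERT : what actually identifies this particular certificate
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# The site's own certificate, and a second one with the same name but a
# different key; the subject line alone cannot distinguish them.
make_selfsigned site  www.eapps-example.com
make_selfsigned other www.eapps-example.com

if verify_default "$WORK/site.crt"; then
    echo "default trust store: accepted"
else
    echo "default trust store: rejected (no CA vouches for it; this is the browser warning)"
fi
if verify_against "$WORK/site.crt" "$WORK/site.crt"; then
    echo "explicitly trusted copy: accepted (only meaningful if the copy was obtained securely)"
fi
if ! verify_against "$WORK/site.crt" "$WORK/other.crt"; then
    echo "same-name certificate against the trusted copy: rejected"
fi
if [ "$(subject "$WORK/site.crt")" = "$(subject "$WORK/other.crt")" ]; then
    echo "subjects are identical; only the fingerprints differ:"
fi
echo "site  $(fingerprint "$WORK/site.crt")"
echo "other $(fingerprint "$WORK/other.crt")"
```

Run it with sh on any machine that has openssl. The "explicitly trusted copy" case is the only way a self-signed certificate ever validates, and it is only sound when the copy reached the client over a channel that was already trusted; a commercial Certificate Authority is what supplies that trust for an arbitrary visitor who has never seen your certificate before.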
Purchasing a commercial SSL certificate from eApps
eApps Hosting sells commercial SSL certificates from Globalsign and AlphaSSL. If you purchase an SSL certificate from eApps, we will order and install the SSL certificate for you. However, you will be required to answer some questions to start the order process, and possibly reply to e-mails from the Certificate Authority as they try to verify your business details.
To start the process, go to the eApps Hosting main site at http://eapps.com and click on the Store link at the top of the page.
In the Products Overview section near the middle of the page, click on SSL Certificates.
Choose the SSL Certificate that is right for your needs. Read the descriptions carefully to fully understand the benefits of each type of SSL certificate. Remember, the more expensive the SSL certificate, the more validation is required by the Certificate Authority, and the longer the certificate will take to be issued. Also, the more expensive SSL certificates have a higher degree of trust by the consumer.
Once you have chosen the SSL certificate you wish to purchase, click on Buy Now and follow the process to complete the order. You will be required to fill out a questionnaire in the Configuration section of the order process.
The answers to this questionnaire are crucial to the order process, because these are the answers that eApps provides to the Certificate Authority to order the SSL certificate. Please answer these questions carefully. Incomplete or incorrect answers could delay the order process.
If you realize that you have made any errors with the information given during the SSL certification process, contact eApps immediately. If the SSL certificate has already been issued, there may be a small fee from the Certificate Authority to reissue the SSL certificate with the new information.
SSL Certificate Questionnaire
URL to be encrypted, in the form of domain.com (if you specify domain.com, the www.domain.com form will also be eligible for encryption unless you specifically state otherwise):
Enter the domain name that will use the SSL certificate, in the form of domain.com or www.domain.com. If you use just domain.com, then www.domain.com will also be encrypted. If you use www.domain.com, then only www.domain.com will be encrypted. Also note that subdomains and direct links are not valid - you cannot enter domain.com/subdomain or domain.com/path/to/link for an SSL certificate. Only actual Fully Qualified Domain Names are valid.
Organization or Company Name:
Enter the name of your organization or company
Organizational Unit (enter NA if not applicable):
If you are part of an organizational unit, enter that here. Otherwise, enter NA
Street Address (cannot be a P.O. Box, and should be verifiable through the phone book):
Enter the physical street address for your company or organization. P.O. boxes are not allowed, and the address should be verifiable through your local phone directory.
City:
Enter the name of your city
State/Province:
Enter the name of your state, province, or administrative region
Country (full name and two letter code):
Enter the full name of your country, as well as its two letter code. The two letter codes for all countries can be found here - http://www.theodora.com/country_digraphs.html
Zip Code/Postal Code:
Enter the postal code for your location
Corporate/Organization Contact:
Enter the contact person for your organization. This needs to be someone who can answer authoritatively for your organization should the Certificate Authority have questions during the issuing process.
Title of Contact:
Enter the title of the person listed in the Corporate/Organization Contact section.
Phone Number, with area/country code:
Enter the phone number for your organization. Give the full country code and area code in case someone from the Certificate Authority needs to contact you.
Fax Number, with area/country code (enter NA if not available):
If you have a fax number, enter it here. If not, enter NA.
E-mail Address (This MUST match the e-mail address in the "WHOIS" Domain Record):
Enter the e-mail address that is associated with the actual domain registration.
Using the wrong e-mail address is the most common problem encountered in the SSL Certificate process. If you enter the incorrect e-mail address, or if you have domain privacy enabled, then your SSL certificate order will be delayed, sometimes by several days. If you use a generic free e-mail address like hotmail or yahoo, that can also delay the SSL certification order process.
If you host your e-mail through eApps, then we will try a known workaround in order to process your SSL certificate that involves creating an e-mail address for ssladmin@domain.com on your VPS. If you host your e-mail off of eApps Hosting, you will need to create this e-mail address yourself and monitor it for the SSL certificate confirmation messages.
At all points during the SSL certificate ordering process, you will need to monitor the e-mail address that was used to place the order, as well as the e-mail address that matches the domain registration (if possible). Requests for more information from eApps or the Certificate Authority will need to be responded to as soon as possible, because the SSL certificate order will be on hold while waiting for your reply.
After the order is placed, and the SSL certificate issued, eApps Support will install and test the SSL certificate on your site. Then we will reply to you with the status of the SSL certificate and the link to add the Secure Seal to your site.
Purchasing a Commercial SSL Certificate from a 3rd Party Vendor
You can choose to purchase an SSL certificate from a third party vendor instead of eApps. There are many vendors who sell SSL certificates across all price ranges.
eApps Hosting offers no support or assistance for SSL certificates that are purchased from third party vendors. If you need assistance installing or configuring a third party SSL certificate, you will need to contact the vendor support for assistance. Any assistance requested from eApps may be billable at our standard rate of $90 an hour, or $15 per 10 minute increment.
To issue the SSL certificate, the third party vendor will need a CSR (Certificate Signing Request). They may also need other information. Please consult the SSL vendor to determine what information they need and how they expect you to obtain it.
To generate a CSR, follow the steps to generate a self-signed SSL certificate. After generating the request, click on the link for SSL certificate request details. The CSR will look similar to this:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Copy and paste the entire block, starting with the line for -----BEGIN CERTIFICATE REQUEST----- and ending with the line for -----END CERTIFICATE REQUEST-----, and send that to your SSL certificate vendor. Generally, the SSL certificate vendor will have more detailed instructions as to what they want you to provide, and in what format. If asked, request the certificate for Apache/mod_ssl.
Once the SSL Certificate is generated, you will usually be given two files - the SSL certificate itself, and a private key. To install these files, go back to the Secure Website tab for that site in the Control Panel, and click on the Install the SSL files button under Special Actions. Here you will install the SSL Private Key first, either by uploading the file from your local computer or using copy and paste. Then you will install the SSL Certificate in the same manner.
Once you have done this, click on the Enable SSL button in the Secure Website tab. At this point, your SSL Certificate should be enabled and working. Remember, if you have any issues or questions on installing your third party SSL certificate, you will need to contact the support team from the SSL certificate vendor for assistance. Any assistance from eApps support may be billable.
There are also some instructions on the eApps Community Forum about installing third party SSL certificates: http://community.eapps.com/showthread.php?82-Installing-a-3rd-Party-SSL-Certificate
Those instructions reference a $25 flat fee for eApps support to install the SSL certificate for you. This is still valid, but remember that we cannot guarantee that every SSL certificate will work, and eApps support is under no obligation to make a third party unsupported SSL certificate work.
If the basic installation process does not work, then any continued work will be billable at our standard rate of $15 per 10 minute increment. Depending on the nature of any issues encountered, you may have to go back to the SSL vendor support for assistance.
Creating a 2048 bit CSR for a 3rd party commercial SSL vendor
Some commercial SSL vendors require that you provide a 2048 bit CSR (Certificate Signing Request) in order to purchase an SSL certificate. Currently, the PBA Control Panel only generates 1024 bit CSRs. In this case, you will need to create a 2048 bit CSR from the command line, as well as generate a private key to use with the third party SSL certificate.
Creating the 2048 bit CSR and new private key will require you to connect to the VPS via SSH, and work as the root user. If you cannot do this, eApps Support can create the 2048 bit CSR and private key for you, but this is considered billable work. The charge for this is $25.
Once you have connected to the VPS, you will need to become the root user and then make a new directory to create the CSR and private key in. See the User Guide - Connecting to your Virtual Private Server using SSH - http://support.eapps.com/hsp/ssh for more information on connecting to the VPS from the command line.
[webadmin@eapps-example ~]$ su -
Password: password
[root@eapps-example ~]# mkdir certs/
[root@eapps-example ~]# cd certs/
[root@eapps-example certs]# pwd
/root/certs
[root@eapps-example certs]#
First, generate the private key. Remember to substitute your domain name for eapps-example.com:
[root@eapps-example certs]# openssl genrsa -out www.eapps-example.com.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
............................................................+++
e is 65537 (0x10001)
[root@eapps-example certs]# ll
total 4
-rw-r--r-- 1 root root 1679 May 12 14:28 www.eapps-example.com.key
[root@eapps-example certs]#
Next, generate the CSR using this private key. You will need to answer the questions for the CSR:
[root@eapps-example certs]# openssl req -new -key www.eapps-example.com.key -out www.eapps-example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Georgia
Locality Name (eg, city) [Newbury]:Norcross
Organization Name (eg, company) [My Company Ltd]:eApps Web Hosting
Organizational Unit Name (eg, section) []:. (enter a period [.] and press return)
Common Name (eg, your name or your server's hostname) []:www.eapps-example.com
Email Address []:ssl_user@eapps-example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press return)
An optional company name []: (press return)
[root@eapps-example certs]#
You will now have the private key and the new 2048 bit CSR in the /root/certs/ directory. Use the cat command to read the CSR file, and give that to the third party SSL vendor (usually by copying and pasting the text into their form or e-mail).
[root@eapps-example certs]# ll
total 8
-rw-r--r-- 1 root root 1074 May 12 14:32 www.eapps-example.com.csr
-rw-r--r-- 1 root root 1679 May 12 14:28 www.eapps-example.com.key
[root@eapps-example certs]#
[root@eapps-example certs]# cat www.eapps-example.com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC3zCCAccCAQAwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMREw
DwYDVQQHEwhOb3Jjcm9zczEaMBgGA1UEChMRZUFwcHMgV2ViIEhvc3RpbmcxHjAc
BgNVBAMTFXd3dy5lYXBwcy1leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYac3Ns
X3VzZXJAZWFwcHMtZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDTHjFKZP68eqWuiYpR5xEeMtZniHtPyl761IlmidOl3vBcW02vDWQC
Df0dK70Re7hjDUWJKaQwFD/XoyYuaqzHnj5aKs5KZZfS4KSSESuHnVns5AA6U67C
llYQfTUnbFIN+ABCDEFGHIJKLMNOPQRSTUVWXYZ4r/leapqbd0MGoBciAKQZw0Wz
ZCWojAGnddbZgEBHIzbanACj1u7RQAab02RbPbzD4lyjjrmTpIrX+5OqgDWwBfnE
0fSyBA2ZWrT8qo/G+NBcuUqrV3rVT8S9huC63pOXLSmwFYCuBBQZkxwSVKSuej9B
dY3FeDW36et5igN4LqAnD00vvWp6PqrbZxazUGVgYJNAgMBAAGgADANBgkqhkiG9
AQEAqtrXS4m41n5cr33NTurN0ncKYEpzyxwvutsrqponmlkjihgfedcbals/nFVe
qNI4qOwmeDs1m6D/cFlL0qx6xf0ir+UaGdY+nfKgUav686xCkuxC2QcxAjlHEiLj
stLob411Y0vrB45e4r3Be10n6ToUsD0Ild5123456789aBcDeFgHiJkLmNoPqRsT
3rmiPSWDevXJfhbhpLCeg3J1biaqyXTH27JylOgF9aL9pqsutflmEfnTsIoZNkqA
xUkFoNZt8uck36r9KlPyJKQce+s+Mm0EYaqvQcGSR+6u/QFqQsQu1SksjepFFCHn
iN2PrDr4Uv0PE/oS76CPFk8Dlg==
-----END CERTIFICATE REQUEST-----
[root@eapps-example certs]#
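The same steps can be scripted and checked before anything is sent to the vendor. The following is an added example, not the guide's own commands and not anything the PBA Control Panel does; it assumes openssl and a POSIX shell, works in a temporary directory instead of /root/certs, and uses the guide's sample subject values with www.eapps-example.com as an illustrative name. Beyond generating the key and CSR it confirms that the key is 2048 bits, that the key file mode is 600 (the listing above shows a world-readable 644 key, which any local user on the VPS could read), that the Common Name is the host name you expect, that the CSR's own signature verifies, and that the key and the CSR carry the same public key.

```shell
#!/bin/sh
# Added example, not the eApps guide's own commands: generate the 2048-bit key
# and CSR non-interactively, then run the checks worth doing before the CSR is
# sent to a vendor. A temporary directory stands in for /root/certs; the subject
# values are the guide's sample answers and eapps-example.com is illustrative.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# gen_key_and_csr DIR FQDN : private key DIR/FQDN.key and request DIR/FQDN.csr.
# The subject is passed with -subj so no prompts appear; umask 077 makes the
# key file mode 600 instead of the world-readable 644 in the guide's listing.
gen_key_and_csr() {
    ( umask 077 && openssl genrsa -out "$1/$2.key" 2048 >/dev/null 2>&1 ) || return 1
    openssl req -new -batch -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Georgia/L=Norcross/O=eApps Web Hosting/CN=$2" >/dev/null 2>&1
}

# key_bits KEY : RSA modulus size, to confirm the vendor's 2048-bit requirement
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit.*/\1/p'
}

# key_mode KEY : permission bits of the key file (GNU stat first, then BSD stat)
key_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# csr_cn CSR : the Common Name the certificate will be issued for; it must be
# the exact host name visitors will use (www.domain.com versus domain.com)
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_valid CSR : the request's own signature verifies (not damaged in copy/paste)
csr_valid() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# key_matches_csr KEY CSR : same public key in both. The certificate the vendor
# returns only works with the key the CSR was generated from.
key_matches_csr() {
    k="$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)"
    c="$(openssl req -in "$2" -noout -modulus 2>/dev/null)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

FQDN="www.eapps-example.com"    # substitute your own site name
gen_key_and_csr "$WORK" "$FQDN" || { echo "key/CSR generation failed"; exit 1; }
echo "key bits      : $(key_bits "$WORK/$FQDN.key")"
echo "key file mode : $(key_mode "$WORK/$FQDN.key")"
echo "CSR CN        : $(csr_cn "$WORK/$FQDN.csr")"
csr_valid "$WORK/$FQDN.csr" && echo "CSR signature : OK"
key_matches_csr "$WORK/$FQDN.key" "$WORK/$FQDN.csr" && echo "key/CSR match : OK"
# This is the text to paste into the vendor's order form:
cat "$WORK/$FQDN.csr"
```

Keep the key file where only root can read it; it never leaves the VPS, only the CSR does. If the certificate the vendor issues later refuses to load, comparing its modulus (openssl x509 -noout -modulus -in the certificate file) with the key's modulus the same way key_matches_csr does is the first thing to check.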
Remember that any and all assistance with a commercial SSL certificate purchased from a 3rd party vendor could be considered billable, and no support is provided for third party commercial SSL certificates. Only SSL certificates purchased through eApps are supported.
Common Issues using SSL
The SSL certificate will let you encrypt all content under the DocumentRoot for the site. For example, this means that all content under /home/webadmin/eapps-example.com/html (the DocumentRoot for http://www.eapps-example.com) can be served using https.
This also means that any content you want to serve using https has to be under the DocumentRoot for the site that is using SSL - all graphics, all images and video, all text content, any sound files, etc. If your HTML code links to directories or web forms outside the DocumentRoot of the site using SSL, you will need to move those directories or forms into the DocumentRoot for the site, and change your HTML code to point to the new locations. If your site uses CSS, you will need to make sure any external CSS stylesheets are also in the DocumentRoot of the site using SSL, and change your HTML to point to their new locations.
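A quick way to find such content before visitors see warnings, as an added example that is not part of the eApps guide: the shell script below scans a DocumentRoot for src=, href= and CSS url( values that begin with http://, which covers the image and off-site link cases described in the next two subsections. It assumes a POSIX shell with find, grep and sed, and builds a small constructed sample site in a temporary directory; the file names and URLs in that sample are illustrative.

```shell
#!/bin/sh
# Added example, not part of the eApps guide: list every reference in a site's
# HTML and CSS that still points at a plain http:// URL, because a browser that
# loads the page over https warns about (or refuses) such content. The sample
# site below is constructed in a temporary directory; its file names and URLs
# are illustrative.
set -u

# find_insecure_refs DOCROOT : print "file:line:url" for each src=, href= or
# CSS url( value beginning with http:// in .html/.htm/.css files under DOCROOT.
# Relative paths, protocol-relative //host/ URLs and https:// URLs are skipped.
# <a href="http://..."> navigation links are listed too so they can be reviewed.
find_insecure_refs() {
    pat="((src|href)[[:space:]]*=|url\()[[:space:]]*[\"']?http://[^\"' )>]+"
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.css' \) \
        -exec grep -HnoE "$pat" {} + 2>/dev/null |
        sed -E 's/^([^:]*:[0-9]+:).*(http:\/\/.*)$/\1\2/' | sort
}

# count_insecure_refs DOCROOT : number of such references; 0 means nothing found
count_insecure_refs() { find_insecure_refs "$1" | wc -l | tr -d '[:space:]'; }

# Constructed sample DocumentRoot (stands in for /home/webadmin/eapps-example.com/html)
SITE="$(mktemp -d)"
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/css"
cat > "$SITE/index.html" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://www.eapps-example.com/css/site.css">
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="http://images.example.net/header.png">
<img src='https://www.eapps-example.com/images/logo.png'>
<a href="http://www.youtube.com/watch?v=EXAMPLE">video</a>
<script src="//cdn.example.net/lib.js"></script>
</body></html>
EOF
cat > "$SITE/css/site.css" <<'EOF'
body { background: url(http://www.eapps-example.com/images/bg.gif); }
h1   { background: url("/images/h1.gif"); }
EOF

echo "plain-http references under $SITE: $(count_insecure_refs "$SITE")"
find_insecure_refs "$SITE"
```

Point find_insecure_refs at the real DocumentRoot (for example the /home/webadmin/eapps-example.com/html path from the guide) and change each listed reference to a relative path under that DocumentRoot or to an https:// URL. On the sample site it reports four references: the stylesheet link, the header image, the video link and the CSS background, while the https logo, the relative stylesheet and the protocol-relative script are left alone.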
Images and Graphics are not using SSL
Many sites use shared graphics and images, such as header and footer images or common icon images. If these images are not in the same domain directory that belongs to the site that is using SSL, some browsers will issue a warning that the site is not secure. Make sure that all the images and graphics for the site that is using SSL are in the same directory as the site itself.
Links to off-site content are not using SSL
It is common to link to off-site content, such as information from a third party vendor, or even to Youtube videos or various social networking sites. If those links to off-site content do not point to SSL https links, some browsers will issue warnings that the site content is not encrypted.
Forcing site visitors to use SSL
In some cases, you may want to force the visitors to your site to use SSL (https). You can use mod_rewrite to force site visitors to use https, even if they typed in http.
The mod_rewrite directives have to be entered in the Custom Settings tab of the web site that is using SSL. To access Custom Settings, go to the Control Panel, and click on the Site tab. If necessary, click on the Select Another Site link on the left, and choose the correct site.
Click on Website Settings, and then on the Custom Settings tab. Click on Edit, and add these lines, making sure to substitute eapps-example.com for your actual domain name.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.eapps-example.com/$1 [R,L]
Click Update to save your changes. Now any visitor who goes to http://www.eapps-example.com will be redirected to https://www.eapps-example.com.
Links to other information
Official Apache mod_ssl documentation - http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
Official Apache mod_rewrite guide - http://httpd.apache.org/docs/2.0/misc/rewriteguide.html