Setting up Apache Web Server with an SSL Certificate

Configure Apache to enable SSL with an SSL Certificate

“You cannot swim for new horizons until you have courage to lose sight of the shore.” ― William Faulkner

1. Introduction

The Apache Web Server is the most popular web server software. According to the January 2018 Web Server Survey, about 38.2% of domains were running the Apache Web Server. As for active sites, Apache held about 44% share followed by NGINX at 21%.

When you operate a web server, whether it is a company web site or a shopping site or a blog, you should make sure it supports the HTTPS protocol. This offers security to your customers and also improves your site ranking in Google (SEO). You can do this by obtaining and installing an SSL (Secure Sockets Layer) Certificate. Obtaining an SSL certificate involves the following steps.

  • Selecting a suitable SSL Certificate provider. This depends on the price of the certificate, features offered, reputation and browser support, etc.
  • Creating a Certificate Signing Request (CSR). An SSL certificate provider requires that you submit a CSR, which contains information that you want certified. We have previously covered the process of creating and submitting a CSR.
  • Verification: The SSL provider will verify the information provided in the CSR using whatever procedure suits them. Once the verification is complete, they will issue the SSL Certificate.
  • Installation of the SSL Certificate: Once you have obtained the SSL certificate, you need to set up your web server to start using the SSL certificate.

In this article, we cover the installation of the SSL certificate into the Apache web server. We assume that you are running a popular Linux distribution such as Ubuntu on your web server, and that you have console access to the server.

2. Directory Structure

We create and use the following directory structure for installing the SSL certificate. The reason is: the Apache web server needs access to the SSL certificate, the private key, and any intermediate CA (Certifying Authority) certificates, if applicable. For modularity, it is better to separate the components into separate directories.

We start with a directory ssl, and make sub-directories under it: ssl.crt, ssl.csr, and ssl.key. Execute the following commands as root on your web server.

cd /etc/apache2
mkdir ssl
cd ssl
mkdir ssl.crt ssl.csr ssl.key
chmod go-rwx . ssl.crt ssl.csr ssl.key

The directories are:

  • ssl.crt holds your SSL certificate, as well as any intermediate CA certificates if required.
  • ssl.csr holds the parameters of the CSR (Certificate Signing Request), including the request you sent to the SSL provider. Technically these files are not required for running the server; they are there only if you need to re-issue the SSL certificate or renew it.
  • ssl.key holds your private key that you used to sign the CSR. Apache requires this file at runtime to validate the ownership of the SSL certificate.

Note that we removed all permissions for the group and others from the directories. These directories only need to be accessed by root, and hence, for improved security the permissions should be minimal. This is true even if your web server runs normally as another less-privileged user (such as www).

3. Remove Password from RSA Private Key

When you submitted the CSR to the SSL provider, you probably used a password-protected RSA private key file. While a password protected file is more secure, it can be inconvenient when used with an SSL certificate. This is because Apache requires you to enter the password at startup. Imagine your server rebooting at 3:00AM and the web server unable to start up because it is waiting for the password! For this reason, we remove the password from the RSA private key file, and store it as is. Again, make sure the directories are properly protected as above so no one else can get access to this file.

Assuming your private key file is named www.example.com.key, here is how you can remove the password from it and save it to www.example.com.keynopass.

openssl rsa -in www.example.com.key -out www.example.com.keynopass

If you need to, you can protect it again with a password using Triple-DES encryption:

openssl rsa -in www.example.com.keynopass -out www.example.com.key -des3

Copy this file www.example.com.keynopass to /etc/apache2/ssl/ssl.key. We will use this path for configuring Apache.

4. Install the SSL Certificate

You should now copy the SSL certificate sent by the SSL provider into the /etc/apache2/ssl/ssl.crt directory. The SSL certificate is sent as a text file and looks something like this:

-----BEGIN CERTIFICATE-----
MIIGqjCCBZKgAwIBAgIQA3n+1jSOZvhK2Jp2qp+cuDANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR0wGwYDVQQDExRSYXBpZFNTTCBSU0EgQ0EgMjAxODAe
Fw0xODAyMTQwMDAwMDBaFw0yMDA1MTUxMjAwMDBaMBoxGDAWBgNVBAMTD3d3dy5u
b3ZpeHlzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANE2dKp2
...
-----END CERTIFICATE-----

5. Install the Intermediate CA Certificate

Some SSL providers may send you an additional certificate termed something like “intermediate CA certificate”. This file is required because some browsers may not trust the SSL provider directly. But they will trust one of the “root” providers such as Thawte or Verisign. So your SSL provider will ship a certificate from one of these “more trusted” providers telling your browser it is OK to trust your SSL provider.

If you have such an Intermediate CA Certificate, you should install it in the /etc/apache2/ssl/ssl.crt directory.

6. Store the CSR

As mentioned above, you can also store the CSR and the config file used in generating the CSR in the /etc/apache2/ssl/ssl.csr directory. This helps in keeping all SSL certificate stuff in one place, and you can easily use the config file for re-issue or renewal. Since this information is public anyway, there is no security downside to storing it on the web server.

7. Configuring Apache

Let us now get into the details of configuring Apache. We store these Apache directives in a file called /etc/apache2/sites-available/www.example.com-ssl. The file may also contain other directives for proper operation of the web site, but this does not interfere with the SSL configuration.

The directives are enclosed within Apache conditionals as follows:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>

...

</VirtualHost>
</IfModule>

7.1. Enable SSL

The first step is to turn on SSL for the web site. As indicated above, the SSL part of the site runs on port 443, which is the standard port where browsers look for HTTPS requests.

        SSLEngine on

7.2. Turn TLS On and SSL Off

Both SSL and TLS are protocols that provide the authentication and data encryption as a part of HTTPS. SSL is an older protocol that has gone through three versions: SSL 1.0 was internal to Netscape, who developed it, SSL 2.0 came in 1995 and SSL 3.0 in 1996. TLS 1.0 was based on SSL 3.0 and is currently in use. SSLv2 was deprecated in 2011 and SSLv3 in 2015 as they contained vulnerabilities. This means you need to turn off usage of these protocols in Apache, leaving only TLS on the table.

        SSLProtocol all -SSLv3 -SSLv2

7.3. Setup SSL Certificate and RSA Key File

Apache needs to be aware of where your SSL certificate and the associated private key file are located. You can use these two directives to inform Apache of the paths.

        SSLCertificateFile /etc/apache2/ssl/ssl.crt/www.example.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/ssl.key/www.example.com.keynopass

7.4. Intermediate CA Certificate

In some cases, you need to use an “intermediate CA certificate” as explained above. If your SSL provider has sent you such a file, you need to tell Apache where to find it. Below, the intermediate CA file is named CACertificate-INTERMEDIATE.cer.

        SSLCACertificateFile /etc/apache2/ssl/ssl.crt/CACertificate-INTERMEDIATE.cer

7.5. Special IE Configuration

The implementation of SSL in Internet Explorer (IE) is broken in some versions. For these versions to work properly, and protect your server from the effects of these broken implementations, you need the following directives.

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

This is basically turning off Keep-Alive for IE versions 2 through 6, and properly shutting down the SSL subsystem when one of these browsers happens to connect to your server.

And that’s it folks. With these settings, your web server should be as secure as Fort Knox 🙂

Let us now restart the server and check the configuration.

7.6. Verifying SSL

Restart the server now as follows:

service apache2 restart

Now verify that SSL is working by checking with the browser. At this point, you can also check the details in the certificate from the browser. It should be the same information as you submitted in the CSR.

You can also check that all parts of the SSL are working correctly by using these online tools.
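Before the restart, the layout from sections 2 through 7.4 can be sanity-checked from the shell. The script below is an added example, not part of the original article: it checks directory permissions, that the key has no passphrase, that key and certificate belong together, and that the certificate was issued by the intermediate. File names (inter.cer, www.example.com.crt) are assumptions, and the throwaway PKI it builds is constructed for demonstration only; it needs openssl 1.0.2+ and GNU stat.

```shell
#!/bin/sh
# Added example, not from the original article: checks the tree from sections 2
# to 7.4 before the restart. Names are assumptions; the demo PKI is constructed.
# Requires openssl 1.0.2+ and GNU stat (Linux).
set -eu
# Section 2: group and others must hold no permission bits on the ssl directories.
dir_is_private() { case "$(stat -c %a "$1")" in *00) return 0 ;; *) return 1 ;; esac; }

# Section 3: a passphrase-protected PEM key says ENCRYPTED in its header, and
# Apache would block at startup waiting for that passphrase.
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# Section 7.3: certificate and key must carry the same public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Section 7.4: the certificate must be signed by the intermediate we serve;
# -partial_chain lets the intermediate act as trust anchor, so no root is needed.
cert_issued_by() { openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed throwaway PKI (self-signed "intermediate" plus a leaf it signs),
# laid out under $1 like the article's /etc/apache2/ssl tree.
make_demo_pki() {
    d="$1"; mkdir -p "$d/ssl.crt" "$d/ssl.csr" "$d/ssl.key"
    chmod go-rwx "$d" "$d/ssl.crt" "$d/ssl.csr" "$d/ssl.key"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoIntermediate \
        -keyout "$d/ssl.key/inter.key" -out "$d/ssl.crt/inter.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.com \
        -keyout "$d/ssl.key/www.example.com.keynopass" -out "$d/ssl.csr/www.example.com.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ssl.csr/www.example.com.csr" -CAcreateserial \
        -CA "$d/ssl.crt/inter.cer" -CAkey "$d/ssl.key/inter.key" \
        -out "$d/ssl.crt/www.example.com.crt" 2>/dev/null
}

# Run all checks on a tree rooted at $1; report each failure, return 1 on any.
run_checks() {
    d="$1"; rc=0
    for sub in "" /ssl.crt /ssl.csr /ssl.key; do
        dir_is_private "$d$sub" || { echo "FAIL: $d$sub is group/world accessible"; rc=1; }
    done
    key_is_unencrypted "$d/ssl.key/www.example.com.keynopass" || { echo "FAIL: key encrypted"; rc=1; }
    key_matches_cert "$d/ssl.crt/www.example.com.crt" "$d/ssl.key/www.example.com.keynopass" \
        || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_issued_by "$d/ssl.crt/www.example.com.crt" "$d/ssl.crt/inter.cer" \
        || { echo "FAIL: certificate not issued by intermediate"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: all checks"
    return "$rc"
}
```

To try it without touching a live server, run `make_demo_pki /tmp/ssl-demo` and then `run_checks /tmp/ssl-demo`; against the real tree, call `run_checks /etc/apache2/ssl` as root after dropping the demo-specific names in for your own.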

Conclusion

In this article, we discussed how to configure Apache Web Server with the SSL certificate that was obtained in the previous step. After you follow this procedure, your website should be secured properly with SSL.

How To Add an SSL Certificate to your Web Server

Enhance the security of your website with an SSL certificate.

“If my doctor told me I had only six minutes to live, I wouldn’t brood. I’d type a little faster.” ― Isaac Asimov

1. Introduction

Do you currently run a web server? If so, you need to support HTTPS by adding an SSL (Secure Sockets Layer) certificate to your server. Not only is it good for the security of your customers, it is also good for your website’s positioning in Google (SEO).


Python How to Check if File can be Read or Written

Collection of Checks for Readable and Writable Files.

“Education is the most powerful weapon which you can use to change the world.” ― Nelson Mandela

1. Introduction

It can be a bit cumbersome at times to check for read or write permission on a file. The check might succeed but the actual operation could fail. Also, quite a few edge cases need to be covered to get a reasonable answer from such a check. In this article, we cover some issues with regards to checking read and write permission on a file.


Using AES for Encryption and Decryption in Python Pycrypto

Easily incorporate strong AES encryption into your programs.

“Believe in your infinite potential. Your only limitations are those you set upon yourself.” ― Roy T. Bennett, The Light in the Heart

1. Introduction

Pycrypto is a python module that provides cryptographic services. Pycrypto is somewhat similar to JCE (Java Cryptography Extension) for Java. In our experience JCE is more extensive and complete, and the documentation for JCE is also more complete. That being said, pycrypto is a pretty good module covering many aspects of cryptography.


Python itertools – ifilter, islice, imap, izip

Make your life easier with these itertools when dealing with iterables

“A lie gets halfway around the world before the truth has a chance to get its pants on.” ― Anonymous

1. Introduction

Python provides the itertools package which provides convenience functions for many common iterator operations. We have covered count(), cycle() and chain() in the first part of this series, and compress(), dropwhile(), and groupby() in the second part. In this article, we present a few examples of ifilter(), islice(), imap() and izip().


Python HTTP Client using urllib2

More on downloading HTTP URLs using urllib2.

“I like the night. Without the dark, we’d never see the stars.” ― Stephenie Meyer, Twilight

1. Introduction

Python provides the well-regarded urllib2 module for opening URLs. Let us investigate some of the capabilities of this module, shall we? Note that most use cases are better served by using the higher level Requests module. However, you should know about the available options.


Python String Formatting Examples

Learn about all the facilities available with python string formatting

“The saddest aspect of life right now is that science gathers knowledge faster than society gathers wisdom.” ― Isaac Asimov

1. Introduction

String formatting in python is somewhat complicated by the fact that there are a lot of flags and options. Let us learn about them.


Python – More List Methods and Recipes

Remove items from a List and more.

“Happiness is a perfume you cannot pour on others without getting some on yourself.” ― Ralph Waldo Emerson

1. Introduction

In a previous article, we covered some python list methods related to adding items. Let us now continue the review of more list methods.


Python List Methods: Adding Items

Check out this refresher on ways to add items to python lists

“Share your knowledge. It is a way to achieve immortality.” ― Dalai Lama XIV

1. Introduction

Python offers the list data type which is similar to an array in C/C++ or Javascript or a List in Java. Of course, there are differences between the list in python and these languages. Sigh, wouldn’t it have been nice if all the common languages offered such data types with the same methods – same name, parameters, everything? Then you could have concentrated on mastering one and you would have it all. At the very least, this could have been done for common programming entities such as strings, list/array, characters, integer and float numbers, booleans, etc.


How to Avoid Deadlock when Calling External Command from Python

Use pipes from multiple threads for bidirectional communication.

“The truth will set you free, but first it will piss you off.” ― Joe Klaas, Twelve Steps to Happiness

1. Introduction

Invoking an external process from python and interacting with it can be quite tricky. This is especially true if the interaction is duplex, i.e., involving both reading from and writing to it. Such an interaction can cause deadlocks since both processes can end up waiting for output from the other. One way to avoid such deadlocks is to separate the reader and writer parts into different threads. We demonstrate such an approach in this article.
