Home | Servers | Hosting | Support | Control Panel | RimuHosting

Plans & Pricing

Server Recommendation Tool

Server Types

  VPS

  Semi-dedicated Server

  Dedicated Server

Server Locations

  Dallas

  London

  Australia

VPS Technology

Hardware

Data Centers

Linux Distributions

Applications

Maintenance Notices

Support Ticket

Control Panel

HOWTO Articles

Forums

VPS control panel

Billing details

Receipts

Contact details

DNS

Reverse DNS

Console-over-SSH

FTP backup space

Backup mail server

About

Staff

News

Customer Testimonials

Sales Inquiry

Link To Us

Terms and Conditions

Site Map

Order a VPS, Semi- dedicated or Dedicated server in Dallas, London or Australia.

Ask our support team about your hosting requirements.

Support

• Control Panel
• Support Ticket
• Sales Inquiry
• Forums
• Maintenance Notices
• Howto Articles

Host where the staff takes pride in making customers happy

Thanks for the prompt response. So far my experience with RimuHosting is being awesome.

- Terry, a new cusomer (after helping out with a simple request) (#192/269)

Web howtos

• Host multiple domains: setting up virtual hosts with Webmin
• Upload files and serve up HTML pages
• Password protecting your web pages: htaccess
• Securing your web traffic: installing an SSL certificate
• Who's looking at what: web statistics
• Using PHP: PHP Hello World, common problems and solutions

Securing Your Web Traffic: Installing an SSL Certificate

If you run a e-commerce site, or will otherwise be serving web traffic that you do not want someone to intercept, then you should install an SSL certificate.

The RimuHosting staff can purchase and install an SSL on any server you host with us. Just complete an SSL support ticket type.

If you would prefer to do it yourself, here is how the SSL certificate setup goes:

• You create a private key for your server.  Only you should ever see this key (a file). 
• You create a certificate signing request (CSR) using this private key.   The CSR includes information about you or your organization and about the domain you want to protect with SSL. 
• The certifying authority creates a certificate for you based on this CSR.  This certificate will only work when your private key is present.   And your browser will only accept the certificate (without warnings) if the certificate was signed by a certifying authority recognized by your browser. 
• Your browser will negotiate a secure (i.e. encrypted) connection to your server.  Anyone between your browser and the web server who intercepts this traffic will be unable to decrypt the content (well, that is the theory).

Things to know:

• SSL will require an IP address per domain.  (Actually, it is possible to put multiple domains on one IP but you would need to use non-standard port numbers).
• SSL works on a particular domain.  E.g. domain.com.  It will not work, without warnings, on other domains.  E.g. www.domain.com.
• SSL certificates are usually issued for a particular duration, and have to be renewed after that.
• If a certificate expires, a browser can still use it (i.e. the certificate will still ensure traffic is encrypted), but the browser will probably issue a warning to its user.

Anyway, enough of that.  Time to get SSL running on your server:

function prepcert() {
httpdconfdir=/etc/httpd/conf
if [ -e /etc/apache2 ]; then
httpdconfdir=/etc/apache2
fi
while true; do 
if [ ! -z "$domainname" ]; then
break
fi
echo "SSL Domain Name = ? "
read domainname
done

# Create the private key and certificate signing request directories
mkdir -p $httpdconfdir/ssl.key/
mkdir -p $httpdconfdir/ssl.csr/

# Create your private key file.  You need to make sure the noone gets a copy of this.
if [ ! -e $httpdconfdir/ssl.key/$domainname.key ]; then
    openssl genrsa -out $httpdconfdir/ssl.key/$domainname.key 1024
fi
# add a -des3 option to the above command if you want to use a password with your key

if [ ! -e $httpdconfdir/ssl.key/$domainname.csr ]; then
    # Create your certificate signing request.  This is what you'll send out to get your certificate.
    openssl req -new -key $httpdconfdir/ssl.key/$domainname.key -out $httpdconfdir/ssl.csr/$domainname.csr
    # the 'common name' must match your domain name
    # Leave the challenge password blank (press Enter)
fi

# Double check your input:
openssl req -noout -text -in $httpdconfdir/ssl.csr/$domainname.csr

# save the conf settings for when we get the cert
echo "
export domainname=$domainname
export httpdconfdir=$httpdconfdir
" > /root/sslorderdetails
cat $httpdconfdir/ssl.key/$domainname.key
cat $httpdconfdir/ssl.csr/$domainname.csr
echo Common Name = $domainname
}
prepcert

Order your SSL.  There are many websites that will sell you one. e.g. http://rapidsslonline.com (currently about $15/certificate/year).  The web server type (for your order) is Apache +mod ssl.

Follow the ordering process.  Eventually you will receive your certificate via email.  You then just need to copy that file to the right location on your server:

source /root/sslorderdetails

mkdir -p $httpdconfdir/ssl.crt

cat << EOJ >> $httpdconfdir/ssl.crt/$domainname.crt

After the above you'll need to paste in your SSL cert (from -----BEGIN CERTIFICATE----- down to -----END CERTIFICATE----- inclusive) then hit enter then type EOJ then hit enter again.

Then open up your Apache httpd.conf file with a text editor like vi.  The file is usually /etc/httpd/conf/httpd.conf.  Then make sure that there is a VirtualHost for both regular traffic (port 80) and SSL traffic (port 433).  And add in the SSL options to the SSL VirtualHost directive.

To see the contents of the certificate, run: openssl x509 -in $httpdconfdir/ssl.crt/$domainname.crt -text | head -n 12

<VirtualHost *:80>
DocumentRoot "/var/www/vhosts/yourdomainname"
ServerName yourdomainname
ServerAlias *.yourdomainname
</VirtualHost>

<VirtualHost youripaddress:443>
DocumentRoot "/var/www/vhosts/yourdomainname"
ServerName yourdomainname
#ServerAlias here is not going to work without giving warnings to the user
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomainname.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomainname.key
</VirtualHost>

The following code snippet should create the above entries: export httpdconfdir; export domainname; wget -qO - http://downloads.rimuhosting.com/addsslvhost | bash

Restart Apache: /etc/init.d/httpd restart.

You should now be able to browse to https://yourdomainname.com

When you go to browse the https page, do you get a warning about the certificate issuer not being recognised?  Then you may need to tell Apache about your SSL certificate issuer's certificate.  They should provide you this file.  Upload it to the /etc/httpd/conf/ssl.crt directory.  Then add an option like: SSLCACertificateFile /etc/httpd/conf/ssl.crt/ComodoSecurityServicesCA.crt after your SSLCertificateFile directive.

Resolving 'Server Certificate Expired' and 'Certified By an Unknown Authority' Browser Warnings

Apache comes with a default SSL host in /etc/httpd/conf.d/ssl.conf of <VirtualHost _default_:443>.  Apache may be using that VirtualHost, which has a self-signed certificate, rather than the VirtualHost you added.  Change that VirtualHost to <VirtualHost 127.0.0.1:443> so that it does not override the setting for the IP you entered and restart Apache.  The web server should now start picking up the SSL VirtualHost you added.

Home · VPSs · Support · About · © RimuHosting™ 2003-2008