Securing Your Web Traffic: Installing an SSL Certificate

If you run an e-commerce site, or will otherwise be serving web traffic that you do not want someone to intercept, then you should install an SSL certificate.

The RimuHosting staff can purchase and install an SSL certificate on any server you host with us. Just complete a support ticket of type SSL.

If you would prefer to do it yourself, here is how the SSL certificate setup goes:

Things to know:

Anyway, enough of that.  Time to get SSL running on your server:


function prepcert() {
    # Use /etc/apache2 if it exists, otherwise /etc/httpd/conf
    httpdconfdir=/etc/httpd/conf
    if [ -e /etc/apache2 ]; then
        httpdconfdir=/etc/apache2
    fi

    # Ask for the domain name unless $domainname is already set
    while [ -z "$domainname" ]; do
        echo "SSL Domain Name = ? "
        read -r domainname
    done

    # Create the private key and certificate signing request directories
    mkdir -p "$httpdconfdir/ssl.key/"
    mkdir -p "$httpdconfdir/ssl.csr/"

    # Create your private key file.  You need to make sure that no one gets a copy of this.
    # 2048 bits is the minimum RSA key size certificate authorities accept.
    if [ ! -e "$httpdconfdir/ssl.key/$domainname.key" ]; then
        openssl genrsa -out "$httpdconfdir/ssl.key/$domainname.key" 2048
        chmod 600 "$httpdconfdir/ssl.key/$domainname.key"
    fi
    # add a -des3 option to the above command if you want to use a password with your key

    # The CSR lives in ssl.csr/, so that is where to look for an existing one
    if [ ! -e "$httpdconfdir/ssl.csr/$domainname.csr" ]; then
        # Create your certificate signing request.  This is what you'll send out to get your certificate.
        openssl req -new -key "$httpdconfdir/ssl.key/$domainname.key" -out "$httpdconfdir/ssl.csr/$domainname.csr"
        # the 'common name' must match your domain name
        # Leave the challenge password blank (press Enter)
    fi

    # Double check your input:
    openssl req -noout -text -in "$httpdconfdir/ssl.csr/$domainname.csr"

    # save the conf settings for when we get the cert
    echo "
export domainname=$domainname
export httpdconfdir=$httpdconfdir
" > /root/sslorderdetails

    # Show the key and the CSR.  Only the CSR goes to the certificate vendor;
    # the private key stays on the server.
    cat "$httpdconfdir/ssl.key/$domainname.key"
    cat "$httpdconfdir/ssl.csr/$domainname.csr"
    echo "Common Name = $domainname"
}
prepcert

Order your SSL certificate.  There are many websites that will sell you one, e.g. http://rapidsslonline.com (currently about $15/certificate/year).  The web server type (for your order) is Apache +mod ssl.

Follow the ordering process.  Eventually you will receive your certificate via email.  You then just need to copy that file to the right location on your server:


# Load the domainname and httpdconfdir values saved by prepcert
source /root/sslorderdetails
mkdir -p "$httpdconfdir/ssl.crt"
cat << EOJ >> "$httpdconfdir/ssl.crt/$domainname.crt"

After the above, paste in your SSL certificate (from -----BEGIN CERTIFICATE----- down to -----END CERTIFICATE----- inclusive), hit Enter, type EOJ, then hit Enter again.
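
Before pointing Apache at the new files, it is worth confirming that the CSR asks for the right name and key size, and that the certificate you received belongs to your private key. The following is an added example, not part of the original HOWTO or RimuHosting's scripts; the function names and the www.example.test sample files are assumptions constructed for the demonstration.

```bash
# Added example: checks on the key, CSR and certificate from this HOWTO.
# Function names are this example's own; the sample files are constructed.

# Print the public key (PEM) held in a key, CSR or certificate file.
pubkey_of() {  # usage: pubkey_of key|csr|crt FILE
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files carry the same public key.
same_key() {  # usage: same_key TYPE1 FILE1 TYPE2 FILE2
    local a b
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the key size in bits recorded in a CSR.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the Common Name requested in a CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Constructed sample files: a key, its CSR, a self-signed certificate standing
# in for the issued one, and an unrelated second key.
make_samples() {  # usage: make_samples DIR
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/site.key" -subj "/CN=www.example.test" -out "$1/site.csr" &&
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_samples "$d" && {
    echo "CSR: CN=$(csr_cn "$d/site.csr") bits=$(csr_bits "$d/site.csr")"
    same_key key "$d/site.key" crt "$d/site.crt" && echo "site.key matches site.crt"
    same_key key "$d/other.key" crt "$d/site.crt" || echo "other.key does not match site.crt"
}
rm -rf "$d"
```

On the server, the equivalent check is same_key key $httpdconfdir/ssl.key/$domainname.key crt $httpdconfdir/ssl.crt/$domainname.crt; a failure means the certificate and key do not pair.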

To see the contents of the certificate, run: openssl x509 -in $httpdconfdir/ssl.crt/$domainname.crt -text | head -n 12

Then open up your Apache httpd.conf file with a text editor like vi.  The file is usually /etc/httpd/conf/httpd.conf.  Make sure that there is a VirtualHost for both regular traffic (port 80) and SSL traffic (port 443), and add the SSL options to the SSL VirtualHost directive:


<VirtualHost *:80>
DocumentRoot "/var/www/vhosts/yourdomainname"
ServerName yourdomainname
ServerAlias *.yourdomainname
</VirtualHost>

<VirtualHost youripaddress:443>
DocumentRoot "/var/www/vhosts/yourdomainname"
ServerName yourdomainname
#ServerAlias here is not going to work without giving warnings to the user
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomainname.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomainname.key
</VirtualHost>

The following code snippet should create the above entries: export httpdconfdir; export domainname; wget -qO - http://downloads.rimuhosting.com/addsslvhost | bash

Restart Apache: /etc/init.d/httpd restart.

You should now be able to browse to https://yourdomainname.com

When you go to browse the https page, do you get a warning about the certificate issuer not being recognised?  Then you may need to tell Apache about your SSL certificate issuer's certificate.  They should provide you this file.  Upload it to the /etc/httpd/conf/ssl.crt directory.  Then add an option like: SSLCACertificateFile /etc/httpd/conf/ssl.crt/ComodoSecurityServicesCA.crt after your SSLCertificateFile directive.

Resolving 'Server Certificate Expired' and 'Certified By an Unknown Authority' Browser Warnings

Apache comes with a default SSL host in /etc/httpd/conf.d/ssl.conf of <VirtualHost _default_:443>.  Apache may be using that VirtualHost, which has a self-signed certificate, rather than the VirtualHost you added.  Change that VirtualHost to <VirtualHost 127.0.0.1:443> so that it does not override the setting for the IP you entered and restart Apache.  The web server should now start picking up the SSL VirtualHost you added.