If you run a e-commerce site, or will otherwise be serving web traffic that you do not want someone to intercept, then you should install an SSL certificate for the affected domain.
RimuHosting staff can purchase and install an SSL certificate on any server you host with us. Just complete an SSL support ticket type.
$20 per SSL certificate install ticket (for SSL CSR creation and install).
LetsEncrypt's auto-renewing certificates no extra cost.
Regular certificates +$20 per domain per year.
Wildcard certificates and EV certificates are +$150 per year.
Prices are USD. GST will be added for NZ-based customers.
If you would prefer to do it yourself, here is a quick outline of how the SSL certificate setup goes:
To get SSL running on your server we have created a helper script that simplifies the key and csr creation process. Run the script as root or with root privilege or using sudo, and follow the the instructions.
wget -q -O ./prepcert.sh http://proj.ri.mu/prepcert.sh ; bash ./prepcert.sh
Make sure the 'Common name' is the domain you want secured. At the end of the script it will suggest web server directives that can be added on your existing apache config file. The output will be something like this
You may need to add these lines to your SSL-enabled VirtualHost:
--------------------- APACHE START HERE --------------------------------
SSLEngine On
SSLCertificateFile /etc/pki/rhcerts/example.com/example.com.2048.crt
SSLCertificateKeyFile /etc/pki/rhcerts/example.com/example.com.2048.key
SSLCACertificateFile /etc/pki/rhcerts//RapidSSL_CA_bundle.pem
---------------------- APACHE END HERE ---------------------------------
ref https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
To check the contents of a csr run (for example):
openssl req -text -noout -in /etc/pki/rhcerts/example.com/example.com.2048.csr-1469066519 -textUse the CSR t purchase the SSL cert from your supplier. , then replace the .crt file generated earlier with the one the SSL company gives you (and any chain certs if they differ from the one you have)
To check the contents of a certificate, run (for example):
openssl x509 -text -noout -in /etc/pki/rhcerts/example.com/example.com.2048.crtSetup the SSL vhost for your domain if you havent already, and configure the certificates lines to match your newly issued files.
You should now be able to browse to https://domainname.com
Sometimes its us useful to make sure a new certificate matches what you expect. This might come about if a certificate was ordered using a different (eg older) key by mistake. Or if the certificate was generated on a different server and you want to make sure all the parts are consistent. The below commands should help...
Check the hash of the public key, CSR, or private key to make sure they match...
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
Check a Certificate Signing Request (CSR) for expected values
openssl req -text -noout -verify -in CSR.csr
Check a private key for configuration details
openssl rsa -in privateKey.key -check
Check a certificate reports everything that is expected (and nothing extra)
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
When you go to browse the https page, you get a warning about the certificate issuer not being recognised. You may need to tell Apache about your SSL certificate issuer's certificate. They should provide you this file. Upload it to the web server if it is not there already, and add a line to the virtualhost configuration like...
SSLCACertificateFile /etc/pki/rhcerts//RapidSSL_CA_bundle.pem
Some people prefer to pay for 1 certificate and they have several domain names aliased to that one domain. Visitors to one of the aliased domains will see a warning in their browsers that the certificate doesnt match the domain. This is expected.
Some certificates can be issued to cover multiple domains. This costs more than multiple regular certificates. But can be useful in reducing the web server configurations required, and overhead from managing the extra certificates.
You may want visitors to be directed to a primary domain or a specific URL. In the apache config where you have configured your port 80 Virtualhost add the following rules
RewriteEngine On
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^domain.com [NC]
RewriteRule ^/(.*) http://domain.com/$1 [L,R=301]
If you want entire domains to be pointed to ssl one you can do something like this instead
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This will ensure all domains redirect to the one with the SSL certificate.
Some hosting control panels will automatically provision SSL certificates for domains. If you are planning on doing a lot of website hosting and feel this might be useful feature we recomend installing VirtualminGPL when you order your server, as a stable and free option.
Specifically for Virtualmin, we have written the following guide
Apache comes with a default SSL vhost configuration, for example on Centos that may be configured in in /etc/httpd/conf.d/ssl.conf. Apache may be using that VirtualHost, which has a self-signed certificate, rather than the VirtualHost you added. Change that to look like <VirtualHost 127.0.0.1:443> so that it does not override the setting for the IP you entered and restart Apache. The web server should now start picking up the SSL VirtualHost you added.
There is a good guide on how to do that on the Apache wiki
Something like the following...
openssl pkcs12 -export -in <crtfile> -out <pks21file> -name "<certificate domain name>" -inkey <keyfile>openssl pkcs12 -export -in /etc/httpd/conf/ssl.crt/promotionalway.com.crt -out /root/sslcert/promotionalway.com.pkcs12 -name "promotionalway.com" -inkey /etc
/httpd/conf/ssl.key/promotionalway.com.key
Then in /usr/local/tomcat/conf/server.xml do something like the following...
<Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200" maxHttpHeaderSize="8192"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/usr/local/tomcat/promotionalway.com.pkcs12" keystorePass="developer"
keystoreType="PKCS12"
clientAuth="false" sslProtocol="TLS"/>
There are a few tools out there you can use to test SSL connections. The main one is openssl itself, there are also scripts that can provide a quick report to help highlight any concerns. For example the open source sslyze seems to work quite well and is being actively developed. These online resources are also very useful...
Configurations: https://ssl-config.mozilla.org/
Testing: https://www.ssllabs.com/ssltest/
RimuHosting : Server hosting service. A Rimu Hosting Ltd business. RimuHosting services include:
© RimuHosting Ltd 2002-2024. Rimuhosting, Launchtime and the Rimuhosting logo are RimuHosting™ trademarks.
