{"id":44,"date":"2012-09-18T13:05:49","date_gmt":"2012-09-18T07:35:49","guid":{"rendered":"http:\/\/prasadk.com\/my-press\/?p=44"},"modified":"2012-10-07T20:28:44","modified_gmt":"2012-10-07T14:58:44","slug":"configuring-ssl-and-https-for-your-website-amazon-ec2","status":"publish","type":"post","link":"https:\/\/www.prasadk.com\/my-press\/configuring-ssl-and-https-for-your-website-amazon-ec2\/","title":{"rendered":"Configuring SSL and HTTPS for your website (Amazon EC2)"},"content":{"rendered":"<p>A lot of effort had gone into making our website into a HTTPS enabled website. I literally had to screw my ass out. Really a tough job as i had little guidance in setting up the HTTPS on Apache which was running on Amazon EC2. Its actually pretty easy, it was just that I was making a few mistakes which i couldn\u2019t figure out easily. Here it goes<br \/>\nFirst of all I had bought an SSL certificate from PositiveSSL. I got it for $9 from namecheap.com. It\u2019s worth it. The process as a whole is not very tough. It all depends on the amount of system administration experience that you have.<br \/>\nComing to the configuration. Am going to assume that you are going to set it up on your Amazon EC2 instance. Anyway that doesn\u2019t make a big difference as the same applies to the web server that you would be configuring.<br \/>\nSet up Apache on your instance.<br \/>\n1. Install apache and mod-ssl<br \/>\nyum install httpd mod_ssl<br \/>\n2. Enable the ports 22 and 443 on your Amazon EC2 instance. Open up the ports for access for 0.0.0.0\/0 under security credentials.<br \/>\nFollow the instructions in this post to get your SSL certificate from an SSL provider.<br \/>\nhttp:\/\/wp.me\/p1yWAu-3C.<br \/>\n3. Installing the certificate on to your Apache Web server.<br \/>\n3.1 : Copy your certificate file<br \/>\nYou will receive an email from your SSL provider (yourdomainname.crt). Open you certificate in some text editor and  your certificate will look something like:<br \/>\n\u2014\u2013BEGIN CERTIFICATE\u2014\u2013<br \/>\nMIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAAhAF<br \/>\nUbM77e50M63v1Z2A\/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNlVTMSAw<br \/>\n(\u2026\u2026.)<br \/>\nE+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6<br \/>\nK99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS\/16S36ITclu4AADEAAAAAAAAA<br \/>\n\u2014\u2013END CERTIFICATE\u2014\u2013<br \/>\nCopy your Certificate into the directory that you will be using to hold your certificates. In this example we will use \/etc\/ssl\/crt\/. Both the public and private key files will already be in this directory. The private key used in the example will be labeled private.key and the public key will be yourdomainname.crt.<br \/>\nMake sure that it\u2019s readable only by root.<br \/>\n3.2 : Install the Intermediate Certificate<br \/>\nYou will need to install the chain certificate (intermediates) in order for browsers to trust your certificate. As well as your SSL certificate (yourdomainname.crt) .If you are using  Apache you\u2019ll need the following files AddTrustUTNServerCA.crt and PositiveSSLCA.crt certificates and then your key file as well.<br \/>\nYou need a bundle file.Create a file say bundle.txt. To do this you will need to open the certificates with a text editor and add both of the certificate texts to that file, first the PositiveSSLCA.crt then the AddTrustUTNServerCA.crt and save this file as bundle.txt<br \/>\nCopy the bundle.txt file to the directory that consists of  httpd.conf (\/etc\/httpd\/conf\/) (this contains all of the CA certificates in the chain).<br \/>\n4. Configure virtual hosts in httpd.conf<br \/>\nNameVirtualHost 23.21.221.101:443<br \/>\n<virtualhost x.x.x.x:443><br \/>\nServerAdmin webmaster@dummy-host.example.com<br \/>\nDocumentRoot \/var\/www\/html<br \/>\nServerName www.myexample.com<br \/>\nSSLEngine on<br \/>\nSSLProtocol all -SSLv2<br \/>\nSSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM<br \/>\n# ErrorLog logs\/errorlogs<br \/>\n# CustomLog logs\/custom<br \/>\nSSLCertificateFile \/etc\/ssl\/certs\/lets\/certificate.crt<br \/>\nSSLCertificateKeyFile \/home\/ec2-user\/private.key<br \/>\n# SSLCertificateChainFile \/home\/ec2-user\/PositiveSSLCA2.crt<br \/>\nSSLCACertificateFile \/etc\/httpd\/conf\/bundle.txt<br \/>\nSetEnvIf User-Agent \u201c.*MSIE.*\u201d nokeepalive ssl-unclean-shutdown<br \/>\n# CustomLog \/usr\/local\/apache\/logs\/ssl_request_log \\<br \/>\n# \u201c%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\\u201d%r\\\u201d %b\u201d<br \/>\n<\/virtualhost><br \/>\n5.  Since I have given the name of the files make sure you configure it according to the above configuration file. For readers convenience i\u2019ll list out what each configuration means.<br \/>\n\u2022\tSSLCertificateFile  is the certificate you received through email from SSL provider<br \/>\n\u2022\tSSLCertificateKeyFile is the private key<br \/>\n\u2022\tSSLCACertificateFile is the bundle you created<br \/>\n6. Save your httpd.conf file and restart Apache.<br \/>\n7. Pray to God that it must work. I had to figure out so many things. I\u2019ll post them once i recollect these things. It\u2019s been a while since I did this.<br \/>\n8. Make sure mod_ssl is installed. Reflect the changes in \/etc\/httpd\/conf.d\/ssl.conf file as well. I mean the path of the configuration of the above parameters.(SSLCertificateFile ,SSLCertificateKeyFile ,SSLCACertificateFile )<br \/>\nA few tips: (Common issues)<br \/>\n1. Make sure hostname configuration is fine<br \/>\n2. Check for iptable rules that may be blocking access<br \/>\n3. Check Amazon security credentials for any denial of access<br \/>\n4. Update your instance. (yum update)<br \/>\n5. Check for resolv.conf, \/etc\/hosts configuration, \/proc\/sys\/kernel\/hostname parameter.<br \/>\n6. check nmap localhost, check if ports 443 and 80 are open.<\/p>\n<p>Getting a new certificate from SSL provider<\/p>\n<p>First of all you need to generate an CSR ( Certificate Signing Request) and a private key for  your own Apache Web Server.<br \/>\nThe steps to get you SSL certificate are as follows.<br \/>\nopenssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr<br \/>\nIt\u2019ll ask for the following fields make sure you give the details correctly especially the hostname must be of the format myexample.com<br \/>\nCountry Name (2 letter code) [AU]: US<br \/>\nState or Province Name (full name) [Some-State]: Washington<br \/>\nLocality Name (eg, city) []: Seattle<br \/>\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]: Herp and Co<br \/>\nOrganizational Unit Name (eg, section) []: Herping<br \/>\nCommon Name (eg, YOUR name) []: mydomain.com<br \/>\nEmail Address []:<br \/>\nA challenge password[]:<br \/>\nAn optional company name[]:<br \/>\nThis will create a .csr file and a .key file. In this example myserver.key is your private key and server.csr is the Certificate Signing Request file.<br \/>\nNow go to the site where you want to get the SSL certificate from. I chose PositiveSSL. Got one for $9.<br \/>\nNow open the server.csr file and copy its contents. Make sure you copy the entire contents. (including the dashes).<br \/>\nPaste it when you are prompted. Ask the web admin to approve the certificate request when its prompted. You\u2019ll receive the mail and you\u2019ll be getting the certificate, the root certificate and intermediate server certificate as well.<br \/>\nIn my next post I\u2019ll talk about installing SSL certificate on to your web server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A lot of effort had gone into making our website into a HTTPS enabled website. I literally had to screw my ass out. Really a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0},"categories":[7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/posts\/44"}],"collection":[{"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":2,"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/posts\/44\/revisions"}],"predecessor-version":[{"id":71,"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/posts\/44\/revisions\/71"}],"wp:attachment":[{"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.prasadk.com\/my-press\/wp-json\/wp\/v2\/tags?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}