Install a self-signed SSL certificate on Ubuntu

Here is a step-by-step procedure to install a self-signed SSL certificate on Ubuntu. Whether you are doing it on an on-premise server or in the cloud (AWS, Digital Ocean, Rackspace, Linode), the process is the same. I am assuming you already have Apache installed on Ubuntu. If it is not installed, install it using these commands:


sudo apt-get update
sudo apt-get install apache2

Step-by-step instructions to install a self-signed SSL certificate:

1. The first step is to activate the SSL module. Run the command below to enable it.

sudo a2enmod ssl

After this, restart your Apache web server using the command below.

sudo service apache2 restart

2. Step two is to install the self-signed SSL certificate. First we will create a directory to hold the certificate files. Use the command below to create it.

sudo mkdir /etc/apache2/sslcerts

Next we will create the key and the certificate in a single step using openssl.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/sslcerts/apache2.key -out /etc/apache2/sslcerts/apache2.crt

OpenSSL is a command-line tool to create and manage certificates, keys, signing requests, etc. The parameters used with openssl above are explained below:

  • req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. Since we want to create a new X.509 certificate, this is the subcommand we want.
  • x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
  • nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
  • days 365: This specifies that the certificate we are creating will be valid for one year.
  • newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn’t create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
  • keyout: This parameter names the output file for the private key file that is being created.
  • out: This option names the output file for the certificate that we are generating.

Once you hit Enter you will be presented with a basic set of questions, as below:

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Madhya Pradesh
Locality Name (eg, city) []:Indore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ
Organizational Unit Name (eg, section) []:Department of House Keeping
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:myemail@domain.com

3. The third step is to configure Apache to use SSL. Open the file /etc/apache2/sites-available/default-ssl.conf with vi or nano.

sudo nano /etc/apache2/sites-available/default-ssl.conf

Remove the #'s at the start of the lines (the comments) so the file looks like this.

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  </VirtualHost>
</IfModule>

Edit the file so that it looks like this:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin admin@domain.com
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/sslcerts/apache2.crt
    SSLCertificateKeyFile /etc/apache2/sslcerts/apache2.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  </VirtualHost>
</IfModule>

Save and exit the file.

4. The next step is to activate the SSL virtual host. Activate it using the command below.

sudo a2ensite default-ssl.conf

After this, restart Apache.

sudo service apache2 restart

5. The last step is to test your SSL installation. Open your domain in a browser over HTTPS (https://xyz.com). You will be presented with a warning, because the certificate has not been signed by one of the certificate authorities your browser trusts, so the browser cannot verify the identity of your server. You can ignore it.
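
Checks worth running on the key and certificate from step 2 before relying on them, as an added example that is not part of the original post. The function names and the temporary directory are assumptions made for the demonstration; -subj supplies the answers to the interactive prompts so the step 2 command runs unattended.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for a key/certificate pair like the one from step 2.
# Runs on a throwaway pair in a temp directory (constructed sample data); pass
# /etc/apache2/sslcerts/apache2.crt and apache2.key to check the real files.

# Same openssl options as step 2, made non-interactive with -subj.
make_pair() {  # $1 = output directory, $2 = common name
  ( umask 077  # files are created readable by their owner only
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$1/apache2.key" -out "$1/apache2.crt" \
      -subj "/C=IN/ST=Madhya Pradesh/L=Indore/O=XYZ/CN=$2" 2>/dev/null )
}

# SHA-256 of the public key inside the certificate ($1 = certificate file).
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from the private key ($1 = key file).
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate ($1) belongs to the private key ($2).
pair_matches() { [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]; }

# Succeeds only if the key file has no group/other permission bits (e.g. 600).
key_is_private() {
  case "$(stat -c %a "$1")" in [0-7]00) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the certificate ($1) is still valid $2 days from now.
still_valid_in_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# SHA-256 fingerprint, to compare with the one shown in the browser warning.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

demo=$(mktemp -d)
make_pair "$demo" your_domain.com
pair_matches "$demo/apache2.crt" "$demo/apache2.key" && echo "key matches certificate"
key_is_private "$demo/apache2.key" && echo "key is readable by owner only"
still_valid_in_days "$demo/apache2.crt" 30 && echo "valid for at least 30 more days"
echo "fingerprint: $(cert_fingerprint "$demo/apache2.crt")"
rm -rf "$demo"
```

Comparing the fingerprint printed here with the one the browser displays for the site confirms that the warning in step 5 is about your own certificate and not a different one.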
