Cloud Hosting Applications - Using SSL (SSL certificates)
Posted by Alan Bowman on 27 April 2017 08:59 AM

 

Applicable Plans - eApps Cloud Hosting Plans (eApps templates only)

User Guide - Configuring mod_ssl (SSL Certificates and https)

Overview

"mod_ssl is an optional module for the Apache HTTP Server. It provides strong cryptography for the Apache v1.3 and v2 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) cryptographic protocols by the help of the Open Source SSL/TLS toolkit OpenSSL" from http://en.wikipedia.org/wiki/Mod_ssl

Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communication on the Internet for web pages, and other data transfers. SSL relies on key files that are installed on the server and used in the encryption process. These key files can be created easily, but are usually issued and certified by a commercial certificate authority. The certification process helps to reassure visitors to the site that the site is owned and operated by a legitimate business.

eApps Hosting sells several brands of SSL Certificates from Symantec. You can also install a free certificate from the Let's Encrypt project or a self-signed SSL certificate, or purchase an SSL certificate from a third party vendor. Installation is included for certificates purchased from eApps. Assistance for all other types of certificates requires a modest fee.

Generally, the more expensive the SSL Certificate, the more thorough the check by the SSL Certificate Authority to verify the site owners and business, and those SSL certificates have a higher level of trust by consumers.

If you have any questions on the SSL certificate ordering process, please contact eApps Sales for more information. Instructions on how to purchase an SSL certificate are provided in the Purchasing a Commercial SSL Certificate from eApps section of this User Guide.

Prerequisites

SSL Certificates Overview
Commercial SSL Certificate
Self-Signed SSL Certificate
Third Party SSL Certificates

Purchasing a Commercial SSL Certificate from eApps

Installing a Self-Signed SSL Certificate
Creating a web site on port 443 (https)
Creating the self-signed SSL certificate

Installing a Third Party SSL Certificate
Overview
Creating the web site and generating the CSR
Installing the SSL certificate
Installing a root or intermediate certificate file

Forcing web site visitors to use SSL

Common Issues using SSL
Images and Graphics are not using SSL
Links to off-site content are not using SSL

Links to other information


Prerequisites

Each web site that uses SSL must have a dedicated IP address. If only one web site on the Virtual Machine is using SSL, you only need to have one IP address for all the sites. However, if you have multiple web sites using SSL on a Virtual Machine, each site using SSL must have its own IP address.

See the User Guide: Managing IP Addresses - http://support.eapps.com/portal/ip-address for more information on adding additional IP addresses.

You will need to install the mod_ssl application. See the User Guide: Installing and Managing Applications - http://support.eapps.com/webmin/installing-apps for more information if needed.


SSL Certificates Overview

Commercial SSL Certificate

For any web site that is doing actual customer facing business, such as an e-commerce site, you need a commercial SSL certificate. These SSL certificates require that you submit business information to the Certificate Authority, and provide a greater degree of trust for the consumer that you are who you say you are, and that your business is legitimate.

With commercial SSL certificates, it truly is a matter of "you get what you pay for". The more expensive the SSL certificate, the more validation is done by the Certificate Authority, which can translate into a higher degree of trust by the consumer.

Information on how to purchase a GlobalSign, AlphaSSL or Symantec certificate from eApps is found in the Purchasing a commercial SSL Certificate section of this User Guide.

Self-Signed SSL Certificate

For small websites which are mostly used by a group of employees or a small team (such as a web mail application) you can choose to install a self-signed SSL certificate.

A self-signed SSL certificate is not signed or issued by an actual Certificate Authority; it is signed with your own site details. The advantage of this is that self-signed SSL certificates are free. The disadvantage is that a warning will always be displayed to the end user that their data is encrypted, but that the SSL certificate being used has not been independently verified. This is a red flag to any visitor, and a self-signed SSL certificate should never be used for any public facing application such as an e-commerce site.

Using a self-signed SSL certificate for your website will encrypt the connection between your computer and the web site. However, since the SSL certificate is self-signed, it can be forged, and there is no guarantee that the site is genuine or that the connection is not the subject of what is called a man-in-the-middle attack - http://en.wikipedia.org/wiki/Man-in-the-middle_attack.

If the applications you are trying to secure contain very sensitive data, we strongly recommend that you purchase a commercial SSL certificate from a Certificate Authority.

Instructions on how to install a self-signed SSL certificate are found in the Using a self-signed SSL Certificate section of this User Guide.

Third Party SSL Certificates

If you have purchased a third party SSL certificate, see the Installing a third party SSL Certificate section of this User Guide.

Note: No third party SSL certificates are officially supported, but eApps Support will attempt to assist you if you have any questions on how to install it.

Purchasing a Commercial SSL Certificate from eApps

eApps Hosting sells commercial SSL certificates from GlobalSign, AlphaSSL, and Symantec. If you purchase an SSL certificate from eApps, we will order and install the SSL certificate for you. However, you will be required to answer some questions to start the order process, and possibly reply to e-mails from the Certificate Authority as they try to verify your business details.

To begin the process, log in to the Customer Portal at http://portal.eapps.com. Once you are logged in, click on the Store link at the top right of the screen, and then on SSL Certificates. This will show a listing of all the SSL Certificates offered by eApps. Click on the name of an SSL certificate to show a description, as well as the yearly price.

If you are looking for an Extended Validation SSL certificate, eApps offers two: the GlobalSign Extended Validation (EV) SSL Certificate and the VeriSign Secure Site EV.

Once you have made your choice of which SSL certificate you wish to purchase, select your BILLING CYCLE, and then fill out the ADDITIONAL REQUIRED INFORMATION questionnaire. The answers to this questionnaire are crucial to the order process, because these are the answers that eApps provides to the Certificate Authority to order the SSL certificate. Please answer these questions carefully. Incomplete or incorrect answers will delay the order process.

If you realize that you have made any errors with the information given during the SSL certificate ordering process, contact eApps immediately. If the information used to issue the SSL certificate does not match your actual business information, there will be problems with the ordering process from the Certificate Authority, and your order may be rejected.

Once you have filled out the questionnaire, select your PAYMENT METHOD, agree to the Terms of Service, and click on Checkout. This will send the order to the Billing department for processing.

Warning: At all points during the SSL certificate ordering process, you will need to monitor the e-mail address that was used to place the order, as well as the e-mail address that matches the domain registration (if possible). Requests for more information from eApps or the Certificate Authority will need to be responded to as soon as possible, because the SSL certificate order will be on hold while waiting for your reply.

After the order is placed, and the SSL certificate issued, eApps Support will install and test the SSL certificate on your site. Then we will reply to you with the status of the SSL certificate and the link to add the Secure Seal to your site.

At several points during the SSL Certificate ordering process, eApps Support may need to access your Control Panel in order to set up the new virtual host that will accept connections on port 443 and generate the CSR, and to install the new SSL Certificate.


Installing a Self-Signed SSL Certificate

To create and install a self-signed SSL certificate, you will need to create what will appear to be another web site that will answer on port 443 (https) that matches your existing web site that answers on port 80 (http). But since you are using the same name as the existing web site, what you're actually creating is a VirtualHost block in the Apache configuration file for the same ServerName. The Control Panel software sees each VirtualHost block as a standalone web site, which is why it will look like you have two sites for the same domain name, one on port 80, and one on port 443.

If you are going to create the SSL enabled web site at the same time as you create the regular web site, create the regular web site first, then create the SSL web site.

The web site on port 443 will have an additional option in the Website Management section called SSL Certificate/CSR Info where you will create the CSR and install the self-signed SSL certificate.

As a reminder, you will need to install the mod_ssl application in order to use SSL on your Virtual Machine.

Creating a web site on port 443 (https)

The example configuration for this User Guide starts with an existing web site of http://eapps-example.com on port 80, and the mod_ssl application installed. The end result will be a second web site using the same domain name of eapps-example.com, on port 443. This site will be available at https://eapps-example.com, using a self-signed SSL certificate.

Log in to the Control Panel, and go to System > Website Management. This shows that mod_ssl is installed (the Server Name of Automatic on port 443), and the existing web site of eapps-example.com on port 80.

Existing Site and mod_ssl


To create the new web site that will answer on port 443, click on Create Web Sites. This opens the screen for Create a New Web Site.

Create a New Web Site - default

Create a New Web Site

  • Handle connections to address - choose the default of Specific address, and make certain to select the same IP address that is used by the existing non-SSL web site.

    Leave Add name virtual server address (if needed) and Listen on address (if needed) at their default values (checked).

  • Port - since this will be an SSL web site, choose port 443.

  • Administrative User - make sure to use the same user as the existing non-SSL web site. Do not create a new user.

  • Website Name - enter the domain name for this web site in the text box, and use the exact same name as the non-SSL web site. Remember that you need to use the fully qualified domain name (FQDN).

  • Prevent hot linking - for the web site to use SSL correctly, all the images and media must be in the same DocumentRoot. Check this ON.

  • Enable SuExec - suexec allows CGI or SSI scripts to run as the user who owns the site (the Administrative User) instead of as the user who owns the webserver process (the apache user). Only disable this if you have a specific need to do so.

  • Enable Mail Service - you can leave this checked.


As an example, here are the settings to create the eapps-example.com web site on port 443 (SSL) using the webadmin Administrative User.

Create an SSL virtual host

Once you have entered all the necessary settings, click on Create Now. This will write the new virtual host block to the Apache configuration file for the web site using port 443.


Once this is done, you will be taken back to the main Apache Webserver screen, which will show the new web site.

New web site

Creating the self-signed SSL certificate

Once the new web site for port 443 is created, click on the Server Name for the new site. This will take you to the Website Management screen. To start the process for the self-signed certificate, click on SSL Certificate/CSR Info.

SSL Certificate/CSR Info icon


This takes you to the Web Site SSL Certificate Info screen. This shows the Web Site Certificate Details, including the locations of the files used for SSL.

To create a self-signed SSL certificate, click on Generate CSR and Self-Signed SSL Certificate.

Web Site SSL Certificate Info


This opens the New SSL Self-Signed Certificate and CSR Details screen, which is where you enter the information to create the CSR (Certificate Signing Request) that will be used to generate your self-signed SSL certificate.

CSR setup

New SSL Self-Signed Certificate and CSR details

Items with an asterisk (*) are required.

  • Country* - choose your country from the drop down list

  • State/Province* - enter the name of your state, province, or administrative region

  • Locality Name* - enter the name of your city or town

  • Company/Organization Name* - enter the name of your company, or whoever will "own" the SSL Certificate

  • Organizational Unit Name - if you are part of an organizational unit inside your company, enter that here

  • Web Site Name - enter the name of the site you are creating the CSR for here (by default it will use the Website Name from the existing site)

  • Email Address - enter the e-mail address for the Administrative User for this domain.


As an example, here are the settings for eapps-example.com, located in the United States, state of Georgia, locality of Norcross, and part of eApps.

Self-signed SSL certificate example

Once you have entered all the required information, click on Create.


This takes you to the Web Site SSL Certificate Info screen, which shows the SSL Certificate Information at the bottom of the screen.

Web Site SSL Certificate Info


If you have made any mistakes, you can simply repeat the process to generate the CSR and self-signed SSL certificate.

If everything looks correct, click on Return to server index, and at the top of the screen click on Apply Changes to restart the Apache web server.

Now you will be able to browse to the SSL version of the site at https://eapps-example.com or https://www.eapps-example.com.

Note: Since this is a self-signed SSL certificate, you (and your users) will need to accept the certificate in your browser. How you do this will depend on your browser and operating system.

 


Installing a Third Party SSL Certificate

Overview

In order to use a third party SSL certificate, you will need to create a new web site using SSL on port 443, generate a CSR (Certificate Signing Request) to provide to the third party SSL vendor, and then install the SSL certificate and any related files on the Virtual Machine. When ordering your SSL certificate, make sure to choose Apache mod_ssl for the Server type.

There is no official support for any SSL certificate that was not purchased through eApps. If you have purchased an SSL certificate from a third party vendor, you are responsible for installing it, as well as any troubleshooting needed to make the SSL certificate work. As always, eApps Support will attempt to assist you if you have any issues.

For a flat fee of $25, eApps Support will attempt to install your third party SSL certificate for you. And while the vast majority of all unsupported SSL certificates work with no problems, there is no guarantee that every third party SSL certificate will work, and eApps is under no obligation to make an unsupported SSL certificate work.

In the rare instance where the standard installation of an unsupported SSL certificate does not work, you have the option of contracting with eApps to continue troubleshooting the installation at our standard rate of $15 per 10 minute increment ($90/hr). Depending on the issues encountered, you may need to work with the certificate vendor for support. The ultimate responsibility for the installation and operation of an unsupported SSL certificate lies with you and the vendor.

Creating the web site and generating the CSR

Follow the steps for Creating a web site on port 443 (https) from the Installing a Self-Signed SSL Certificate section of this User Guide.

Once you have the new web site created, click on the Server Name for the new site. This will take you to the Website Management screen. Click on SSL Certificate/CSR Info.

SSL Certificate/CSR Info icon


This takes you to the Web Site SSL Certificate Info screen. This shows the Web Site Certificate Details, including the locations of the files used for SSL.

To generate the CSR, click on Generate CSR.

Generate CSR

Follow the steps for Creating the self-signed SSL certificate to generate the CSR.

Note: When you generate a CSR, you also create a self-signed SSL certificate. The self-signed certificate will be replaced with your commercial SSL certificate once it is issued.

Once you have generated the CSR, you are taken back to the Web Site SSL Certificate Info screen. Near the top of the Web Site Certificate details section is the Site CSR File location that shows the absolute path to the CSR, and a link to (Click to View/Edit).

CSR File Location


Click on (Click to View/Edit). Depending on your browser preferences, this will either open a new tab or new window and display the CSR.

CSR file

You will need to copy the CSR file, starting at -----BEGIN CERTIFICATE REQUEST----- and continuing on to -----END CERTIFICATE REQUEST-----. Both those lines, and everything in between, must be copied. This is what your SSL vendor is looking for. They will use this file to generate your actual SSL certificate.

If you need to paste this file into something other than an order form for your vendor, make sure to only use something that is plain text, such as Notepad or TextEdit in plain text mode. If you use a word processor, such as MS Word, WordPad, LibreOffice, or Pages, you will insert invisible control and formatting characters into the CSR, which could cause it to be rejected by your SSL vendor.

After you submit your CSR to your SSL vendor, they will generate your SSL certificate. How long this will take, and what kind of information you need to provide will depend upon the type of SSL certificate that you are ordering. The general rule is that the more expensive the SSL certificate, the longer the process takes. This is because the vendor has to verify more information about you and your business for the more expensive SSL certificates.

Installing the SSL certificate

Once you receive your SSL certificate back from your vendor, you will need to install it on the Virtual Machine. The format of the SSL certificate should look very similar to the CSR that you provided to the vendor, but will probably be somewhat longer in length. You may also receive several other files, including a root or intermediate certificate file. If you receive a root or intermediate file, that will need to be installed also. See the Installing a root or intermediate certificate file section for more information.

To install the SSL certificate, navigate back to Website Management > click on the Server Name of the web site that was created on port 443 > SSL Certificate/CSR Info.

In the Web Site SSL Certificate Info screen, click on (Click to View/Edit) for SSL Certificate file location.

SSL Certificate file location


This will open a new browser tab or window, showing the self-signed SSL certificate. Depending on your browser, the end of the file may be below the line that is just above Save and Close.

SSL Certificate file

Select the self-signed SSL certificate using Edit > Select All or Control + a or Command + a, and delete the contents of the file. Then, paste in your commercial SSL certificate file, starting at -----BEGIN CERTIFICATE----- and continuing on to -----END CERTIFICATE-----. Both those lines, and everything in between, must be copied into the browser window.

Once you have copied your commercial SSL certificate into the window, click on Save and Close. In the Web Site SSL Certificate Info screen, the values in SSL Certificate Information should now reflect what you provided to the SSL vendor from your CSR.

Scroll to the bottom of the screen, and click on Return to server index. In the Website Management screen, click on Apply Changes to restart the Apache web server. Your SSL certificate should now be active.
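The CSR copied out for the vendor and the certificate pasted back in are both plain-text PEM blocks, so the damage described above (missing BEGIN/END lines, invisible formatting characters, a partial copy) can be checked mechanically before submitting or saving. The following is an added example, not part of the original guide or the eApps Control Panel; the function names and the sample block (a structurally valid stand-in built in code, not a real CSR) are constructed for illustration.

```python
import base64
import re
import unicodedata

# The two PEM labels this guide has you copy by hand.
PEM_RE = re.compile(
    r"-----BEGIN (CERTIFICATE REQUEST|CERTIFICATE)-----\n"
    r"(.*?)\n-----END \1-----", re.S)


def der_length_ok(der):
    """True if the bytes are one DER SEQUENCE whose length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_paste(text, expected="CERTIFICATE REQUEST"):
    """Return a list of problems in a pasted PEM block (empty list means clean)."""
    problems = []
    if "\r" in text:
        problems.append("Windows (CRLF) newlines")
    # Anything outside printable ASCII was added by an editor, not by OpenSSL.
    for ch in sorted({c for c in text if c not in "\r\n" and not " " <= c <= "~"}):
        name = unicodedata.name(ch, "control character")
        problems.append(f"unexpected character U+{ord(ch):04X} ({name})")
    cleaned = text.replace("\r\n", "\n")
    match = PEM_RE.search(cleaned)
    if match is None:
        problems.append("BEGIN/END lines missing or do not match")
        return problems
    if match.group(1) != expected:
        problems.append(f"found a {match.group(1)} block, expected {expected}")
    if cleaned[:match.start()].strip() or cleaned[match.end():].strip():
        problems.append("extra text outside the BEGIN/END lines")
    try:
        der = base64.b64decode("".join(match.group(2).split()), validate=True)
    except ValueError:
        problems.append("body is not valid base64")
        return problems
    if not der_length_ok(der):
        problems.append("decoded data is truncated or is not a DER SEQUENCE")
    return problems


def make_sample_pem(label="CERTIFICATE REQUEST", size=300):
    """Constructed stand-in: a DER SEQUENCE of filler bytes wrapped as PEM."""
    payload = bytes(i % 251 for i in range(size))
    der = b"\x30\x82" + size.to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


if __name__ == "__main__":
    pasted = make_sample_pem().replace("\n", "\r\n")   # simulate a Windows paste
    for problem in check_pem_paste(pasted):
        print(problem)
```

Pass expected="CERTIFICATE" when checking the certificate or bundle text before pasting it into the Control Panel.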

Installing a root or intermediate certificate file

Your SSL certificate may have come with another file, possibly called a root or intermediate certificate or bundle - the name used depends on the vendor. If this is the case, you will need to install the file on your server, and then tell the Control Panel where that file is located. This file will also be in plain text.

You can install the root or intermediate file using either the File Manager, or the command line. For either method, the file will need to be located at /etc/pki/tls/certs, with owner:group of root and 644 permissions.

The file name has to end with .crt, but make sure to name the file something relevant to the site it is for. This will be important if there is more than one site that needs this type of file. For this example, the name of eapps-example.com.bundle.crt is used. Make sure not to use the name of any existing SSL certificate files, which also end in .crt.

File Manager

In the Control Panel, open the File Manager, and navigate to the /etc/pki/tls/certs directory. Click on the New button for File (the New button just to the right of Delete), and create the file using your chosen file name (in this example, eapps-example.com.bundle.crt). Paste in the text from the root or intermediate certificate file, and Save & Close the file. Make sure the box for Windows newlines is unchecked.

Once you have saved the file, click on Info, and make sure the Permissions and Ownership match the example shown below.

File Manager SSL bundle


After you have installed the root or intermediate bundle file, you will need to tell the Control Panel where the file is located. Navigate back to Website Management, and select the Server Name for the web site that was created on port 443. Make sure to select the correct Server Name, as there may be several that are on port 443.

Select Server Name


In Website Management, click on Edit Directives. At the bottom of the Edit Directives screen, there will be three lines for SSL: two that point to the location of the SSL certificate and key, and one that turns the SSL Engine on. The lines will look similar to this:

SSLCertificateFile /etc/pki/tls/certs/eapps-example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/eapps-example.com.key
SSLEngine On

Just above the SSLEngine On line, insert this line (remember to use your own file name):

SSLCACertificateFile /etc/pki/tls/certs/eapps-example.com.bundle.crt

The end result will look similar to this:

SSL bundle - Edit Directives

Click on Save, and then on Return to server index at the bottom of the screen. In the Website Management screen, click on Apply Changes. This will install the bundle file for any browser or application that needs it.


Command line

Connect to the Virtual Machine via SSH. You will need to be able to work as the root user and edit files in a text editor, as well as navigate the Linux file system and execute commands.

Navigate to the /etc/pki/tls/certs directory, and create the bundle file. This example uses the vim editor; the vi and nano editors are also available.

[root@example ~]# cd /etc/pki/tls/certs
[root@example certs]# ll
total 452
-rw-r--r-- 1 root root 441017 Dec 15  2010 ca-bundle.crt
-rw-r--r-- 1 root root   1707 Jul  1 14:37 eapps-example.com.crt
-rw-r--r-- 1 root root   1049 Jul  1 13:48 eapps-example.com.csr
-rwxr-xr-x 1 root root    610 Dec 15  2010 make-dummy-cert
-rw-r--r-- 1 root root   2240 Dec 15  2010 Makefile
[root@example certs]# vim eapps-example.com.bundle.crt

Paste the text from the root or intermediate bundle file, and then save and exit the file.

By default, the file should have the correct owner, group and permissions: root:root and 644.

[root@example certs]# ll -d eapps-example.com.bundle.crt
-rw-r--r-- 1 root root 953 Jul  5 11:04 eapps-example.com.bundle.crt
[root@example certs]#


In case the owner:group and permissions are wrong, you can set them with the chown and chmod commands.

[root@example certs]# chown root:root eapps-example.com.bundle.crt
[root@example certs]# chmod 644 eapps-example.com.bundle.crt


Once the file has been created, and the owner:group and permissions are set, change directories to /etc/httpd/conf and edit the httpd.conf file so that the web server knows where the bundle file is.

Before editing the file, make a backup copy of the known good file. This example uses the current date {,.YYYYMMDD} to show when the backup copy was made. You can use any format that you are comfortable or familiar with.

Once the backup has been made, edit the file with a text editor. This example uses vim.

[root@example certs]# cd /etc/httpd/conf
[root@example conf]# ll
total 180
-rw-r--r-- 1 root root 35148 Jul  1 13:42 httpd.conf
-rw-r--r-- 1 root root 12958 Jun 13 17:08 magic
drwx------ 2 root root  4096 Jun 13 17:08 ssl.crl
drwx------ 2 root root  4096 Jul  1 11:48 ssl.crt
drwx------ 2 root root  4096 Jun 13 17:08 ssl.csr
drwx------ 2 root root  4096 Jul  1 11:48 ssl.key
drwx------ 2 root root  4096 Jun 13 17:08 ssl.prm
[root@example conf]# cp httpd.conf{,.20110705}
[root@example conf]# vim httpd.conf

Navigate to the VirtualHost block for the web site. The VirtualHost blocks are generally at the end of the httpd.conf file, usually starting on or around line 993. Make sure to edit the VirtualHost block that is using port 443, and make sure to edit the correct VirtualHost block. There may be more than one using port 443.

As an example, here is how the VirtualHost block for the eapps-example.com web site using port 443 will start:

<VirtualHost 68.169.49.8:443>
DocumentRoot "/home/webadmin/eapps-example.com/html"
ServerName eapps-example.com
ServerAlias www.eapps-example.com


At the end of the VirtualHost block for the web site will be the already existing lines for SSL:

SSLCertificateFile /etc/pki/tls/certs/eapps-example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/eapps-example.com.key
SSLEngine On
</VirtualHost>



Add the line that points to the bundle file, just above the SSLEngine On line. Make sure to substitute your own file name.

SSLCACertificateFile /etc/pki/tls/certs/eapps-example.com.bundle.crt


The end result will look like this:

SSLCertificateFile /etc/pki/tls/certs/eapps-example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/eapps-example.com.key
SSLCACertificateFile /etc/pki/tls/certs/eapps-example.com.bundle.crt
SSLEngine On
</VirtualHost>


Save and exit the file. The web server must now be restarted for the changes to take effect.

[root@example conf]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@example conf]#

This will install the bundle file for any browser or application that needs it.
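Because several VirtualHost blocks may use port 443, it helps to list them and confirm that each one carries the SSL lines shown above before restarting Apache. This is an added example, not the guide's or eApps' own tooling; the function names and the second site in the sample configuration (second-site.example) are constructed for illustration.

```python
import os
import re
import stat

TRACKED = {k.lower(): k for k in (
    "ServerName", "SSLEngine", "SSLCertificateFile",
    "SSLCertificateKeyFile", "SSLCACertificateFile")}

def ssl_vhosts(conf_text):
    """Return one dict per <VirtualHost addr:443> block in httpd.conf text."""
    vhosts, current = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^\s>]+)", line, re.I)
        if opened:
            addr = opened.group(1)
            # Only port 443 blocks are collected; port 80 blocks are skipped.
            current = {"line": lineno, "address": addr} if addr.endswith(":443") else None
        elif line.lower().startswith("</virtualhost"):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            key = TRACKED.get(parts[0].lower())   # Apache directives ignore case
            if key and len(parts) == 2:
                current[key] = parts[1].strip().strip('"')
    return vhosts

def file_findings(path, want_mode=0o644, want_uid=0):
    """Compare a certificate or bundle file with the root owner and 644 mode above."""
    try:
        st = os.stat(path)
    except OSError:
        return [f"{path}: file not found"]
    out = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        out.append(f"{path}: mode is {mode:o}, expected {want_mode:o}")
    if st.st_uid != want_uid:
        out.append(f"{path}: owner uid is {st.st_uid}, expected {want_uid}")
    return out

def audit(conf_text):
    """Return readable findings for every port 443 VirtualHost block."""
    findings, by_addr = [], {}
    for vh in ssl_vhosts(conf_text):
        where = f"{vh.get('ServerName', '(no ServerName)')} (line {vh['line']})"
        if vh.get("SSLEngine", "").lower() != "on":
            findings.append(f"{where}: SSLEngine is not On")
        for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if key not in vh:
                findings.append(f"{where}: {key} is missing")
        bundle = vh.get("SSLCACertificateFile")   # optional: not every vendor sends one
        if bundle is not None and bundle == vh.get("SSLCertificateFile"):
            findings.append(f"{where}: bundle reuses the certificate file name")
        elif bundle is not None and not bundle.endswith(".crt"):
            findings.append(f"{where}: bundle file name does not end with .crt")
        # The guide requires a dedicated IP address for each SSL site.
        first = by_addr.setdefault(vh["address"], where)
        if first != where:
            findings.append(f"{where}: shares {vh['address']} with {first}")
    return findings

# Constructed sample: the guide's eapps-example.com blocks plus a made-up second site.
SAMPLE_CONF = """\
<VirtualHost 68.169.49.8:80>
ServerName eapps-example.com
</VirtualHost>
<VirtualHost 68.169.49.8:443>
DocumentRoot "/home/webadmin/eapps-example.com/html"
ServerName eapps-example.com
ServerAlias www.eapps-example.com
SSLCertificateFile /etc/pki/tls/certs/eapps-example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/eapps-example.com.key
SSLCACertificateFile /etc/pki/tls/certs/eapps-example.com.bundle.crt
SSLEngine On
</VirtualHost>
<VirtualHost 68.169.49.8:443>
ServerName second-site.example
SSLCertificateFile /etc/pki/tls/certs/second-site.example.crt
SSLCertificateKeyFile /etc/pki/tls/private/second-site.example.key
SSLCACertificateFile /etc/pki/tls/certs/second-site.example.crt
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

On the server, pass the contents of /etc/httpd/conf/httpd.conf to audit() and run file_findings() as root on each certificate and bundle path it reports.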


Forcing web site visitors to use SSL

In some cases, you may want to force the visitors to your site to use SSL (https). You can use mod_rewrite and a .htaccess file to force site visitors to use https, even if they typed in http.

To do this, you will need to create a .htaccess file in the DocumentRoot for the site. Note the file name - it begins with a dot (period), and is called "dot htaccess".

You can create the .htaccess file using either the File Manager, or the command line. The owner and group will need to be the Administrative user for the site, and the permissions need to be 644.

Warning: Be aware that the syntax for a .htaccess file has to be exactly right. There is no middle ground or room for error. Your syntax is either absolutely correct, or totally wrong. One misplaced or forgotten slash, or a space where a space shouldn't be can mean that you may now be totally unable to browse the site, or that your .htaccess file is completely ignored.

File Manager

In the Control Panel, open the File Manager, and navigate to the DocumentRoot directory of your web site. This example uses the DocumentRoot of /home/webadmin/eapps-example.com/html.

Click on the New button for File (the New button just to the right of Delete), and create the .htaccess file.

Paste in the following text, making sure to substitute your actual web site name for www.eapps-example.com. Then click on Save & Close. Make sure the box for Windows newlines is unchecked.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.eapps-example.com/$1 [R,L]

Here is an example of what this will look like:

File Manager - .htaccess file


After you save the file, you will need to change the permissions and ownership for the file. The file will need to be owned by the webadmin user, in the webadmin group, and have 644 permissions.

To do this, click on Info, and make sure the Permissions and Ownership match the example shown below. Then click on Save.

File Manager - htaccess permissions


Once you have created the .htaccess file, click on System > Website Management > Apply Changes. This restarts the web server. Your web site should now redirect all requests for http to https.


Command line

Connect to the Virtual Machine via SSH. You will need to be able to work as the root user and edit files in a text editor, as well as navigate the Linux file system and execute commands.

Navigate to the DocumentRoot of the web site - in this example, /home/webadmin/eapps-example.com/html, and create the .htaccess file. This example uses the vim editor; the vi and nano editors are also available.

[root@example ~]# cd /home/webadmin/eapps-example.com/html/
[root@example html]# vim .htaccess


Paste in the following text, making sure to substitute your actual web site name for www.eapps-example.com.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.eapps-example.com/$1 [R,L]

Save and exit the file, and then change the owner:group of the file to the Administrative user for the web site (in this case, webadmin), and if necessary change the permissions of the file to 644.

[root@example html]# ll -d .htaccess
-rw-r--r-- 1 root root 105 Jul  6 08:01 .htaccess
[root@example html]# chown webadmin:webadmin .htaccess
[root@example html]# chmod 644 .htaccess
[root@example html]# ll -d .htaccess
-rw-r--r-- 1 webadmin webadmin 105 Jul  6 08:01 .htaccess
[root@example html]#


Restart the web server for the changes to take effect. Your web site should now redirect all requests for http to https.

[root@example html]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@example html]#

 

Note: This is only a small example of what can be done with a .htaccess file. There are many references online for using and creating a .htaccess file, including several .htaccess generators.

Common Issues using SSL

The SSL certificate will let you encrypt all content under the DocumentRoot for the site. For example, this means that all content under /home/webadmin/eapps-example.com/html (the DocumentRoot for http://www.eapps-example.com) can be served using https.

This also means that any content you want to serve using https has to be under the DocumentRoot for the site that is using SSL - all graphics, all images and video, all text content, any sound files, etc.

If your HTML code links to directories or web forms outside the DocumentRoot of the site using SSL, you will need to move those directories or forms into the DocumentRoot for the site, and change your HTML code to point to the new locations. If your site uses CSS, you will need to make sure any external CSS stylesheets are also in the DocumentRoot of the site using SSL, and change your HTML to point to their new locations.

Images and Graphics are not using SSL

Many sites use shared graphics and images, such as header and footer images or common icon images. If these images are not in the same domain directory that belongs to the site that is using SSL, some browsers will issue a warning that the site is not secure. Make sure that all the images and graphics for the site that is using SSL are in the same directory as the site itself.

Links to off-site content are not using SSL

It is common to link to off-site content, such as information from a third party vendor, or even to YouTube videos or various social networking sites. If those links to off-site content do not point to SSL https links, some browsers will issue warnings that the site content is not encrypted.
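The pages of an SSL site can be scanned for references that still use plain http, which is what triggers the warnings described in this section. This is an added example, not part of the original guide; the sample page, the vendor.example host and the VIDEO_ID placeholder are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs worth checking, and how each reference is used by the page.
KINDS = {
    ("img", "src"): "embedded", ("script", "src"): "embedded",
    ("iframe", "src"): "embedded", ("embed", "src"): "embedded",
    ("video", "src"): "embedded", ("audio", "src"): "embedded",
    ("source", "src"): "embedded", ("object", "data"): "embedded",
    ("link", "href"): "embedded",      # stylesheets only, see below
    ("form", "action"): "form",
    ("a", "href"): "link",
}


class InsecureRefFinder(HTMLParser):
    """Collect every reference that resolves to an http:// URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.found = []                # (line, kind, where, tag, url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return                     # e.g. rel="canonical" loads nothing
        for name, value in attrs:
            kind = KINDS.get((tag, name))
            if kind is None or not value:
                continue
            # Relative and protocol-relative URLs inherit https from the page.
            absolute = urljoin(self.page_url, value.strip())
            parts = urlsplit(absolute)
            if parts.scheme != "http":
                continue
            where = "same-site" if parts.hostname == self.site_host else "off-site"
            self.found.append((self.getpos()[0], kind, where, tag, absolute))


def find_insecure_refs(html_text, page_url):
    """Return (line, kind, where, tag, url) for each plain-http reference."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html_text)
    finder.close()
    return finder.found


# Constructed sample page for the guide's example site.
PAGE_URL = "https://www.eapps-example.com/index.html"
SAMPLE_PAGE = """\
<html><head>
<link rel="stylesheet" href="http://www.eapps-example.com/css/site.css">
<link rel="stylesheet" href="/css/print.css">
</head><body>
<img src="http://www.eapps-example.com/images/header.png">
<img src="images/footer.png">
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="//www.eapps-example.com/js/app.js"></script>
<a href="http://vendor.example/info">Vendor information</a>
<a href="https://www.eapps-example.com/contact">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, where, tag, url in find_insecure_refs(SAMPLE_PAGE, PAGE_URL):
        print(f"line {line}: {where} {kind} <{tag}> {url}")
```

Same-site hits are fixed by moving the file under the SSL site's DocumentRoot or changing the URL to https; off-site hits need an https address from the other site.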


Links to other information

mod_ssl main site - http://www.modssl.org/

mod_ssl documentation - http://www.modssl.org/docs/
