Step 1 – Check if your AWS instance has OpenSSL installed
You will first have to check that OpenSSL is installed on your AWS server. It is normally installed by default; to confirm, type the following command in your Terminal window:
sudo dpkg -s openssl
The results will show the following:
Package: openssl
Status: install ok installed
Version: 1.0.1f-1ubuntu2.19
Step 2 — Activate the SSL Module
SSL support comes as standard in the Ubuntu 14.04 Apache package; however, you will need to enable it. To enable the module, run the command:
sudo a2enmod ssl
After you have enabled SSL, you will need to restart the server for the change to come into effect and handle SSL. Run the following command:
sudo service apache2 restart
Step 3 – Generate a Certificate Signing Request (CSR) for your server and Private Key
A CSR, or Certificate Signing Request, is a block of Base64-encoded text that is generated on the server the certificate will be used on. It contains the information that will be included in your certificate, together with the server's public key.
First, create a subdirectory in which you will place the private key and the CSR file. Run the following command:
sudo mkdir /etc/apache2/ssl
Now change into this directory and run the following command to generate a private key and a Certificate Signing Request (CSR) for the webserver:
cd /etc/apache2/ssl
sudo openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
Please note: for ease of use, it is recommended that you replace 'server' with the domain name the certificate will be issued for, and do the same for 'myserver' in the key file name. The -nodes option writes the private key unencrypted so that Apache can start without a passphrase; protect it with file permissions (readable by root only) instead.
Now enter the details for your CSR:
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Surrey
Locality Name (eg, city) []: London
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name Pvt Ltd
Organizational Unit Name (eg, section) []: IT Department
Common Name (eg, YOUR name) []: yourdomain.com
Email Address []:[email protected]
A challenge password []:
An optional company name []:
| ITEM | EXPLANATION |
| --- | --- |
| Country | Two-letter ISO code for the country where your organization is located |
| State or Province Name | State/region where your organization is located |
| Locality Name | City where your organization is located |
| Organization Name | Full legal name of your organization |
| Organizational Unit Name | Division of your organization handling the certificate |
| Common Name (server FQDN) | Fully qualified domain name (FQDN) of your server |
| Email address | An email address used to contact your organization |
The key and CSR will be created and placed in your /etc/apache2/ssl directory. The email address, optional company name and challenge password fields can be left blank. If you enter '.', the field will be left blank.
The above command will create 2 files.
The myserver.key file is the private key that will be used to set up the SSL/TLS session between the server and a client. It looks like the following if you open the file in a text editor:
-----BEGIN PRIVATE KEY-----
3v9zk......................... dLxa/s=
-----END PRIVATE KEY-----
Do not share this file, and ensure that you have a backup of the private key, as it will be impossible to install the certificate on the server without it afterward.
The server.csr file contains the CSR code that you will need to submit during the certificate activation process. The CSR will look like the following if you open the file in a text editor:
-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
....
-----END CERTIFICATE REQUEST-----
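The openssl req command in Step 3 prompts for every field. The following POSIX shell script is an added example, not code from the original guide: it generates the key and CSR unattended with -subj, restricts the key file to its owner, and then checks the CSR before it is submitted to the CA (the CSR's own signature verifies, the CSR really was built from the key on disk, and the subject shows the Common Name the CA will see). The directory, domain and organization values passed to it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): unattended key + CSR generation
# and pre-submission checks. All paths and names passed in are placeholders.

# Generate a 2048-bit RSA key and a CSR in $1, both named after the domain $2.
# Usage: gen_key_and_csr /etc/apache2/ssl yourdomain.com GB Surrey London "Company Name Pvt Ltd" "IT Department"
gen_key_and_csr() {
  dir="$1"; cn="$2"; c="$3"; st="$4"; l="$5"; o="$6"; ou="$7"
  mkdir -p "$dir" || return 1
  # -subj supplies the answers to the Step 3 prompts; -nodes leaves the key unencrypted
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
    -subj "/C=$c/ST=$st/L=$l/O=$o/OU=$ou/CN=$cn" >/dev/null 2>&1 || return 1
  # The unencrypted key is protected only by permissions: owner read/write only
  chmod 600 "$dir/$cn.key"
}

# 0 when the CSR parses and its self-signature verifies (it was not corrupted in transit).
csr_is_valid() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# 0 when the public key inside the CSR belongs to the given private key
# (same RSA modulus). Catches submitting a CSR made from a different key.
csr_matches_key() {
  key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  csr_mod=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Print the subject exactly as the CA will read it (check the CN is the FQDN).
csr_subject() {
  openssl req -noout -subject -in "$1"
}

# 0 when the private key is readable by its owner only.
key_perms_ok() {
  perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$perms" = "600" ]
}

# Usage (placeholders):
#   gen_key_and_csr /etc/apache2/ssl yourdomain.com GB Surrey London "Company Name Pvt Ltd" "IT Department"
#   csr_is_valid /etc/apache2/ssl/yourdomain.com.csr && \
#   csr_matches_key /etc/apache2/ssl/yourdomain.com.key /etc/apache2/ssl/yourdomain.com.csr && \
#   key_perms_ok /etc/apache2/ssl/yourdomain.com.key && csr_subject /etc/apache2/ssl/yourdomain.com.csr
```

Run it as root (or under sudo) when the target directory is /etc/apache2/ssl; the modulus comparison is the same check Apache performs at startup between SSLCertificateFile and SSLCertificateKeyFile, applied one step earlier to the CSR.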
Step 4 – Buy or get a trial SSL Certificate
You can either buy an SSL certificate or try out ones that are available for a 90-day trial period. For my own testing purposes, I used Comodo’s Free SSL Certificate.
Once you have generated the CSR, you will need to provide it to the certificate authority to issue the SSL certificate. Before the certificate authority issues the SSL certificate, it will need to validate domain control, i.e. that you control the domain for which the certificate is being requested. The domain control validation can happen in one of three ways:
1. Email based validation
Select the email recipient, i.e. the registrar of the domain or the administrative contact of the domain (e.g. webmaster/[email protected]). An email will be sent to the administrative contact containing a unique validation code and link. Click the link and enter the code to confirm domain control.
2. DNS CNAME based validation
If you select this option, then Comodo will provide you with the hash values which must be entered as a DNS CNAME record for your domain.
The hashes are to be entered as follows:
<Value of MD5 hash of CSR>.yourdomain.com. CNAME <value of SHA1 hash of CSR>.comodoca.com.
3. HTTP based validation
If you select this option, then Comodo will provide you with a plain-text file which needs to be placed in the root of your domain's directory under the folder ".well-known", in the sub folder "pki-validation". Please note: the folder name is ".well-known"; if you omit the dot in front of well-known, your validation will not be successful.
The file and its content should be as follows:
http://yourdomain.com/.well-known/pki-validation/<Upper case value of MD5 hash of CSR>.txt
On confirmation of domain control, the certificate authority will issue your SSL certificate. The SSL certificate will be provided as a zip file which will contain the following 2 files:
- ca-bundle
- crt
You need to copy these files, using an FTP/SFTP program, to the directory on your server where you will keep your certificate and key files, in our case /etc/apache2/ssl.
Step 5 – Install the SSL Certificate on your webserver
Copy your SSL certificate file (www_yourdomain_com.crt) and the certificate bundle file (www_yourdomain_com.ca-bundle) to your Apache server. Your private key file should already be on the server from when you generated your certificate request (CSR) at the location /etc/apache2/ssl.
Create 2 additional directories in /etc/apache2/ssl:
sudo mkdir /etc/apache2/ssl/key
sudo mkdir /etc/apache2/ssl/certs
- key – this is where you will store the Private key
- certs – this is where you will store the .ca-bundle and .crt files received from the certificate authority
Place the files in the respective locations.
Step 6 — Configure Apache to use SSL
Now that you have the certificate and key available on the webserver, let’s configure Apache to use these files in a virtual host file.
Go to the following location, /etc/apache2/sites-available/, and open the file default-ssl.conf by typing the command:
sudo nano /etc/apache2/sites-available/default-ssl.conf
Without the comments, the file looks like this:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
We will configure the virtual host (ServerAdmin, ServerName, ServerAlias, DocumentRoot, etc.) as well as change the location where Apache looks for the SSL certificate and key.
Add the following item in the file right after "ServerAdmin":
- ServerName yourdomain.com
Change only the following items in the file (the certificate, key and chain paths must point at the files you placed in Step 5):
- ServerAdmin webmaster@yourdomain.com
- ServerAlias www.yourdomain.com
- DocumentRoot /var/www/yourdomain/
- SSLEngine on
- SSLCertificateFile /etc/apache2/ssl/certs/www_yourdomain_com.crt
- SSLCertificateKeyFile /etc/apache2/ssl/key/myserver.key
- SSLCertificateChainFile /etc/apache2/ssl/certs/www_yourdomain_com.ca-bundle
Press Control + X and then select 'Y' to save your changes.
Step 7 — Activate the SSL Virtual Host
Now that we have configured the SSL-enabled virtual host, we need to enable it.
Run the following command:
sudo a2ensite default-ssl.conf
You will need to restart the server for the changes to come into effect. Run the following command:
sudo service apache2 restart
This should enable your new virtual host, which will serve encrypted content using the SSL certificate you created.
Step 8 — Test that you have set up SSL correctly
Test that your SSL certificate has been correctly installed by going to the following site and entering your URL.
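Before restarting Apache in Step 7 and after the external check in Step 8, it is worth checking the installed files themselves. The script below is an added example, not code from the original guide: it confirms that the issued certificate was built from the private key on disk (the usual cause of a "does not match" error at startup), that it chains to the ca-bundle the CA shipped, that it is not about to expire, that it covers the ServerName, and, optionally, what the live server presents over SNI. The paths at the top are placeholders for wherever you placed the files in Step 5; cert_covers_host needs OpenSSL 1.1 or later, and live_ok needs network access.

```shell
#!/bin/sh
# Added example (not from the original guide): post-installation checks for an
# Apache SSL virtual host. The four values below are placeholders.
CERT=/etc/apache2/ssl/certs/www_yourdomain_com.crt
KEY=/etc/apache2/ssl/key/myserver.key
BUNDLE=/etc/apache2/ssl/certs/www_yourdomain_com.ca-bundle
HOST=yourdomain.com

# 0 when the certificate was issued for this private key (same RSA modulus).
cert_matches_key() {
  crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# 0 when the certificate chains to the CA bundle supplied with it.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the certificate is still valid $2 days from now (-checkend takes seconds).
valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# 0 when the certificate's SAN (or CN fallback) covers the hostname; OpenSSL 1.1+.
cert_covers_host() {
  openssl x509 -noout -checkhost "$2" -in "$1" 2>/dev/null | grep -q "does match"
}

# Syntax-check the virtual host configuration before restarting (Ubuntu's apache2ctl).
apache_config_ok() {
  apache2ctl configtest >/dev/null 2>&1
}

# Ask the running server for its certificate with SNI and verify it against the bundle.
live_ok() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" 2>/dev/null \
    | grep -q "Verify return code: 0 (ok)"
}

# Run the local checks on cert, key, bundle and hostname; return the number of failures.
check_install() {
  fails=0
  cert_matches_key "$1" "$2" || { echo "certificate does not match private key"; fails=$((fails+1)); }
  chain_ok "$1" "$3" || { echo "certificate does not chain to the CA bundle"; fails=$((fails+1)); }
  valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; fails=$((fails+1)); }
  cert_covers_host "$1" "$4" || { echo "certificate does not cover $4"; fails=$((fails+1)); }
  return $fails
}

# Usage (placeholders):
#   check_install "$CERT" "$KEY" "$BUNDLE" "$HOST" && apache_config_ok && live_ok "$HOST" "$BUNDLE"
```

Run check_install before a2ensite/restart so a wrong path or mismatched key is caught while the site is still serving the old configuration; live_ok afterwards tells you whether the chain file is actually being sent, which browsers need but an on-disk check cannot show.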
Step 9 – Install the plugin “REALLY SIMPLE SSL”
The plugin automatically detects your settings and configures your website. Just install the plugin and voila, you are done! The site URL and home URL will be changed to https, and all the http:// URLs in your content will be replaced with https:// URLs.
Congratulations ... you have now successfully installed SSL on your AWS instance.
Reference : https://financetrainingcourse.com/education/2016/06/ssl-certificate-install-aws-guide-apache-ubuntu-14-04/