This article covers:
- How to generate a CSR (certificate signing request), which is required before you purchase an SSL certificate
- How to install SSL in a shared hosting environment
- How to redirect http to https
The server environment:
- Apache 2.4, Ubuntu 18.04
- Certificate purchased from RapidSSL Online and issued by GeoTrust.
- Website platform can be either WordPress or Magento
Step 1 Generate private key and CSR
First we need to generate a server key for the CSR and the SSL certificate; we recommend using an encrypted key. However, keep in mind that if you use an encrypted key, Apache will prompt you for the passphrase you used for encryption each time it is restarted. This might cause issues in a multi-user environment unless you share the keys with all SSH users.
Since we’re installing SSL in a shared hosting environment, we prefer to keep things organised, so all certificate-related files are stored in
/etc/ssl/your_website_name
The command to generate the key is:
sudo openssl genrsa -des3 -out www.your_domain_name.com.key 2048
# If you do not wish to use a passphrase, use the command below instead:
sudo openssl genrsa -out www.your_domain_name.com.key 2048
Type in the passphrase, then keep it safe. If you haven’t heard of it, Passpack is one of the best password solutions.
The command you need to generate your CSR is:
sudo openssl req -new -key www.your_domain_name.com.key -out www.your_domain_name.com.csr
Then follow the prompts to fill in the business information for your website. In case you are wondering, the common name is the same as the domain name.
Step 2 Purchase and save certificate files
If your SSL issuer is GeoTrust, make sure you choose file-based validation as the domain validation method, because email validation requires you to have a domain email, which is not as convenient.
Make sure you create the validation file and put it in the folder GeoTrust suggested. If everything goes to plan and you’re only purchasing a basic SSL, you should receive your certificates in a couple of minutes once you complete the CSR process. There will be two files: the server certificate and the intermediate certificate, which is also called the chain file in Apache2.
Once again, the folder should be the same as mentioned above, and we prefer to name the files as below:
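cd /etc/ssl/your_website_name
# Paste the server certificate into this file
sudo pico www.your_website_name.com.au.cert
# Paste the intermediate (chain) certificate into this file
sudo pico www.your_website_name.com.au.chain.cert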
Step 3 Install SSL certificate
Now go to Apache virtual host configuration folder:
cd /etc/apache2/sites-available/
Make a copy of your existing non-secure apache site configuration file:
sudo cp your_website_name_80.conf your_website_name_443.conf
Then edit the _443.conf file and, first, change the port number to 443.
<VirtualHost *:443>
...
</VirtualHost>
Then at the bottom of the file before the virtual host closing tag, paste the certificate details in:
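SSLEngine on
SSLCertificateFile /etc/ssl/your_website_name/www.your_website_name.com.au.cert
SSLCertificateKeyFile /etc/ssl/your_website_name/www.your_website_name.com.au.key
# SSLCertificateChainFile is deprecated as of Apache 2.4.8; the intermediate
# certificate can instead be appended to the file given to SSLCertificateFile.
SSLCertificateChainFile /etc/ssl/your_website_name/www.your_website_name.com.au.chain.cert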
Once completed, enable the new site configuration file, then reload apache2.
# Enable mod_ssl if it is not already enabled
sudo a2enmod ssl
sudo a2ensite your_website_name_443.conf
sudo systemctl reload apache2
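Before reloading Apache it is worth confirming that the key, CSR and issued certificate from Steps 1 and 2 belong together, and that the key is not readable by other users of the shared host. The script below is an added example, not part of the original article; the function names check_tls_files and pub_digest are hypothetical, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original article. Usage: sh check_tls.sh KEY CERT [CSR]
# Assumes the openssl CLI; an encrypted key makes openssl prompt for its passphrase.

# Print a SHA-256 digest of the public key held in a key, certificate or CSR.
pub_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    esac
    [ -n "$pem" ] || return 1      # unreadable or malformed file
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Return 0 only if the key is private to its owner, matches the certificate
# (and the CSR, when given) and the certificate has not expired.
check_tls_files() {
    key=$1; cert=$2; csr=${3:-}; rc=0
    # On a shared host the key must not be accessible to group or other.
    if [ "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/other (chmod 600 it)" >&2; rc=1
    fi
    k=$(pub_digest key "$key")   || { echo "FAIL: cannot read key $key" >&2; return 1; }
    c=$(pub_digest cert "$cert") || { echo "FAIL: cannot read certificate $cert" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "FAIL: certificate does not match the private key" >&2; rc=1; }
    if [ -n "$csr" ]; then
        r=$(pub_digest csr "$csr") || { echo "FAIL: cannot read CSR $csr" >&2; return 1; }
        [ "$k" = "$r" ] || { echo "FAIL: CSR does not match the private key" >&2; rc=1; }
    fi
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired" >&2; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: key and certificate agree, key is owner-only"; fi
    return "$rc"
}

# Run the check only when file arguments are supplied on the command line.
if [ "$#" -ge 2 ]; then check_tls_files "$@"; fi
```

Run it with sudo from /etc/ssl/your_website_name so the key is readable; a non-zero exit status means Apache should not be reloaded yet.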
Step 4 Fix non-https contents and redirect http to https
If your website is built on WordPress, you’re likely to have some http links that need to be addressed. You may use a plugin such as SSL Insecure Content Fixer to do the majority of the work, but make sure to back up the site before installing this plugin! The changes are made as soon as you activate the plugin, so be cautious, as there is a risk of breaking your WordPress site.
To redirect http to https, add the lines below to your .htaccess file, right after RewriteEngine On:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} ^(www\.)?your_website_name\.com
RewriteRule ^(.*)$ https://www.your_website_name.com/$1 [R,L]
Lastly, make sure you test all the variants:
http://your_website_name.com
http://www.your_website_name.com
https://your_website_name.com
https://www.your_website_name.com
They should all work, with the http versions redirected to the https versions.
Remove Private Key Passphrase
If your server contains several individual SSLs and they all have a passphrase on their private keys, restarting Apache is a bit of a pain, as you need to key in every single passphrase. Even worse, if you have too many passphrases to enter, it times out.
The simplest way is to remove the passphrase from your private keys:
sudo openssl rsa -in private_key -out private_key
# Then just enter your old passphrase and it will be removed