
From http to https. AWS SSL install guide. Apache Ubuntu 14.04

This two-part guide traces our journey from an http to an https site on AWS. There were two reasons for the move. The first was the supposed SEO pickup that occurs when you switch from http to https. The second was the desire to provide a more secure environment for our mobile and responsive theme users. We had received some reports of session hijacking on infected smartphones, and we felt it was time to switch from http to https.

Our effort started with a quick Google search on installing SSL certificates on Amazon Web Services. The search results were somewhat helpful but not enough to help me figure out what I needed to do. Amazon Web Services documentation is hideously complicated. All I wanted to know was: if I have a single self-managed instance running Apache on an Ubuntu server, how do I set up SSL? Considering the heartache and headache I went through to get this done, I thought it would be helpful to share the process with others.

A few recommendations.

a) We made the move over a four-weekend period. Once you figure out the process the move itself is painless, but we wanted to ensure that if a move-related outage occurred it would have minimal traffic impact. We started planning in mid March, with the switch finally taking place in late April.

b) In the first two weeks we noticed a significant change in traffic signatures. Time on site, bounce rates and page views per session all shot up, but then slid back to levels significantly lower than our pre-transition benchmarks. This may be because of a Google update that hit us at the end of April / early May, but we are not sure. Our article posting frequency after the move may also have contributed to the drop in traffic.

c) The http to https transition kills your original Quantcast implementation; some tweaking is required to bring it back. You will also notice a steep drop in your Google Webmaster dashboard, but that is because you are still tracking the old http site. You need to add a new property and resubmit your sitemap with https links to track the new traffic results in Webmaster Tools. Google Analytics works the same, so there is no issue there.

d) Server and page speed impact was significant in both absolute and percentage terms (roughly 30% slower) but not really noticeable at a user level. Server response went from 70 ms to 90 ms and page load from 2 seconds to 3 seconds after the move.

Below are the steps to install SSL certificates if:

  1. You are using a self-managed instance on Amazon Web Services
  2. Operating system – Ubuntu 14.04
  3. Web server – Apache
  4. Your installation follows the Ubuntu/Debian layout of Apache files
  5. Your website uses WordPress
  6. You use a Mac with Terminal

Step 1 – Check if your AWS instance has OpenSSL installed

You will first have to check that OpenSSL is installed on your AWS server. By default it always is; to confirm, type the following command in your Terminal window (connected to the instance over SSH):

sudo dpkg -s openssl

The output will include the following lines:

Package: openssl
Status: install ok installed
Version: 1.0.1f-1ubuntu2.19

Step 2 – Activate the SSL Module

SSL support comes as standard in the Ubuntu 14.04 Apache package; however, you will need to enable it. To enable the module, run:

sudo a2enmod ssl

After you have enabled the module, restart Apache for the change to take effect:

sudo service apache2 restart

Step 3 – Generate a private key and a Certificate Signing Request (CSR) for your server

A CSR, or Certificate Signing Request, is a block of Base64-encoded text generated on the server the certificate will be used on. It contains the information that will be included in your certificate and is signed with the server's private key, which is how the certificate authority knows you hold that key.

First, create a subdirectory to hold the private key and the CSR file:

sudo mkdir /etc/apache2/ssl

Now run the following command to generate a private key and a Certificate Signing Request (CSR) for the web server in that directory (sudo is needed because the directory is owned by root):

sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/apache2/ssl/myserver.key -out /etc/apache2/ssl/server.csr

Please note: for ease of use, it is recommended that you replace 'server' in the CSR file name with the domain name the certificate will be issued for, and do the same for 'myserver' in the key file name.

Now enter the details for your CSR:

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Surrey
Locality Name (eg, city) []: London
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name Pvt Ltd
Organizational Unit Name (eg, section) []: IT Department
Common Name (eg, YOUR name) []: yourdomain.com
Email Address []: <your email address>
A challenge password []:
An optional company name []:

Item: Explanation
Country: Two-letter ISO code for the country where your organization is located
State or Province Name: State/region where your organization is located
Locality Name: City where your organization is located
Organization Name: Full legal name of your organization
Organizational Unit Name: Division of your organization handling the certificate
Common Name (server FQDN): Fully qualified domain name (FQDN) of your server
Email address: An email address used to contact your organization

The key and CSR will be created in /etc/apache2/ssl. The email address, optional company name and challenge password fields can be left blank; entering '.' also leaves a field blank.

The command creates two files.

The myserver.key file is the private key, which the server uses to authenticate itself and set up encrypted SSL/TLS sessions with clients. It looks like the following if you open it in a text editor:

-----BEGIN PRIVATE KEY-----
3v9zk……………………… dLxa/s=
-----END PRIVATE KEY-----

Do not share this file, keep it readable only by root (mode 600; OpenSSL 1.0.1f creates it with your default umask), and make sure you have a backup of it: without the private key it will be impossible to install the certificate on the server later.

The server.csr file contains the CSR that you will need to submit during the certificate activation process. It looks like the following if you open it in a text editor:

-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
....
-----END CERTIFICATE REQUEST-----
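The key and CSR generation from this step as a non-interactive script, added here as an example and not part of the original guide. It assumes the same /etc/apache2/ssl layout, takes the subject fields as arguments (the -subj option replaces the interactive prompts), creates the key with mode 600 and verifies the CSR's signature and Common Name before you upload it.

```shell
#!/bin/sh
# make_csr.sh: generate the private key and CSR from Step 3 without the prompts.
# Added example, not part of the original guide. The output directory, file
# name and subject fields are arguments; /C=, /ST=, /L=, /O= and /CN= map to the
# Country, State, Locality, Organization and Common Name prompts above.
set -e

# make_csr DIR NAME FQDN COUNTRY STATE CITY ORG
# Writes DIR/NAME.key (mode 600) and DIR/NAME.csr, then verifies the CSR.
# Field values must not contain '/', which -subj uses as its separator.
make_csr() {
    dir=$1; name=$2; fqdn=$3; country=$4; state=$5; city=$6; org=$7
    mkdir -p "$dir"
    # umask 077 so the key is never world-readable, not even before the chmod
    (
        umask 077
        openssl req -nodes -newkey rsa:2048 \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/C=$country/ST=$state/L=$city/O=$org/CN=$fqdn" 2>/dev/null
    )
    chmod 600 "$dir/$name.key"
    # -verify checks the CSR's self-signature: fail here rather than at the CA
    openssl req -in "$dir/$name.csr" -noout -verify
}

# csr_cn FILE: print the Common Name recorded in a CSR (last check before upload).
# Handles both the "/CN=x" and the "CN = x" subject formats OpenSSL prints.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage, matching the guide (run with sudo so the files land in /etc/apache2/ssl):
#   make_csr /etc/apache2/ssl myserver yourdomain.com GB Surrey London "Company Name Pvt Ltd"
#   csr_cn /etc/apache2/ssl/myserver.csr
```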

Step 4 – Buy or get a trial SSL certificate

You can either buy an SSL certificate or try out one of those available for a 90-day trial period. For my own testing purposes I used Comodo's Free SSL Certificate.

Once you have generated the CSR, you will need to provide it to the certificate authority, which issues the SSL certificate. Before issuing it, the certificate authority will need to validate domain control, i.e. that you control the domain for which the certificate is being requested. Domain control validation can happen in one of three ways:

1. Email based validation

Select the email recipient, i.e. the registrar of the domain or the administrative contact of the domain (the webmaster or admin address at your domain). An email will be sent to the administrative contact containing a unique validation code and link. Click the link and enter the code to confirm domain control.

2. DNS CNAME based validation

If you select this option, then Comodo will provide you with the hash values which must be entered as a DNS CNAME record for your domain.

The hashes are to be entered as follows:

<Value of MD5 hash of CSR>.yourdomain.com. CNAME <value of SHA1 hash of CSR>.comodoca.com.

3. HTTP based validation

If you select this option, Comodo will provide you with hash values which must be used to create a plain-text file placed in the web root of yourdomain.com and served over plain HTTP (make sure the URL is not redirected to https).

The file name and its content should be as follows:
http://yourdomain.com/<Upper case value of MD5 hash of CSR>.txt

Content (as a plain text file):
<Value of SHA1 hash of CSR>
comodoca.com

On confirmation of domain control, the certificate authority will issue your SSL certificate. It will be provided as a zip file containing the following two files:

  • ca-bundle
  • crt

You need to copy these files to the directory on your server where you keep your certificate and key files, in our case /etc/apache2/ssl, using an FTP client (preferably SFTP or SCP, since plain FTP sends your login credentials in the clear).

Step 5 – Install the SSL Certificate on your webserver

Copy your SSL certificate file (www_yourdomain_com.crt) and the certificate bundle file (www_yourdomain_com.ca-bundle) to your Apache server. Your private key file should already be on the server from when you generated your certificate request (CSR) at the location /etc/apache2/ssl.

Create two additional directories in /etc/apache2/ssl:

sudo mkdir /etc/apache2/ssl/key
sudo mkdir /etc/apache2/ssl/certs

  1. key – this is where you will store the private key
  2. certs – this is where you will store the .ca-bundle and .crt files received from the certificate authority

Place the files in their respective locations: the key at /etc/apache2/ssl/key/myserver.key, the .crt and .ca-bundle files in /etc/apache2/ssl/certs.

Step 6 – Configure Apache to use SSL

Now that you have the certificate and key available on the web server, let's configure Apache to use these files in a virtual host file.

Go to /etc/apache2/sites-available/ and open the file default-ssl.conf by typing the command:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Without the comments, the file looks like this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

We will configure it as a virtual host for our site (ServerAdmin, ServerName, ServerAlias, DocumentRoot, etc.) and change where Apache looks for the SSL certificate and key.

Add the following items to the file right after "ServerAdmin" (neither is in the default file):

  1. ServerName yourdomain.com
  2. ServerAlias yourdomain.com

Change only the following items in the file. The paths point at the directories created in Step 5; SSLCertificateChainFile is not in the default file, so add it below SSLCertificateKeyFile:

  1. ServerAdmin <your email address>
  2. DocumentRoot /var/www/yourdomain/
  3. SSLEngine on
  4. SSLCertificateFile /etc/apache2/ssl/certs/www_yourdomain_com.crt
  5. SSLCertificateKeyFile /etc/apache2/ssl/key/myserver.key
  6. SSLCertificateChainFile /etc/apache2/ssl/certs/www_yourdomain_com.ca-bundle

Press Control + X, then 'Y', to save your changes.
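A pre-flight check for the virtual host you just edited, to run before the restart in Step 7. This is an added example, not part of the original guide; it takes the vhost file path as its argument and assumes the certificate, key and chain files are laid out as in Step 5. It catches a mistyped path, a CSR given in place of the certificate, a world-readable key and a key that does not belong to the certificate.

```shell
#!/bin/sh
# check_ssl_vhost.sh: pre-flight check of the SSL vhost edited in Step 6, run before
# restarting Apache. Added example, not part of the original guide.

# directive FILE NAME: print the first value set for directive NAME in FILE
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_pem LABEL PATH HEADER_RE: the file must exist and carry the right PEM header
check_pem() {
    if [ -z "$2" ]; then echo "FAIL: $1 is not set"; return 1; fi
    if [ ! -r "$2" ]; then echo "FAIL: $1 -> $2 is missing or unreadable"; return 1; fi
    if ! grep -Eq "^-----BEGIN ($3)-----" "$2"; then
        echo "FAIL: $1 -> $2 does not start with BEGIN $3"; return 1
    fi
    echo "ok: $1 -> $2"
}

# check_vhost FILE: returns 0 only if every check passes
check_vhost() {
    crt=$(directive "$1" SSLCertificateFile)
    key=$(directive "$1" SSLCertificateKeyFile)
    chain=$(directive "$1" SSLCertificateChainFile)
    rc=0
    # "BEGIN CERTIFICATE-----" does not match a CSR ("BEGIN CERTIFICATE REQUEST")
    check_pem SSLCertificateFile "$crt" 'CERTIFICATE' || rc=1
    check_pem SSLCertificateKeyFile "$key" '(RSA )?PRIVATE KEY' || rc=1
    check_pem SSLCertificateChainFile "$chain" 'CERTIFICATE' || rc=1
    # The private key must not be readable by group or others
    if [ -r "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case $mode in
            600|400) echo "ok: $key has mode $mode" ;;
            *) echo "FAIL: $key has mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    # The key must belong to the certificate: compare the RSA moduli (needs openssl)
    if [ -r "$key" ] && [ -r "$crt" ] && command -v openssl >/dev/null 2>&1; then
        cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null || true)
        kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null || true)
        if [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]; then
            echo "ok: private key matches certificate"
        else
            echo "FAIL: private key does not match certificate"; rc=1
        fi
    fi
    return $rc
}
```

Run it as `check_vhost /etc/apache2/sites-available/default-ssl.conf` (with sudo, since the key is root-only); a non-zero exit means fix the listed FAIL lines before `sudo service apache2 restart`.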

Step 7 – Activate the SSL Virtual Host

Now that we have configured the SSL-enabled virtual host, we need to enable it.

Run the following command:

sudo a2ensite default-ssl.conf

You will need to restart the server for the changes to come into effect. Run the following command:

sudo service apache2 restart

This enables your new virtual host, which will serve encrypted content using the certificate you installed.

Step 8 – Test that you have set up SSL correctly

Test that your SSL certificate has been correctly installed by going to the following site and entering your URL:

https://www.sslshopper.com/ssl-checker.html

Step 9 – Install the plugin "Really Simple SSL"

The plugin automatically detects your settings and configures your website. Just install the plugin and voilà, you are done! The site URL and home URL will be changed to https, and all the http:// URLs in your content will be replaced with https:// URLs.

Congratulations … you have now successfully installed SSL on AWS.

Useful links

  1. https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
  2. https://www.digicert.com/ssl-certificate-installation-apache.htm
  3. https://www.namecheap.com/support/knowledgebase/article.aspx/794/67/how-do-i-activate-an-ssl-certificate
  4. https://www.sslshopper.com/ssl-checker.html
  5. https://wordpress.org/plugins/really-simple-ssl/