OpenSSL: set SSL untuk https di Ubuntu
Pengantar
TLS, atau transport layer security, dan pendahulunya SSL, secure socket layer, adalah protokol keamanan yang dibuat untuk menempatkan lalu lintas normal dalam bungkus terenkripsi yang dilindungi.
Protokol ini memungkinkan lalu lintas dikirim dengan aman di antara pihak-pihak yang berjauhan tanpa kemungkinan lalu lintas dicegat dan dibaca oleh seseorang di tengahnya. Mereka juga berperan dalam memvalidasi identitas domain dan server di seluruh internet dengan membuat server sebagai terpercaya dan asli oleh otoritas sertifikat.
Dalam panduan ini, kami akan membahas cara membuat sertifikat SSL yang ditandatangani sendiri untuk Apache di server Ubuntu terbaru, yang memungkinkan Anda mengenkripsi lalu lintas ke server Anda. Meskipun ini tidak memberikan manfaat validasi pihak ketiga terhadap identitas server Anda, namun ini memenuhi persyaratan orang-orang yang hanya ingin mentransfer informasi dengan aman.
Catatan: Anda mungkin ingin mempertimbangkan untuk menggunakan Let's Encrypt daripada self-signed certificatei. Let's Encrypt adalah otoritas sertifikat baru yang mengeluarkan sertifikat SSL / TLS gratis yang dipercaya di kebanyakan browser web. Simak tutorialnya untuk memulai: Cara Mengamankan Apache dengan Let's Encrypt di Ubuntu 14.04
Kebutuhan
Install apache
sudo apt-get update sudo apt-get install apache2
Step 1 - Aktifkan SSL Module
Aktifkan SSL & restart apache
sudo a2enmod ssl sudo service apache2 restart
Step 2 - buat self-sign SSL certificate
Buat folder SSL & buat self-signed certificate
sudo mkdir /etc/apache2/ssl sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Artinya
- openssl - perintah untuk operasi SSL
- req - X.509 certificate signing request (CSR)
- X.509 - self-signed
- nodes - key file tidak perlu di amankan dengan passphrase
- days 365 - valid untuk 1 tahun
- newkey rsa:2048: buat CSR dan private key bersamaan. RSA key panjangnya 2048 bit.
- keyout: nama outfile dari private key yang dibuat.
- out: nama certificate file yang dibuat.
Setelah tekan "ENTER", ada beberapa pertanyaan / jawaban yang perlu dilakukan dalam proses adalah,
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:New York City Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Organizational Unit Name (eg, section) []:Department of Kittens Common Name (e.g. server FQDN or YOUR name) []:your_domain.com Email Address []:your_email@domain.com
Sertificate & key akan di letakan di directory /etc/apache2/ssl
Step Three — Configure Apache to Use SSL
Now that we have our certificate and key available, we can configure Apache to use these files in a virtual host file. You can learn more about how to set up Apache virtual hosts here.
Instead of basing our configuration file off of the 000-default.conf file in the sites-available subdirectory, we're going to base this configuration on the default-ssl.conf file that contains some default SSL configuration.
Open the file with root privileges now:
sudo nano /etc/apache2/sites-available/default-ssl.conf
With the comments removed, the file looks something like this:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
This may look a bit complicated, but luckily, we don't need to worry about most of the options here.
We want to set the normal things we'd configure for a virtual host (ServerAdmin, ServerName, ServerAlias, DocumentRoot, etc.) as well as change the location where Apache looks for the SSL certificate and key.
In the end, it will look something like this. The entries in red were modified from the original file:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Save and exit the file when you are finished.
Step Four — Activate the SSL Virtual Host
Now that we have configured our SSL-enabled virtual host, we need to enable it.
We can do this by typing:
sudo a2ensite default-ssl.conf
We then need to restart Apache to load our new virtual host file:
sudo service apache2 restart
This should enable your new virtual host, which will serve encrypted content using the SSL certificate you created.
Step Five — Test your Setup
Now that you have everything prepared, you can test your configuration by visiting your server's domain name or public IP address after specifying the https:// protocol, like this:
https://server_domain_name_or_IP
You will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.
apache ssl warning
This is expected since we have self-signed our certificate. While our certificate will not validate our server for our users because it has had no interaction with a trusted certificate authority, it will still be able to encrypt communication.
Since this is expected, you can hit the "Proceed anyway" button or whatever similar option you have in your browser.
You will now be taken to content in the DocumentRoot that you configured for your SSL virtual host. This time your traffic is encrypted. You can check this by clicking on the lock icon in the menu bar:
apache ssl encrypted
You can see in the middle green section that the connection is encrypted. Conclusion
You should now have SSL enabled on your website. This will help to secure communication between visitors and your site, but it will warn each user that the browser cannot verify the validity of the certificate.
If you are planning on launching a public site and need SSL, you will be better off purchasing an SSL certificate from a trusted certificate authority.
If you want to learn more about how to configure Apache, click here. Check out this link for more ideas on how to secure your Linux server. By Justin Ellingwood jellingwood Justin Ellingwood Subscribe Share Spin up an SSD cloud server in under a minute.
Simple setup. Full root access. Straightforward pricing. Deploy Server Related Tutorials
How To Set Up Apache with a Free Signed SSL Certificate on a VPS How To Install the Apache Web Server on Ubuntu 16.04 How To Use GPG to Encrypt and Sign Messages How To Host a Website with Caddy on CentOS 7 How To Host a Website with Caddy on Ubuntu 16.04
39 Comments Log In to Comment
rapidfoxx May 11, 2014 Your tutorial is really nice and thanks for that,
But could you/someone please explain the following if possible, Still trying to learn this stuff :)
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Romeygraphics May 14, 2014 would you be kind enough to do this tut with Comodo PositiveSSL
Files I have
AddTrustExternalCARoot COMODORSAAddTrustCA COMODORSADomainValidationSecureServerCA Mydomain_com
Please!!!! help thank you
RinkuY January 27, 2015
Keep Try !
jellingwood MOD January 28, 2015
@Romeygraphics: We have a guide on how to use commercial SSL certificates here. In the comments, you'll see how to combine your certificate files into a single chained file here.
Hope that helps. How To Install an SSL Certificate from a Commercial Certificate Authority This tutorial will show you how to acquire and install an SSL certificate from a trusted, commercial Certificate Authority (CA). SSL certificates allow web servers to encrypt their traffic, and also offer a mechanism to validate server identities to their visitors. The...
mityukov June 4, 2014 After fgollowing this guide I've got "SSL protocol error".
This error has gone away after appending ":433" to the server name and alias: --
ServerName your_domain.com:443 ServerAlias www.your_domain.com:433
--
derek June 9, 2014 I have purchased SSL from GeoTrust. Now is there any tutorial to configure it? or what can I do to install it?
hnwebdesign5 June 10, 2014 This is a great tutorial, but could you do one on how to install a ssl certificate that was actually purchased? Please!
asb MOD June 10, 2014 @hnwebdesign5: It will be more or less the same using a cert that you purchased from a CA. The only difference is that you should replace:
SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key
with the cert provided by you CA:
SSLCertificateFile /path/to/your/ssl.crt SSLCertificateKeyFile /path/to/your/private.key SSLCertificateChainFile /path/to/your/bundle.pem
@derek: GeoTrust also has their own documentation:
http://www.geotrust.com/support/video/install-ssl-certificates-apache.html