Securing Ubuntu Server with a free SSL certificate from StartSSL™

Prerequisites:
Working LAMP installation with Ubuntu Server. Help is here and here.
SSL security is enabled for Apache with name-based virtual hosts.
Assumption:
The name of the website is www.example.com. Replace it with your own domain name.

Obtaining an SSL certificate for your website from StartSSL is quite straightforward. Use the ExpressLane option on the StartSSL start page; the steps are self-explanatory. Here I assume you have already created a personal digital certificate, logged in to StartSSL, verified your domain, created a private key (you can also create your own private key and CSR with the openssl command), and finally downloaded and saved both your server certificate and private key files.

It is now assumed that you have the following three files in your current working directory.

example.com.key   (the private key used to generate the server certificate) 
example.com.crt   (the server certificate downloaded from StartSSL)
sub.class1.server.ca.pem   (the certificate chain file downloaded from StartSSL)

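By default your private key will be passphrase-protected. To use this private key easily with Ubuntu Server (Apache would otherwise prompt for the passphrase every time it starts), we have to remove the passphrase. Once the passphrase is removed, the file permissions set in the next step are the key's only protection. The following command removes the passphrase. Here 'example.com.key' is the private key you downloaded from StartSSL or created yourself.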

sudo openssl rsa -in example.com.key -out example.com.key

Copy the certificate files to the correct locations on the Ubuntu server and set the correct permissions.

sudo cp example.com.key /etc/ssl/private/
sudo chmod 400 /etc/ssl/private/example.com.key
sudo cp example.com.crt /etc/ssl/certs/
sudo chmod 400 /etc/ssl/certs/example.com.crt
sudo cp sub.class1.server.ca.pem /etc/ssl/certs/startssl.sub.class1.server.ca.pem
sudo chmod 400 /etc/ssl/certs/startssl.sub.class1.server.ca.pem

Now create an Apache VirtualHost configuration file like the one shown below. The file shown is configured for a WordPress installation with clean URLs enabled.

sudo nano /etc/apache2/sites-available/example.com

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/example.com
    <Directory />
        Options -Indexes +FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/example.com>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all

        #WordPress auto-generates this code for clean URLs to work
        #This code can also be put into an .htaccess file in the WordPress root
        #If .htaccess files are to be used 'AllowOverride None' should be
        #changed to 'AllowOverride All' above

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteRule ^index\.php$ - [L]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule . /index.php [L]
        </IfModule>
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel error

    CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined

</VirtualHost>

<IfModule mod_ssl.c>
#Make sure name-based vhost support is turned on in Apache's 'ports.conf'
<VirtualHost *:443>

    ServerAdmin admin@example.com
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/example.com
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/example.com>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all

        #WordPress auto-generates this code for clean URLs to work
        #This code can also be put into an .htaccess file in the WordPress root
        #If .htaccess files are to be used 'AllowOverride None' should be
        #changed to 'AllowOverride All' above

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteRule ^index\.php$ - [L]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule . /index.php [L]
        </IfModule>
    </Directory>

    #Location of the error log
    ErrorLog ${APACHE_LOG_DIR}/ssl_example.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel error

    CustomLog ${APACHE_LOG_DIR}/ssl_example.com.access.log combined

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    #Server certificate obtained from the certificate authority:
    SSLCertificateFile /etc/ssl/certs/example.com.crt

    #Your private key (without a passphrase) that was used to generate
    #the certificate signing request (CSR)
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convenience.
    # In this instance the certificate is obtained from startssl.com
    SSLCertificateChainFile /etc/ssl/certs/startssl.sub.class1.server.ca.pem

</VirtualHost>

</IfModule>

Finally, enable your site with these commands:

sudo a2ensite example.com
sudo service apache2 reload

Congratulations! Now you are running your website with SSL enabled.
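
As an added example (not part of the original post), the shell functions below check the three files before Apache is reloaded: the key is unencrypted and readable only by its owner, it matches the server certificate, and the chain file contains the certificate's issuer. The function names and the throwaway demo CA built by make_demo_files are assumptions made for illustration.

```sh
# Pre-reload checks for the key, certificate and chain file (added example).

# Apache prompts for a passphrase at startup if the key is still encrypted.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# With the passphrase gone, file permissions are the key's only protection.
key_is_owner_only() {
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# The certificate must contain the public half of this private key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# The chain file must hold the CA certificate that signed the server
# certificate; -partial_chain accepts an intermediate as the anchor.
chain_issues_cert() {
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check; print each failure and return non-zero if any failed.
check_tls_files() {   # usage: check_tls_files KEY CERT CHAIN
    rc=0
    key_is_unencrypted "$1" || { echo "key is passphrase-protected: $1"; rc=1; }
    key_is_owner_only "$1"  || { echo "key readable by group/other: $1"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key does not match $2"; rc=1; }
    chain_issues_cert "$3" "$2" || { echo "$3 did not issue $2"; rc=1; }
    return $rc
}

# Constructed demo input: a throwaway CA and server certificate in DIR.
make_demo_files() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
          -keyout ca.key -out ca.pem -days 1 &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
          -keyout example.com.key -out example.com.csr &&
      openssl x509 -req -in example.com.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -out example.com.crt -days 1 &&
      chmod 400 example.com.key ) >/dev/null 2>&1
}
```

On the server, run check_tls_files as root (the key is mode 400) with /etc/ssl/private/example.com.key, /etc/ssl/certs/example.com.crt and /etc/ssl/certs/startssl.sub.class1.server.ca.pem as its three arguments.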