Namecheap SSL certificate for Sysadminman VPS

A sysadminman template VPS comes already set up to use SSL (https) for web connections to a2billing and FreePBX. However, it ships with a self-signed SSL certificate, so you will receive a certificate warning when accessing your VPS. The connection is encrypted just the same, but browsers cannot verify a self-signed certificate, and the warning can create a poor impression depending on who will be accessing the site.

It’s relatively straightforward and inexpensive to get yourself a valid, externally signed certificate.

The sysadminman template uses lighttpd as the web server, so follow these instructions –

Log in to your VPS as root.

Next create a folder to store the keys and then generate the private key. Make sure to replace the server name with the DNS name of your server; this must match the name that people will use to browse to your webserver/website. You will be asked for a pass phrase for the key at this point. We then strip it off into a second copy of the key, because otherwise the pass phrase would need to be entered every time the webserver starts.

[[email protected] /]# mkdir -p /etc/lighttpd/ssl
[[email protected] /]# cd /etc/lighttpd/ssl
[[email protected] ssl]#
[[email protected] ssl]# openssl genrsa -des3 -out livedemo.sysadminman.net.key 2048
Generating RSA private key, 2048 bit long modulus
..........++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for livedemo.sysadminman.net.key:
Verifying - Enter pass phrase for livedemo.sysadminman.net.key:
[[email protected] ssl]#
[[email protected] ssl]# openssl rsa -in livedemo.sysadminman.net.key -out livedemo.sysadminman.net.nopass.key
Enter pass phrase for livedemo.sysadminman.net.key:
writing RSA key

Next generate the Certificate Signing Request (CSR). Be very careful when entering the hostname as the Common Name: it must match the name of your a2billing/FreePBX website exactly. You can leave the challenge password blank.

[[email protected] ssl]# openssl req -new -key livedemo.sysadminman.net.nopass.key -out livedemo.sysadminman.net.csr
You are about to be asked to enter information that will be incorporated
in to your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:Leics
Locality Name (eg, city) [Newbury]:Leicester
Organization Name (eg, company) [My Company Ltd]:sysadminman
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:livedemo.sysadminman.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now print the CSR and copy it.

[[email protected] ssl]# cat livedemo.sysadminman.net.csr

Now order your SSL certificate from – http://www.namecheap.com/learn/other-services/cheap-ssl-certificate-rapidssl.asp. Select Apache + OpenSSL as the server type and paste in the CSR text you copied.

Complete the order process. You will be required to choose an approver e-mail address from a predefined list. This must be a valid address you can read, because the confirmation e-mail sent to it must be acknowledged before the certificate is issued.

You will ultimately receive a zip file containing your certificate. You want the text from the file named after your server, ending in .crt.

Create a file on the server called yourservername.crt and paste in the contents of the crt file.

[[email protected] ssl]# vi livedemo.sysadminman.net.crt
[[email protected] ssl]# cat livedemo.sysadminman.net.crt
-----BEGIN CERTIFICATE-----
MIIEuTCCA6GgAwIBAgIQDvsV1EqjvyMdeQU5381EPDANBgkqhkiG9w0BAQUFADBx
....
-----END CERTIFICATE-----

Next combine the key and certificate to create a single .pem file.

[[email protected] ssl]# cat livedemo.sysadminman.net.nopass.key livedemo.sysadminman.net.crt > livedemo.sysadminman.net.pem
[[email protected] ssl]# chmod 600 livedemo.sysadminman.net.pem

Now edit the lighttpd config file. Locate the reference to the existing .pem file and change it to your new .pem file.

[[email protected] ssl]# cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.backup
[[email protected] ssl]# vi /etc/lighttpd/lighttpd.conf

#### SSL engine
ssl.engine                 = "enable"
ssl.pemfile                = "/etc/lighttpd/ssl/livedemo.sysadminman.net.pem"

Now restart lighttpd and ensure it starts back up correctly.

[[email protected] ssl]# service lighttpd restart
Stopping lighttpd:                                         [  OK  ]
Starting lighttpd:                                         [  OK  ]
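As an added example (not part of the original post), the following script checks, before building the .pem from the steps above, that the .crt Namecheap sent back really belongs to the nopass key and carries the expected hostname as its Common Name, and only then writes the .pem with owner-only permissions. The SSL_DIR variable and the function names build_pem, cert_matches_key and cert_cn_is are assumptions of this example; file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a CA-issued .crt
# against the private key and the expected hostname before assembling
# the lighttpd .pem. Assumes openssl is in PATH and that files are named
# <host>.nopass.key, <host>.crt and <host>.pem inside SSL_DIR.
set -eu

SSL_DIR="${SSL_DIR:-/etc/lighttpd/ssl}"

# Return 0 if the certificate's public key equals the private key's public key.
# Both are exported as SubjectPublicKeyInfo PEM and compared by SHA-256.
cert_matches_key() {  # $1 = certificate path, $2 = private key path
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate's subject CN is exactly the expected hostname.
cert_cn_is() {  # $1 = certificate path, $2 = expected hostname
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Build <host>.pem (key followed by certificate) after both checks pass.
# The file is created under umask 077 so it is never world-readable.
build_pem() {  # $1 = hostname used as Common Name and file prefix
    host=$1
    key="$SSL_DIR/$host.nopass.key"
    crt="$SSL_DIR/$host.crt"
    pem="$SSL_DIR/$host.pem"
    cert_matches_key "$crt" "$key" || { echo "certificate does not match $key" >&2; return 1; }
    cert_cn_is "$crt" "$host"     || { echo "certificate CN is not $host" >&2; return 1; }
    ( umask 077; cat "$key" "$crt" > "$pem" )
    echo "$pem"
}
```

Run it as `build_pem livedemo.sysadminman.net` from the ssl directory; a non-zero exit means the downloaded certificate should not be installed.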