the itjerk

my adventures with technology

Tag Archives: https

ssl and your server

Comments Off on ssl and your server Posted by on June 30, 2013

Setting up ssl to your server is quite easy. Getting everything to work correctly is also a pretty easy, especially with some good guidance. Why use ssl? Because it encrypts traffic so no one can listen in on it. Really, it's that simple. Just like closing open ports on a server, by encrypting packets, your traffic is secure.

I purchased a ssl certificate from Go Daddy because it was $5.99/year. That's cheap. They have pretty good instructions on their site on how to generate it, but the gist of the matter is to first generate a key, then have your ssl-provider verify who you are and generate a certificate that matches that key. You'll also need an intermediate certificate (certificate authority or "ca") from the ssl-provider.

Once you have the certificate, you'll need to set it up on your server. Easy enough, just copy the key, cert and ca files to /path/to/your/certs, and make sure the permission are 600 for each file. Once installed you'll then need to configure services to use the cert, setting a path to the crt, key and ca files. Also remember to open any ports on your server in your firewall so you can get their in the first place (like 443 for https)!

For Apache2, you'll need to copy your /etc/apache2/sites-available/default file to /etc/apache2/sites-available/default-ssl and configure it for ssl. The salient parts are: 

SSLCertificateFile /path/to/file/myserver.com.crt
SSLCertificateKeyFile /path/to/file/myserver.com.key
SSLCertificateChainFile /path/to/file/ca_bundle.crt

Once that's done, restart Apache, and modify .htaccess if you want to force https browsing.

For Dovecot, edit /etc/dovecot.conf and ensure the following are there:

ssl = required
ssl_cert = </path/to/myserver.com.crt 
ssl_key = </path/to/file/myserver.com.key 
ssl_ca_file = /path/to/file/ca_bundle.crt

Finally your can test your ssl installation at Digicert by providing the hostname.com:port. You'll want to check 443, pop3s or imaps.

You can also test your ssl installation with the openssl command, e.g.: 

openssl s_client -connect myserver.com:port
Advertisement
How-to , , , , , , , ,