Basics of HTTPS
Basic materials
Enabling HTTPS
Let's do it ourselves and get to know the basics. This is no longer the best way, because today's browsers require that every certificate in the chain can be validated, and otherwise they show an error. Still, a self-signed certificate that the browser does not trust encrypts the traffic just the same, and it is good to learn how to create one!
Let's create a folder for the certificates
Let's create our own certificate for the localhost domain
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
We move them to the Apache folder. Depending on how the organisation operates, these are stored in different paths.
The files to be transferred are:
* localhost.crt
* localhost.key
Let's create apache2 ssl configuration
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin student@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Activating the Apache2 SSL module. Let's enable the ssl site, test the new configuration (configtest checks the whole enabled configuration, including default-ssl.conf) and then restart Apache
sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo apachectl configtest
sudo systemctl restart apache2.service
sudo systemctl status apache2.service
Testing the certificate
1) Open Chrome or a similar browser where you can easily view the certificate information. Go to the address of your server, https://YourServerAddress
2) You will receive a certificate warning, which we accept
3) When the site has opened, open the certificate information from the address bar
4) Make sure that the certificate we created is the one in use.
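Clicking through the browser warning only shows that some untrusted certificate is in use. A more reliable check, and one that also works from a terminal on the server, is to compare the SHA-256 fingerprint of the certificate Apache actually serves with the fingerprint of the localhost.crt file on disk. The script below is an added example, not part of the course material; it assumes openssl is installed and takes the certificate path, host name and port as parameters. It also checks that the certificate carries the subjectAltName entry, because modern browsers ignore the CN and only accept the name from the SAN extension.

```shell
#!/bin/bash
# Added example (not from the course): verify that the certificate a TLS
# server presents is the one we generated, and that it carries the SAN the
# browser will look for. Assumes openssl is installed.
set -eu

# SHA-256 fingerprint of a PEM certificate file, as "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a server presents for the given SNI name.
served_fingerprint() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 when the served certificate matches the local file.
check_served_cert() {
    local crt="$1" host="$2" port="${3:-443}"
    local expected actual
    expected=$(cert_fingerprint "$crt")
    actual=$(served_fingerprint "$host" "$port")
    echo "expected: $expected"
    echo "served:   $actual"
    [ "$expected" = "$actual" ]
}

# Does the certificate contain "DNS:<name>" in its subjectAltName?
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Generate a throwaway self-signed certificate into directory $1 with the
# same request settings the page uses (config written to a file instead of
# a bash process substitution so this also runs under plain sh).
make_test_cert() {
    local dir="$1"
    printf '[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' \
        > "$dir/localhost.cnf"
    openssl req -x509 -out "$dir/localhost.crt" -keyout "$dir/localhost.key" \
        -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' \
        -extensions EXT -config "$dir/localhost.cnf" 2>/dev/null
}

# Usage: ./check-cert.sh check [cert-file] [host] [port]
if [ "${1:-}" = "check" ]; then
    check_served_cert "${2:-/etc/apache2/ssl/localhost.crt}" "${3:-localhost}" "${4:-443}"
fi
```

On the server, `./check-cert.sh check /etc/apache2/ssl/localhost.crt localhost 443` prints both fingerprints and exits non-zero if they differ, which catches the common mistake of Apache still serving its snakeoil certificate because the wrong site file is enabled.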
Creating a working certificate on your own www server
Dy.fi Free DNS service
dy.fi is a free, dynamic DNS service intended only for Finnish users, which also offers short addresses for WWW sites. The service provides you with a short domain name, e.g. 'nimesi.dy.fi', which you can either assign to the dynamic IP address of your home computer equipped with an ADSL or other broadband connection, for example to facilitate maintaining a WWW/FTP server or SSH/VNC remote access, or to direct to your homepage found behind a hard-to-remember address.
1) Go to Dy.fi
2) Register with your HAMK.fi email address
3) Choose a suitable domain for your use
After this you have to press the "point" button ON THE SERVER, either programmatically or with a browser, because dy.fi directs the name to the public IP address of the machine that makes the request. DO NOT press it on the machine you are currently reading this document on, because then the name will be directed to that machine.
Dy.fi address control automatically using crontab
Let's open the root user's crontab
Let's add the following command, to be run every 12 hours, which connects to dy.fi and updates the IP address
0 */12 * * * wget --delete-after --no-check-certificate --no-proxy --user=ETUNIMI.SUKUNIMI@student.hamk.fi --password=SALASANA https://www.dy.fi/nic/update?hostname=harjoitus.dy.fi
However, this means that it could take us 12 hours for our machine's IP to be updated to the name service. Let's create dy-fi-update.sh, which we can run now and later attach, for example, to machine startup.
@reboot wget --delete-after --no-check-certificate --no-proxy --user=ETUNIMI.SUKUNIMI@student.hamk.fi --password=SALASANA https://www.dy.fi/nic/update?hostname=harjoitus.dy.fi
0 */12 * * * wget --delete-after --no-check-certificate --no-proxy --user=ETUNIMI.SUKUNIMI@student.hamk.fi --password=SALASANA https://www.dy.fi/nic/update?hostname=harjoitus.dy.fi
What does that look like? Too much copy-paste, and the password in plain text? Let's create a script for this and run it. This also hides the password from the crontab file, and you can run the script manually whenever you want to update the IP address immediately.
#!/bin/bash
wget --delete-after --no-check-certificate --no-proxy --user=ETUNIMI.SUKUNIMI@student.hamk.fi --password=SALASANA https://www.dy.fi/nic/update?hostname=harjoitus.dy.fi
Let's make the script executable and run it. DO NOT SPAM THE dy.fi PROVIDER WITH THIS!!!
Let's update crontab to run the script every 12 hours and at machine startup
Does it look much better? You don't need to scroll, and it's not a wall of text anymore.
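The one-line script above still has three weak spots: the password is passed on the wget command line (visible to every local user in the process list), --no-check-certificate switches off the very verification that protects that password on its way to dy.fi, and the name is re-registered every 12 hours whether or not the address changed. The script below is an added example, not the course's dy-fi-update.sh, showing how a practitioner would tighten it. It assumes a netrc file at /etc/dyfi.netrc (mode 600, one line: machine www.dy.fi login USER password PASS), a state file under /var/lib/dyfi, checkip.amazonaws.com as the public-IP lookup service, and a 5-day refresh limit; all of these are assumptions, not values from the course, so check dy.fi's own rules for how often a name must be refreshed.

```shell
#!/bin/bash
# Added example (not the course's script): update a dy.fi name only when the
# public IP has changed or the last update is getting old, with the password
# kept out of crontab and out of the process list. Assumed (not from the
# course): /etc/dyfi.netrc, /var/lib/dyfi/last-ip, checkip.amazonaws.com.
set -eu

DYFI_HOST="${DYFI_HOST:-harjoitus.dy.fi}"            # the dy.fi name to update
NETRC="${DYFI_NETRC:-/etc/dyfi.netrc}"               # "machine www.dy.fi login USER password PASS", mode 600
STATE="${DYFI_STATE:-/var/lib/dyfi/last-ip}"         # last IP sent to dy.fi
IP_LOOKUP_URL="${IP_LOOKUP_URL:-https://checkip.amazonaws.com}"
MAX_AGE_MIN="${MAX_AGE_MIN:-7200}"                   # refresh anyway after 5 days (assumed limit)

# Accept only a dotted-quad IPv4 address, so a garbled lookup answer is never sent on.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True when the IP in $2 differs from the one recorded in state file $1
# (or when nothing has been recorded yet).
ip_changed() {
    local state="$1" ip="$2"
    [ -r "$state" ] || return 0
    [ "$(cat "$state")" != "$ip" ]
}

# True when state file $1 is missing or older than $2 minutes, so the name
# is refreshed even if the address never changes.
state_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# Record the IP we just sent, so the next run can skip the update.
record_ip() {
    mkdir -p "$(dirname "$1")"
    printf '%s\n' "$2" > "$1"
}

# Ask the lookup service for our current public address.
public_ip() {
    curl -fsS --max-time 15 "$IP_LOOKUP_URL" | tr -d '[:space:]'
}

# Send the update. TLS verification stays on, and the credentials come from
# the netrc file rather than the command line.
dyfi_update() {
    curl -fsS --max-time 30 --netrc-file "$NETRC" \
        "https://www.dy.fi/nic/update?hostname=$DYFI_HOST"
}

main() {
    local ip
    ip=$(public_ip)
    if ! valid_ipv4 "$ip"; then
        echo "lookup returned something that is not an IPv4 address: '$ip'" >&2
        exit 1
    fi
    if ip_changed "$STATE" "$ip" || state_stale "$STATE" "$MAX_AGE_MIN"; then
        echo "IP is $ip, updating $DYFI_HOST"
        dyfi_update
        record_ip "$STATE" "$ip"
    else
        echo "IP unchanged ($ip) and last update is recent, not contacting dy.fi"
    fi
}

# Only talk to the network when explicitly asked; the functions above can be
# sourced and exercised without any network access.
if [ "${1:-}" = "run" ]; then
    main
fi
```

With this in place the two crontab lines become `@reboot /usr/local/bin/dy-fi-update.sh run` and `0 */12 * * * /usr/local/bin/dy-fi-update.sh run`; the script still runs twice a day, but it only contacts dy.fi when there is something to tell it, which is what the "do not spam the provider" warning asks for.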
SSL Automation with Let's Encrypt
Remove the old SSL configuration
Change hostname to your dy.fi address
Continue the installation with the instructions below. You now have a basic understanding of how SSL works, so you can get a real, working SSL certificate with Let's Encrypt and Certbot.
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu
More information https://www.inmotionhosting.com/support/website/ssl/lets-encrypt-ssl-ubuntu-with-certbot/
The most important thing is that certbot finds the definition ServerName SERVERNAME.dy.fi in Apache's file /etc/apache2/sites-enabled/000-default.conf. Put simply, Certbot turns the port 80 configuration into an ssl configuration.
Caution
"There have been cases where Chrome will not update the SSL cert and will always show a warning. It is good practice to also test with another browser, such as Firefox."