How I Set Up SSL (Mostly) For My Website On My Personal Server.
The reason I wanted to set up SSL on my website was because every time someone accessed my website the lock in the top corner would be crossed out, indicating that the website was not secure. Also, because hosting my own server is risky, having SSL keeps it secure for me as well. Currently I have it set up properly, but the one thing I still have to figure out is how to redirect all traffic from http to https, since currently if anyone tries to go to my website without the https they get a 403 error. I have tried almost everything to fix this but nothing seems to be working; however, I will continue to do research, and I will add the things I have tried so far to redirect in this quick blog post.
Another thing I wanted to talk about was the fact that originally I wanted to make a self-signed SSL certificate. This did not work based on the tutorials I tried. But I discovered that namecheap sells SSL certificates quite cheaply ($10 for the year), so I decided to go with the simpler SSL certificate rather than the self-signed one. In the future, however, I will definitely try to create a self-signed SSL certificate that works so that I do not have to pay for one.
First, connect to your server over SSH: you will be copying and pasting long blocks of random-looking text (the CSR and the certificates), and retyping them by hand is not realistic.
Once you are logged in, and you have openssl installed (sudo apt install openssl), run the following:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
(-nodes leaves the private key unencrypted, so Apache can read it at start-up without prompting for a passphrase; rsa:2048 is the smallest key size public CAs will accept.)
You will be prompted for a bunch of information about the server and yourself. At the prompt for the Common Name (the FQDN, or anything else asking for the name of the server), enter the domain name exactly as visitors will type it. The CA issues the certificate for the name in the CSR, so a typo or a bare hostname here gets you a certificate for the wrong host.
This creates two files: server.csr, the request you hand to the certificate authority, and server.key, your private key. The key never leaves the server; restrict its permissions (mode 600, owned by root) and only ever paste the CSR into anything.
Now the next step is to purchase a certificate. (A self-signed certificate is free, but no browser trusts it, so visitors see the same warning you are trying to get rid of; if you would rather not pay at all, Let's Encrypt issues browser-trusted certificates for free.) I strongly suggest going to namecheap. As mentioned before, I was able to get my certificate for $10 for the year, and I trust namecheap as a service. There are a few others I found online, like the following:
- https://cheapsslsecurity.com/
  - some of the deals on this site are SSL certificates for as low as $5.45 for a year
- https://www.ssls.com/
  - I have seen some as low as $4.
- https://www.namecheap.com/security/ssl-certificates/
  - In fact namecheap has one for $5.88 for a year, guess I got unlucky when I was getting my own :(
Now, once you have purchased the certificate, you will most likely be redirected to, or emailed a link to, a page that asks you to paste your CSR (server.csr). Print it with:
cat /path/to/server.csr
Then copy the whole block from your terminal, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and paste it into the form.
The certificate company will then ask for a way to verify that you do in fact own the domain. There are three ways they do this: via email, via an HTML file placed on your web server, or via a DNS record. I personally did the email way, because I wanted to add an admin email anyway, and with no-ip it was only $10 a month to forward admin@shangar.ddns.net to my own email. Later on I wish to create my own mail server so that I do not have to pay, and I definitely will. For now, I chose the easy way.
Once this is all done, you will receive an email with two certificate files. The first is the certificate for your domain, most likely called yourdomainname.cert; the second is labelled yourdomainname-bundle or sslcompanyname.cert and contains the intermediate certificate(s). Browsers need the intermediates to build a chain from your certificate to a root they already trust, which is why both files end up in the Apache config. I did not want to mess anything up, so I created a quick GitHub repository (made it private), added the files, git cloned it to my server and used that path. Essentially, you need to get these files onto the server; you can also nano/vim a new file and paste the contents in. Only the certificate files need moving: server.key was generated on the server and should stay there, and should never be committed to a repository, private or not.
Next, go to your router and forward port 443 to your server. Keep port 80 forwarded as well: the HTTP-to-HTTPS redirect can only work if plain HTTP requests still reach Apache.
Now open the site config:
sudo nano /etc/apache2/sites-available/000-default.conf
(On Apache 2.4 the file has a .conf suffix, and only *.conf files linked from sites-enabled are loaded.) Next to the existing port 80 virtual host, create a second one for port 443, as such:
<VirtualHost *:80>
...
</VirtualHost>
<VirtualHost *:443>
...
</VirtualHost>
I cut everything from my port 80 host and pasted it into the 443 one. I then added the following lines:
<VirtualHost *:443>
    Protocols h2 http/1.1
    SSLEngine on
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLCertificateFile /path/to/yourdomain.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateChainFile /path/to/yourdomain-bundle
</VirtualHost>
Protocols h2 http/1.1 turns on HTTP/2 and only takes effect with mod_http2 enabled (and a threaded MPM); the ProxyRequests and <Proxy> lines are only needed if this host also proxies to something else and can be dropped otherwise. SSLCertificateChainFile takes the bundle file from the CA; on Apache 2.4.8 and later you can instead append the intermediates to the file given to SSLCertificateFile.
I then added the following lines to my port 80 host to try to permanently redirect all HTTP traffic to HTTPS. It has not worked thus far, and once I have figured out how I will definitely edit this blog post and add it in, but this is what my port 80 virtual host looks like right now:
<VirtualHost *:80>
    Redirect permanent / https://shangar.ddns.net
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !443
    RewriteRule ^(/(.*))?$ https://%{HTTP_HOST}/$1 [R=301,L]
    RedirectMatch permanent ^(.*)$ https://yourdomain.com$1
</VirtualHost>
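A virtual-host pair that does what the two blocks above are trying to do, as an added example and not the configuration from this post. It assumes Apache 2.4 on Debian or Ubuntu; the domain, DocumentRoot and certificate paths are placeholders passed in by the caller, and the script and function names are my own. The port 80 host needs only one Redirect directive, so mod_rewrite is not required, and the trailing slash on the redirect target matters: Apache appends whatever follows the matched prefix straight onto the target, so without the slash a request for /foo is sent to https://yourdomainfoo.

```shell
#!/usr/bin/env bash
# Added example (not the blog author's configuration): render an Apache 2.4
# virtual-host pair in which port 80 only redirects to HTTPS and port 443
# serves the site with the purchased certificate. Domain, paths and the
# output file name are placeholders supplied by the caller.
set -eu

# Print the two virtual hosts for $1 (domain), using $2 (certificate),
# $3 (private key), $4 (issuer's intermediate bundle) and $5 (DocumentRoot).
render_vhosts() {
    domain="$1"; cert="$2"; key="$3"; chain="$4"; docroot="$5"
    cat <<EOF
# Plain HTTP: answer every request with a permanent redirect to HTTPS.
# One Redirect is enough and needs no mod_rewrite. The trailing slash on
# the target matters: without it Apache appends the request path directly
# to the host name (https://${domain}foo instead of https://${domain}/foo).
<VirtualHost *:80>
    ServerName ${domain}
    Redirect permanent / https://${domain}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${domain}
    DocumentRoot ${docroot}
    # HTTP/2 needs mod_http2 (Apache >= 2.4.17) and a threaded MPM such as
    # event; with prefork Apache logs a warning and serves HTTP/1.1 only.
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
    # Intermediate certificate(s) from the CA. Without these, a browser that
    # has not cached the intermediate cannot build a chain to a trusted root.
    # Apache >= 2.4.8 also accepts the intermediates appended to the file
    # given to SSLCertificateFile, in which case this line is not needed.
    SSLCertificateChainFile ${chain}
</VirtualHost>
EOF
}

# Write the rendered config into sites-available, enable the modules it
# relies on, enable the site, and reload only if the config test passes
# (set -e aborts before the reload if apachectl reports an error).
install_site() {
    domain="$1"
    conf="/etc/apache2/sites-available/${domain}.conf"
    render_vhosts "$@" | sudo tee "$conf" >/dev/null
    sudo a2enmod ssl http2
    sudo a2ensite "${domain}.conf"
    sudo apachectl configtest
    sudo systemctl reload apache2
}

# Usage: ./render_vhosts.sh DOMAIN CERT KEY CHAIN DOCROOT            (print)
#        ./render_vhosts.sh --install DOMAIN CERT KEY CHAIN DOCROOT  (deploy)
if [ "${1:-}" = "--install" ]; then
    shift
    install_site "$@"
elif [ "$#" -eq 5 ]; then
    render_vhosts "$@"
fi
```

Run it without --install first and read the output; once it looks right, the --install path writes it to sites-available, enables mod_ssl and mod_http2 (on Debian and Ubuntu, enabling mod_ssl is also what makes ports.conf add Listen 443), and reloads Apache only after apachectl configtest succeeds.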
Once you have done both, the SSL directives are in place: they belong in the <VirtualHost *:443> block and do not need to be repeated in the main config file (/etc/apache2/apache2.conf). Avoid putting them there: mod_ssl settings made in the main server context are inherited by every virtual host that does not set them itself, the port 80 one included. What does have to be present is the module itself, so run sudo a2enmod ssl (plus sudo a2enmod http2 for the Protocols line, and sudo a2enmod rewrite if you keep any RewriteRule lines). On Debian and Ubuntu, enabling mod_ssl is also what makes ports.conf add Listen 443.
Now check the config before touching the running server:
sudo apachectl configtest
If you get the Syntax OK message, restart Apache (restarting on a broken config would take the site down):
sudo /etc/init.d/apache2 restart
(The equivalent systemctl restart apache2 does the same on systems with systemd.)
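Once Apache is back up, check the result from outside rather than trusting the browser's padlock: the plain-HTTP host should answer with a permanent redirect to https://, and the TLS handshake should present a chain that verifies. The script below is an added example, not part of the original post; it assumes curl and openssl are installed on the machine you run it from, and the host name and the sample headers in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check a fresh HTTPS deployment
# from the outside. The plain-HTTP host must answer with a permanent redirect
# to https://, and the TLS handshake must present a chain that validates.
# The host name passed on the command line is a placeholder.
set -eu

# $1 = host name, $2 = raw response headers from `curl -sI http://HOST/`.
# Succeeds only for a 301/308 whose Location points at https://HOST/ .
redirect_ok() {
    rhost="$1"; rheaders="$2"
    printf '%s\n' "$rheaders" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ (301|308) ' || return 1
    printf '%s\n' "$rheaders" | tr -d '\r' | grep -Eiq "^Location: https://${rhost}(/|$)"
}

# $1 = output of `openssl s_client -connect HOST:443 -servername HOST`.
# Succeeds only if OpenSSL could verify the presented chain. "Verify return
# code: 21 (unable to verify the first certificate)" is the classic symptom
# of a server that sends the leaf certificate but not the intermediate bundle.
chain_ok() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Run both checks against a live host. Requires curl and openssl.
check_site() {
    host="$1"
    http_headers=$(curl -sI --max-time 10 "http://${host}/") || http_headers=""
    tls_out=$(openssl s_client -connect "${host}:443" -servername "${host}" \
        </dev/null 2>/dev/null) || tls_out=""
    status=0
    if redirect_ok "$host" "$http_headers"; then
        echo "http -> https redirect: ok"
    else
        echo "http -> https redirect: FAIL (expected 301/308 to https://${host}/)"
        status=1
    fi
    if chain_ok "$tls_out"; then
        echo "certificate chain: ok"
    else
        echo "certificate chain: FAIL (is the intermediate bundle configured?)"
        status=1
    fi
    return "$status"
}

# Usage: ./check_https.sh yourdomain.example
if [ "$#" -eq 1 ]; then
    check_site "$1"
fi
```

Run it from a machine outside your own network so the router port-forwards are exercised as well. A redirect failure with a 403 or 200 on port 80 means the port 80 virtual host that answered is not the one carrying the Redirect; a chain failure with "Verify return code: 21" almost always means the bundle file is not being served.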
And now you should have https access to your website. Just like my last blog post this is how I did it, and you can see it is not even fully done. But hopefully this gives you a general outline of how to approach this and hopefully you can try it out yourself and let me know how it worked for you, or you can hit me up if you have a question.
Please feel free to email me at sharanshangar@gmail.com if you have a question or if you found a solution!