A lot of effort went into making our website an HTTPS-enabled website.

First of all, I bought an SSL certificate from PositiveSSL. I got it for $9 from namecheap.com, and it's worth it. The process as a whole is not very tough; it all depends on the amount of system administration experience that you have.

Coming to the configuration: I am going to assume that you are setting it up on your Amazon EC2 instance. That doesn't make a big difference, though, as the same applies to whichever web server you are configuring.

Set up Apache on your instance.

1. Install Apache and mod_ssl

yum install httpd mod_ssl

2. Enable ports 22 and 443 on your Amazon EC2 instance. Open up these ports for access from 0.0.0.0/0 under security credentials.

Follow the instructions in this post to get your SSL certificate from an SSL provider.

http://wp.me/p1yWAu-3C.

3. Install the certificate on your Apache web server.

3.1 : Copy your certificate file

You will receive an email from your SSL provider containing your certificate (yourdomainname.crt). Open the certificate in a text editor; it will look something like:

-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNlVTMSAw
(…….)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----

Copy your certificate into the directory that you will be using to hold your certificates. In this example we will use /etc/ssl/crt/. Both the public and private key files will already be in this directory. The private key used in the example will be labeled private.key and the certificate (public key) will be yourdomainname.crt.

Make sure that the directory, and in particular the private key, is readable only by root.

3.2 : Install the Intermediate Certificate

You will need to install the chain (intermediate) certificates, in addition to your own SSL certificate (yourdomainname.crt), in order for browsers to trust your certificate. If you are using Apache you'll need the AddTrustUTNServerCA.crt and PositiveSSLCA.crt certificates, and then your key file as well.

You need a bundle file; create one, say bundle.txt. To do this, open the two CA certificates in a text editor and paste both certificate texts into that file, first PositiveSSLCA.crt and then AddTrustUTNServerCA.crt, and save the file as bundle.txt.

Copy the bundle.txt file to the directory that contains httpd.conf (/etc/httpd/conf/); this file holds all of the CA certificates in the chain.

4. Configure virtual hosts in httpd.conf

NameVirtualHost 23.21.221.101:443
<VirtualHost x.x.x.x:443>
# x.x.x.x must be the same address as given in NameVirtualHost above
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html
ServerName www.myexample.com
SSLEngine on
# SSLv2 is disabled here; on any current server disable SSLv3 as well (-SSLv3)
SSLProtocol all -SSLv2
# legacy Apache default cipher list; current servers should drop RC4 and MEDIUM
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

# ErrorLog logs/errorlogs
# CustomLog logs/custom
SSLCertificateFile /etc/ssl/certs/lets/certificate.crt
SSLCertificateKeyFile /home/ec2-user/private.key
# SSLCertificateChainFile is the dedicated directive for intermediates;
# this setup supplies the bundle through SSLCACertificateFile instead
# SSLCertificateChainFile /home/ec2-user/PositiveSSLCA2.crt
SSLCACertificateFile /etc/httpd/conf/bundle.txt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# CustomLog /usr/local/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

5. Since I have used my own file names and paths above, make sure you adjust the configuration to match yours. For readers' convenience, I'll list what each directive means.

  • SSLCertificateFile is the certificate you received by email from the SSL provider
  • SSLCertificateKeyFile is the private key
  • SSLCACertificateFile is the bundle you created

6. Save your httpd.conf file and restart Apache.

7. Pray to God that it works. I had to figure out so many things; I'll post them once I recollect them. It's been a while since I did this.

8. Make sure mod_ssl is installed. Reflect the changes in the /etc/httpd/conf.d/ssl.conf file as well, that is, the paths given for the parameters above (SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile).
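Before restarting Apache (steps 6 and 7), the bundle built in step 3.2 and the certificate/key pairing from step 5 can be checked from the shell. This is an added example, not part of the original post: it generates a local stand-in chain (labelled "Test ..." in the subjects) under the post's file names AddTrustUTNServerCA.crt, PositiveSSLCA.crt, yourdomainname.crt and private.key, and assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: build bundle.txt in the post's order (PositiveSSLCA.crt, then
# AddTrustUTNServerCA.crt) and check the chain and the key before restarting Apache.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-ins for AddTrustUTNServerCA.crt, PositiveSSLCA.crt,
# yourdomainname.crt and private.key, generated locally; real deployments skip this.
make_test_chain() (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout root.key \
        -subj "/CN=Test Root CA" -out AddTrustUTNServerCA.crt 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -keyout inter.key \
        -subj "/CN=Test Intermediate CA" -out inter.csr 2>/dev/null
    openssl x509 -req -days 2 -in inter.csr -CA AddTrustUTNServerCA.crt \
        -CAkey root.key -CAcreateserial -extfile ca.ext -out PositiveSSLCA.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout private.key \
        -subj "/CN=www.myexample.com" -out leaf.csr 2>/dev/null
    openssl x509 -req -days 2 -in leaf.csr -CA PositiveSSLCA.crt \
        -CAkey inter.key -CAcreateserial -out yourdomainname.crt 2>/dev/null
    openssl genrsa -out wrong.key 2048 2>/dev/null   # a key that belongs to no cert here
)

# Concatenate the chain exactly as the post describes: the CA that issued your
# certificate first, then the CA above it.
build_bundle() {  # $1 intermediate, $2 root, $3 output bundle
    cat "$1" "$2" > "$3"
    chmod 0644 "$3"      # CA certificates are public; the private key is what must stay 0600
}

# Succeeds if the bundle lets the server certificate chain up to a root it contains.
verify_chain() {  # $1 server cert, $2 bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# openssl verify ignores file order, so check separately that the first certificate
# in the bundle is the one that issued the server certificate (what clients expect).
bundle_starts_with_issuer() {  # $1 server cert, $2 bundle
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    first=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${first#subject=}" ]
}

# Succeeds if SSLCertificateKeyFile really is the key for SSLCertificateFile.
key_matches_cert() {  # $1 server cert, $2 private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
```

For a real deployment, skip make_test_chain and call the three check functions on the certificate, key and bundle referenced in httpd.conf; a failing key_matches_cert is the usual reason Apache refuses to start after this step.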

A few tips: (Common issues)

1. Make sure the hostname configuration is fine.

2. Check for iptables rules that may be blocking access.

3. Check the Amazon security credentials for any denial of access.

4. Update your instance (yum update).

5. Check resolv.conf, the /etc/hosts configuration and the /proc/sys/kernel/hostname parameter.

6. Run nmap localhost and check that ports 443 and 80 are open.