SSL Troubles!

Why I hate SSL

Let me start by saying SSL is a good thing and it's always something I make sure a site has when I'm on it... especially if I'm going to purchase something. But Christ! What a pain in the ass it was to set up!

When I read up about how to configure it all, it seemed simple enough... I just needed to change the port to 443 and then point my Apache config to the cert files I uploaded, like so...

SSLCertificateFile /usr/local/share/ca-certificates/yourdomain.co.uk_ssl_certificate.cer 
SSLCertificateKeyFile /usr/local/share/ca-certificates/.yourdomain.co.uk_private_key.key 
SSLCertificateChainFile /usr/local/share/ca-certificates/.yourdomain.co.uk_ssl_certificate_INTERMEDIATE.cer

The amount of failures I got from this was unbelievable. After more digging I found a few things I'd missed initially...

For example:

SSLEngine on

SSLCipherSuite ECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On

I thought I was getting somewhere, and the wonderful community at Laracasts (My SSL Issue) were there to help out!

They helped me clean up my Apache conf, and whilst getting help I spotted another issue...

I needed to enable SSL

sudo a2enmod ssl

Yep, that's right... I'd done all the "hard work" and not even enabled the extension for Apache... So I thought I would (as best as I can) talk through setting up the SSL for everyone.

STEP 1

First off you need to get your certs on your server... in my case I had 3 files that I put into /usr/local/share/ca-certificates/

I added these to a subfolder also, but they can stay in the root. I used CLI SFTP in order to get the files onto my server, but you can use whatever you're comfortable with.

STEP 2

Enable the SSL module for Apache... I don't think I will ever forget this again... probably 2 days wasted...

sudo a2enmod ssl

STEP 3

Update your sites-available conf file for your domain. When you first open it for editing you will have something that looks like this.

    <VirtualHost *:80>
        ServerAdmin mike@raspada-blog.co.uk
        ServerName raspada-blog.co.uk
        ServerAlias www.raspada-blog.co.uk
    
        DocumentRoot /var/www/blog/public
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

The first mistake I made when setting it up was that I REMOVED this when I was using the SSL certificate, meaning that www.raspada-blog.co.uk would point to the Apache default page... You need to put your new config above the old one... My file now looks like this:

    <VirtualHost *:443>
        ServerAdmin mike@raspada-blog.co.uk
        ServerName raspada-blog.co.uk
        ServerAlias www.raspada-blog.co.uk
    
        DocumentRoot /var/www/blog/public
    
        SSLEngine on
    
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
    
        SSLCertificateFile PATH_TO_CERTIFICATES
        SSLCertificateKeyFile PATH_TO_CERTIFICATES
        SSLCertificateChainFile PATH_TO_CERTIFICATES
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    
    <VirtualHost *:80>
        ServerAdmin mike@raspada-blog.co.uk
        ServerName raspada-blog.co.uk
        ServerAlias www.raspada-blog.co.uk
    
        DocumentRoot /var/www/blog/public
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

STEP 4

Restart Apache...

sudo systemctl restart apache2

And that is pretty much it... if you get a failure, run

sudo journalctl -u apache2

All of the above I originally did in a crazy order, which is why it took me days to sort out... If you follow the steps above you should be up and running in 10 mins. If not, use the contact form to give me a shout :)

STEP 5

The .htaccess file needs updating so that when you visit any link to your URL you're directed to the SSL certified URL.

This is all thanks to someone from the Laracasts post I linked above... I'd have spent days on this again if they hadn't mentioned it.

Simply add the following lines after RewriteEngine On

RewriteCond %{HTTPS} off 
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Pull to your live environment, dump-autoload and you should be good to go!
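
A pre-restart check for the mistakes described in the steps above (module not enabled, the port 80 block removed, missing SSL directives or cert files), added here as an example and not the author's own script. The function name, its arguments, the file names in the usage comment and the private-key permission check are assumptions; the default paths follow the Debian/Ubuntu Apache layout.

```shell
#!/bin/sh
# Added example, not the author's script. Paths and argument names are
# assumptions for a Debian/Ubuntu Apache layout.
#   $1 = site conf file   $2 = mods-enabled dir (default /etc/apache2/mods-enabled)
# Prints one line per problem; the return status is the number of problems.
check_ssl_site() {
    conf=$1
    mods=${2:-/etc/apache2/mods-enabled}
    n=0

    # "a2enmod ssl" creates ssl.load in mods-enabled.
    [ -e "$mods/ssl.load" ] || { echo "mod_ssl not enabled (sudo a2enmod ssl)"; n=$((n+1)); }

    # Keep both vhosts: 443 for TLS, 80 so plain HTTP still reaches the site.
    for port in 443 80; do
        grep -Eq "^[[:space:]]*<VirtualHost[[:space:]][^>]*:${port}>" "$conf" ||
            { echo "no <VirtualHost *:${port}> block"; n=$((n+1)); }
    done

    # Apache directive names are case-insensitive, hence grep -i.
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" ||
        { echo "SSLEngine on is missing"; n=$((n+1)); }
    for d in SSLProtocol SSLCertificateFile SSLCertificateKeyFile; do
        grep -Eiq "^[[:space:]]*${d}[[:space:]]+[^[:space:]]" "$conf" ||
            { echo "missing directive: ${d}"; n=$((n+1)); }
    done

    # Referenced files must exist; the private key must not be world-readable.
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        path=$(awk -v d="$d" 'tolower($1) == tolower(d) { print $2; exit }' "$conf")
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "$d points at a missing file: $path"; n=$((n+1))
        elif [ "$d" = SSLCertificateKeyFile ]; then
            case $(ls -ldL "$path") in
                ???????r*) echo "private key is world-readable: $path"; n=$((n+1)) ;;
            esac
        fi
    done
    return "$n"
}

# Usage (hypothetical file names):
#   sh check_ssl_site.sh /etc/apache2/sites-available/yourdomain.conf
if [ "$#" -gt 0 ]; then check_ssl_site "$@"; fi
```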