SSL Troubles!
Why i hate SSL
Let me start by saying SSL is a good thing and its all ways something i make sure a site has when i'm on it... especially if i'm going to purchase something. But Christ! what a pain in the ass it was to setup!
when i read up about how to configure it all, it seemed simple enough... i just needed to change the port to 443 and then point my apache config to the cert files i uploaded like so....
SSLCertificateFile /usr/local/share/ca-certificates/yourdomain.co.uk_ssl_certificate.cer
SSLCertificateKeyFile /usr/local/share/ca-certificates/.yourdomain.co.uk_private_key.key
SSLCertificateChainFile /usr/local/share/ca-certificates/.yourdomain.co.uk_ssl_certificate_INTERMEDIATE.cer
the amount of failures i got from this was unbelievable. after more digging i found a few things id missed initially..
for example;
SSLEngine on
SSLCipherSuite ECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder On
I thought i was getting somewhere and the wonderful community at Laracast (My SSL Issue) where there the help out!
they helped me clean up my Apache Conf and also whilst getting help i spotted another issue....
i needed to enable SSL
sudo a2enmod ssl
Yep thats right... id done all the "hard work" and not even enable the extension for apache... So i thought i would (as best as i can talk through setting up the SSL for everyone.
STEP 1
First off you need to get your Certs on your server... in my case i had 3 files that i put into /usr/local/share/ca-certificates/
i added these to a sub folder also but they can stay in the root. I used CLI SFTP in order to get the files onto my server but you can use what ever you comfortable with.
STEP 2
Enable SSL Module for apache... i don't think i will ever forget this again... probably 2 days wasted...
sudo a2enmod ssl
STEP 3
Update your Sites Available conf file for your domain. when you first open it for editing you will have something that looks like this.
<VirtualHost *:80>
ServerAdmin mike@raspada-blog.co.uk
ServerName raspada-blog.co.uk
ServerAlias www.raspada-blog.co.uk
DocumentRoot /var/www/blog/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
This first mistake i made when setting it up was i REMOVED this when i was using the SSL Certificate meaning that www.raspada-blog.co.uk would point to apache default page.. you need to put you new config above the old one... My file now looks like this:
<VirtualHost *:443>
ServerAdmin mike@raspada-blog.co.uk
ServerName raspada-blog.co.uk
ServerAlias www.raspada-blog.co.uk
DocumentRoot /var/www/blog/public
SSLEngine on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDHSSL
Protocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCertificateFile
PATH_TO_CERTIFICATESSSLCertificateKeyFile
PATH_TO_CERTIFICATESSSLCertificateChainFile
PATH_TO_CERTIFICATES
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin mike@raspada-blog.co.uk
ServerName raspada-blog.co.uk
ServerAlias www.raspada-blog.co.uk
DocumentRoot /var/www/blog/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
STEP 4
Restart apache....
sudo systemctl restart apache2
And that is pretty much it... if you get a failure run
sudo journalctl -u apache2
all of the above i originally done in a crazy order which is why it took me days to sort out... if you follow the steps above you should be up and running in 10 mins. if not, use the contact form to give me a shout :)
STEP 5
The .htaccess file needs updating so when you visit any link to your URL your directed to the SSL Certified URL.
This is all thanks to someone from the Laracast's post i linked above... id have spent days on this again if they hadn't mentioned it.
Simply add the following lines after RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Pull to you live environment, dump-autoload and you should be good to go!