Install SSL

Hi.

I have tried many internet-solutions before I ask here…

I have a hobby-server at home, I have a domain name, and everything is working great.
But… I can't install SSL (https).

I have bought a certificate from my internet provider, which I can see, or download as a zip file, to make the web site secure.
But from this point I can't find the right solution to how to do it. It's so different from version to version, I feel.

Can anyone point me in the right direction to make this work? 🙂

Best regards from Roald, Norway.

On 01/06/2019 04:26 AM, rsimonsen wrote:
>
> I have tried many internet-solutions before I ask here…

It would help if you specified what those were, so we could either confirm
they were valid and void them, or correct some steps in them. Provide a
lot of details.

> I have a hobby-server at home, I have a domain name, and everything is
> working great.
> But… I can't install SSL (https).

Thanks for clarifying the HTTPS, as SSL does not make sense to generally
be unable to install.

> I have bought a certificate from my internet provider, which I can see,
> or download as a zip file, to make the web site secure.
> But from this point I can't find the right solution to how to do it. It's
> so different from version to version, I feel.

The problem here is we still have no context. Version to version of what?
Different openSUSE versions? Different web service (Apache httpd, nginx,
node.js, etc.) versions? Different TLS/SSL versions?

> Can anyone point me in the right direction to make this work? 🙂

Possibly, but we need to know more about your system, what its version is,
what you have tried, the format of the file you were given, etc. It may
also help to know how experienced you are with Linux and the web service
you are using in general. Have you ever done this before? With which
systems?


Good luck.


This is the most cocky reply I have ever got.

I am a new person in Linux, wanted some help and guidance, and I actually feel offended.
Thanks for your help, will go back to Windows because of you.

I know Linux people are smart, but a question from a new person should not be that difficult.

Microsoft here I come!

I’m sorry you feel that way.

You asked a very vague question, and ab was just asking for more details so that he could understand what you are trying to do.

Yeah. Come on, rsimonsen, ab was just trying to help you by asking clarifying questions as your post was missing important details. I, for one, am glad ab is willing to read posts like yours, take some time to respond and try to help. ab, don’t give up on us! We appreciate you!

I’m sorry ab.

Maybe I was explaining it wrong…
Just need a little help or some guidance…

As I said, I'm new to Linux, so therefore I don't know all commands and all that.
I want to learn it. That's why I chose it. And I am the person who tries and fails until I get it. 🙂

Please give me the commands to get the output you need to help me, and I will post it to you.

Again, sorry ab. Maybe it was ME who was rude. 🙂

How did you set up the webserver? Stock openSUSE goes for the apache webserver. Since you state the website works, I assume apache. You can check this by


sudo systemctl status apache2.service

Furthermore, you will have to add port forwarding for port 443 from your router to the server.

Next, you will need a vhost for apache for port 443, and port 443 needs to be opened in the firewall.

The apache vhost should look like this; replace home.knurpht.nl with your domain, and the letsencrypt paths with where you store the cert.


<VirtualHost *:443>
    ServerName home.knurpht.nl
    SSLEngine on
    # Path to the LetsEncrypt created certificate chain fullchain.pem
    # (SSLCertificateChainFile is deprecated since Apache 2.4.8, where
    # SSLCertificateFile can carry the intermediate certificates itself)
    SSLCertificateChainFile /etc/letsencrypt/live/home.knurpht.nl/fullchain.pem
    # Path to the LetsEncrypt created certificate cert.pem
    SSLCertificateFile /etc/letsencrypt/live/home.knurpht.nl/cert.pem
    # Path to the LetsEncrypt created private key privkey.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/home.knurpht.nl/privkey.pem
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    <Directory /srv/www/htdocs/home.knurpht.nl/>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
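
A pre-flight check for the certificate and key files that a vhost like the one above points at, as an added example that is not part of the original post. The helper name `check_tls_files` and the file names in the usage line are assumptions; it relies only on the `openssl` command-line tool and an unencrypted PEM private key.

```bash
#!/usr/bin/env bash
# Added example: check the certificate and key an HTTPS vhost will reference.
# check_tls_files is a hypothetical helper name; it only reads the files.
# Assumes the openssl command-line tool and an unencrypted private key.

check_tls_files() {  # usage: check_tls_files CERT KEY HOSTNAME
  local cert=$1 key=$2 host=$3 cert_pub key_pub

  # Extract the public key from each file; a parse failure means a wrong
  # format (e.g. DER or PKCS#12 instead of PEM) or the wrong file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $cert"; return 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $key"; return 2; }

  # mod_ssl will not accept a key that does not belong to the certificate.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate"; return 3; }

  # -checkend 0 exits non-zero if the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired"; return 4; }

  # -checkhost prints "does match" or "does NOT match" for the given name.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
    { echo "certificate is not valid for $host"; return 5; }

  echo "ok: $cert and $key are usable for $host"
}

# Run directly as: ./check_tls_files.sh cert.pem privkey.pem www.example.org
if [ "$#" -eq 3 ]; then check_tls_files "$@"; fi
```

A non-zero return code identifies which check failed, so the script can gate an Apache restart.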

Hi.

I haven't used virtual host, just as it comes “from the bag”…
So, a vhost is needed?

Output is…

srv1:~ # systemctl status apache2.service
● apache2.service - The Apache Webserver
Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2019-01-07 20:13:57 CET; 4min 10s ago
Main PID: 1706 (/usr/sbin/httpd)
Status: “Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec”
Tasks: 26
CGroup: /system.slice/apache2.service
├─1706 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf ->
├─1772 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf ->
├─1773 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf ->
├─1775 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf ->
├─1776 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf ->
└─1777 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf ->

Jan 07 20:13:52 srv1 systemd[1]: Starting The Apache Webserver…
Jan 07 20:13:57 srv1 systemd[1]: Started The Apache Webserver.
srv1:~ #

Hi,

There are two general approaches to this - either try to use the admin interface “yast2” or try to work with the files. I prefer the latter, so here are the steps you could take:

Go and have a look at /etc/apache2/vhosts.d/vhost-ssl.template - you might want to copy that file to a new one with a unique name (like “www.yourdomain.org-ssl.conf”, in the same directory and make sure the name ends in “.conf”) and then adjust its content with values appropriate to your situation.

From your output for “systemctl status apache2.service”, I can see that SSL is already enabled (there’s “-D SSL”) - so restarting apache2 after creating the file might be sufficient. If the daemon won’t restart, have a look at the log files in /var/log/apache2/* - usually, these will give you a clue on typical configuration file errors.

Regards,
J

When you want to set up SSL for your website, you can’t just go buy a certificate from a CA. When you buy a certificate like that (just by asking for one), you usually get a client-side certificate which can be authorized for use in other things, but not to secure a website.

You should understand that the procedure to obtain an SSL certificate is the same no matter what kind of webserver you have.
You start off by setting up your non-secured website which can be done a number of different ways (YaST can help you do this on openSUSE if you’re setting up an Apache webserver).
You then generate a CSR (Certificate Signing Request) for that website.
Depending on the practice and procedure of your CA, you will then either send the file to them or copy and paste the CSR contents into a form.
The CA will then use your CSR to generate your SSL certificate and give that to you, which is then installed into your website on your webserver.

So,
I doubt you ever generated your CSR, so you didn’t buy yourself something that will work for your website.
You should also know that nowadays, there are projects that will generate an SSL certificate for you for free.
You might also be interested in knowing that the only difference between an SSL certificate you might get from a commercial CA vs if you built your own private CA is that the commercial CAs are pre-authorized in all major web browsers by default while a private CA like one you can build yourself is not. That simple difference can cost commercial CAs enormous amounts of money for the simple privilege that website guests don’t have to manually accept the SSL certificate the first time they visit your website.

For instructions on generating your CSR, there are plenty of articles on the Internet, just search “apache generate csr”.
If you still have problems, post again with the link to the instructions you’re following and a link to the CSR page at your CA.

HTH,
TSU
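
The CSR step of the procedure described in this post, as an added example that is not part of the original post. The helper names `make_csr` and `csr_dns_names` and the host `www.example.org` are assumptions, and the `-addext` option requires OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example: create a private key and a CSR for one hostname.
# make_csr and csr_dns_names are hypothetical helper names.
# Assumes OpenSSL 1.1.1 or later (for -addext).

make_csr() {  # usage: make_csr HOSTNAME OUTDIR ; prints the CSR path
  local host=$1 dir=$2 key csr
  key="$dir/$host.key"
  csr="$dir/$host.csr"

  # Generate key and request in one step. The subshell's umask keeps the
  # private key readable by its owner only; the key never leaves the server.
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$key" -out "$csr" \
      -subj "/CN=$host" \
      -addext "subjectAltName=DNS:$host" 2>/dev/null ) || return 1

  # A CSR is signed with its own key; check that signature before sending.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 2

  echo "$csr"
}

# List the DNS names a CSR asks the CA to certify.
csr_dns_names() {  # usage: csr_dns_names CSR
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Run directly as: ./make_csr.sh www.example.org /root/tls
if [ "$#" -eq 2 ]; then make_csr "$@"; fi
```

Only the `.csr` file is sent to the CA; the `.key` file is the one the vhost's `SSLCertificateKeyFile` later points at.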