Apache Server, the Apache2 mod_rewrite module and OpenSSL are installed by default on Debian 7
Check OpenSSL version
#openssl version
OpenSSL 1.0.1t 3 May 2016
Create SSL directory
#mkdir -p /etc/apache2/ssl
#cd /etc/apache2/ssl
Generate a private key and a Certificate Signing Request (CSR)
#openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr
*** Replace myserver with your domain name (example.com)
This creates two files, myserver.key and myserver.csr. Enter your details into the CSR and leave the challenge password empty
Generating a 2048 bit RSA private key
.......................+++
.........+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:New South Wales
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Pty Ltd
Organizational Unit Name (eg, section) []:Web SSL Security
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
done!
#ls -la /etc/apache2/ssl
-rw-r--r-- 1 root root 1123 Nov 18 18:23 example.com.csr
-rw-r--r-- 1 root root 1704 Nov 18 18:23 example.com.key
To create the CRT and CA Bundle files, log in to the website where you bought the SSL certificate, open the CSR (vim example.com.csr) and paste its contents into their form to generate both files.
Follow their steps, then wait around 5 minutes for activation. An email from Comodo Security Services will arrive with the certificate and CA files attached; once it is received, download all the certificate and CA files and upload them to your server in the directory /etc/apache2/ssl.
#cd /etc/apache2/ssl
Upload all the Cert, CA files to directory /etc/apache2/ssl above
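A pre-flight check for the files now in /etc/apache2/ssl, as an added example that is not part of the original page: it confirms that the CSR and the issued certificate carry the same public key as the private key, and that the key is not accessible to group or others (the ls listing above shows it as -rw-r--r--). The function names are hypothetical; the file names follow the page's example.com naming.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the key,
# CSR and certificate before Apache is pointed at them.
# Function names are hypothetical; file names follow the page's example.com.

# Print the PEM public key carried by a private key, CSR or certificate.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# $1 = private key, $2 = kind of other file (csr|cert), $3 = other file.
# Succeeds only if both files carry the same public key.
same_keypair() {
    k=$(pubkey_of key "$1") || return 1
    o=$(pubkey_of "$2" "$3") || return 1
    [ -n "$k" ] && [ "$k" = "$o" ]
}

# Succeeds only if group and others have no permission bits on the key.
# Uses GNU stat, as shipped on Debian.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# $1 = directory, $2 = domain. Returns non-zero if any check fails.
check_site() {
    dir=$1; name=$2; rc=0
    same_keypair "$dir/$name.key" csr "$dir/$name.csr" \
        || { echo "CSR does not match $name.key"; rc=1; }
    same_keypair "$dir/$name.key" cert "$dir/$name.crt" \
        || { echo "certificate does not match $name.key"; rc=1; }
    key_is_private "$dir/$name.key" \
        || { echo "$name.key is accessible to group/others (chmod 600)"; rc=1; }
    return "$rc"
}

# Run as: sh check.sh /etc/apache2/ssl example.com
if [ "$#" -eq 2 ]; then check_site "$1" "$2"; fi
```

A mismatch between key and certificate makes Apache refuse to start the SSL virtual host, so running this before the reload catches the problem while the old configuration is still serving.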
Replace every occurrence of “AllowOverride None” with “AllowOverride all”, then insert the SSL configuration into default-ssl
The instructions below are outdated: skip them and jump to the SSL test on Qualys SSL Labs Rating A Configuration instead
#vim /etc/apache2/sites-available/default-ssl
SSLEngine on
# taken from https://www.apachelounge.com/viewtopic.php?t=7474
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA25$
SSLProxyProtocol +TLSv1.2 -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/example.com.ca-bundle
Enable SSL Module
Ensure that the Apache SSL module is enabled, and enable default-ssl configuration:
‘default-ssl’ can be replaced by the real site name you set up in /etc/apache2/sites-available/
#cd /etc/apache2/ssl
Enable SSL
#a2enmod ssl
Disable SSL
#a2dismod ssl
Apply SSL Module to Site
#a2ensite default-ssl
Disable SSL Module for Site
#a2dissite default-ssl
To activate the new configuration, you need to run:
#service apache2 reload