SE 4472 / ECE 9064

Configuring TLS in Apache for Assignment 3

Step 1: Configure Environment

Virtual Environment

First we need to set up an environment to do the assignment in. Because we're going to be making a few system changes, we strongly suggest you do the assignment in a virtual machine. That way you don't have to worry about messing up your system, or reverting any settings later. In particular we recommend using VirtualBox.

Web Server

We'll be using Apache, but if you really want to, you can use another web server like nginx or lighttpd. But you'll be on your own to get it up and running.

Operating System

You'll need a Linux installation. We tested the assignment in Ubuntu, but your favourite up-to-date Linux distro should also work for this purpose. You can install it yourself, or there are some pre-installed VirtualBox images of Ubuntu available that will help you get up and running more quickly.

If you download one of these pre-installed .vdi files, just run VirtualBox -> New -> Name: Ubuntu (64-bit) -> Use an existing virtual hard disk file, and it will. Make sure everything's updated before proceeding by running

sudo apt-get update

VirtualBox Guest Additions

You may also want to invest the time to install the VirtualBox guest additions which will make VirtualBox much easier to work with (e.g., allowing you to use full-screen and copy and paste between host and guest OS's).

Install Programs

You'll need to install a couple of programs if you haven't already:

  1. Install Chrome
  2. Install the Apache webserver. In a terminal type:

sudo apt-get install apache2

Step 2: Setup Certificates

This step involves modifying your OS settings to make TLS work locally, without us having to pay for real certificates. You would not normally perform these steps when setting up a secure website, which is why we recommend doing it in a virtual machine.

Create Root Certificate

First you will create a Root Certificate Authority (root CA). Create a key pair for your Root CA:

openssl genrsa -out fakerootca.key 4096

Generate a self-signed root CA certificate:

openssl req -x509 -new -nodes -key fakerootca.key -days 60 -out fakerootca.crt

Set the common name to "My Fake CA."

Create Server Certificate

Next you will create a signing keypair for your website:

openssl genrsa -out mysite.key 4096

Now we create a certificate signing request (CSR):

openssl req -new -sha256 -key mysite.key -out mysite.csr

The Common Name is your website's domain name. For this exercise, use your Western email username, e.g., if your email address was aessex@uwo.ca, set the common name to www.yoursite.com. OpenSSL signs the CSR with your RSA key pair; the -sha256 flag directs it to use SHA-256 for that signature.

This certificate signing request will now be used by your root CA to issue a certificate on your site's public verification key:

openssl x509 -req -in mysite.csr -CA fakerootca.crt -CAkey fakerootca.key -CAcreateserial -out mysite.crt -days 60

The previous two steps generated the following files, which we'll need in the next steps:

  1. fakerootca.key: the root CA's private key (keep it private)
  2. fakerootca.crt: the root CA's self-signed certificate (imported into Chrome below)
  3. mysite.key: your site's private key (installed in Apache below)
  4. mysite.csr: the certificate signing request (not needed once the certificate is issued)
  5. mysite.crt: your site's certificate, issued by the root CA (installed in Apache below)

WWW vs. No WWW

[TIP]: If you generate a certificate using www in the common name (i.e., www.[your site].com) then you must continue to use the 'www' prefix throughout the rest of the assignment, and vice versa. So be consistent. Setting up your website and certificates to accept connections to both https://www.[your site].com and https://[your site].com requires a few additional steps, but you can skip them for this assignment.
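The following script is an added example, not part of the course handout: it runs the Step 2 commands non-interactively and then verifies that the issued certificate actually chains to the fake root CA and carries the right Common Name, which is what the browser will check later. It assumes openssl is installed, that www.yoursite.com stands in for your common name, and that -subj replaces the interactive prompts the handout walks you through.

```shell
#!/bin/sh
# Added example (not part of the course handout): run the Step 2 commands
# non-interactively, then verify what they produced. Assumptions: openssl is
# installed, www.yoursite.com stands in for your common name, and -subj
# replaces the interactive prompts the handout walks you through.
set -e

# Create the fake root CA and the CA-issued site certificate in "$1",
# using "$2" as the site's Common Name.
make_certs() {
    dir="$1"; site="$2"
    mkdir -p "$dir"
    # Root CA key pair and its self-signed certificate (CN "My Fake CA").
    openssl genrsa -out "$dir/fakerootca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/fakerootca.key" -days 60 \
        -subj "/CN=My Fake CA" -out "$dir/fakerootca.crt"
    # Site key pair, CSR, and the certificate the root CA issues on it.
    openssl genrsa -out "$dir/mysite.key" 4096 2>/dev/null
    openssl req -new -sha256 -key "$dir/mysite.key" \
        -subj "/CN=$site" -out "$dir/mysite.csr"
    openssl x509 -req -in "$dir/mysite.csr" -CA "$dir/fakerootca.crt" \
        -CAkey "$dir/fakerootca.key" -CAcreateserial -days 60 \
        -out "$dir/mysite.crt" 2>/dev/null
}

# Print OK when mysite.crt chains to fakerootca.crt, carries the expected
# Common Name, and will not expire within the next day; otherwise print
# the reason and return non-zero.
check_certs() {
    dir="$1"; site="$2"
    openssl verify -CAfile "$dir/fakerootca.crt" "$dir/mysite.crt" \
        >/dev/null 2>&1 || { echo "CHAIN_FAIL"; return 1; }
    cn=$(openssl x509 -in "$dir/mysite.crt" -noout -subject \
         -nameopt RFC2253 | sed 's/.*CN=//')
    [ "$cn" = "$site" ] || { echo "CN_MISMATCH:$cn"; return 1; }
    openssl x509 -in "$dir/mysite.crt" -noout -checkend 86400 \
        >/dev/null || { echo "EXPIRING"; return 1; }
    echo "OK"
}

# Usage: sh make_and_check.sh www.yoursite.com [output-dir]
if [ -n "${1:-}" ]; then
    make_certs "${2:-./certs}" "$1"
    check_certs "${2:-./certs}" "$1"
fi
```

A CN_MISMATCH result is exactly the www vs. no-www inconsistency the tip above warns about.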

Install Root Certificate in Chrome's Trust Store

Install fakerootca.crt in Chrome's trust store: Settings -> Show advanced settings -> HTTPS/SSL -> Manage Certificates -> Authorities -> Import -> fakerootca.crt

Move keys/certificates and set permissions

Now we need to move your site's key and certificate to a reasonable location and then secure them by setting proper permissions. First let's create two directories:

sudo mkdir /etc/apache2/tls

sudo mkdir /etc/apache2/tls/private

and give them the following permissions

sudo chmod 755 /etc/apache2/tls

sudo chmod 710 /etc/apache2/tls/private

Now we need to move your website's key and certificate to the appropriate directories:

sudo cp mysite.crt /etc/apache2/tls/

sudo cp mysite.key /etc/apache2/tls/private/

Now change the file permissions:

sudo chmod 755 /etc/apache2/tls/*.crt

sudo chmod 710 /etc/apache2/tls/private/*.key

If this last operation fails, it is because your shell expands *.key before sudo runs, and your user cannot list the private directory. Switch into superuser mode: sudo su (and don't forget to exit when you're done).

Modify Hosts File

Now we modify the system hosts file to capture requests to visit your website, and point them to localhost. Add the line

127.0.0.1 [hostname]

to the file /etc/hosts, where [hostname] is your website URL (e.g., www.yoursite.com).

Step 3: Setup Apache

Verify Apache is running

We can verify its correct installation by navigating to localhost in a web browser. If successful, we'll see the "Apache 2 Ubuntu Default Page". Otherwise try

sudo service apache2 start

If you ever want to stop apache type

sudo service apache2 stop

Activate and Configure the SSL/TLS module

First enable the mod_ssl TLS module by typing

sudo a2enmod ssl

then

sudo service apache2 restart

Setup new website

Let's set up a new website. Let www.yoursite.com denote the common name of your website. First let's create a directory to house our website:

sudo mkdir /var/www/www.yoursite.com/public_html/

This directory /var/www/www.yoursite.com/public_html/ is your document root. In this directory make a default webpage index.html that contains the following:

<html>
<head><title>Assignment 3</title></head>
<body>
<h3>SE 4472 / ECE 9064</h3>
<h2>Assignment 3</h2>
Hello World!
</body>
</html>

Configure Default TLS

Now we must create a configuration file. Copy the default config file to a new one for our site:

sudo cp /etc/apache2/sites-available/default-ssl.conf \
/etc/apache2/sites-available/www.yoursite.com.conf

In www.yoursite.com.conf replace the following line:

DocumentRoot /var/www/html

with

DocumentRoot /var/www/www.yoursite.com/public_html
ServerName www.yoursite.com:443
ServerAlias www.yoursite.com:443

Now set the paths to your certificate and key. Replace these placeholder paths:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

to point to your certificate and key:

SSLCertificateFile /etc/apache2/tls/mysite.crt
SSLCertificateKeyFile /etc/apache2/tls/private/mysite.key

Enable site

Now enable your site:

sudo a2ensite www.yoursite.com.conf

and restart Apache:

sudo service apache2 restart

Test site

Open Chrome and visit https://www.yoursite.com and you should see the Hello World page and the green padlock! For more information about basic Apache setup check out this tutorial.
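As an added check, not part of the handout, the following script confirms from a terminal what the padlock tells you: it connects to the local Apache with openssl s_client, trusting only fakerootca.crt, and reports whether the chain verified and whether the served certificate's Common Name is your host. It assumes openssl is installed, that www.yoursite.com stands in for your common name, and that fakerootca.crt is the CA file from Step 2; the transcript in SAMPLE_OK is constructed.

```shell
#!/bin/sh
# Added example (not part of the handout): check from a terminal what the
# padlock shows. Assumptions: openssl is installed, www.yoursite.com stands
# in for your common name, and fakerootca.crt is the CA file from Step 2.

# Judge a captured "openssl s_client" transcript: print OK only when the
# chain verified against the CA file and the leaf certificate's Common
# Name is the expected host; otherwise print the reason and return 1.
judge_s_client() {
    expected="$1"; transcript="$2"
    printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "VERIFY_FAILED"; return 1; }
    # The first "subject=" line describes the server (leaf) certificate.
    cn=$(printf '%s\n' "$transcript" | sed -n '/^subject=/{p;q;}' \
         | sed 's/.*CN *= *//; s/[,/].*//')
    [ "$cn" = "$expected" ] || { echo "CN_MISMATCH:$cn"; return 1; }
    echo "OK"
}

# Connect to the local Apache the way Chrome does (SNI set to the host
# name), trusting only the fake root CA, and judge the transcript.
check_site() {
    host="$1"; cafile="$2"
    out=$(openssl s_client -connect "$host:443" -servername "$host" \
          -CAfile "$cafile" </dev/null 2>/dev/null)
    judge_s_client "$host" "$out"
}

# Constructed (trimmed) transcript of a successful connection, showing
# the lines judge_s_client relies on.
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = My Fake CA
verify return:1
depth=0 CN = www.yoursite.com
verify return:1
---
subject=CN = www.yoursite.com
issuer=CN = My Fake CA
---
    Verify return code: 0 (ok)
---'

# Usage: sh check_site.sh www.yoursite.com [path/to/fakerootca.crt]
if [ -n "${1:-}" ]; then
    check_site "$1" "${2:-fakerootca.crt}"
fi
```

If the result is VERIFY_FAILED while Chrome shows the padlock, you are pointing at a different fakerootca.crt than the one imported into Chrome.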