This site is a static archive of the Aegir community site. Documentation has moved to http://docs.aegirproject.org. Other community resources can be found on the Contacting the community page.
Skip navigation

Revision of Using SSL from Wed, 11/03/2010 - 21:58

Help

Using SSL

Introduction

SSL support was significantly improved in Aegir 0.4 alpha9 and subsequent releases have further refined the SSL functionality. Here are the current steps to configure SSL support in Aegir and apply it to your web sites.

Prepare Your Server

1. Make sure port 443 is open for SSL traffic.

2. From the command line, install SSL software for your web server (e.g. on Debian/Ubuntu you can use sudo apt-get install openssl).

3. Enable SSL support (e.g. sudo a2enmod ssl). You will need to restart Apache at this point.

Enable SSL Support in Aegir

4. You have to enable SSL support in Aegir as it is off by default. Assuming the URL of your Aegir front end is aegir.example.com, browse to aegir.example.com/admin/hosting/features
how to get to the Aegir features page

5. Click on Experimental to reveal experimental features experimental features of Aegir

6. Check SSL support

7. Click Save configuration

Configure Your Aegir Server

8. Click on the Servers tab

9. Click on the server that you wish to enable SSL support

10. Click Edit to change the server configuration

11. Click apache_ssl (this will reveal an additional field: SSL port, which should be already populated with 443). Note: you may also have to add an IP address to the IP addresses field. enabling SSL on your Aegir server

12. Click Save - this will start various tasks beginning with a verify task on the server followed by verify tasks on all platforms that are associated with that server

13. If all goes well you will see the following changes in your Aegir file system structure:
a) under /var/aegir/config you will see a new directory ssl.d
b) under /var/aegir/config/server_name you will see a similar new directory ssl.d

Configure Your Aegir Site

14. You must enable SSL on your sites that are on those platforms associated with the server. Browse to aegir.example.com/hosting/c/site-1.com

15. Click Edit to change the site configuration

16. Choose the type of Encryption required and the Encryption key (see the explanatory notes below each option) configuring an Aegir site for SSL. Alternatively, you may want to specify a directory under /var/aegir/config/server_master/ssl.d where your own certificate and key is stored.

17. Click Save. Aegir will then generate a certificate and private key for your web site and insert these into a new VirtualHost directive in your vhost file. (This file is typically at /config/server_master/apache/vhost.d/site-1.com).

18. If all goes well the VirtualHost directive will now have these important elements:

<VirtualHost xx.xx.xx.xx:443>  <-- where xx.xx.xx.xx is an IP address dedicated for SSL access to your site and 443 is the port number
    ....

    # Enable SSL handling.
    SSLEngine on

    SSLCertificateFile /var/aegir/config/server_master/ssl.d/site-1.com/openssl.crt
    SSLCertificateKeyFile /var/aegir/config/server_master/ssl.d/site-1.com/openssl.key

Now, when you navigate to https://site-1.com you should see that your site is SSL enabled.

Notes:

i) If you have your own commercial certificate and key you may need to add another line to your vhost file SSLCertificateChainFile /var/aegir/config/server_master/ssl.d/site-1.com/site-1_com.ca-bundle. You will also have to rename your certificate and key to the names openssl.crt and openssl.key (see above) or amend the vhost file accordingly.

ii) Whenever you reverify your site this vhost file is automatically regenerated by Aegir and any non-Aegir generated certificate information will be replaced in the vhost file. Hence you probably want to use the option (see step 15 above) that lets you specify a directory under /var/aegir/config/server_master/ssl.d where your own certificate and key is stored.

#1

Documentation on initial SSL setup is pretty good, but what about a renewal? I really dont want to fix anything that doesnt need fixing. Aegir can be unforgiving when missing the small stuff:-) I cant exactly test this out on a staging site. Do I need to generate a new rsa key for a renewal? I'm using a wildcard cert on a single Linode server running CentOS/Apache, that hosts rabout a dozen Atrium sites through Aegir under individual subdomains under a single domain name.
If I need to upload something new, what folders do I put it in? And do I need to manually update all the virtual hosts of my existing Atrium sites, or will this happen automatically??? Here's where I'm at (with deer-n-headlights look).

I paid for the new SSL with godaddy, and downloaded 2 files 1. gd_bundle.crt 2. mydomain.crt

Inside var/aegir/config/ssl.d/godaddy I have the following files:

  1. gd_bundle.crt (this one has 3 chained certs, but the one I downloaded from godaddy only has 2. Just leave the new one as is and upload it? Thoughts?)
  2. openssl.crt (what I was planning to do is replace the contents of this file with what I have in mydomain.crt -copy/paste and upload it. Yes?)
  3. openssl.csr (I alerted godaddy to use my existing csr during activation, so I'll do nothing here. Yes?)
  4. openssl.key (I suppose this is the key generated the first time. Do I need to regenerate on a renewed SSL? Would rather not...)
  5. info.txt (this file appears to be a public cert. I don't recall how it was generated, what should I do about this mystery? It starts like so:

Certificate: Data: Version: 3 (0x2) Serial Number: 2x:67:z3: Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=123456 Validity Not Before: Apr 16 22:18:16 2012 GMT Not After : May 3 17:00:47 2013 GMT Subject: O=.example.com, OU=Domain Control Validated, CN=.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c0:1d:5a:07:98:42:b1:be:de:b7:20:b5:79:d2: ae:3e:99:06:e3:4b:a8:fc:59:18:f1:3a:05:aa:50: 94:1f:64:71:9f:ea:90:eb:06:e9:1d:a0:89:00:a8:

#2

No sweat. Here it is: Upload/overwrite existing gd_bundle.crt into the active ssl folder. Copy/paste the contents of domain.crt into the openssl.crt file. Make sure to put both files in ssl.d and servermaster/ssl.d. Restart apache & enjoy.

#3

I'm quite confused how SSL works now in Aegir2 with IP's being allocated in the front-end. I posted a question about this at the end of move the SSL IP allocation to the frontend, but I'm guessing as this is a closed issue, it might slip below the radar. Any info on this or a pointer in the right direction is much appreciated.

#4

Seems to be a bug (omission?) in Provision that ignores ssl chain files. I found that the vhost file wouldn't get updated with the SSLCertificateChainFile entry even when following the documentation. Perhaps I was doing something incorrectly but if I was, I never found it. In the end I ended up applying a couple patches, reverifying my platform and all was right with the world. I did have to remove some whitespace in between the two diffs in the patch but other than that it applied to provision 6.x-1.9 (bit of patch fuzz but otherwise ok)

See http://nicksantamaria.net/article/getting-ca-chain-certificates-work-usi... and http://nicksantamaria.net/sites/nicksantamaria.net/files/article_attachm... if you have the same problem. :)

#5

If I select 'Encryption: Required', the server will not redirect traffic from the http port to the https port as described

I am using 5080 and 5443, so it redirects http://server:5080 to https://server:5080, which of course does not work.

lynx attempt:
Looking up stage.web:5080
Making HTTP connection to stage.web:5080
Sending HTTP request.
HTTP request sent; waiting for response.
HTTP/1.1 301 Moved Permanently
Data transfer complete
HTTP/1.1 301 Moved Permanently
Using https://stage.web:5080/
Looking up stage.web:5080
Making HTTPS connection to stage.web:5080
Retrying connection without TLS.
Looking up stage.web:5080
Making HTTPS connection to stage.web:5080
Alert!: Unable to make secure connection to remote host.

Accessing https://stage.web:5443 works however

What gives?

#6

Any Update on this?

We would like to utilize SNI since we have a multi-site setup under one drupal core. Is there anyway to override the process where verify replaces the edit *:443 back to xxx.xx.xxxx:443 ?

Need help?

Documentation

The notebook section provides a way for you to store and share information with your group members. With the book feature you can:

  • Add book pages and organize them hierarchically into different books.
  • Attach files to pages to share them with others.
  • Track changes that others have made and revert changes as necessary.
  • Archive books that are no longer of interest to the group. Archived books can be reactivated later if needed.

The revisions let you track differences between multiple versions of a post.