This shows how to install an SSL certificate for a website hosted using the DTC control panel. It does not cover installing an SSL certificate for the DTC admin panel itself.
Each website requires a dedicated IP address
Configure website in DTC
DTC does not currently support Server Name Indication (SNI), so every website that needs its own SSL certificate must be served from a dedicated IP address.
First, add the SSL IP address to the host itself, e.g. as an additional address in /etc/network/interfaces.
Go into the DTC admin panel and:

- under DTC General Configuration > General, set "show ssl tokens in my account" to Yes and set "Allow use of name based shared SSL vhosts" to No
- under DTC General Configuration > IP Addresses and Network, add the IP address to "Host IP addresses" if you have not already, and make sure "Use multiple IPs" is off
- under DTC General Configuration > SSL IP Addresses, add the IP address to be assigned to the site
- under User Administration > {username} > Client interface > My account, click the "Buy an SSL IP" button; you will be sent to the Client Payment screen, but it seems you don't have to do anything here
- under User Administration, there will be a new order listed in the alert screen; validate that
- under User Administration > {username} > Domain config, select the IP address from the drop down list for the domain you are configuring
- under User Administration > {username} > Client interface > {domain} > Sub-domains, edit your subdomain (probably www), select the IP address from the list at "SSL vhost listens on this IP" and save
Wait at least 10 minutes for the next DTC cron job to run.
At this point, test that the website is up on the new IP address, and that https works. DTC will generate a self-signed certificate for the site, so you will see a warning about it, but the site should function. A little more info and screenshots of this process are found at the DTC FAQ for SSL certificates.
Replace the self-signed certificates
Assuming your website now works with https, all that's needed is to locate the generated certificate files for this domain and replace them with your purchased certificate.
Your website files are stored in a html/ directory, and the generated SSL certificates are stored in the adjacent ssl/ directory.
dtc1:~# ls -lF /var/www/sites/username/domain.com/subdomains/www/
total 36
drwxr-x--- 2 dtc  dtcgrp  4096 Apr 29  2013 cgi-bin/
drwxr-xr-x 3 dtc  dtcgrp  4096 Oct 13  2013 home/
drwxr-x--- 5 dtc  dtcgrp  4096 Mar  5 10:26 html/
drwxr-x--- 6 dtc  dtcgrp 12288 Apr 12 06:26 logs/
drwx------ 2 dtc  dtcgrp  4096 Sep 23  2012 root/
drwxr-xr-x 2 root root    4096 Oct  3  2013 ssl/
drwxrwxrwt 2 dtc  dtcgrp  4096 Apr 14 01:55 tmp/
dtc1:~# ls -lF /var/www/sites/username/domain.com/subdomains/www/ssl/
total 16
-rw-r--r-- 1 root root  963 Oct  3  2013 privkey.pem
-rw-r--r-- 1 root root 1034 Oct  3  2013 www.domain.com.cert.cert
-rw-r--r-- 1 root root  818 Oct  3  2013 www.domain.com.cert.csr
-rw-r--r-- 1 root root  887 Oct  3  2013 www.domain.com.cert.key
As can be seen, DTC created the ssl/ directory and the generated files owned by root, which means a customer cannot replace them. At the same time, it also means the webserver cannot overwrite them, which is preferable for security. If you need the client to replace their own certificate files, run chown -R dtc:dtcgrp /var/www/sites/username/domain.com/subdomains/www/ssl/; bear in mind that after that chown anything running as the dtc user (which also owns the site's html/ tree) can rewrite the site's key and certificate. Note too that the listing shows privkey.pem and www.domain.com.cert.key with mode 0644, i.e. readable by every local user on the box. Apache reads the key as root when it starts, so nothing needs those files to be world-readable; tighten them to 0600.
Backup the old certificate files.
dtc1:~# cd /var/www/sites/username/domain.com/subdomains/www/ssl/
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# for f in www.*.cert.*
> do
> mv $f $f.old
> done
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# ls -l
total 16
-rw-r--r-- 1 root root  963 Oct  3  2013 privkey.pem
-rw-r--r-- 1 root root 1034 Oct  3  2013 www.domain.com.cert.cert.old
-rw-r--r-- 1 root root  818 Oct  3  2013 www.domain.com.cert.csr.old
-rw-r--r-- 1 root root  887 Oct  3  2013 www.domain.com.cert.key.old
Generate a CSR. This will be submitted to whomever you are buying your SSL certificate from. The Common Name must be the exact host name clients will connect to (here www.domain.com). The -nodes option leaves the new private key unencrypted, which Apache needs in order to start unattended, so protect the key file with permissions rather than a passphrase; on older OpenSSL releases that still default to SHA-1, add -sha256 so the request is signed with SHA-256. It can help to put a date in the filename, as you never know how often you'll need to reissue a certificate nowadays.
dtc1:~# mkdir /root/ssl
dtc1:~# cd /root/ssl/
dtc1:~/ssl# openssl req -out domain.com-20150417.csr -new -newkey rsa:2048 -nodes -keyout domain.com-20150417-private.key
Generating a 2048 bit RSA private key
.....................................................+++
...................................................................+++
writing new private key to 'domain.com-20150417-private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Merino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domain.com, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:webmaster@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
dtc1:~/ssl# cat domain.com-20150417.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC0DCCAbgCAQAwgYoxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhDb2xvcmFkbzEP
MA0GA1UEBxMGTWVyaW5vMRkwFwYDVQQKExBEb21haW4uY29tLCBJbmMuMRcwFQYD
VQQDEw53d3cuZG9tYWluLmNvbTEjMCEGCSqGSIb3DQEJARYUd2VibWFzdGVyQGRv
bWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGF+ibRDla
1uSL1AmvEzMITNKHP01Y+gFZ6BVXfTzoFl4ANO33orMAhXaOev+/FOr1IbzDISK1
ixbCpatkK+hIZzxcWQUq4P5cWNy/19NLUfNfENghxcxzmMPdTI6IdXVsPUVaV/0p
uJn88WnYgf471cRf5WXz3ykxub3lfupktQptlLDVZLg+ez3Ptz2dF1DF7Tr2djRH
Xop69Q5Yy4v3d3xjsU8mImvX5t7pNTFQ8b7eEk/AnvZcCd9SM3XIAkBpir+P3UFc
QC51odUzScz+yf9glDZTZ0Cgc1swjDD+07omSsquCfJx2PTn55JsT6udlFqFhnre
eGKBbd8N1ba5AgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAvKHh8tRTVNo4e8ns
AFGr7TD6JoZ5JVeuElBBAF1NIBMQGztOKZtQ6ROV2IdwqfwSPh5kSXacLkhxE8jt
/o/U0bWD3DOFbLiboRQVStdlv0Del1iJ+IVZaMsUliggawvSyKBD/Qsqhgr+MjJm
tA+8aQIvW6AgBUGpCYp69rkwdowGejYti+QIvy7dIwU3ae1S3Z8MMcAMjGqLqHSa
2dGOet/qKD1qXzwstyosd1qOVq9ja/vkixI8lkeX5yoCJFVvaBVQFz+sk37e+hZp
+7G84PJDVyqAQeX5ktoOrLDLjBfTcGXH/ZrM5zD5y1WK3EunhYAcNM7VG6rxbr3r
WX4ZQw==
-----END CERTIFICATE REQUEST-----
Send that CSR text off to your certificate issuer and you'll get back your signed certificate, along with their root certificate and one or more intermediate certificates. You need to combine all of these into a single .pem file, along with the unencrypted PKCS8 format of your key. Order matters: the key, then your own certificate, then the intermediates with the one that signed your certificate first, then the root. Clients must already trust the root, so serving it adds nothing, but it does no harm in the bundle. Check that the intermediates you received are the ones your certificate actually chains through; a wrong or missing intermediate is the usual cause of a site that looks fine in one browser (which happens to have the intermediate cached) and fails in another.
dtc1:~/ssl# openssl pkcs8 -topk8 -in domain.com-20150417-private.key -out domain.com-20150417-private.key.pkcs8 -nocrypt
dtc1:~/ssl# cat domain.com-20150417-private.key.pkcs8 domain.com-20150417.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com-20150417.pem
Now just copy that .pem file to where the generated certificate files were, point the file names DTC's apache config expects at it with symlinks, and restart apache. The .pem contains the private key, so set it to mode 600 first: a plain cp as root would otherwise leave it as world-readable as the generated files were. It is also worth running apache2ctl configtest before the restart, since a broken certificate file takes every site on the host down with it, not just this one:
dtc1:~/ssl# cp domain.com-20150417.pem /var/www/sites/username/domain.com/subdomains/www/ssl/
dtc1:~/ssl# cd /var/www/sites/username/domain.com/subdomains/www/ssl/
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# ln -s domain.com-20150417.pem www.domain.com.cert.cert
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# ln -s domain.com-20150417.pem www.domain.com.cert.key
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# service apache2 restart
Restarting web server: apache2 ... waiting .
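The hand-typed cat above trusts you to have picked the right key and the right intermediates, and leaves the resulting file with whatever mode root's umask gives it. The following is an added example, written for this page and not code from the original post or from the DTC project, that builds the same key+chain .pem but refuses to write it unless the certificate really belongs to the private key and chains to the root through the supplied intermediates, and creates it mode 0600 from the start. It assumes only that the openssl command-line tool is installed; the key, certificate and bundle file names are plain arguments, and the function names (build_bundle, key_matches_cert, chain_verifies, count_certs) are this example's own, not anything DTC provides.

```shell
#!/bin/sh
# Added example (not from the original page or from DTC): assemble the combined
# key + leaf + intermediates + root .pem that www.domain.com.cert.cert and
# www.domain.com.cert.key get symlinked to, with sanity checks first.
# Assumes the openssl CLI is installed. File names are illustrative arguments.
#
# Usage: build_bundle KEY CERT ROOT OUT [INTERMEDIATE ...]
#   e.g. build_bundle domain.com-20150417-private.key domain.com-20150417.crt \
#          AddTrustExternalCARoot.crt domain.com-20150417.pem \
#          COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
set -eu

# SHA-256 of the DER-encoded public key taken from either a private key ("key")
# or a certificate ("cert"), so the two can be compared without printing secrets.
pubkey_fp() {
    if [ "$1" = key ]; then
        openssl pkey -in "$2" -pubout -outform DER
    else
        openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# True if certificate $2 was issued for the public key inside private key $1.
key_matches_cert() {
    [ "$(pubkey_fp key "$1")" = "$(pubkey_fp cert "$2")" ]
}

# True if leaf $1 verifies against root $2, using any remaining arguments as
# untrusted intermediates (the CA-supplied bundle certificates).
chain_verifies() {
    leaf=$1; root=$2; shift 2
    if [ $# -eq 0 ]; then
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
        return
    fi
    inter=$(mktemp)
    cat "$@" > "$inter"
    if openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
        rm -f "$inter"; return 0
    fi
    rm -f "$inter"; return 1
}

# Write OUT as: PKCS#8 key, leaf, intermediates (nearest the leaf first), root.
# The file is created under umask 077 because it carries the private key.
build_bundle() {
    key=$1; cert=$2; root=$3; out=$4; shift 4
    if ! key_matches_cert "$key" "$cert"; then
        echo "error: $cert was not issued for the public key in $key" >&2
        return 1
    fi
    if ! chain_verifies "$cert" "$root" "$@"; then
        echo "error: $cert does not chain to $root with the given intermediates" >&2
        return 1
    fi
    rm -f "$out"
    (
        umask 077
        {
            openssl pkcs8 -topk8 -nocrypt -in "$key"
            cat "$cert" "$@" "$root"
        } > "$out"
    )
}

# Number of certificates in a bundle (leaf + intermediates + root).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}
```

The key-match check compares public-key fingerprints rather than RSA moduli, so it works unchanged for ECDSA keys. A failed chain check usually means the issuer sent a different intermediate than the one your certificate was signed under, or that you listed them in the wrong order; fix the inputs rather than commenting the check out.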
And that's it. Reload the site and check the certificate you're presented: confirm it is the new one, that the full chain is served, and that the old self-signed warning is gone. Browsers cache intermediates they have seen before, so test from a client that has not visited the site, or with a command-line TLS client, to be sure the chain is complete.
Comments
A note if your SSL IP expires
Submitted by jesse on
A note if your SSL IP expires and you add it back, or otherwise "touch" the SSL IP for a subdomain: expect your site to break.
Specifically, if you get a connection reset error, you have this problem; the apache config gets generated without the correct Listen addr:443 line, and pointing to the wrong certificate files. As alluded to in this post, the solution is to rename the site's ssl directory and let DTC regenerate self-signed certificates again:

Then edit the subdomain, set the SSL IP to none and then back to the correct address. After the next cron run, the apache config will be correct again. You'll need to put your old certificates back then: