Old:4.0-Mona: Enable SSL

Revision as of 12:43, 21 June 2013 by BobS (talk | contribs) (BobS moved page 4.0-Mona: Enable SSL to Old:4.0-Mona: Enable SSL without leaving a redirect)


The Uniform Server 4-Mona

How to enable SSL on Uniform Server 4.0-Mona

Strange as this may sound, although Uniform Server 4.0-Mona has integrated SSL support, it is not enabled by default. In addition, you will find no demo certificates or keys. The reason is quite simple: security. You are forced to create your own personal server certificate and key.

So you are not a crypto expert! No problem, the whole process has been fully automated. This page covers how to enable SSL, produce a self-signed server certificate and enable password protection for the areas of the secure server you want protected.

Enable SSL

SSL is enabled in Apache's configuration file; there is no need to worry about this, as it is enabled automatically after a new server certificate and key are created.

The following is provided for completeness and outlines the manual procedure. After creating a new certificate, uncomment a line in Apache's configuration file; this enables SSL.

File: \UniServer\udrive\usr\local\apache2\conf
Change this line:
From: #LoadModule ssl_module modules/mod_ssl.so
To: LoadModule ssl_module modules/mod_ssl.so

When Apache is restarted it loads the module mod_ssl.so. This has a knock-on effect: the following part of the configuration file becomes active.

<IfModule mod_ssl.c>
  Include conf/ssl.conf
</IfModule>

This loads the configuration file for SSL and sets up Apache accordingly. Before Apache can start it needs to load the server certificate server.crt and the key server.key, found in these folders respectively:

\UniServer\udrive\usr\local\apache2\conf\ssl.crt\
\UniServer\udrive\usr\local\apache2\conf\ssl.key\

If either of the files server.crt or server.key does not exist, Apache will refuse to start; bear this in mind when manually editing the configuration files. Remember that this is enabled automatically once a new server certificate and key are created.
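The two preconditions above (an uncommented LoadModule line, and both server.crt and server.key present) are exactly what a preflight check should confirm before restarting Apache, since a half-finished manual edit leaves Apache refusing to start. The following is an added example written for this page, not a script shipped with Uniform Server; the default folder path follows the layout stated above, and the sample configuration text is constructed from the "From:" line shown earlier.

```python
"""Preflight check for the manual SSL-enable procedure on Uniform Server 4.0-Mona.

Added example (not part of Uniform Server). It confirms the two things Apache
needs before it will start with SSL:
  1. the LoadModule ssl_module line in the Apache config is uncommented, and
  2. server.crt and server.key exist under conf/ssl.crt and conf/ssl.key.
"""
import os
import re

# Assumption: the Apache conf folder as laid out on the page.
DEFAULT_CONF_DIR = r"\UniServer\udrive\usr\local\apache2\conf"

# Matches the LoadModule line with or without a leading '#'.
LOADMODULE_RE = re.compile(
    r"^\s*(#?)\s*LoadModule\s+ssl_module\s+modules/mod_ssl\.so\s*$"
)


def ssl_module_state(conf_text):
    """Return 'enabled', 'disabled' (line present but commented) or 'missing'."""
    state = "missing"
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if m:
            if m.group(1) == "":
                return "enabled"
            state = "disabled"
    return state


def missing_ssl_files(conf_dir):
    """List the certificate/key files Apache expects that are absent."""
    expected = [
        os.path.join(conf_dir, "ssl.crt", "server.crt"),
        os.path.join(conf_dir, "ssl.key", "server.key"),
    ]
    return [p for p in expected if not os.path.isfile(p)]


def preflight(conf_text, conf_dir):
    """Return (ok, problems). ok is True only when Apache can start with SSL."""
    problems = []
    state = ssl_module_state(conf_text)
    if state != "enabled":
        problems.append(f"ssl_module is {state} in the Apache configuration")
    for path in missing_ssl_files(conf_dir):
        # An enabled module with a missing file is the case Apache refuses to start on.
        problems.append(f"required file not found: {path}")
    return (not problems, problems)


# Constructed sample: the shipped ('before') state shown on the page.
SAMPLE_CONF = (
    "#LoadModule ssl_module modules/mod_ssl.so\n"
    "<IfModule mod_ssl.c>\n"
    "  Include conf/ssl.conf\n"
    "</IfModule>\n"
)

if __name__ == "__main__":
    ok, problems = preflight(SAMPLE_CONF, DEFAULT_CONF_DIR)
    print("OK" if ok else "NOT READY")
    for p in problems:
        print(" -", p)
```

Run it against the real httpd.conf text and conf folder before each restart; on the shipped configuration it reports the module as disabled and both files missing, which is the expected state before Run.bat has been used.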


Creating a new server certificate and key

Uniform Server is very versatile and has several methods of doing this; choose one from the following.

Note: Whichever method you choose, Apache needs restarting so that it picks up the new configuration.


Method 1 Apanel

  1. From the left menu, scroll down to Plugin Manager and click the link Server Key & Cert Gen.
  2. A new page opens, "Server Certificate and Key Generation"; click the link Generate.
  3. Enter the certificate information (see below).
  4. That's it; remember to restart the servers.


Method 2 Apanel

  1. From the left menu, click the link Server Security; a new page opens, Security Center.
  2. Scroll down to the section Server Certificate and Key (SSL). To the right a link will display Unsecure (only when a certificate has not already been created); click this link, it takes you to the page Server Certificate and Key Generation.
  3. Click the link Generate (OK! So it's the same page as above).
  4. Enter the certificate information (see below).
  5. Remember to restart the servers.


Method 3 Manually

  1. Navigate to the folder UniServer\udrive\plugins\key_cert_gen.
  2. Double click on Run.bat (note: it is not necessary to have the servers running).
  3. Enter the certificate information (see below).
  4. Once complete, restart the servers.

Note 1: All methods use Run.bat. This batch file runs the Perl script ssl_gen.pl, which generates the server certificate and server key, copies them to their correct location and enables SSL in Apache's configuration file.

Note 2: The server key does not contain a pass phrase; this is not supported on Windows and would prevent Apache starting.

Note 3: When run as a service, Methods 1 and 2 are unavailable; you must manually run the batch file located in the folder C:\UniServer\plugins\key_cert_gen.


Certificate information

When the Perl script runs you will be prompted for three pieces of information, CN, OU and O, as described below.

Localhost

If you are running a local test server just press Enter to accept the defaults. This will allow you to quickly produce a secure server. If you wish, change OU (organisation unit) and O (organisation) to something different; however, do not change the default CN (common name).

Note: If you have changed the SSL port from 443 to, say, 444, you must change the common name from localhost to localhost:444.

Real Domain

If you have a real domain name, for example www.fred.com, enter that at the CN (common name) prompt. The remaining two parameters, OU (organisation unit) and O (organisation), are not strictly required, so feel free to enter something that meets your requirements.

Note: If you have changed the SSL port from 443 to, say, 444, you must add this to your domain name, www.fred.com:444, otherwise the certificate will be rejected.


Running the secure server

At this stage it's worth pointing out that the secure and non-secure servers are completely separate; use the appropriate Web root folder:

Web root folders

The Web root folders are:

  • UniServer\udrive\www -- Contains all your non-secure sites and pages
  • UniServer\udrive\ssl -- Contains only sites and pages that require encryption

View secure pages

To view secure (encrypted) pages type the following into your browser:

https://localhost/

Or if you have a real domain name

https://www.mydomain.com/

Note: If you changed the SSL port to, say, 444, this needs to be included; hence you would type the following:

https://localhost:444/

Or if you have a real domain name

https://www.mydomain.com:444/

One drawback with self-signed certificates is that browsers rightly complain they cannot be trusted. The next section shows how to resolve this issue.


Browser issues and Problems

With self-signed certificates your browser will issue error messages.

This section looks at two browsers, FireFox 3.0.5 and IE7, which provide examples of the type of error messages and how to resolve them.

FireFox 3.0.5

On viewing a secure page in FireFox you will be greeted with this little chap and the following error message:


Secure Connection Failed
The certificate is not trusted because it is self signed.
(Error code: sec_error_ca_cert_invalid)

The solution is to import the certificate into your browser as follows:

  1. Click the link Or you can add an exception…
  2. Click the link Add Exception (opens a new pop-up)
  3. Click Get Certificate (top right)
  4. Check the box Permanently store this exception (bottom left)
  5. Click Confirm Security Exception

This saves the certificate and allows you to view the secure server unrestricted.

Note: to the left of https://localhost the symbol turns blue. Blue indicates a secure encrypted connection.

Click this icon. A drop-down is displayed; the information shows the connection is secure.

What about "Which is run by unknown"?


A standard SSL certificate, even one signed by a CA, will not resolve the "Which is run by unknown" issue. What is required is an Extended Validation (EV) SSL certificate; this raises the security level to green. You can purchase this type of signing, however it comes at a high price because both the site and the site owner require verification.


IE 7

On viewing a secure page in IE you will be greeted with a red shield and the following error message:


There is a problem with this website's security certificate
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

On the alert page click the link Continue to this website (not recommended). This allows the page to be displayed; notice the navigation bar turns red.

Import the certificate:

  1. Click the icon Certificate error to the right of the navigation bar. A pop-up is displayed: Untrusted Certificate.
  2. At the bottom of this pop-up click View Certificates.

A new pop-up is displayed: Certificate.

  1. Click Install Certificate and follow the instructions.
  2. Either refresh the page or restart IE. When the page is viewed, a normal secure navigation bar is displayed.



Trusted CA

It is strongly recommended to obtain a certificate signed by a trusted CA; check out this Wiki page for details.

CAcert Signing Process

You will need the certificate signing request file; this is located at:

\UniServer\udrive\plugins\key_cert_gen\server.csr


How to put SSL server on-line

The server has been locked down to allow only local access. You can develop sites while connected to the Internet knowing that external access has been restricted.

To enable external access, either on a local network or from the Internet, you need to edit the file:

UniServer\udrive\ssl\.htaccess

Locate the following lines:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

These lines restrict access to localhost (IP address 127.0.0.1):

  • Order Deny,Allow
  • Deny from all
  • Allow from 127.0.0.1

Comment the lines out by adding a hash "#" as shown:

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

There is no need to restart the server; your server is now externally accessible.

Note 1: All lines beginning with a hash are comments and are ignored by Apache.

Note 2: There is a corresponding .htaccess file for the unencrypted server, located in the root folder www; edit this file as above to put that part of the server on-line.


Name/Password protected server

The entire SSL server can be name/password protected as follows:

Edit file UniServer\udrive\ssl\.htaccess

Locate the following lines:

#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user

To enable name/password protection, un-comment the lines by removing the hash "#" as shown:

AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user

No need to restart the servers; .htaccess files are picked up automatically.

Access a secure page on the server, e.g. type https://localhost into your browser. If you have a real domain name use that.

You will be challenged for a name and password. The defaults are root and root.
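The two edits described in this section and the previous one ("How to put SSL server on-line" and "Name/Password protected server") both live in the same .htaccess file, and the combination that matters is whether the folder has been opened to external access without the Basic authentication lines also being un-commented. The following audit is an added example written for this page, not part of Uniform Server; it reads the directives exactly as they appear on the page, and the two sample .htaccess texts are constructed from those directives.

```python
"""Audit the state of a Uniform Server ssl/.htaccess file.

Added example (not part of Uniform Server). It reports whether the folder is
still locked down to 127.0.0.1 (the shipped state) or has been opened up, and
whether Basic name/password protection is active, so the exposed-and-unprotected
combination is easy to spot before the server is put on-line.
"""
import re


def active_directives(text):
    """Return the uncommented, non-blank lines, with whitespace normalised."""
    out = []
    for line in text.splitlines():
        s = " ".join(line.split())
        if s and not s.startswith("#"):
            out.append(s)
    return out


def audit_htaccess(text):
    """Summarise who can reach the folder and whether a login is required.

    access    : 'localhost-only' when Order Deny,Allow / Deny from all /
                Allow from 127.0.0.1 are all active; 'open' when none of the
                three is active; 'partial' otherwise (a half-edited file).
    auth      : True when AuthType, AuthUserFile and Require valid-user are all
                active (AuthName is only the prompt text, so it is not required).
    auth_file : the AuthUserFile path, or None.
    """
    lines = active_directives(text)
    lowered = [l.lower() for l in lines]
    lockdown = ("order deny,allow", "deny from all", "allow from 127.0.0.1")
    active_count = sum(1 for rule in lockdown if rule in lowered)
    if active_count == 3:
        access = "localhost-only"
    elif active_count == 0:
        access = "open"
    else:
        access = "partial"

    auth_type = any(l.startswith("authtype ") for l in lowered)
    require = "require valid-user" in lowered
    auth_file = None
    for l in lines:
        m = re.match(r"AuthUserFile\s+(\S+)", l, re.IGNORECASE)
        if m:
            auth_file = m.group(1)
    auth = auth_type and require and auth_file is not None
    return {"access": access, "auth": auth, "auth_file": auth_file}


def exposure_warning(result):
    """Return a warning string for the risky combination, or None when fine."""
    if result["access"] == "open" and not result["auth"]:
        return "folder is externally reachable and no name/password is required"
    if result["access"] == "partial":
        return "lockdown directives are only partly active; check the file"
    return None


# Constructed samples built from the directives shown on the page.
SHIPPED = (
    "Order Deny,Allow\n"
    "Deny from all\n"
    "Allow from 127.0.0.1\n"
    "\n"
    '#AuthName "Uniform Server - Secure Server Access"\n'
    "#AuthType Basic\n"
    "#AuthUserFile /htpasswd/ssl/.htpasswd\n"
    "#Require valid-user\n"
)
OPENED_PROTECTED = (
    "#Order Deny,Allow\n"
    "#Deny from all\n"
    "#Allow from 127.0.0.1\n"
    "\n"
    'AuthName "Uniform Server - Secure Server Access"\n'
    "AuthType Basic\n"
    "AuthUserFile /htpasswd/ssl/.htpasswd\n"
    "Require valid-user\n"
)

if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED), ("opened+protected", OPENED_PROTECTED)):
        result = audit_htaccess(text)
        print(label, result, exposure_warning(result))
```

Point it at the real UniServer\udrive\ssl\.htaccess (and the www copy mentioned in Note 2 above) and act on any warning before connecting the machine to an untrusted network.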


Change name and password

You have two methods of changing the name and password: either using Apanel or manually, as follows.

Apanel

  1. Start Apanel either from Unicontroller or by typing http://localhost/apanel into your browser.
  2. Using the left menu, navigate to the section Configurations and click the link Private Secure Server Config.
  3. This opens the Private Secure Server Configuration (SSL) page and displays the current name and password; change these and click the Change button.

Manually edit password file

  1. Edit the file UniServer\udrive\htpasswd\ssl\.htpasswd
  2. Change the current name and password (in that order) to your new values.

Note: Use a single colon ":" between name and password; do not enter any spaces or carriage returns at the end of the password.


Name/Password protected single folder

To protect a single folder rather than the entire SSL server, copy the .htaccess file to the folder you want protecting.

Edit the copied .htaccess file as explained above; the four lines look like this:

AuthName "Uniform Server - Secure Server Access"
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user

Make sure you have not changed the .htaccess file in the ssl folder, otherwise the entire server will remain under name/password control. Hence its lines must be commented out as shown:

#AuthName "Uniform Server - Secure Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/ssl/.htpasswd
#Require valid-user

Note: The name and password are those used for the main SSL server; change these as described above.


Name/Password protected multi folders

It is possible to assign a user their own protected folder with a unique name/password pair. For example, take these three users: John, Mike and Ruth.

First create three new folders in UniServer\udrive\htpasswd\ssl:

  • UniServer\udrive\htpasswd\ssl\john
  • UniServer\udrive\htpasswd\ssl\mike
  • UniServer\udrive\htpasswd\ssl\ruth

Copy file UniServer\udrive\htpasswd\ssl\.htpasswd into each of the above folders.

Edit each copied .htpasswd file to contain the new name/password pair you want to assign to each user.

Now create three new folders in UniServer\udrive\ssl:

  • UniServer\udrive\ssl\john
  • UniServer\udrive\ssl\mike
  • UniServer\udrive\ssl\ruth

Copy the unmodified file UniServer\udrive\ssl\.htaccess to each of these new folders.

Edit each .htaccess file in turn: enable password protection and change the path to the new location of the corresponding .htpasswd file. I have shown an example for john:

AuthName "John please enter your name and password"
AuthType Basic
AuthUserFile /htpasswd/ssl/john/.htpasswd
Require valid-user

Note 1: All files and sub-folders in John's folder are protected by his name/password pair.

Note 2: John has decided to share the information in his protected area with Ruth but not with Mike. Hence John's .htpasswd file will look similar to this:

John:xxxxxxx
Ruth:yyyyyyy

Note 3: Do not enter any spaces after John's password; only a carriage return is allowed. After Ruth's password do not enter any spaces or carriage returns.

Note 4: You can add any number of name/password pairs to a .htpasswd file.
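The layout rules for .htpasswd given in the notes above and in "Manually edit password file" (one name:password per line, a single colon, no spaces after a password, no carriage return after the last entry) are easy to get wrong in a text editor, and a malformed line silently locks the user out. The following validator is an added example written for this page, not a tool shipped with Uniform Server; it encodes exactly those rules and nothing else, and the sample file contents are constructed from John's file shown above. Apache on Windows also accepts hashed entries produced by the bundled htpasswd tool, which this validator treats like any other password text.

```python
"""Validate the plain-text .htpasswd layout used by Uniform Server 4.0-Mona.

Added example (not part of Uniform Server). Rules checked, all taken from the
page: one name:password pair per line separated by a single colon, no leading
or trailing spaces, no blank lines, no carriage return after the last entry,
and no duplicate names (the first entry would silently win otherwise).
"""


def validate_htpasswd(text):
    """Return a list of (line_number, message). Empty list means the file is clean.

    Line numbers are 1-based; 0 refers to the end of the file.
    """
    problems = []
    if text == "":
        return [(0, "file is empty; no name/password pairs")]
    if text.endswith("\n") or text.endswith("\r"):
        problems.append((0, "carriage return after the last password"))
    seen = set()
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == "":
            problems.append((no, "blank line"))
            continue
        if raw != raw.rstrip():
            problems.append((no, "trailing space(s) after the password"))
        if raw != raw.lstrip():
            problems.append((no, "leading space(s) before the name"))
        line = raw.strip()
        if ":" not in line:
            problems.append((no, "no colon between name and password"))
            continue
        # Split on the first colon only, so a password may itself contain one.
        name, password = line.split(":", 1)
        if name == "" or any(ch.isspace() for ch in name):
            problems.append((no, "name is empty or contains spaces"))
        if password == "":
            problems.append((no, "empty password"))
        if name in seen:
            problems.append((no, f"duplicate entry for {name}"))
        seen.add(name)
    return problems


def load_htpasswd(text):
    """Parse a clean file into {name: password}; raise ValueError listing problems."""
    problems = validate_htpasswd(text)
    if problems:
        raise ValueError(problems)
    return dict(line.split(":", 1) for line in text.splitlines())


# Constructed sample: John's file from the page, with placeholder passwords.
JOHN_HTPASSWD = "John:xxxxxxx\nRuth:yyyyyyy"

if __name__ == "__main__":
    for no, msg in validate_htpasswd(JOHN_HTPASSWD) or [(0, "file is clean")]:
        print(no, msg)
    print(sorted(load_htpasswd(JOHN_HTPASSWD)))
```

Run it over each .htpasswd copy after editing (the main ssl file and the per-user copies in john, mike and ruth); a reported line number points straight at the entry that would fail the browser's name/password challenge.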


Related Information

SSL Part 2: Generate CSR -- How to obtain a free certificate

Stunnel: SSL Certificate -- Background information

SSL Part 1: Key & Certificate -- Background information


Summary

The above has shown how easy it is to enable SSL on Uniform Server 4.0-Mona and, should you wish, how to password protect folders.
