Best methods to install SSL on PHP website.


theITvideos

Hi there,

I am working on a PHP ecommerce website. I am going to install SSL on a few of the pages.

I need to install it on the Apache web server coz that's the server our PHP website is running on.

How do we go about installing SSL on a PHP website?

Can anybody please guide me in the right direction?

All comments and feedback are always welcomed.  :)

Thank you!

Link to comment
Share on other sites

It really depends on how your server is configured... But most SSL providers will give you a near step-by-step guide for your server... and... this really isn't a PHP question.

Our server has a simple PHP Apache configuration. Can you recommend any good SSL providers?

I understand that there are two types:

  • Self-signed SSL Certificate (I think this is the one we can create on our own)
  • Trusted SSL Certificate (This I suppose is the paid version)

I am just a newbie on this.

So do I contact some good company and they'll provide me with the instructions?

Well, before that I want to create a self-signed SSL on my WAMP just to get a taste of how it looks on my localhost.

What do you suggest on this? :)

Thank you!

Link to comment
Share on other sites

In order to use SSL you need to do two things:

1) Obtain a certificate for your domain

2) Configure Apache to load the certificate

 

For testing purposes you can generate a self-signed certificate in order to become familiar with how to install it on the web server.  However, since you are probably not a Certificate Authority, any visitors seeing a self-signed certificate on your production box will be prompted with a "Do you trust this certificate?" prompt.

 

In order to generate a self-signed cert for testing, here is a simple bash script you could use:

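#!/bin/bash
# Usage: ./make-cert.sh <hostname>
hostname=$1
country=US
state=California
location="Los Angeles"   # quoted because the value contains a space

rm -f "$hostname.pem"
# Self-signed certificate and unencrypted private key (-nodes), both written to the same file
openssl req -new -x509 -nodes -days 3650 -subj "/C=$country/ST=$state/L=$location/CN=$hostname" -newkey rsa:2048 -keyout "$hostname.pem" -out "$hostname.pem"
# The file contains the private key, so only the owner may read it
chmod u=rw,go= "$hostname.pem"
exit 0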

You can read the man page for openssl to learn more about each of those options or find some tutorials on the web.

 

Let's say that script is called make-cert.sh and you want to create a testing site called devsite, you would enter the following at a command prompt:

$ ./make-cert.sh devsite

And the script would make a file devsite.pem

 

The next step is to configure Apache.  This will depend on your Apache version, but for example let's say you have Apache 2.

1) You need to locate the ssl.conf files included with your Apache distribution and load them into the configuration.

2) Configure your vhost to use the certificate

<VirtualHost devsite:80>
  ServerAdmin email@domain.com
  RewriteEngine on
  RewriteCond %{HTTPS} !on
  RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
</VirtualHost>

<VirtualHost devsite:443>
  ServerAdmin email@domain.com
  ServerName devsite
  SSLEngine on
  # TLSv1 is obsolete today; on Apache 2.4 builds that support it, prefer: SSLProtocol -all +TLSv1.2
  SSLProtocol TLSv1
  SSLCipherSuite HIGH
  # assuming certs are in $APACHE_HOME/certs; the .pem holds both the certificate and its private key
  SSLCertificateFile certs/devsite.pem
  DocumentRoot /var/www/devsite
  <Directory /var/www/devsite>
    SSLRequireSSL
    Order Allow,Deny
    Allow from 192.168 127
  </Directory>
</VirtualHost>

 

Restart the Apache service and check the error logs for problems.

 

That vhost configuration will send all non-ssl requests to SSL, therefore making the entire site SSL.  You could add additional RewriteCond directives to redirect only for certain pages if you wanted.

 

When it comes time to make a certificate for your production box you perform essentially the same steps.  However instead of a self-signed certificate you need to generate a CSR (certificate signing request).  You send this CSR to a true CA (certificate authority).  The CA will verify all of the details contained in the CSR and within a few business days will send you back your certificate.  They typically provide two files, a domain.key and a domain.crt; you can concatenate these two files into domain.pem for your Apache installation if you desire.

 

This page contains useful SSL information:

http://www.madboa.com/geek/openssl/

Link to comment
Share on other sites
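
The production step described in this answer (generate a CSR, send it to a CA, then concatenate domain.key and domain.crt into domain.pem), as an added example that is not part of the original post. It goes beyond the post by checking that the certificate the CA returns matches the private key before the .pem is built; the function names and the make-csr.sh script name are hypothetical.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are made up here; file
# names follow the post's domain.key / domain.crt / domain.pem.
# Usage: ./make-csr.sh www.example.com   (writes the .key and .csr to .)

# make_csr HOST DIR: new RSA key plus CSR; files are owner-only (umask 077).
make_csr() {
  local host="$1" dir="$2"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -subj "/C=US/ST=California/L=Los Angeles/CN=$host" \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null )
}

# csr_ok CSR HOST: the CSR's self-signature verifies and its CN is HOST.
csr_ok() {
  local subj
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253) || return 1
  case "$subj," in *"CN=$2,"*) return 0 ;; *) return 1 ;; esac
}

# pubkey_of FILE: PEM public key of a private key, CSR or certificate.
pubkey_of() {
  case $(grep -m1 -- '-----BEGIN' "$1") in
    *REQUEST*)     openssl req  -in "$1" -noout -pubkey ;;
    *CERTIFICATE*) openssl x509 -in "$1" -noout -pubkey ;;
    *)             openssl pkey -in "$1" -pubout ;;
  esac
}

# same_key A B: both files carry the same, non-empty public key.
same_key() {
  local a
  a=$(pubkey_of "$1" 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$(pubkey_of "$2" 2>/dev/null)" ]
}

# build_pem KEY CRT PEM: concatenate only when the CA's cert matches the key.
build_pem() {
  same_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
  ( umask 077; cat "$1" "$2" > "$3" )
}

if [ "$#" -eq 1 ]; then
  make_csr "$1" . && csr_ok "$1.csr" "$1" && echo "Send $1.csr to the CA; keep $1.key private."
fi
```

Once the CA's certificate arrives, `build_pem domain.key domain.crt domain.pem` produces the combined file and refuses to do so if the two do not belong together.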

Thank you very much for the reply. I am a total newbie.

 

I have created a file called make-cert.sh and pasted the bash script into it. And saved the file in my C directory.

 

Now in my Windows command prompt I am trying to run this file by using the command as:

 

C:\> $ ./make-cert.sh devsite

 

I get '$' unrecognized error.

 

Do we run the make-cert.sh file in the Windows command prompt? How do we create a devsite.pem out of this file, or do we need to call this from inside PHP code?

 

Sorry I am new to this. Please reply :)

 

Thank you!

Link to comment
Share on other sites

The script I provided is a Linux script; you can recognize it as such from the first line: #!/bin/bash

 

Here is a DOS script:

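@echo off
rem Usage: make-cert.bat <hostname>
set hostname=%1
set country=US
set state=California
set location=Los Angeles
rem Directory containing openssl.exe (keep the trailing backslash)
set openssl=C:\Program Files\NuSphere\TechPlat\apache\bin\
set subject="/C=%country%/ST=%state%/L=%location%/CN=%hostname%"
set mycmd="%openssl%openssl.exe" req -new -x509 -nodes -days 3650
rem Append the remaining options to mycmd; the variable name must match the line above, otherwise the command line starts at -subj
set mycmd=%mycmd% -subj %subject% -newkey rsa:2048 -keyout %hostname%.pem -out %hostname%.pem -config "%openssl%openssl.cnf"

%mycmd%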

Name it make-cert.bat and execute as:

make-cert.bat devsite

 

You need to change the C:\Program Files\NuSphere\TechPlat\apache\bin\ to the path on your system where openssl.exe is located.

 

You run this from a DOS command prompt.

Link to comment
Share on other sites

Thanks for your reply.

 

I created a .bat in Windows and set the correct path as you described.

 

Now when I try to run it in Command Prompt using the command as:

 

make-cert.bat devsite

 

I get this error:

 

'-subj' is not recognized as an internal or external command,
operable program or batch file.

 

Do I need to make any changes somewhere in the subject line etc.?

Please see the 2 screenshots I have taken to see exactly what I am getting.

 

Thank you! :)

 

[attachment deleted by admin]

Link to comment
Share on other sites

On a typical Apache installation there will be a file openssl.cnf one directory above the openssl.exe.

 

Copy openssl.cnf into the same directory as openssl.exe or change this part of the bat:

-config "%openssl%openssl.cnf"

to

-config "%openssl%\..\openssl.cnf"

 

The fact that it can't find the config file could be screwing it up, although I doubt that.

 

You could try these two commands at the command prompt without the bat file:

cd \wamp\bin\apache\apache2.2.11
bin\openssl.exe req -new -x509 -nodes -days 3650 -subj "/CN=devsite" -newkey rsa:2048 -keyout devsite.pem -out devsite.pem -config openssl.cnf

 

And failing that take out the -subj part:

cd \wamp\bin\apache\apache2.2.11
bin\openssl.exe req -new -x509 -nodes -days 3650 -newkey rsa:2048 -keyout devsite.pem -out devsite.pem -config openssl.cnf

Link to comment
Share on other sites

Thank you for your reply. I was able to generate the devsite.pem file using the command you mentioned.

 

I found the 'httpd-vhosts.conf' file inside the 'C:\wamp\bin\apache\Apache2.2.11\conf\extra' folder and pasted the <VirtualHost> commands in it and restarted my wamp server. It restarted fine.

 

I also enabled the ssl_module in Apache on my Wamp. Now where do we go from here? I am a newbie bro, what's the next step?

 

Thank you :)

Link to comment
Share on other sites

In your Windows host file, typically in \Windows\system32\drivers\etc\, you need to add a line like:

127.0.0.1 devsite

 

That will enable you to browse to http://devsite and DNS will send it back to your machine where your local WAMP will handle the request.

 

If you set everything up correctly, then http://devsite should automatically redirect to https://devsite

 

If not... well, then you've got some troubleshooting to do.

Link to comment
Share on other sites
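
Two checks that help with the troubleshooting this answer leaves open, as an added example that is not part of the original post: whether the hosts file really maps the name to 127.0.0.1, and whether the .pem that Apache loads holds a private key and an unexpired certificate whose CN is the site name. The function names and the preflight.sh script name are hypothetical, and the permission check assumes a Unix-like file system.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are made up here.
# Usage: ./preflight.sh devsite devsite.pem HOSTS_FILE

# hosts_maps FILE NAME IP: NAME is listed for IP. Handles comments, several
# names per line and the CRLF line endings of a Windows hosts file.
hosts_maps() {
  awk -v name="$2" -v ip="$3" '
    { sub(/\r$/, ""); sub(/#.*/, "") }
    $1 == ip { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) hit = 1 }
    END { exit !hit }' "$1"
}

# pem_findings PEM HOST: print one line per problem; prints nothing when clean.
pem_findings() {
  local pem="$1" host="$2" subj
  grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$pem" || echo "no private key in file"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate in file"; return 0; }
  # The browser compares the name it was asked for with the certificate's name
  subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
  case "$subj," in *"CN=$host,"*) ;; *) echo "certificate CN is not $host" ;; esac
  # -checkend 0 exits non-zero when the certificate is already past notAfter
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || echo "certificate has expired"
  # Characters 5-10 of the mode string are the group and other permission bits
  case $(ls -l "$pem" | cut -c5-10) in
    ------) ;;
    *) echo "private key file is accessible to group or other" ;;
  esac
}

if [ "$#" -eq 3 ]; then
  hosts_maps "$3" "$1" 127.0.0.1 || echo "hosts file does not map $1 to 127.0.0.1"
  pem_findings "$2" "$1"
fi
```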
