(Optional) Configuring SSL for your domain

  • Update the virtual hosting config for your domain

    Setting up SSL for your new domain is optional, but it is recommended - with SSL you can configure Jamroom to use SSL for the login and signup pages, making your site more secure for your visitors.

    Also - if you are using the ShareThis module:

    https://www.jamroom.net/the-jamroom-network/networkmarket/105/share-this

    and want to share audio files via an embedded MP3 player to Facebook, you will need to be running SSL - Facebook requires SSL for media embedding.

    So while it is optional, it is highly recommended to setup SSL for your domain.
  • Note that SSL hosting works best if only one domain is setup for SSL hosting for each IP Address on your droplet - in this guide we're assuming this is the only domain you will be setting up with SSL.

    If other domains on the same droplet need SSL, I would recommend getting additional IP Addresses allocated to your droplet for each domain. There is a way to host multiple SSL sites on the same IP address (SNI), but it lacks support in older browsers. See the following site for more info:

    https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
  • Purchase an SSL Certificate for your website

    The first step in getting setup for SSL is to make sure you have a valid SSL certificate for your site. While you are testing it is OK to use a self-signed certificate, but if you go live you need to have "real" SSL certificate signed by a CA (Certificate Authority) - this ensures visitors to your site do not get an SSL "warning" that your SSL certificate is unsafe.

    I use Namecheap for all of my domains (including jamroom.net):

    http://www.namecheap.com/?aff=59571

    (that has my affiliate ID on there and if you are new to Namecheap they will give me a little kickback, which is awesome :)

    I can highly recommend Namecheap - they are low priced and have a nice, easy to use control panel. If you are currently using another domain registrar they likely sell SSL certificates as well - you can purchase yours through your current registrar.

    (On a side note, if you are on Godaddy I would highly recommend changing - they've moved to a constant "upsell" model to try and tack on all sorts of stuff you don't need, which is really annoying).

    Since each SSL provider handles it differently, make sure and follow the instructions you receive in the email you get when you purchase the SSL certificate for creating the necessary keys to get your SSL certificate created - that won't be covered here.
  • Upload the SSL certificates to your droplet

    After you have received your SSL certificates (via email) from your provider, the next step is to upload the certificates to your server and configure them in your domain.

    I like to store all SSL certificates in the following directory:

    /etc/apache2/certs
    
    and I like to name them with the domain name they belong to, which makes it easy to know which is which if you have multiple SSL domains on the same server.

    So upload your files to the /etc/apache2/certs directory (create the directory if it does not exist) and then name them. Note that along with your SSL certificate you may have received some other "intermediate" or "chained" certificates - these extra certificates need to be uploaded to your server as well as they provide the "chain" of trust browsers need to trace the certificate back to the CA.

    For example - on Jamroom.net here's what the directory listing looks like:

    AddTrustExternalCARoot.crt
    jamroom_net_bundle.crt
    jamroom_net.crt
    jamroom_net.key
    PositiveSSLCA2.crt
    
    the jamroom_net.key is the key that was created as part of the order process when I ordered the SSL certificate - this is the "private" key that the web server needs.
  • Setup your domain to use the SSL certificate

    The next step is to configure the Apache config file for your domain so that SSL is enabled on port 443 and the document root is setup to be the same as your non-SSL website - this ensures Jamroom can switch back and forth between SSL and non-SSL as needed.

    As the root user, edit your Apache domain config file:

    pico /etc/apache2/sites-available/jamroom.net
    
    (of course replace jamroom.net with the name of your config file you created for your domain).

    We are going to add an entirely new section to the bottom that is basically identical to the non-SSL config - and then we will just add in the proper certificate config options.
  • So at the bottom of your config, add a new section that should look like this (with your domain instead of jamroom.net of course):
    <VirtualHost *:443>
    
        ServerAdmin [YOUR_EMAIL_ADDRESS]
        ServerName [YOUR_DOMAIN]
        ServerAlias www.[YOUR_DOMAIN]
    
        RMode stat
    
        SSLEngine on
        SSLCertificateKeyFile /etc/apache2/certs/jamroom_net.key
        SSLCertificateFile /etc/apache2/certs/jamroom_net.crt
        SSLCertificateChainFile /etc/apache2/certs/jamroom_net_bundle.crt
    
        DirectoryIndex index.php index.html index.htm
        DocumentRoot /home/[USER_NAME]/public_html
        <Directory /home/[USER_NAME]/public_html/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride all
            Order allow,deny
            allow from all
        </Directory>
    
        ErrorLog /home/[USER_NAME]/logs/error.log
        LogLevel error
    
    </VirtualHost>
  • Save Changes and restart Apache

    So the main difference between the non-SSL config and the SSL config is:

    - we are listening on port 443 instead of 80
    - we add in the specific options that tells Apache where it can find our certificate files (remember - use the actual name of your certificate files - not jamroom.net!

    That's it - the config is pretty easy and straight forward.

    After making your changes, save the file and restart Apache:

    service apache2 restart
    
    If you get any errors, double check that you haven't made any syntax errors in the config file and try again. If you get a notice that SSL is not enabled, run the following command as root:

    a2enmod ssl
    
    and that will enable the SSL module.

    Once Apache has restarted, you should be able to go to the SSL side of your domain (i.e. https) and see your Jamroom. Jamroom "autodetects" when it has been called via SSL and automatically uses an SSL URL for everything - this ensures you don't get any warnings on the site about non-SSL items being shown on an SSL page.

    That's it - you're all setup on SSL now :)

Tags