Update An SSL Certificate

Once every year, I need to update the SSL certificate for one of my domains. Somehow, I’ve never written down the instructions until now:

Step 1: Initiate the Certificate Renewal

Start by purchasing a certificate renewal from the vendor. (I use Thawte.) They’ll send an email asking for purchase approval.

Step 2: Generate a Certificate Signing Request (CSR)

At the command line, navigate to the folder where certs and keys are stored. Mine is /etc/pki/tls/, and contains folders certs, misc, and private. In my setup, it also contains the .conf file for openssl.

Type the following command:

sudo openssl genrsa -des3 -out private/your-keyname-here.key 2048

This creates a 2048-bit RSA private key, encrypts it with Triple DES under the passphrase you are prompted for (that is what -des3 does; see the note on passphrases at the end of this post), and stores it, owned by root, in /etc/pki/tls/private/your-keyname-here.key. Check that the file is not group- or world-readable (chmod 600 if it is): the private key never leaves the server, only the CSR does.

Next, working from within the same folder as before, use this private key to create a CSR. Type:

sudo openssl req -new -key private/your-keyname-here.key -out your-keyname-here.csr

The openssl process will now ask for certain details to be included in the CSR. Enter the Common Name exactly as the hostname clients will connect to (e.g. www.mydomain.com) and, when requested, do not enter an email address, challenge password or an optional company name. The process creates a CSR file owned by root and stores it in /etc/pki/tls/your-keyname-here.csr.

Now validate the CSR on this testing site. For more details about generating the CSR, check here.

Step 3: Submit the CSR

Navigate to the certificate provider’s website, sign in, then submit the CSR for approval. On success, the provider will send download and installation instructions via email.

Step 4: Install the certificate

Follow the instructions in the email to download the certificate, unzip it, and move the contained files into the appropriate target directory or directories for your setup. My latest certificate included two files, namely, ssl_certificate.crt and IntermediateCA.crt. In my setup, both files went into the /etc/pki/tls/certs/ folder. Make sure to be logged in as root when creating these files, and set file permissions to 644 (certificates are public; the private key in private/ stays at 600).

For more details, visit this page.

Step 5: Update the SSL config file

Back at the command line, navigate to /etc/httpd/conf.d/ and open ssl.conf. Find the lines for the following settings:

SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile

… and make sure they point to the correct files and locations for each of these settings. (On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: the intermediate certificate can instead be appended to the file named by SSLCertificateFile. The directive still works, so the setup below is fine either way.) My setup looks like this:

SSLCertificateFile /etc/pki/tls/certs/ssl_certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/IntermediateCA.crt

Step 6: Reboot the server

A full reboot is not needed: restarting httpd is enough to load the new key and certificate, and running apachectl configtest first will catch a typo in ssl.conf before it takes the site down. If you do reboot, follow the instructions in the earlier article, Rebooting the MSA Server on Digital Ocean, to restart the server.

Step 7: Verify success

Once the server is back up, verify the certificate is working properly using this testing tool.


Note on passphrases for SSL certs: the passphrase is set on the private key (the -des3 option in Step 2), not on the CSR. If the key is encrypted, httpd has to prompt for the passphrase every time it starts, including after each reboot. This is okay for a stable environment but becomes a pain when server restarts are frequent.

I opted to remove the passphrase on my dev server using the instructions outlined here. However, my production server still requires the passphrase.


Creating a SubDomain in Apache

I recently needed to create a subdomain for one of my websites. This subdomain points to a separate WordPress installation that is linked to from the parent domain. Here’s a quick overview of how to do this.

The directory structure on my server is similar to the following:

/var/www/html/example
/var/www/html/blog

Start by navigating to the /etc/apache2/sites-available directory, then create a configuration file for the new subdomain by copying the default one – just switch ‘example’ and ‘blog’ with your target domain and subdomain names. (On Apache 2.4 the default file is 000-default.conf; older 2.2 layouts call it 000-default.)

$ sudo cp 000-default.conf blog.example.com.conf

Now open blog.example.com.conf in an editor and make the following changes:

ServerName blog.example.com
ServerAdmin <your admin's email address goes here>
DocumentRoot /var/www/html/blog

If it’s been set, remove or comment out ServerAlias.

Next, enable the new subdomain as follows:

sudo a2ensite blog.example.com.conf

Now reload the server, or restart it if the reload fails. Note the argument order: the service name comes before the action:

$ sudo service apache2 reload
$ sudo service apache2 restart

And finally, set up a CNAME record for the subdomain in the parent domain’s DNS zone file (an A record pointing at the server’s address works just as well).

That’s all! Go to blog.example.com to view the contents of the subdirectory.
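As an added example (not the post’s own commands), here is the copy-and-edit step above turned into a small script that renders the whole vhost from a template, refuses hostnames that would corrupt the config, and writes the file into sites-available. It assumes the Debian/Ubuntu layout (/etc/apache2/sites-available, a2ensite), a hypothetical admin address webmaster@example.com, and that the document root already exists; the Directory block it emits is scoped to the subdomain’s own directory with directory listings off, which is also the tighter form of the AllowOverride change needed for .htaccess-based apps such as CakePHP further down this page. The example run writes to a scratch directory so it can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: generate an Apache subdomain vhost
# from a template and write it into sites-available.
# Assumptions: Debian/Ubuntu Apache layout, hypothetical admin address,
# DocumentRoot already created.
set -eu

# Render a complete vhost. Unlike copying 000-default.conf, this has no
# ServerAlias, scopes AllowOverride to the subdomain's own tree and turns
# directory listings off.
vhost_conf() {  # $1 = subdomain FQDN, $2 = DocumentRoot, $3 = admin email
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ServerAdmin $3
    DocumentRoot $2
    # Deliberately no ServerAlias: other names fall through to 000-default.

    <Directory $2>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/$1-error.log
    CustomLog \${APACHE_LOG_DIR}/$1-access.log combined
</VirtualHost>
EOF
}

# Accept only a plain dotted hostname: a space or "/" in the name would
# change the meaning of ServerName and of the file name we write.
valid_fqdn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Write <fqdn>.conf into the sites-available directory given as $4.
write_vhost() {  # $1 = FQDN, $2 = DocumentRoot, $3 = admin email, $4 = sites-available dir
  valid_fqdn "$1" || { echo "bad hostname: $1" >&2; return 1; }
  [ -d "$2" ] || { echo "DocumentRoot $2 does not exist" >&2; return 1; }
  vhost_conf "$1" "$2" "$3" > "$4/$1.conf"
}

# Constructed example run in a scratch directory, so nothing under /etc is touched.
SCRATCH=$(mktemp -d)
mkdir -p "$SCRATCH/www/blog" "$SCRATCH/sites-available"
write_vhost blog.example.com "$SCRATCH/www/blog" webmaster@example.com "$SCRATCH/sites-available"
cat "$SCRATCH/sites-available/blog.example.com.conf"

# On the real server, as root, the remaining steps are the post's own:
#   write_vhost blog.example.com /var/www/html/blog webmaster@example.com /etc/apache2/sites-available
#   a2ensite blog.example.com.conf && apachectl configtest && service apache2 reload
```

Running apachectl configtest between a2ensite and the reload is the one addition worth keeping even if you never use the script: a syntax error in the new file otherwise surfaces only when the reload fails.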

Installing CakePHP

I started out at http://cakephp.org with reading the cookbook. After skimming the intro, I went to the install instructions as recommended.

The first thing I needed to install was Composer. Although easy, I’d never used Composer, so it took me a while to figure out what I was doing (and why). In the end, I opted for the easy route by installing Composer directly into the public html folder. Two caveats: this pipes the installer into php without checking the SHA-384 digest Composer publishes for it, and a composer.phar that sits in the public html folder can be downloaded by anyone, so it belongs outside the web root:

curl -s https://getcomposer.org/installer | php
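As an added example (not the post’s own commands), here is the same install with the two caveats handled: the installer’s SHA-384 is compared with the digest published at https://composer.github.io/installer.sig before it is executed, and the resulting composer binary goes into an install directory outside DocumentRoot. The install directory /usr/local/bin and the temporary file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: install Composer only after the
# installer's SHA-384 matches the digest Composer publishes, and keep the
# resulting binary out of the web root. Install path is an assumption.
set -eu

# Hex SHA-384 of a file; sha384sum with an openssl fallback for hosts without coreutils.
sha384_of() {
  if command -v sha384sum >/dev/null 2>&1; then
    sha384sum "$1" | awk '{print $1}'
  else
    openssl dgst -sha384 "$1" | awk '{print $NF}'
  fi
}

# Exit 0 only if the file's digest equals the expected one. Kept separate from
# the download so the comparison itself can be exercised offline.
verify_installer() {  # $1 = installer file, $2 = expected hex digest
  [ "$(sha384_of "$1")" = "$2" ]
}

# Fetch installer and published digest, refuse to run the installer on mismatch,
# then install as "composer" in $1 (must NOT be under the public html folder).
install_composer() {  # $1 = install directory, e.g. /usr/local/bin
  tmp=$(mktemp -d)
  curl -fsSL https://getcomposer.org/installer -o "$tmp/composer-setup.php"
  expected=$(curl -fsSL https://composer.github.io/installer.sig)
  if ! verify_installer "$tmp/composer-setup.php" "$expected"; then
    echo "Composer installer digest mismatch, refusing to run it" >&2
    rm -rf "$tmp"
    return 1
  fi
  php "$tmp/composer-setup.php" --install-dir="$1" --filename=composer
  rm -rf "$tmp"
}

# Usage on the server (needs network access and php):
#   install_composer /usr/local/bin && composer --version
```

The digest and the installer are fetched from two different hosts, which is the point: an attacker who can tamper with one download still has to match the other.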

Next, I installed CakePHP by using composer to create a new project for the bookmarks tutorial in the html folder, like so:

composer create-project --prefer-dist cakephp/app bookmarker

This is where I ran into my first glitch. The installation wouldn’t complete properly because my PHP installation did not include the ‘intl’ or ‘mbstring’ modules. The (simple) solution was to install these modules like so:

apt-get install php-intl

apt-get install php-mbstring

… Then reload the server:

service apache2 reload

… And then confirm the installation succeeded:

php -m

Once the needed modules were installed, the previous ‘create-project’ instruction worked perfectly and Composer successfully set up the tutorial project as promised.

FYI, I let Composer set permissions automatically.

Well, almost as promised. The default home page showed up in my browser, but the CSS files couldn’t be found.

It turns out that ‘URL rewriting’ wasn’t properly configured on my server. As a result, the server was looking for the ‘/css’ folder in the project’s root directory, instead of the ‘/webroot’ folder.

At this point, I switched to the manual installation instructions on the CakePHP site for more precise guidance. It turns out that I had two issues to resolve.

The first issue was allowing .htaccess files to override the server’s default configuration settings. The fix for this was easy enough:

# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

Two things are worth tightening here before this goes anywhere near production: Indexes turns on directory listings for every folder without an index file, so drop it unless you rely on it, and AllowOverride All on /var/www lets every site under that tree (and any .htaccess an attacker manages to write there) reconfigure Apache; scope the Directory block to the CakePHP directory instead.

The second issue was that mod_rewrite was turned off in apache by default, so the .htaccess files were not being read. The fix was easy too:

a2enmod rewrite

service apache2 restart

With these fixes behind me, everything showed up in my browser just as promised, including a message to tell me the app couldn’t connect to the database (as expected).

I now went back to the quick start guide and followed the instructions to create a database and add some tables for the tutorial by copying and pasting the code provided. Then I modified the installation’s config/app.php file by setting the user, password, and database name defaults so the app could make the connection. Since the project lives under the public html folder, everything outside webroot/ relies on the .htaccess rewrite rules to stay hidden; the safer layout is to point DocumentRoot at bookmarker/webroot so that config/app.php, which now holds the database password, is not under the document root at all.

Another browser refresh and, WooHoo, the oven is hot!