Installing an SSL certificate and enabling https was a faff; here are my notes.

Firstly, my DNS provider is NOIP, and I chose to get a TrustCOR certificate through their portal. Their free service offers a single certificate as a bundled feature.

Basically, the process is in three parts: get a certificate, configure Apache, and configure the firewall.

The NOIP Portal

Go to “My Services > SSL Certificates”; there are four help pages. The first, generate a CSR, pointed me at “Apache OpenSSL”; read it all and note that the country code of where I live is GB, not UK, and that they require a state/province field. This use of openssl generates the private key. The installation guide is at apache-ssl-installation; I wish I’d read it thoroughly, although at Apache 2.4.8 it is no longer necessary to separately define the ‘chain’ file. The portal offers a feature to download the certificate; do so and copy it to /etc/ssl/certs.

I installed a new cert in 2024 and it was much easier; see the comment dated Feb 2024. Download it, copy it to the ./certs folder and then ensure the Apache config file points at it. The issuer documents the process here.

The Server

Firstly, mod_ssl and apache2 are already installed; this can be checked with both apt and ls /etc/apache/mods-available. This guide assumes you have a certificate chain file (I had a .pem file) issued by a CA, and that you have its private key.

  1. The mod needs to be enabled: a2enmod ssl. This creates a default ssl conf file in ./sites-available.
  2. The SSL .conf file needs to be edited. This is in ./sites-available and was created by the enable-mod command, i.e. a2enmod ssl; its name is 000-default-ssl.conf, but ideally make a copy and change the basename, i.e. cp default-ssl.conf mydns.conf.
  3. Then edit the two key-file parameters to use the .pem chain and .key files. The version of Apache I have (2.4.8) does not require the separate declaration of the chain file.
  4. My initial parameters are now set to: Listen 433; <VirtualHost *:433>; ServerName ${InternetName}.
  5. a2ensite $(basename ${conf.file}) enables the site; note that a2dissite disables it if necessary.
  6. The hostname needs to match the hostname declared in the certificate; edit /etc/hosts and /etc/hostname.
  7. Then systemctl reload apache2 and systemctl restart apache2 for good measure.
  8. I was having problems getting it to work because https was prohibited at the boundary, and so I ran hostname to change the hostname and put the FQDN into the hosts file. I am thus unsure whether this and the ServerName parameter are required. This may break something else.
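Before the reload in step 7 it is worth checking the certificate Apache is about to load. The script below is an added example, not part of the original post: it reads the SSLCertificateFile and SSLCertificateKeyFile paths out of a vhost .conf and confirms that the private key matches the certificate, that the certificate covers the ServerName, and that it is not about to expire (the situation the Feb 2024 renewal comment describes). It assumes openssl is installed; the hostname pi.example.test, the temporary vhost file and the self-signed certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks on the
# certificate an Apache SSL vhost is about to load. Needs only openssl;
# the hostname, vhost file and certificate below are constructed.
set -eu

# The public key in the certificate must equal the one derived from the
# private key, otherwise Apache refuses to bring up the SSL vhost.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# The certificate must cover the ServerName (SAN entries, else the CN).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Fails if the certificate expires within $2 days, i.e. renewal is due.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Read SSLCertificateFile / SSLCertificateKeyFile from a vhost .conf and
# run all three checks on them; stops at the first problem.
check_vhost_conf() {
  cert=$(awk '$1=="SSLCertificateFile"{print $2}' "$1")
  key=$(awk '$1=="SSLCertificateKeyFile"{print $2}' "$1")
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  cert_key_match "$cert" "$key" || return 1
  cert_covers_host "$cert" "$2" || return 1
  cert_valid_for_days "$cert" 30
}

# Constructed demo: a 90-day self-signed cert plus a minimal vhost file
# in a temp dir (a real cert would come from the CA, as in the post).
make_demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/C=GB/ST=London/O=Demo/CN=$1" \
    -keyout "$d/pi.key" -out "$d/pi.pem" 2>/dev/null
  printf '<VirtualHost *:443>\n  ServerName %s\n  SSLEngine on\n' "$1" >"$d/mydns.conf"
  printf '  SSLCertificateFile %s/pi.pem\n  SSLCertificateKeyFile %s/pi.key\n</VirtualHost>\n' "$d" "$d" >>"$d/mydns.conf"
  echo "$d"
}

DEMO=$(make_demo pi.example.test)
check_vhost_conf "$DEMO/mydns.conf" pi.example.test && echo "vhost OK"
```

Run it against the real mydns.conf and ServerName instead of the demo; a silent non-zero exit points at the first of the three checks that failed.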

Firewall

  1. I use a BT HomeHub (5A) and it needed an https rule to be set because I had not set one before. Not doing this first probably cost me days.

Help

I found these sites helpful:

  1. Adding https to the raspberry pi apache web server from variax.wordpress.com uses local certs, but documents making a key pair using openssl and the changes needed in the .conf file; also How to Host Multiple Websites with Apache Virtual Hosts.
  2. How to enable/disable a website from linode.com talks about the conf file and a2 commands; also enable mod_ssl apache on the commands, mainly systemctl, from ubiq.co, and 14 apache commands to help you manage your server like a pro from devdojo, which also documents the commands and has more than ubiq’s.
  3. Here’s YAF page, How to install an SSL certificate on apache, from www.ssls.com.
  4. Apache loads mod_ssl but ifmodule mod_ssl.c ignored in my vhosts from stackoverflow: the order of the include statements is important, but this was not relevant to me.
  5. An example vhosts file from Apache, and a how-to, again from Apache; both major on the .conf file settings.
  6. And Set new hostname raspberry pi, which points at raspi-config.
  7. A page on Remapping at apache.com was used to redirect port 80 to the https port; I needed a CNAME in DNS to redirect the standby name.
  8. man openssl from linux.die.net: how to make the key pair.

See also https://davelevy.info/wiki/raspberry-pi-iii/#comment-148525

3 Replies

  1. Remember to back up your certificates and keys. I needed to rebuild the Pi and found that my certificate vendor had decided to withdraw the offer, and so I needed to recover the keys from the old disk. More faff. I did so by rebooting the old disk and copying the certs to the new disk. Mounting a Raspbian boot disk on a Windows laptop seems harder than I want, and the best advice would seem to be as above.

  2. Over the winter of 2023/2024, I had to renew the certificate. The complexity of the install frightened me, but this is what I eventually did. I logged into the website, downloaded the new pem-chain file and moved it to /etc/ssl/certs. I then edited the SSLCertificateFile parameter in the apache config file as it had a new name. Then restarted the apache server. It was simple; next time have no fear.
