Linux Programmer | RHCE | RHCSA

Wednesday 13 September 2023

SSL setup in webservers

1. Set up SSL in Tomcat using a certificate, a chain certificate and a private key.

For example:

1. website.crt (main certificate file)
2. website-ca.crt (chain certificate)
3. website.key (private key)

Open server.xml, which is located in the Tomcat base directory.

nano $CATALINA_BASE/Tomcat/conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
           compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata"
           URIEncoding="UTF-8" useBodyEncodingForURI="true"
           connectionTimeout="20000"
           enableLookups="false"
           maxThreads="1500" SSLEnabled="true"
           defaultSSLHostConfigName="Domain-name" maxParameterCount="-1">

    <!-- defaultSSLHostConfigName above must equal the hostName of one SSLHostConfig,
         otherwise Tomcat refuses to start the connector -->
    <SSLHostConfig hostName="Domain-name" protocols="TLSv1.2">
        <Certificate certificateFile="PATH-To-SSL-Directory/website.crt"
                     certificateKeyFile="PATH-To-SSL-Directory/website.key"
                     certificateChainFile="PATH-To-SSL-Directory/website-ca.crt" />
    </SSLHostConfig>
</Connector>

Restart the Tomcat service.

2. Generate a private key and CSR with keytool, import the issued certificate and chain certificate, and export them as PEM.

Generate the keystore and CSR:
keytool -keysize 2048 -genkey -alias website -keyalg RSA -keystore website.keystore
keytool -certreq -keyalg RSA -alias website -file website.csr -keystore website.keystore
[Keep the keystore password used when generating the CSR; it is needed again as certificateKeyPassword in server.xml.]

Have the certificate issued from the generated CSR by your domain/certificate provider, then import the chain and the certificate into the keystore and export it as PEM:
keytool -import -alias root -keystore website.keystore -trustcacerts -file website.crt
keytool -import -alias intermed -keystore website.keystore -trustcacerts -file website-ca.crt
keytool -import -alias website -keystore website.keystore -trustcacerts -file website.crt
keytool -importkeystore -srckeystore website.keystore -destkeystore website.keystore -deststoretype pkcs12
[keytool migrates the JKS file to PKCS12 in place and keeps a backup as website.keystore.old.]
openssl pkcs12 -in website.keystore -out website.pem

Now add the configuration to server.xml:

nano $CATALINA_BASE/Tomcat/conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
           compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata"
           URIEncoding="UTF-8" useBodyEncodingForURI="true"
           connectionTimeout="20000"
           enableLookups="false"
           maxThreads="1500" SSLEnabled="true"
           defaultSSLHostConfigName="Domain-name" maxParameterCount="-1">

    <!-- defaultSSLHostConfigName above must equal the hostName of one SSLHostConfig -->
    <SSLHostConfig hostName="Domain-name">
        <Certificate certificateFile="PATH-TO-SSL/website.pem" certificateKeyPassword="certificate-password"
                     certificateChainFile="PATH-TO-SSL/website-ca.crt" />
    </SSLHostConfig>
</Connector>

3. Set up the above SSL certificates on the Nginx web server.

The files below are available from what we generated earlier (in the 2nd solution):
1. website.csr
2. website.crt
3. website-ca.crt
4. website.pem

a. Extract the private key from the generated .pem file with the command below. It prompts for the password set in step 2 and writes the key unencrypted, so restrict the file's permissions (chmod 600 website.key).

openssl rsa -in website.pem -out website.key

The resulting website.key is a PEM private key block (-----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----, depending on the OpenSSL version, up to the matching END line).


b. Create a combined certificate file by concatenating the CRT and the chain certificate file (the server certificate must come first):
cat website.crt website-ca.crt > website-combine.crt

c. Open the SSL configuration file of nginx.

/etc/nginx/conf.d/ssl.conf

server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name domainname.in;
    # nginx sends every certificate in this file to the client, so use the
    # combined (server + chain) file from step b rather than website.crt alone.
    ssl_certificate     /$PATH-TO-SSL/website-combine.crt;
    ssl_certificate_key /$PATH-TO-SSL/website.key;
    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 4h;
    ssl_session_tickets off;
    # OCSP stapling (also needs a "resolver" directive so nginx can
    # look up the OCSP responder host named in the certificate)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /$PATH-TO-SSL/website-combine.crt;
    location / {
        proxy_pass              https://tomssl/;
        proxy_set_header        Host               $host;
        proxy_set_header        X-Real-IP          $remote_addr;
        proxy_set_header        X-Forwarded-For    $remote_addr;
        proxy_set_header        X-Forwarded-Host   $host:443;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-Port   443;
        proxy_set_header        X-Forwarded-Proto  $scheme;
        allow all;
    }
    error_page 500 502 503 504 /server-busy.html;
    location = /server-busy.html {
        root /usr/share/nginx/html;
        internal;
    }
}

d. Test the configuration and restart Nginx.
nginx -t
systemctl restart nginx
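nginx -t and apachectl -t only parse syntax; they do not tell you whether the key, certificate and chain actually belong together or whether the certificate is about to expire. The script below is an added example, not part of the original post: it assumes openssl is on PATH and uses the file names from the sections above (website.crt, website.key, website-ca.crt or website-combine.crt).

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks to run on the
# certificate, key and chain files before restarting Tomcat, Nginx or Apache.
# Assumes openssl is on PATH; file names follow the ones used in this post.

# The public key inside the certificate must be the one derived from the private key.
# stdin is closed so an encrypted key fails instead of hanging on a password prompt.
key_matches_cert() {  # CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate must chain through the intermediate(s) in CHAIN to a trusted root.
# ROOT is optional: when given (e.g. an internal CA) it replaces the system trust store.
chain_verifies() {  # CERT CHAIN [ROOT]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Fail when the certificate expires within DAYS (Let's Encrypt certs last only 90 days).
cert_valid_for_days() {  # CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all three checks and report each failure; returns 0 only if every check passes.
check_tls_files() {  # CERT KEY CHAIN [DAYS] [ROOT]
    days=${4:-30}
    status=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1" >&2; status=1; }
    chain_verifies "$1" "$3" "$5" || { echo "FAIL: $1 does not verify via $3" >&2; status=1; }
    cert_valid_for_days "$1" "$days" || { echo "FAIL: $1 expires within $days days" >&2; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $1, $2 and $3 are consistent"
    return "$status"
}

# Usage with the files from this post (paths are placeholders):
# check_tls_files /PATH-TO-SSL/website.crt /PATH-TO-SSL/website.key /PATH-TO-SSL/website-ca.crt
```

Run it against the files referenced in server.xml, ssl.conf or default-ssl.conf before the restart; a non-zero exit means the server would come up with a broken or soon-to-expire certificate.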

4. Set up SSL in the Apache web server.

Open the SSL configuration file of Apache and add the configuration below.

/etc/apache2/sites-available/default-ssl.conf

<VirtualHost *:443>
    <Directory /path/to/website/dir>
        # "Indexes" enables directory listings; drop it unless you want the tree browsable
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    ServerAdmin purval@test.com
    ServerName impurval.blogspot.com
    ServerAlias www.impurval.blogspot.com
    DocumentRoot /path/to/website/dir
    ErrorLog ${APACHE_LOG_DIR}/website.log
    #CustomLog ${APACHE_LOG_DIR}/phpmyadmin_access.log combined
    SSLEngine on
    SSLCertificateFile "/path/to/ssl/website.crt"
    SSLCertificateKeyFile "/path/to/ssl/website.key"
    SSLCertificateChainFile "/path/to/ssl/website-ca.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    Protocols h2 h2c http/1.1
</VirtualHost>

Test the configuration and restart Apache.
apachectl -t
/etc/init.d/apache2 restart

5. Set up a free Let's Encrypt SSL certificate.

Please note that these SSL certificates are valid for 3 months only; after that they have to be renewed.

1. Install the certbot package if it is not installed.

apt-get install certbot

2. If a web server is already running on port 443 with SSL, stop the application first.

3. Generate the certificates using the command below.

sudo certbot certonly --standalone -d domain-name.com

4. Add the configuration entry to the configuration file. Below are the SSL configuration settings for the Tomcat web server.

nano $CATALINA_BASE/conf/server.xml

<SSLHostConfig hostName="domain-name.com">
    <Certificate certificateFile="/etc/letsencrypt/live/domain-name.com/cert.pem"
                 certificateKeyFile="/etc/letsencrypt/live/domain-name.com/privkey.pem"
                 certificateChainFile="/etc/letsencrypt/live/domain-name.com/chain.pem" />
</SSLHostConfig>
