ATMINTINĖ kaip susikūriau self-signed SSL sertifikatą virtualhost’ui ant localhost’o :)

OS: ubuntu 16.04
Webserver: apache
Virtualhost: https://buba/

Toliau – tik konsolės kodas su minimaliais paaiškinimais.

Generuojam sertifikatą, raktą:

$ sudo openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout /etc/ssl/private/buba.key -out /etc/ssl/certs/buba.crt
Generating a 2048 bit RSA private key
......................................................+++
........................................+++
writing new private key to '/etc/ssl/private/buba.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LT
State or Province Name (full name) [Some-State]:Foo
Locality Name (eg, city) []:Bar
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Buba Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:buba
Email Address []:webmaster@localhost

„Pastiprinsim“ saugumą Diffie–Hellman navarotais :)

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Sukūriau failą:

$ sudo vim /etc/apache2/conf-available/ssl-params.conf

tokiu turiniu:

$ sudo cat /etc/apache2/conf-available/ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off 
SSLSessionTickets Off
SSLUseStapling on 
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Konfigūruoju virtualhost’ą (mano konfigas yra tam skirtam faile klientai.conf):

$ sudo vim /etc/apache2/sites-enabled/klientai.conf

Ką pakeičiau? – Pridėjau 443 port’o direktyvas:

$ sudo cat /etc/apache2/sites-enabled/klientai.conf

...
<VirtualHost *:80>
        DocumentRoot /var/www/virt/buba.lt/public_html
        ServerName buba
</VirtualHost>

<VirtualHost *:443>
        DocumentRoot /var/www/virt/buba.lt/public_html
        ServerName buba
        SSLCertificateFile      /etc/ssl/certs/buba.crt
        SSLCertificateKeyFile /etc/ssl/private/buba.key
</VirtualHost>
...

Atsišaukimas: šio straipsnelio rašymo metu domenas buba.lt yra laisvas. Ir jei šio straipsnelio skaitymo metu toks domenas jau yra užregistruotas, tai aš su juo niekaip nesu susijęs. Savininkams prašant savo pavyzdžius pakeisčiau. Reikalausiu nuosavybės patvirtinimo :)

Na ir pabaigai:

$ sudo a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled

$ sudo a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart

$ sudo a2enconf ssl-params
Enabling conf ssl-params.
To activate the new configuration, you need to run:
  service apache2 reload

$ sudo apache2ctl configtest
Syntax OK

$ sudo systemctl restart apache2

Užeinu į https://buba/, naršyklė „pasispjaudo“, pridedu exception’ą ir toliau viskas veikia „ant amžių amžinųjų“…