How to properly install SSL to my server?

Question

I have a sub-domain I want to install a valid SSL (possibly free SSL). I used to access my website through the public address of my server. Now I am using subdomain to access my website. I want to add a valid SSL to my server to secure my website. I am using XAMPP. How can I install SSL properly because when I access my website using HTTPS I am getting a NET::ERR_CERT_AUTHORITY_INVALID and where can I get a valid SSL Certificate?

Answer 1

Arguably most popular free SSL Provider (and the one I use) will be LetsEncrypt.

Steps for installation will vary based on OS, like this for Ubuntu

Answer 2

The most popular Free SSL certificate you can get from letsencrypt.

Than here is the steps you can get your certificate works on localhost machine (XAMPP):

1. Create new folder crt, in default XAMPP location C:\xampp\apache\crt
2. Paste there 2 files: cert.conf and make-cert.bat
3. Now edit cert.conf and Run make-cert.bat Change {{DOMAIN}} text using the domain we want to use, in this case site.test and save.

Double click the make-cert.bat and input the domain site.test when prompted. And just do enter in other question since we already set the default from cert.conf.

4. After that, you will see site.test folder created. In that folder we will have server.crt and server.key. This is our SSL certificate.

Double click on the server.crt to install it on Windows so Windows can trust it.

And then Select “Place all certificate in the following store” and click browse and select Trusted Root Certification Authorities.

5. Edit your host file

5.1 Open notepad as administrator.

5.2 Edit C:\Windows\System32\drivers\etc\hosts (the file have no ext)

5.3 Add this in a new line:

127.0.0.1 site.test

This will tell windows to load XAMPP when we visit http://site.test You can try and it will show XAMPP dashboard page.

6. Add the site in XAMPP conf.

We need to enable SSL for this domain and let XAMPP know where we store the SSL Cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf

And add this code at the bottom:

    ## site.test
 <VirtualHost *:80>
     DocumentRoot "C:/xampp/htdocs"
     ServerName site.test
     ServerAlias *.site.test
 </VirtualHost>
 <VirtualHost *:443>
     DocumentRoot "C:/xampp/htdocs"
     ServerName site.test
     ServerAlias *.site.test
     SSLEngine on
     SSLCertificateFile "crt/site.test/server.crt"
     SSLCertificateKeyFile "crt/site.test/server.key"
 </VirtualHost>

After that, you will need to restart Apache in XAMPP. It’s very simple, simply open XAMPP Control Panel and Stop and re-Start Apache Module.

7. Restart your browser

Answer 3

You may get free ssl using this link [1]. You need to select the Software that you're using for example Apache and select what operating system you are using in my case I am using Debian 9. If you're unsure about your system, you need to ssh to your server and execute the command "$ cat /etc/*release" if you're using Linux.Once you have selected the correct software and system, it will give you instructions on how to get SSL.

You may follow the instructions here [2] on how to install SSL.

Hope this information helps you.

[1] https://certbot.eff.org/lets-encrypt/debianstretch-apache

[2] https://www.sslshopper.com/apache-server-ssl-installation-instructions.html

Answer 4

The most common solution of free SSL is LetsEncrypt.

LetsEncrypt provides a variety of clients for most OSs. I recommend using the client ACMESharp.

Follow the following steps on Powershell (as described in the official documentation of the project)

1) Install ACMESharp

Import-Module ACMESharp

2) Initialize the vault

Initialize-ACMEVault

3) Create new ACME registration using email

New-ACMERegistration -Contacts mailto:somebody@example.org -AcceptTos

4) Submit the domain identifier

New-ACMEIdentifier -Dns myserver.example.com -Alias dns1

5) Handle the Challenge to Prove Domain Ownership

Pick a method to porve that you own your domain, I recommend HTTP Challenge.

(Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual).Challenge

If you do not get the challenge details like file path and content in the output , try this:

(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}

You'll probably have to allow hidden locations to be accessed via apache, so the challenge can reach .well-known location. You could use something like the following config, depending on your custom needs (as mentioned in this post as well):

<IfModule mod_rewrite.c> 
        RewriteCond %{REQUEST_FILENAME} !.well-known/
        RewriteRule "(^|/)\.(?!well-known)" - [F]
</IfModule>

6) Submit the Challenge Response to Prove Domain Ownership (HTTP method)

Submit-ACMEChallenge dns1 -ChallengeType http-01

The challenge does not get updated instantly so try updating on the results until it's valid.

(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges |Where-Object {$_.Type -eq "http-01"}

Once it's valid, try:

Update-ACMEIdentifier dns1

7) Request and Retrieve the Certificate

New-ACMECertificate dns1 -Generate -Alias cert1
Submit-ACMECertificate cert1

The certificate might not be issued instantly so try:

Update-ACMECertificate cert1

Until it's ok.

8) Export the public and private keys

Private key:

Get-ACMECertificate cert1 -ExportKeyPEM "path\to\cert1.key.pem"

Certificate signing request:

 Get-ACMECertificate cert1 -ExportCsrPEM "path\to\cert1.csr.pem"

Lets encrypt public certificate:

Get-ACMECertificate cert1 -ExportCertificatePEM "path\to\cert1.crt.pem" -ExportCertificateDER "path\to\cert1.crt"

Issuer's public certificate:

Get-ACMECertificate cert1 -ExportIssuerPEM "path\to\cert1-issuer.crt.pem" -ExportIssuerDER "path\to\cert1-issuer.crt"

You don't practically need all of the above, anyway, but the private key is absolutely necessary so keep it safe.

For more documentation visit the github repo of the project.