Install an SSL Certificate on Apache + Varnish + Pound

Introduction

A few weeks ago I had to re-install an SSL certificate on a server running Apache, Varnish & Pound as the old certificate had just expired. I thought it would be good to write up a quick guide on how to do it as it may help others.

Note that if you are on a shared hosting plan, you can easily generate a *.CSR and *.Key file and then install your *.CRT (once the certificate authority sends it to you) in cPanel.

This guide is written around CentOS commands, but you should be able to find the corresponding commands for other OSes; if you get stuck, leave a comment and I will happily help you out.

If you need a hand setting up Varnish and Pound, see the following guides as I found them quite helpful:

Note that this is a best effort post, we take no responsibility for the security of your website or server from anything posted on BlocksAndPixels.com.au.

Preparation

Depending on your server configuration you may need to run the commands using sudo (or use sudo -i to open a root shell). The key is generated without a passphrase (that is what the -nodes flag below does), so you will not be prompted for one; Apache and Pound can then read it at start-up unattended, which also means the key file must be readable by root only.

First you’ll need to edit your openssl.cnf (on CentOS 6 it is /etc/pki/tls/openssl.cnf) and, in the [ req ] section, uncomment

#req_extensions = v3_req

so that it reads

req_extensions = v3_req

Without this line, openssl req ignores the [ v3_req ] section and the CSR is generated without the Subject Alternative Name extension.

Then find the [ v3_req ] section and add every hostname the certificate should cover, including the primary one you will later enter as the Common Name and any www variant you serve. Browsers match the hostname against the Subject Alternative Name list and ignore the Common Name when a SAN is present, so a name left out here fails validation even if it is the CN. For example:

[ v3_req ]
# Extensions to add to a certificate request
subjectAltName=DNS:example.com,DNS:example.me

Generate the CSR and Key

Once openssl.cnf is set up, change into the directory that will hold the key and CSR (create it first if it does not exist yet):

cd /etc/httpd/ssl

From there, generate the key and CSR with the following command. Before running it, check that the path to your openssl.cnf is correct, and when prompted for the Common Name enter the primary domain name exactly as it appears in the subjectAltName list (leave the optional challenge password empty):

OPENSSL_CONF=/etc/pki/tls/openssl.cnf openssl req -nodes -newkey rsa:2048 -keyout <domain>.key -out <domain>.csr

The .csr is what you send to the certificate authority; the .key file never leaves the server. Restrict it to root (mode 0600) as soon as it is written, since it is unencrypted.
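The same CSR step as an added example (this is not code from the original post): rather than editing the system-wide openssl.cnf, the script below writes a small request-only config carrying the SAN list, generates the key and CSR from it with the key file created 0600, and then checks that the CSR really contains the SAN names and matches the key, which is the check worth doing before paying a CA. The hostnames, file names and output directory are placeholders.

```shell
#!/bin/sh
# Added example (not the original post's code): generate a key and a SAN CSR
# from a private request config instead of editing /etc/pki/tls/openssl.cnf.
# Hostnames, file names and the output directory below are placeholders.
set -eu

# gen_csr <primary-host> <comma-separated-extra-hosts> [outdir]
gen_csr() {
    domain="$1"
    extra="$2"
    outdir="${3:-.}"
    cfg="$outdir/$domain.req.cnf"

    # The CN is repeated in the SAN: browsers match the SAN list and ignore
    # the CN whenever a SAN extension is present.
    san="DNS:$domain"
    for h in $(printf '%s' "$extra" | tr ',' ' '); do
        san="$san,DNS:$h"
    done

    # Minimal request config; req_extensions = v3_req is the line the post
    # asks you to uncomment in the system openssl.cnf.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $domain

[ v3_req ]
subjectAltName = $san
EOF

    # -nodes: unencrypted key so Apache/Pound can start unattended.
    # umask 077 makes the key file 0600 from the moment it is written.
    (
        umask 077
        openssl req -new -nodes -newkey rsa:2048 -config "$cfg" \
            -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" 2>/dev/null
    )
}

# Print the SAN list of a CSR as one comma-separated string (no spaces).
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# Succeed only if the key and the CSR share the same RSA modulus.
key_matches_csr() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -modulus)" ]
}
```

Usage on the server would be gen_csr example.com www.example.com,example.me /etc/httpd/ssl, followed by csr_sans and key_matches_csr on the files it wrote; an empty SAN line from csr_sans means the req_extensions setting did not take effect and the CA would issue a certificate for the CN alone.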

Buy Your SSL Certificate and Install

Once you have generated the CSR and KEY files (keep them handy, you’ll need them) you can buy your SSL Certificate. If you don’t know where to buy an SSL certificate, I would recommend using NameCheap (Disclaimer: affiliate link) as that is where I buy all my domains and SSL certificates from and they have fantastic support.

Ensure that you use a valid email when you are purchasing the SSL certificate, as it will be sent to that address.

Once you receive your SSL certificate, install it onto the server by copying it (together with any intermediate or chain certificates the authority sent with it) into

/etc/httpd/ssl

If you are just using Apache, point the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives of your mod_ssl virtual host (in /etc/httpd/conf.d/ssl.conf on CentOS 6) at the new .crt, .key and intermediate files, then restart Apache:

service httpd restart

You should then be able to browse to https://<your-site>.com and have the certificate work as expected. A browser warning about an unknown or untrusted issuer at this point almost always means the intermediate certificate was not installed.

Generate your PEM file

If you are using Pound in conjunction with Apache and Varnish, then you’ll need to generate a PEM file before the certificate will be picked up correctly, because Pound reads the certificate, private key and chain from a single file. To do so, in the same /etc/httpd/ssl directory, first confirm that the file you received is a valid certificate:

openssl x509 -in <ssl-certificate>.crt -noout -text

If that prints the certificate details (check the Subject, the Validity dates and the Subject Alternative Name) rather than an error message, create the PEM file for Pound:

openssl x509 -in <ssl-certificate>.crt -out pound.pem

Then append the private key to the PEM file:

openssl rsa -in <domain>.key >> pound.pem

If you received other *.CRT files from the certificate issuer, for example AddTrustExternalCARoot, AddTrustCA etc., append those to the bottom of pound.pem as well, the intermediate that signed your certificate first and the root last. Clients need the intermediates to build a chain up to a root they already trust; including the root itself is optional but harmless. Because pound.pem now contains the private key, make it owned by root with mode 0600.
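Assembling and checking the PEM, as an added example that is not part of the original post: build_pound_pem writes the file in the order described above with the private key kept 0600, pem_key_matches_cert confirms the key in the file belongs to the leaf certificate, and pem_chain_verifies confirms the intermediates in the file are enough to chain the leaf to a root. Both checks catch the two mistakes that otherwise only show up as Pound refusing to start or browsers reporting an untrusted issuer. The file names are placeholders, and make_test_chain only builds a throwaway root, intermediate and leaf so the checks can be exercised offline; on a real server you would run the first three functions against the files from your CA.

```shell
#!/bin/sh
# Added example (not the original post's code): assemble the Pound PEM and
# check it before restarting Pound. File names are placeholders; the
# make_test_chain helper only builds throwaway certificates so the checks
# can be exercised offline.
set -eu

# build_pound_pem <leaf.crt> <domain.key> <out.pem> [intermediate.crt ...]
# Layout: leaf certificate, private key, then intermediates nearest the
# leaf first (the order the post describes).
build_pound_pem() {
    crt="$1"; key="$2"; out="$3"; shift 3
    (
        umask 077                                      # the file holds the key
        openssl x509 -in "$crt" -out "$out"            # leaf, re-encoded as PEM
        openssl rsa -in "$key" >> "$out" 2>/dev/null   # key, any passphrase removed
        for ca in "$@"; do
            openssl x509 -in "$ca" >> "$out"
        done
    )
}

# Succeed only if the key block in the PEM belongs to the first certificate.
pem_key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" ]
}

# Succeed only if the leaf chains to <root.crt> using the intermediates that
# are in the PEM, i.e. the chain a client will actually receive.
pem_chain_verifies() {
    pem="$1"; root="$2"
    certs=$(mktemp); leaf=$(mktemp)
    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$pem" > "$certs"  # certs only, key dropped
    openssl x509 -in "$pem" -out "$leaf"                            # first cert is the leaf
    if openssl verify -CAfile "$root" -untrusted "$certs" "$leaf" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$certs" "$leaf"
    return $rc
}

# Constructed fixtures: a throwaway root -> intermediate -> leaf chain in $1.
make_test_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj /CN=TestRoot \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -nodes -newkey rsa:2048 -subj /CN=TestIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -nodes -newkey rsa:2048 -subj /CN=example.com \
        -keyout "$d/example.com.key" -out "$d/example.com.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/example.com.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/example.com.crt" 2>/dev/null
}
```

On the server the call is build_pound_pem example.com.crt example.com.key pound.pem AddTrustCA.crt AddTrustExternalCARoot.crt (using whatever the CA actually sent), then pem_key_matches_cert pound.pem and pem_chain_verifies pound.pem against the root you expect; only restart Pound once both succeed.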

Final Steps

If you haven’t configured Pound to point to the PEM file you will need to do so. Open your pound.cfg in vim or a text editor via WinSCP and add the Cert directive to the ListenHTTPS block; it should look something like this:

ListenHTTPS
        Address 10.0.0.1  # put your server's public IP address here
        Port 443
        Cert "/etc/httpd/ssl/pound.pem"
        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
        Service
                BackEnd
                        Address 127.0.0.1
                        Port 443
                End
        End
End

Pound terminates TLS here and forwards plain HTTP to the back-end, so the BackEnd address and port must be whatever is actually listening on the loopback interface in your chain (Varnish or Apache); if that back-end itself expects TLS, the BackEnd block needs Pound's HTTPS directive. The HeadRemove/AddHeader pair ensures a client cannot inject its own X-Forwarded-Proto header and that the back-end can tell the request arrived over HTTPS. The PEM path must be readable by root, because Pound opens it at start-up before dropping privileges to the user configured in pound.cfg.

Then restart Apache, Varnish and Pound (only Pound reads the PEM, but restarting all three confirms the whole chain comes back up cleanly):

service httpd restart && service varnish restart && service pound restart

And test that you can access your site using https, i.e. https://<yoursite>.com, in a browser or with openssl's s_client pointed at port 443 with your hostname as the server name. If this doesn’t work, check the Pound and Apache logs: on CentOS 6 Pound logs through syslog (/var/log/messages unless you changed LogFacility in pound.cfg) and Apache writes to /var/log/httpd/ssl_error_log. A Pound start-up failure right after a certificate change is usually the PEM file (missing key, a key that does not match the certificate, or a block that is not valid PEM).

If this helped, please let me know in the comments below 🙂

Michael.

Michael has been doing web-development for 10 years and still gets excited by pulling data out of a database for the first time on a new site.

Over the last few years Michael has also developed a strong interest in digital marketing working on SEO, AdWords, Facebook and email marketing campaigns for various clients.

The focus is now on improving customers businesses through smart digital marketing campaigns, increasing revenue, profit and customer satisfaction.
