A few weeks ago I had to re-install an SSL certificate on a server running Apache, Varnish & Pound as the old certificate had just expired. I thought it would be good to write up a quick guide on how to do it as it may help others.
Note that if you are on a shared hosting plan, you can easily generate a *.CSR and *.Key file, then install your *.CRT (once the certificate authority sends it to you) through cPanel.
This guide is written using CentOS commands, but you should be able to find the corresponding commands for other OSes. If you get stuck, leave a comment and I will happily help you out.
If you need a hand setting up Varnish and Pound, see the following guides as I found them quite helpful:
- Varnish: http://www.servermom.org/install-varnish-3-to-run-with-apache-2-on-centos-server/552/
- Pound: http://www.geoffstratton.com/2013/11/web-server-performance-part-ii-varnish-pound/
Note that this is a best effort post, we take no responsibility for the security of your website or server from anything posted on BlocksAndPixels.com.au.
Depending on your server configuration you may need to run the commands using sudo (or use sudo -i to open a root shell). The key-generation command below uses -nodes, so you will not be asked to set a passphrase or password.
First you'll need to edit your openssl.cnf (on CentOS 6 it may be located in /etc/pki/tls) and uncomment the req_extensions line, changing
    #req_extensions = v3_req
to
    req_extensions = v3_req
Then find the [ v3_req ] section and add your domain name (or names, if you have multiple) as subjectAltName entries, for example:
    [ v3_req ]
    # Extensions to add to a certificate request
    subjectAltName=DNS:example.com,DNS:example.me
Generate the CSR and Key
Once you have set up the openssl.cnf file, change into the directory where you want to keep the certificate files (this guide uses /etc/httpd/ssl).
From there, generate the CSR and key file using the following command. Before running it, check that the path to your openssl.cnf file is correct and that the Common Name you enter matches the primary domain name:
OPENSSL_CONF=/etc/pki/tls/openssl.cnf openssl req -nodes -newkey rsa:2048 -keyout <domain>.key -out <domain>.csr
Buy Your SSL Certificate and Install
Once you have generated the CSR and KEY files (keep them handy, you'll need them; the .key file is your private key, so keep it on the server and only submit the .csr) you can buy your SSL certificate. If you don't know where to buy an SSL certificate, I would recommend using NameCheap (Disclaimer: affiliate link), as that is where I buy all my domains and SSL certificates from and they have fantastic support.
Ensure that you use a valid email address when purchasing the SSL certificate, as the certificate will be sent to it.
Once you receive your SSL certificate, install it onto the server by copying it into the same directory as your CSR and key (/etc/httpd/ssl in this guide).
If you are just using Apache, then you should be able to restart Apache (CentOS 6):
service httpd restart
You should then be able to browse to https://<your-site>.com and see the certificate work as expected.
Generate your PEM file
If you are using Pound in conjunction with Apache and Varnish, then you'll need to generate a PEM file before the certificate will be picked up correctly. To do so, in the same /etc/httpd/ssl directory, first check that the certificate parses:
openssl x509 -in <ssl-certificate>.crt -text
If that outputs readable certificate details and not an error message, you can create the PEM file for Pound:
openssl x509 -in <ssl-certificate>.crt -out pound.pem
Then append the private key to the PEM file:
openssl rsa -in <domain>.key >> pound.pem
The PEM file now contains your private key, so make sure it is readable only by root.
If you received other *.CRT files from the certificate issuer (for example AddTrustExternalCARoot, AddTrustCA, etc.), open them and append them to the bottom of the pound.pem file as well, so Pound can serve the full chain.
If you haven't configured Pound to point to the PEM file, you will need to do so. Open your pound.cfg file in Vim or in a text editor via WinSCP and add the Cert directive, making sure its path points to the PEM file you just created.
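The v3_req configuration from the start of the guide and the PEM bundling steps above, as one added shell example (not code from the original post). It assumes the openssl CLI is installed; the file names are placeholders chosen by the caller and example.com / example.me are constructed sample names. The build function adds the check a practitioner wants before restarting Pound: that the key actually belongs to the certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: assemble the Pound PEM
# bundle as the guide describes (certificate, then key, then chain certs)
# and verify the key belongs to the certificate before Pound loads it.
# Needs the openssl CLI; all file names are placeholders supplied by the caller.
set -eu

# Write a minimal openssl.cnf containing the v3_req section the guide edits.
# The DNS names are constructed sample values.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = example.com
[ v3_req ]
subjectAltName = DNS:example.com,DNS:example.me
EOF
}

# build_pound_pem CERT KEY OUT [CHAIN_CRT ...]
# Returns 1 without writing OUT if the key's public half differs from the
# certificate's (a common cause of Pound refusing to start after a renewal).
build_pound_pem() {
    cert=$1; key=$2; out=$3; shift 3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "build_pound_pem: $key does not match $cert" >&2
        return 1
    fi
    # The bundle holds the private key, so create it readable by owner only.
    ( umask 077; openssl x509 -in "$cert" -out "$out" )
    openssl rsa -in "$key" 2>/dev/null >> "$out"
    for chain in "$@"; do        # intermediates first, root last, as issued
        openssl x509 -in "$chain" >> "$out"
    done
}

# Number of PEM blocks in a file: expect 2 + number of chain certificates.
pem_block_count() { grep -c -- '-----BEGIN' "$1"; }

# Prints yes if the first certificate in $1 lists DNS name $2 in its SAN.
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then
        echo yes; else echo no; fi
}
```

Call it as build_pound_pem <domain>.crt <domain>.key pound.pem AddTrustCA.crt AddTrustExternalCARoot.crt and only restart Pound if it exits 0.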
The ListenHTTPS section of pound.cfg should look something like this:
    ListenHTTPS
        Address 10.0.0.1 # put your server's public IP address here
        Port 443
        Cert "/etc/httpd/ssl/myserver.com.pem"
        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
        Service
            BackEnd
                Address 127.0.0.1
                Port 443
            End
        End
    End
Then restart Apache, Varnish and Pound:
service httpd restart && service varnish restart && service pound restart
Finally, test that you can access your site over https, i.e. https://<yoursite>.com. If this doesn't work, check the Pound and Apache error logs (under /var/log).
If this helped, please let me know in the comments below 🙂