This lab provides an introduction to working with SSL-enabled services. The primary focus is on creating certificates and deploying them for use with the Apache2 web service to enable HTTPS. For this lab, we will be creating a new sub-domain (secure.lastname45678.mytld), configure a private Certificate Authority (CA), generate certificates and sign them using the CA, and enable SSL and create the virtual host in Apache2.

Notice: Please make sure to replace lastname45678 with your real last name and the last 5 digits of your student ID! Do not just blindly copy and paste unless you want to spend a lot of time deleting and redoing the steps!

Before you begin, try running sudo /root/server-check.sh -l 1234 firstname lastname studentnumber to make sure you haven't accidentally broken what was completed in previous labs.

Prepare Document Root and Sub-domain for secure.lastname45678.mytld

Create a document root and a default web page

In lab 4, we created a directory named /sites to hold the document directories for our virtual websites. Create a directory named secure.lastname45678.mytld, with your last name and student ID in the existing /sites directory. This will be the document store for your SSL-enabled website:

• Add an index.html to the /sites/secure.lastname45678.mytld directory with content to identify that page as the home page for your site:
• Sample contents of index.html

<html>
    <header>
        <title>HTTPS Secured Site</title>
    </header>
    <body>
        <h1>This is the SSL-protected home page for `secure.lastname45678.mytld`</h1>
    </body>
</html>

<html>
    <header>
        <title>HTTPS Secured Site</title>
    </header>
    <body>
        <h1>This is the SSL-protected home page for `secure.lastname45678.mytld`</h1>
    </body>
</html>

Add the hostname secure to your DNS

Add the name secure to the zone file (e.g. /etc/bind/db.lastname45678.mytld) for lastname45678.mytld as a CNAME for ns1:

• The line will look like this:
  • secure IN CNAME ns1
  • Increment the serial number!
  • Restart your DNS service using rndc reload
• Verify you can successfully ping secure.lastname45678.mytld

Setup a Private Certificate Authority (CA)

Create CA and CA certificate

Since more or less all the commands in this section require root, using a root shell (sudo bash or sudo su) is recommended. Run the commands to make the CA, the certificates and keys in the root shell. Don't forget to exit the root shell before continuing with the next section in the lab.

In the root shell, we will be performing the following tasks:

• Install the easy-rsa package
  • The easy-rsa provides scripts and tools that simplify certificate creation
  • For each step below, use ls -la to observe what was created inside the working directory
• Use make-cadir to create a default software directory for your CA.
• Use that directory to create a PKI with a CA certificate and key to use for issuing private certificates.

The commands to accomplish these tasks could look like this:

#Use a root shell:
sudo bash

# install the easy-rsa package:
apt update
apt install easy-rsa 

# Create the certificates directory using makecadir:
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

# From your certificates directory, create PKI and a CA certificate using the easy-rsa script
./easyrsa init-pki
./easyrsa --req-cn=COMP1071 --batch build-ca
# Ensure that you provide a passphrase for your CA Key that you can remember!

#Use a root shell:
sudo bash

# install the easy-rsa package:
apt update
apt install easy-rsa 

# Create the certificates directory using makecadir:
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

# From your certificates directory, create PKI and a CA certificate using the easy-rsa script
./easyrsa init-pki
./easyrsa --req-cn=COMP1071 --batch build-ca
# Ensure that you provide a passphrase for your CA Key that you can remember!

Add Your CA Certificate as a Trusted CA

The default location for CA certificates is under /usr/share/ca-certificates. To add your CA certificate to your system, make a sub-directory named comp1071 in your /usr/share/ca-certificates and copy your new CA certificate file from /etc/openvpn/easy-rsa/pki/ca.crt to it. Make the CA certificate file world-readable (644 is appropriate). Your system will see this certificate, but you will need to "trust" this CA by re-running the ca-certificates configuration script and explicitly selecting your CA.

The commands will look like this:

# Make the sub-directory
mkdir /usr/share/ca-certificates/comp1071
# Copy the CA certificate file
cp /etc/openvpn/easy-rsa/pki/ca.crt /usr/share/ca-certificates/comp1071/
# Make the certificate file readable for everyone
chmod 644 /usr/share/ca-certificates/comp1071/ca.crt

# Re-configure your system to trust this CA
dpkg-reconfigure ca-certificates

# Make the sub-directory
mkdir /usr/share/ca-certificates/comp1071
# Copy the CA certificate file
cp /etc/openvpn/easy-rsa/pki/ca.crt /usr/share/ca-certificates/comp1071/
# Make the certificate file readable for everyone
chmod 644 /usr/share/ca-certificates/comp1071/ca.crt

# Re-configure your system to trust this CA
dpkg-reconfigure ca-certificates

When the config screen comes up:

• You can choose Yes to install a new certificate
• On the next screen, press space to enable (add * character in the checkbox) your COMP1071 CA Cert.
• Then use tab to navigate and press enter on Ok to save the changes

Create a Key and Sign the Certificate Website secure.lastname45678.mytld

Before generating the key pair and signing the certificate, modify the /etc/openvpn/easy-rsa/vars file to add the following information (make sure to read the comments and only modify and uncomment the items you need).

• Modify the variables in the configuration file: sudo nano /etc/openvpn/easy-rsa/vars
• Organization name: COMP1071
  • You may use any other information that is valid for the location information, but the Organization name must be COMP1071
• Use Common Name: secure.lastname45678.mytld
• Email address: hostmaster@lastname45678.mytld

Proceed with creating the keys and certificates for your website.

# Navigate to your certificates directory
cd /etc/openvpn/easy-rsa

# Generate the public/private key-pair and request files
./easyrsa gen-req secure.lastname45678.mytld
# Create a passphrase that is easy to remember for the server's private key file
# We have already supplied the Common Name, so you should be able to just hit enter for the default
# Make note of the location of your key file (This is your website's Private Key!!!)

# Request your CA to sign your public key to generate a certificate
./easyrsa sign-req server secure.lastname45678.mytld
# Read to make sure your CommonName is correct!
# Notice that you will be asked to give your **CA key passphrase** from the previous steps!
# make note of the location of your cert file (This is your website's signed certificate!!!)

# Navigate to your certificates directory
cd /etc/openvpn/easy-rsa

# Generate the public/private key-pair and request files
./easyrsa gen-req secure.lastname45678.mytld
# Create a passphrase that is easy to remember for the server's private key file
# We have already supplied the Common Name, so you should be able to just hit enter for the default
# Make note of the location of your key file (This is your website's Private Key!!!)

# Request your CA to sign your public key to generate a certificate
./easyrsa sign-req server secure.lastname45678.mytld
# Read to make sure your CommonName is correct!
# Notice that you will be asked to give your **CA key passphrase** from the previous steps!
# make note of the location of your cert file (This is your website's signed certificate!!!)

Once you have requested and signed the secure server's certificate, copy the crt and key files into /etc/ssl.

• Put the certificate file in the /etc/ssl/certs directory
• Put the key file in the /etc/ssl/private directory.

Example commands:

cp pki/issued/secure.lastname45678.mytld.crt /etc/ssl/certs/
cp pki/private/secure.lastname45678.mytld.key /etc/ssl/private/

cp pki/issued/secure.lastname45678.mytld.crt /etc/ssl/certs/
cp pki/private/secure.lastname45678.mytld.key /etc/ssl/private/

Create and Enable The Website in Apache2

Create Configuration File for The Website

To create a virtual website for secure.lastname45678.mytld, you can begin by copying the default-ssl.conf site file in /etc/apache2/sites-available to a file named secure.lastname45678.mytld.conf:

cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/secure.lastname45678.mytld.conf

cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/secure.lastname45678.mytld.conf

Configure the file by modifying at least the following options:

• VirtualHost
• ServerAdmin
• ServerName
• SSLCertificateFile
• SSLCertificateKeyFile
• DocumentRoot and Directory stanza for your DocumentRoot

nano /etc/apache2/sites-available/secure.lastname45678.mytld.conf

nano /etc/apache2/sites-available/secure.lastname45678.mytld.conf

An example file might look like this:

<VirtualHost secure.lastname45678.mytld:443>
        ServerName
        ServerAdmin webmaster@lastname45678.mytld

        DocumentRoot /sites/secure.lastname45678.mytld
        <Directory /sites/secure.lastname45678.mytld>
                Require all granted
        </Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile      /etc/ssl/certs/secure.lastname45678.mytld.crt
        SSLCertificateKeyFile   /etc/ssl/private/secure.lastname45678.mytld.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>

</VirtualHost>

<VirtualHost secure.lastname45678.mytld:443>
        ServerName
        ServerAdmin webmaster@lastname45678.mytld

        DocumentRoot /sites/secure.lastname45678.mytld
        <Directory /sites/secure.lastname45678.mytld>
                Require all granted
        </Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile      /etc/ssl/certs/secure.lastname45678.mytld.crt
        SSLCertificateKeyFile   /etc/ssl/private/secure.lastname45678.mytld.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>

</VirtualHost>

Turn on SSL Module and Enable The Site

• Enable the ssl module for Apache2
• Enable your site
• Restart your apache2 service.

a2enmod ssl
a2ensite secure.lastname45678.mytld
systemctl restart apache2

a2enmod ssl
a2ensite secure.lastname45678.mytld
systemctl restart apache2

Note: You will need to supply the passphrase for the server's private key to start the service successfully!

• Whenever you start any service that needs to ask for a passphrase for a protected resource, such as a private key file, you will need to give the password before the service will complete startup. If the startup is not interactive, such as when the system boots, you will need to use the systemd-tty-ask-password-agent --query command to enter the password:
• If you see the systemd-ask-password process when you run the systemctl status apache2 command, it means you have not successfully given the password, and the service has not completed startup.

  systemd-tty-ask-password-agent --query
  systemctl start apache2 

  systemd-tty-ask-password-agent --query
  systemctl start apache2 

• Using systemctl reload may not require entering passwords, as it only re-reads configuration files. If the protected resources have not changed in the config files, no password is needed (since they still live in memory).

Allow web access to the SSL-enabled site through your firewall

Add a UFW rule to allow HTTPS service through your firewall.

ufw allow 443/tcp

ufw allow 443/tcp

Verify you can access the site in a terminal window.

wget -O - https://secure.lastname45678.mytld

wget -O - https://secure.lastname45678.mytld

Verify you can access your personal home page on your new site using https with a web browser on your host laptop. You may need to add the hostname secure.lastname45678.mytld to your host laptop's hosts file, and check that you still have the private route on your host laptop to the 172.16.3.0/24 network through your host 99 address. To test for those things, consider doing ping 172.16.3.2 and ping secure.lastname45678.mytld in a command line terminal window on your host laptop.

Troubleshooting and Log Files

Apache2 Service

You can attempt the following to make sure that the service is running and listening for network requests:

• sudo service apache2 status
• sudo apachectl configtest to check the syntax of your configuration files
• sudo ss -tlpn and look for ports 80 and 443 to see if the service is listening for incoming traffic

Examine the content of access.log and error.log in /var/log/apache2 to see what is being logged for your activity on your web server.

• sudo tail /var/log/apache2/access.log

• sudo tail /var/log/apache2/error.log

  Tip: to view the live logs as you restart the service, make use of the -f option for tail:

  • Open a new terminal (via SSH or a new window, depending on your host system and software) and issue the command.
    • for errors: sudo tail -f /var/log/apache2/error.log
    • for access logs: sudo tail -f /var/log/apache2/access.log
  • restart the service, visit a page in a browser, use wget or curl, or perform the operation that is not giving the expected results and watch the live logs!

Tip: Logs are "historic"! If you see errors, check the date and time before assuming something is wrong right now

Evaluate your server

• Run sudo /root/server-check.sh -l 5 firstname lastname studentnumber.
• Review any problems detected and correct as necessary. Do not move on to the next labs until you have this lab's result at 100%.