Digital Nut


My pathetic & feeble excuse for a blogsite!


Enable https on a Raspberry Pi using the 'free' StartSSL certificates

SSL certificates can be quite expensive, but StartSSL offer class 1 certificates free of charge, and on most browsers these do not trigger the ‘untrusted site’ warning. However, I found their website wizard quite difficult to follow, and this guide helped me sort it out.

NOTE: make sure you download the sha256 intermediate certificate, and not the sha1 intermediate certificate that the StartCom toolbox prompts you to use (see this article).

Port forwarding

Ensure that port 443 is forwarded to the Raspberry Pi in your router's configuration.

Configuration

Once you have your certificates, edit your SSL Virtual Host file:

sudo nano /etc/apache2/sites-available/default-ssl

In the <VirtualHost _default_:443> section, add ‘ServerName yourdomain.co.uk’ just under ‘ServerAdmin’.

In the <Directory /> section, change ‘AllowOverride None’ to ‘AllowOverride All’.

In the <Directory /var/www/> section, change ‘AllowOverride None’ to ‘AllowOverride All’.

Further down, enter the names of your 3 certificates against the proposed locations, un-commenting #SSLCertificateChainFile (the SSLCertificateChainFile is the sub.class1.server.sha2.ca.pem certificate downloaded from StartSSL).

Save the file, then copy the respective certificates to the locations specified in the default-ssl file, and chmod both your SSLCertificateFile and SSLCertificateKeyFile to 400 so that only their owner can read them.

So far, none of these changes are visible to the system, because the default-ssl site is not enabled and the SSL module has not been activated. To do so:

sudo a2ensite default-ssl
sudo a2enmod ssl
sudo /etc/init.d/apache2 restart

Now navigate to https://yourdomain.co.uk and hopefully you will have https access!
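As an added check (an example script, not part of the original post): a small POSIX shell script that confirms the three things the steps above depend on, namely that the certificate and key files are mode 400, that the installed chain file is SHA-2 signed rather than SHA-1, and that the certificate actually belongs to the private key. The KEY, CERT and CHAIN paths are assumptions; change them to match what you entered in default-ssl.

```shell
#!/bin/sh
# Sanity checks for the Apache/StartSSL setup above (added example, not from
# the original post). Paths are hypothetical: set them to the locations you
# entered in /etc/apache2/sites-available/default-ssl.
KEY=/etc/apache2/ssl/yourdomain.key
CERT=/etc/apache2/ssl/yourdomain.crt
CHAIN=/etc/apache2/ssl/sub.class1.server.sha2.ca.pem

# 0 when FILE exists and its mode is exactly 0400 (find -perm with no
# '-' or '/' prefix matches the exact mode), as the guide asks for.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm 400 -print 2>/dev/null)" ]
}

# 0 when the 'openssl x509 -text' output on stdin shows a SHA-2 signature,
# i.e. the sha256 intermediate was installed rather than the sha1 one.
sigalg_is_sha2() {
    sed -n '/Signature Algorithm/{p;q;}' | grep -qiE 'sha(256|384|512)'
}

# 0 when the public key inside CERT matches private key KEY, comparing
# SHA-256 digests of both DER-encoded public keys. A mismatch stops Apache
# from starting once the ssl module and default-ssl site are enabled.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

main() {
    rc=0
    for f in "$KEY" "$CERT"; do
        key_perms_ok "$f" || { echo "WARN: $f is not mode 400"; rc=1; }
    done
    openssl x509 -in "$CHAIN" -noout -text 2>/dev/null | sigalg_is_sha2 \
        || { echo "WARN: $CHAIN is not SHA-2 signed; re-download the sha256 intermediate"; rc=1; }
    cert_matches_key "$CERT" "$KEY" 2>/dev/null \
        || { echo "WARN: $CERT does not match $KEY"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate files look sane"
    return "$rc"
}

# Run the checks only when invoked as: sh check-ssl.sh check
case "${1:-}" in check) main ;; esac
```

Run it as root (sudo sh check-ssl.sh check), since the key file is only readable by its owner once it is mode 400.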

If, however, you want to return things to how they were before the changes above:

sudo a2dissite default-ssl
sudo a2dismod ssl
sudo /etc/init.d/apache2 restart

Restricting site to https only

sudo nano /etc/apache2/sites-available/default

Within the <VirtualHost *:80> section, underneath ‘DocumentRoot’, add a Rewrite rule:

# Requires mod_rewrite (sudo a2enmod rewrite)
RewriteEngine on
# Only act on plain-HTTP requests (this is the *:80 virtual host)
RewriteCond %{SERVER_PORT} !^443$
# Leave loopback clients alone; dots escaped and anchors added so this matches only 127.x.x.x
RewriteCond %{REMOTE_ADDR} !^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

...to redirect port 80 requests to https, while still allowing emonhub to communicate via localhost.

Save the ‘default’ file and restart Apache with the command above.

All done!