I have installed Godaddy SSL HTTPS certificates on many Amazon EC2 instances and I always end up having to look stuff up every time I do it, so I am creating this tutorial for future reference and to help others who have issues installing SSL certificates. They definitely are not the easiest things in the world to install, by far! Godaddy certificates are a lot easier to install than Symantec or VeriSign certificates, however. They are a lot cheaper too, but do not have the good reputation for security that VeriSign/Symantec has.
First Steps for Installing SSL Certificates:
- Log in to your Godaddy.com account and click in the drop down under your name in the top left green nav bar, click on "My Account".
- Then click on the plus sign next to "SSL Certificates" and select the certificate you most recently purchased and click on the orange "Set Up" button on the right. Then select your service in the drop-down that appears and click on the green "Set Up" button.
- Next, click on the "Launch" button to open your certificate control panel. Since you are installing the certificate on a third party server, Amazon, select the third party server option in the "Hosting Options" dialog and enter your CSR by following the instructions for CSR in the next section.
Generating a Certificate Signing Request (CSR) - Apache 2.x
- Log in to a secure shell. I use PuTTY for this.
- Enter the following at the command prompt:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
- Provide the information asked for when doing the above command. You do not have to enter a password if you want to make the process simple and you don't have to enter any of the data that is specified as optional.
- After answering the questions, type "ls" at the command prompt to list the content of your directory and you should see the two files you just generated with the CSR signing request. Open the .csr file by typing "sudo vi yourdomain.csr" and highlight the entire file and copy it to your clipboard with Ctrl+C.
- Paste the text into your Godaddy account below where it says "Enter your Certificate Signing Request (CSR) below:".
- Check the box to agree to terms of service and click the continue button leaving the other options set to default. Your certificate should be emailed to you.
- Next, log back in to your Godaddy account and click on "request certificate" next to the certificate you just did the CSR for.
- You do not have to wait for the email, though. To get your certificate, go back to your account main page by clicking on "My Account" from the main nav on Godaddy.com. Scroll down to "SSL Certificates" again and click "Launch" by your new certificate. If it is not ready yet, wait for your email and try again.
- Wait for the email.
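A prompt-free version of the CSR step above, with two checks worth running before pasting the request into the Godaddy form. This is an added example, not part of the original tutorial; the function names and the subject values (Arizona, Scottsdale, Example Co) are assumptions for illustration.

```bash
# Added example: the CSR step without prompts, plus checks before submitting.
# Function names and subject values are illustrative, not from the tutorial.

# make_csr DOMAIN [DIR]: writes DIR/DOMAIN.key and DIR/DOMAIN.csr
make_csr() (
    domain="$1"; dir="${2:-.}"
    # -nodes leaves the private key unencrypted, so file permissions are
    # its only protection: create it under a restrictive umask.
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Co/CN=$domain" \
        2>/dev/null
)

# csr_subject CSR: verify the request's self-signature, then print its subject.
# The exit code of "req -verify" differs between OpenSSL versions, so the
# "verify OK" message is matched instead.
csr_subject() (
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || exit 1
    openssl req -in "$1" -noout -subject
)

# csr_key_bits CSR: print the public key size in bits
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: make_csr coolexample.com && csr_subject coolexample.com.csr
```

The Common Name printed by csr_subject must be the exact hostname visitors will use, because that is the name the issued certificate will carry.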
Server Configuration for SSL Certificates
The next thing you will have to do, after you have received your certificate files from Godaddy, is to configure your web server to deal with SSL and HTTPS. To do so, first check that you have OpenSSL and mod_ssl installed by creating an info.php file with the following contents:
Upload info.php to your server's web root directory, which will be /var/www/html on an Amazon Linux AMI. Then go to your info.php file in a web browser by navigating to yourDomain.com/info.php. You can verify that you have OpenSSL by using the find feature of your browser and searching for "openssl"; check that it says enabled after the second instance of openssl you find on that page.
You can verify the existence of mod_ssl by searching info.php for "mod_ssl"; if it is there, it is most likely activated. Just make certain it is listed under the loaded modules in your PHP info file.
If in the previous step, you could not find mod_ssl, it probably isn't installed. To install mod_ssl, open up a shell command prompt and type the following command at the command prompt:
sudo yum install mod_ssl
Type "y" for yes to give permission to install the module.
Now you can see that mod_ssl is loaded by confirming its presence in your info.php file from before.
Configure httpd.conf and ssl.conf
Before you start the following steps, go to your command prompt for your web server and make backup copies of your httpd.conf and ssl.conf files using the following commands:
sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bkup
sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bkup
- Next, download your files from Godaddy as described above. Unzip them onto your desktop and upload them to your ec2-user folder on the web server. Your key files should already be there from when you generated a CSR earlier.
- If you're using an Amazon Linux basic AMI, you will have a separate ssl.conf file at /etc/httpd/conf.d/ssl.conf and your httpd.conf file will be in the /etc/httpd/conf/ folder. Open up /etc/httpd/conf.d/ssl.conf in vi using the command: sudo vi /etc/httpd/conf.d/ssl.conf
- Find the following lines and edit them according to the file names you just uploaded and your key file name:
SSLCertificateFile /home/ec2-user/site.com.crt
SSLCertificateKeyFile /home/ec2-user/site.key
SSLCACertificateFile /home/ec2-user/gd_bundle.crt
- Replace "site" with the actual file name above, then save the ssl.conf file in the vi editor by typing :wq. If you don't know how to edit in vi, you have to type "i" to insert or delete text, then hit the Esc key to get out of insert mode.
- Restart Apache by typing "sudo service httpd restart" at the command prompt and pressing return. If no errors occurred, you did everything correctly and your ssl certificate will work now. If Apache didn't restart, you have a problem in your config file most likely so check your error logs or read the output error and fix the problem and restart until it works. If all fails revert back to the original backed up config files and restart the process until it works.
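Most failed restarts at this point come from a certificate paired with the wrong key, a certificate issued for a different hostname, or an expired file, and all three can be caught before touching Apache. The checks below are an added example, not part of the original tutorial; the function names and the 14-day threshold are assumptions.

```bash
# Added example: checks to run on the uploaded files before restarting Apache.
# Function names are illustrative; pass the paths used in your ssl.conf.

# 0 if the certificate and the private key carry the same public key.
cert_matches_key() (
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# 0 if the certificate is valid for hostname $2 (SAN, or CN when no SAN exists).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if the key file grants no permissions to group or other.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# preflight CERT KEY HOSTNAME: prints "ok" or the first failed check.
preflight() {
    cert_matches_key "$1" "$2"  || { echo "key does not match certificate"; return 1; }
    cert_covers_host "$1" "$3"  || { echo "certificate does not cover $3"; return 1; }
    cert_valid_for_days "$1" 14 || { echo "certificate expires within 14 days"; return 1; }
    key_is_private "$2"         || { echo "key is readable by group or other"; return 1; }
    echo "ok"
}

# Usage:
#   preflight /home/ec2-user/site.com.crt /home/ec2-user/site.key site.com \
#       && sudo apachectl configtest
```

Running apachectl configtest afterwards parses the edited configuration without restarting, so a syntax error in ssl.conf does not take the site down.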
Updates when I did this again in December of 2016
When I installed an SSL certificate in December of 2016, the process was close to the one described above, so I'll leave it there for reference and note any differences here. One obvious difference is that the Godaddy site has changed, but not so much as to make the above instructions not work. You will just have to be aware that some of the buttons and links are a little different than I have described above. Also, I noticed that almost none of the Godaddy links to support and information worked, so it was difficult and nearly impossible to find any help from Godaddy's website. That is why I decided to update my guide here.
Info Needed for a CSR
Here is a list of the basic information you will be asked for when doing a Certificate Signing Request or CSR:
1- Country Name (2 letter code):
2- State or Province Name (full name):
3- Locality Name (eg, city):
4- Organization Name (eg, company):
5- Organizational Unit Name (eg, section):
6- Common Name (eg, your name or your server's hostname):
7- Email Address:
8- Company name:
In December, 2016, I was able to use the command described above to get the CSR files from the Amazon server. So I got the CSR and received the email from Godaddy several minutes later. Here is the relevant portion of the email they sent me after I filled out the Godaddy CSR form on their site:
----------------------------Begin email from Godaddy:--------------------------
Dear Secure Certificate Customer,
Congratulations on becoming an SSL certificate owner for the domain: MySite.com! We're delighted to have you on board.
- Download your certificate, by logging in to your account at https://certs.godaddy.com/home.pki?AccountUid=REMOVED FOR SECURITY REASONS.
- Click here to follow our easy instructions to install your certificate.
- We've partnered with McAfee SECURE to deliver more value with your SSL Certificate. By installing the McAfee SECURE trustmark on your website, your site will be monitored by McAfee 24/7. McAfee SECURE trustmark will display on every page of your site and right in the search results of Google, Yahoo!, Bing and Ask. To add the seal to your site, log in to your SSL account at (Link Removed), select your certificate, then choose your seal from the “Seal” options.
If you have any trouble or questions, contact us and let us know. We are available to help around-the-clock, seven days a week.
For further information, log in to your account at https://certs.godaddy.com.
----------------------------End email from Godaddy--------------------------
Naturally, I attempted to follow the instructions emailed to me in the above email message. I completed step one by clicking on the link they provided (or you can navigate to the SSL cert yourself from your Godaddy account). You simply click the link in step one from the email, click on the domain name that represents the current SSL certificate you wish to install, and click on the "Download" icon in the resulting web page. That will open a page that asks you the server type you wish to install the SSL certificate on. The options are:
- Mac OSX
How to Find Your Server Type
In order to figure out what type of web server you're running, from Linux you can issue the following command from a shell prompt (command prompt):
curl -I www.jafty.com
Type the curl command replacing jafty.com with a domain name that points to your server and press enter. When entering the above command you should see results similar to this:
Notice the text that I circled in red. It says I'm on a cloudflare-nginx server. So for server type, I would choose "other". Then I clicked the download button.
So far, so good, but when I went on to step two after successfully downloading the SSL certificate files, the link that Godaddy provided in step two for instructions fails to open a web page, so you are on your own for instructions. Again, that is why I have provided the information here. I hope it helps people.
Installing SSL Certificate on Bitnami ec2 with WordPress
If your webroot directory is
/opt/bitnami/apps/wordpress/htdocs then you are surely using a Bitnami ec2 with WordPress stack. In that case, here are the modified instructions for installing your SSL certificate:
Open your bitnami.conf file at /opt/bitnami/apache2/conf/bitnami/bitnami.conf by navigating to the directory and executing this command:
sudo vi bitnami.conf
Scroll down to the virtual host settings for port 80 and port 443 and change this: DocumentRoot /opt/bitnami/apache2/htdocs
in each virtual host(ports 80 and 443).
Find the lines in the virtual host declaration for port 443 that look similar to:
Delete the above lines and replace them with the following lines:
Make sure you replace the above file names with your own, however, and make sure you've placed the named files in the proper locations. The first one, YourOwn.crt, will be replaced with the file you downloaded from Godaddy when you purchased your SSL certificate. The second file will have been created when you created your certificate signing request from the command line before you obtained your files from Godaddy and can normally be found in /home/bitnami. The last line is for your bundle certificate, which should also have been in the files you downloaded from Godaddy. Place all three files in the /opt/bitnami/apache2/conf/ directory by opening each (before they exist) in the vi editor, then copying and pasting their content and saving them. I use that method because FileZilla FTP clients will not allow you to modify files in this directory.
That's all there is to it. It's difficult if you don't have precise instructions to follow for your particular web server, so if you have an Apache server on an Amazon ec2 instance, following the instructions in this tutorial should have you up and running with HTTPS in no time at all. If you are using a different type of server or hosting provider, the instructions will be similar but will differ in some spots, so be careful, as this tutorial was written with Amazon Linux users in mind.