Install website SSL certificate in DTC admin panel


This shows how to install an SSL certificate for a website hosted using the DTC control panel. It does not cover installing an SSL certificate for the DTC admin panel itself.

Each website requires a dedicated IP address

Configure website in DTC

DTC does not currently support Server Name Indication (SNI), so you must use a dedicated IP address for every website that needs an SSL certificate.

First, add the SSL IP address to the host itself (for example in /etc/network/interfaces) so that the server actually listens on it.

Go into the DTC admin panel and:

  • under DTC General Configuration > General, set show ssl tokens in my account to Yes and set Allow use of name based shared SSL vhosts to No
  • under DTC General Configuration > IP Addresses and Network, add the IP address Host IP addresses if you have not already, and make sure Use multiple IPs is off
  • under DTC General Configuration > SSL IP Addresses, add the IP address to be assigned to the site
  • under Hosting Product Manager > Product list editor (SSL IPs), add a new product for the SSL IP address if you don't have any
  • under User Administration > {username} > Client interface > My account, click the Buy an SSL IP button; you will be sent to the Client Payment screen, but it seems you don't have to do anything here
  • under User Administration, there will be a new order listed in the alert screen; validate that
  • under User Administration > {username} > Domain config, select the IP address from the drop down list for the domain you are configuring
  • under User Administration > {username} > Client interface > {domain} > Sub-domains, edit your subdomain (probably www), select the IP address from the list at SSL vhost listens on this IP and save

Wait at least 10 minutes for the next DTC cron job to run.

At this point, test that the website is up on the new IP address, and that https works. DTC will generate a self-signed certificate for the site, so you will see a warning about it, but the site should function. A little more info and screenshots of this process are found at the DTC FAQ for SSL certificates.

Replace the self-signed certificates

Assuming your website now works with https, all that's needed is to locate the generated certificate files for this domain and replace them with your purchased certificate.

Your website files are stored in a html/ directory, and the generated SSL certificates are stored in the adjacent ssl/ directory.

dtc1:~# ls -lF /var/www/sites/username/domain.com/subdomains/www/
total 36
drwxr-x---  2 dtc  dtcgrp     4096 Apr 29  2013 cgi-bin/
drwxr-xr-x  3 dtc  dtcgrp     4096 Oct 13  2013 home/
drwxr-x---  5 dtc  dtcgrp     4096 Mar  5 10:26 html/
drwxr-x---  6 dtc  dtcgrp    12288 Apr 12 06:26 logs/
drwx------  2 dtc  dtcgrp     4096 Sep 23  2012 root/
drwxr-xr-x  2 root root       4096 Oct  3  2013 ssl/
drwxrwxrwt  2 dtc  dtcgrp     4096 Apr 14 01:55 tmp/
 
dtc1:~# ls -lF /var/www/sites/username/domain.com/subdomains/www/ssl/
total 16
-rw-r--r-- 1 root root  963 Oct  3  2013 privkey.pem
-rw-r--r-- 1 root root 1034 Oct  3  2013 www.domain.com.cert.cert
-rw-r--r-- 1 root root  818 Oct  3  2013 www.domain.com.cert.csr
-rw-r--r-- 1 root root  887 Oct  3  2013 www.domain.com.cert.key

As can be seen, DTC created the ssl/ directory and generated files as owned by root, which means a customer cannot ever replace them. At the same time, it also means the webserver cannot overwrite them either, which is preferable for security. If you need the client to replace their own certificate files, run chown -R dtc:dtcgrp /var/www/sites/username/domain.com/subdomains/www/ssl/.

Back up the old certificate files.

dtc1:~# cd /var/www/sites/username/domain.com/subdomains/www/ssl/
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# for f in www.*.cert.*
> do
> mv $f $f.old
> done
 
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# ls -l
total 16
-rw-r--r-- 1 root root  963 Oct  3  2013 privkey.pem
-rw-r--r-- 1 root root 1034 Oct  3  2013 www.domain.com.cert.cert.old
-rw-r--r-- 1 root root  818 Oct  3  2013 www.domain.com.cert.csr.old
-rw-r--r-- 1 root root  887 Oct  3  2013 www.domain.com.cert.key.old

Generate a CSR. This will be submitted to whomever you are buying your SSL certificate from. It can help to put a date in the filename, as you never know how often you'll need to reissue a certificate nowadays.

dtc1:~# mkdir /root/ssl
dtc1:~# cd /root/ssl/
 
dtc1:~/ssl# openssl req -out domain.com-20150417.csr -new -newkey rsa:2048 -nodes -keyout domain.com-20150417-private.key
Generating a 2048 bit RSA private key
.....................................................+++
...................................................................+++
writing new private key to 'domain.com-20150417-private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Merino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domain.com, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:webmaster@domain.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
dtc1:~/ssl# cat domain.com-20150417.csr 
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Send that CSR text off to your certificate issuer and you'll get back your signed certificate, along with their root certificate and some intermediate certificates. You need to combine all of these into a single .pem file, along with the unencrypted PKCS#8 form of your private key.

dtc1:~/ssl# openssl pkcs8 -topk8 -in domain.com-20150417-private.key -out domain.com-20150417-private.key.pkcs8 -nocrypt
 
dtc1:~/ssl# cat domain.com-20150417-private.key.pkcs8 domain.com-20150417.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com-20150417.pem

Now just copy that .pem file where the generated certificate files were, and restart apache:

dtc1:~/ssl# cp domain.com-20150417.pem /var/www/sites/username/domain.com/subdomains/www/ssl/
dtc1:~/ssl# cd /var/www/sites/username/domain.com/subdomains/www/ssl/
 
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# ln -s domain.com-20150417.pem www.domain.com.cert.cert
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# ln -s domain.com-20150417.pem www.domain.com.cert.key
 
dtc1:/var/www/sites/username/domain.com/subdomains/www/ssl# service apache2 restart
Restarting web server: apache2 ... waiting .

And that's it. Reload the site and check the certificate you're presented.
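Before pointing the DTC symlinks at the combined file, it is worth confirming that what you assembled actually fits together. The script below is an added example (not from the original post or from DTC): build_bundle assembles the .pem in the same order as the cat command above, and check_bundle confirms that the key matches the certificate, that the certificate verifies against the CA files and is within its validity period, and that it is valid for the site's hostname. The openssl CLI is assumed; all file names and the hostname are hypothetical arguments.

```shell
#!/bin/sh
# Added example: build and sanity-check the combined .pem that DTC's ssl/
# symlinks will point at. Not part of DTC or the original post.
# Assumes the openssl CLI; file names and host name are hypothetical.
set -u

# build_bundle KEY CRT CHAIN OUT
# OUT = unencrypted PKCS#8 key, then the server certificate, then CHAIN
# (the issuer's intermediate certificates followed by its root).
build_bundle() {
    _key=$1 _crt=$2 _chain=$3 _out=$4
    openssl pkcs8 -topk8 -nocrypt -in "$_key" -out "$_out.pkcs8" 2>/dev/null || return 1
    cat "$_out.pkcs8" "$_crt" "$_chain" > "$_out"
}

# check_bundle PEM CHAIN HOST -> returns 0 only if:
#   - PEM contains exactly one private key,
#   - that key matches the first certificate in PEM (the server cert),
#   - the server cert verifies against CHAIN and is within its validity,
#   - the server cert is valid for HOST (SAN, or CN fallback as with the
#     CSR generated above).
check_bundle() {
    _pem=$1 _chain=$2 _host=$3
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$_pem")" -eq 1 ] || {
        echo "expected exactly one private key in $_pem" >&2; return 1; }
    # Pull the first CERTIFICATE block out so the checks below see the
    # server certificate regardless of what else is in the file.
    awk '/-----BEGIN CERTIFICATE-----/{f=1} f{print} /-----END CERTIFICATE-----/{exit}' \
        "$_pem" > "$_pem.leaf"
    _kpub=$(openssl pkey -in "$_pem" -pubout 2>/dev/null) || return 1
    _cpub=$(openssl x509 -in "$_pem.leaf" -pubkey -noout 2>/dev/null) || return 1
    [ "$_kpub" = "$_cpub" ] || {
        echo "private key does not match certificate in $_pem" >&2; return 1; }
    openssl verify -CAfile "$_chain" -verify_hostname "$_host" "$_pem.leaf" >/dev/null 2>&1 || {
        echo "certificate does not verify against $_chain for $_host" >&2; return 1; }
}

# Usage: sh check-ssl-bundle.sh KEY CRT CHAIN OUT HOST
if [ $# -eq 5 ]; then
    build_bundle "$1" "$2" "$3" "$4" && check_bundle "$4" "$3" "$5" && echo "$4 looks good"
fi
```

Run it with the purchased certificate and the issuer's CA files before creating the www.domain.com.cert.cert and www.domain.com.cert.key symlinks; a mismatched key or missing intermediate shows up here instead of in a browser warning after the Apache restart.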


Comments


A note if your SSL IP expires

A note if your SSL IP expires and you add it back, or otherwise "touch" the SSL IP for a subdomain: expect your site to break.

Specifically, if you get a connection reset error, you have this problem; the apache config gets generated without the correct Listen addr:443 line, and pointing to the wrong certificate files. As alluded to in this post, the solution is to rename the site's ssl directory and let DTC regenerate self-signed certificates again:

dtc1:~# mv /var/www/sites/username/domain.com/subdomains/www/ssl /var/www/sites/username/domain.com/subdomains/www/ssl-save

Then edit the subdomain, set the SSL IP to none and then back to the correct address. After the next cron run, the apache config will be correct again. You'll need to put your old certificates back then:

dtc1:~# rm -rf /var/www/sites/username/domain.com/subdomains/www/ssl
dtc1:~# mv /var/www/sites/username/domain.com/subdomains/www/ssl-save /var/www/sites/username/domain.com/subdomains/www/ssl
