Installing an SSL certificate on a cPanel-based web server is certainly a breeze, at least for me. Step-by-step guides and tutorials are awash on the web. I must also say that the UI comes in handy to make the process smoother. This changes dramatically when you want to install the SSL certificate using the terminal on a Linux instance running on Google Cloud Platform. If you’ve ever tried this, you quickly realize that it may not be as straightforward as you might have expected.

In my case, I used an approach that involved two parties: Namecheap, which issues the certificate, and Google Compute Engine, the new server host for my application.

Namecheap

  • I already had an existing certificate bought from Namecheap, which had been installed on a GoDaddy hosting server
  • I subsequently transferred hosting to Google Cloud Platform and am now using Google Cloud Compute, GCP’s IaaS offering.
  • As a result of the transfer, the certificate needs to be re-issued in Namecheap in order to generate a valid .crt and .ca-bundle for the new host
  • When you re-issue an SSL certificate, the CA will require you to get a new CSR (Certificate Signing Request) from the current hosting provider (GCE in my case)

Google Compute Engine

  • Create a temporary folder anywhere in your instance. Ensure you remember the location. I created a folder named ssl in the default user folder at the /home directory. An example of the path would be /home/testuser/ssl. Replace the testuser name with the real username in your GCE account.
  • Create a new private key inside the folder created above
    • $ openssl genrsa -out example.key 2048
    • You can also use an ECDSA P-256 key if you choose not to use a 2048-bit RSA key
  • Generate a CSR. This is what you will copy and paste to the CA to re-issue the certificate (in my case Namecheap)
    • $ openssl req -new -key example.key -out example.csr
  • Fill in the details requested
    • Country name: 2 letter abbreviation. For instance, KE
    • State or Province: full name, no abbreviation. For instance, Nairobi County
    • Locality Name (City): for instance Nairobi
    • Organization Name: You can use N/A if no company is associated with the domain. Otherwise, use the company name, for instance, Asili Halisi PVT
    • Organizational Unit Name: You can use N/A. Otherwise use department abbreviation, for instance, IT
    • Common Name: Use the domain name, e.g. asili.photos, or the Fully Qualified Domain Name of the server
    • Email address: Enter an email address you have access to. This is where the certificate will be sent after it has been validated.
    • Leave the “A challenge password” and “An optional company name” fields empty, as filling them in may complicate the certificate activation process. Press ‘Enter’ to skip these fields
  • Download the file to your local computer. To do this, just click on the settings icon on the cloud shell and then click on Download file. Ensure the present working directory is where the ssl folder was created. For my case, this was /home/testuser/ssl/example.csr. I actually tried copy/paste using the Shift+Ctrl key combination but that did not work for me
  • Copy the contents of example.csr and paste them into the CSR field that the CA (Namecheap) requires to be filled in for the process to proceed
  • The rest of the steps on the CA side should be self-explanatory
  • When the certificate is issued, download the zipped files. In some cases, the file is emailed to the contact provided. When you unzip the archive, there should be three files (sometimes two depending on the CA). These files are example.crt, example.ca-bundle and example.p7b.
  • Copy the .crt and the .ca-bundle to the home directory of your GCE instance from your terminal on the local computer using the gcloud compute scp command (gcloud compute copy-files has since been deprecated)
    • $ gcloud compute scp example.crt example.ca-bundle example-instance:/home/testuser
    • The reason why I advocate copying the files to the home directory is that when I tried to copy to another directory, say /var/www/html, I got a permission denied error. Maybe you can try and see if it works for you.
  • Copy the .crt and .ca-bundle files to /etc/ssl/ssl.crt. Also copy the example.key file we generated earlier on into the /etc/ssl/ssl.key folder. Create the ssl.crt and ssl.key folders if they do not exist.
  • Create a configuration file, default-ssl.conf, in the /etc/apache2/sites-enabled/ folder if it does not exist. Add the content below to the file:
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

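    # Replace the file names below with the names of your own files, for
    # instance the example.crt, example.key and example.ca-bundle copied above.
    SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
    SSLCertificateKeyFile /etc/ssl/ssl.key/private.key
    SSLCACertificateFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle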

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
    <Directory /var/www/html/>
      AllowOverride All
    </Directory>
 
    BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    ServerName yourdomain.com
  </VirtualHost>
</IfModule>
  • To finally configure the SSL, run these commands
    • $ sudo a2enmod ssl
    • $ sudo a2ensite default-ssl
  • Restart the web server to effect the changes
    • $ sudo service apache2 restart

Your SSL should now be up and running.
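
A re-issued certificate only works if it was issued for the CSR made from the key now on the server, so it pays to check the files before the restart step. The script below is an added example, not part of the original procedure: it compares the public key in the private key, the CSR and the certificate (which works for RSA and ECDSA keys), checks the key file permissions, and verifies the certificate against the CA bundle. The function names and the throwaway "Demo CA" used for the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the article's key, CSR, certificate and
# CA bundle. Function names and the throwaway "Demo CA" are hypothetical.

# Print the PEM public key inside a private key, CSR or certificate.
pubkey_pem() {  # usage: pubkey_pem key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac 2>/dev/null
}

# Succeed only if both files carry the same public key (RSA or ECDSA).
same_pubkey() {  # usage: same_pubkey TYPE1 FILE1 TYPE2 FILE2
  _a=$(pubkey_pem "$1" "$2") || return 1
  _b=$(pubkey_pem "$3" "$4") || return 1
  [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Succeed only if group and other have no permissions on the key file.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Succeed if the certificate has not expired and verifies against the CA
# bundle, which is treated here as the set of trusted issuers.
cert_chain_ok() {  # usage: cert_chain_ok CERT CA_BUNDLE
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 &&
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# All checks in one call; run it before restarting Apache.
preflight() {  # usage: preflight KEY CSR CERT CA_BUNDLE
  key_is_private "$1" && same_pubkey key "$1" csr "$2" &&
    same_pubkey key "$1" cert "$3" && cert_chain_ok "$3" "$4"
}

# Constructed sample files in DIR: a throwaway CA standing in for the real
# one, plus a key, CSR and certificate using the article's example values.
make_demo_files() {
  ( cd "$1" && umask 077 &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
      -keyout ca.key -out example.ca-bundle &&
    openssl genrsa -out example.key 2048 &&
    openssl req -new -key example.key -out example.csr -subj \
      "/C=KE/ST=Nairobi County/L=Nairobi/O=Asili Halisi PVT/CN=asili.photos" &&
    openssl x509 -req -in example.csr -CA example.ca-bundle -CAkey ca.key \
      -CAcreateserial -days 1 -out example.crt ) >/dev/null 2>&1
}
```

After sourcing the script, `preflight example.key example.csr example.crt example.ca-bundle` returns non-zero if any check fails; `sudo apachectl configtest` is a useful companion check on the virtual host file before the restart.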

Credits: http://techrofile.com/

Image Credit: https://privacyend.com/