September 26, 2014

Enabling HTTPS on Apache Web Server running in Ubuntu Azure VM


Today I had to work on enabling HTTPS for a website hosted on an Apache web server running on an Azure Ubuntu virtual machine.

The website was already running with HTTP:80 enabled, i.e. the site was accessible via a URL like 'http://analyticsapp.cloudapp.net'

Here are the steps I followed to enable HTTPS:443

Create CNAME and obtain cert for HTTPS


1. Create a CNAME record that maps your custom domain, for example 'analyticsapp.contoso.com', to the canonical domain name, e.g. 'analyticsapp.cloudapp.net'. See this for more details.

2. Obtain the PFX file (and its password) for the domain, i.e. 'contoso.com'. Let's call it 'all.contoso.com.pfx'

Configuration in Azure Portal


3. Go to Microsoft Azure portal, find the above virtual machine and open port 443  [Public Port: 443, Private Port: 443, Protocol: HTTPS]. No need to set any specific ACL rule for this endpoint. See this for more details.

4. While you are in the Microsoft Azure portal, find the cloud service in which this virtual machine is hosted (in our example the cloud service is named 'analyticsapp') and upload the PFX certificate (step 3) [Certificates => Upload; you will be asked to provide the password to import the PFX]

Configuration in Virtual Machine


5. Connect to your virtual machine via SSH.

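6. Create a temporary directory, say 'workspace', copy the PFX (step 3) (all.contoso.com.pfx) into it, and generate the cert and key from it. The -nodes option in the second command writes the private key unencrypted, so keep that file readable only by its owner and delete the workspace copy once it is installed.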

azureuser@analyticsapp: //home/azureuser$ cd workspace
azureuser@analyticsapp: //home/azureuser/workspace$ openssl pkcs12 -in all.contoso.com.pfx -clcerts -nokeys -out all.contoso.com.pfx.cer
azureuser@analyticsapp: //home/azureuser/workspace$ openssl pkcs12 -in all.contoso.com.pfx -nocerts -nodes  -out all.contoso.com.pfx.key

7. Copy the generated cert and key to the /etc/ssl directory

azureuser@analyticsapp: //home/azureuser/workspace$ sudo cp all.contoso.com.pfx.cer /etc/ssl/certs/
azureuser@analyticsapp: //home/azureuser/workspace$ sudo cp all.contoso.com.pfx.key /etc/ssl/private/

8. Enable the SSL module in Apache

azureuser@analyticsapp: //home/azureuser$ sudo a2enmod ssl

9. Enable SSL site

azureuser@analyticsapp: //home/azureuser$ sudo a2ensite default-ssl

10. Restart Apache service and reload the configs

azureuser@analyticsapp: //home/azureuser$ sudo service apache2 restart
azureuser@analyticsapp: //home/azureuser$ sudo service apache2 reload

11. Configure site to use the new SSL certs and keys

azureuser@analyticsapp: //home/azureuser$ cd /etc/apache2/sites-available
azureuser@analyticsapp: //etc/apache2/sites-available$ sudo vi default-ssl

      Look for 'SSLCertificateFile' and update the settings:

        SSLCertificateFile    /etc/ssl/certs/all.contoso.com.pfx.cer
        SSLCertificateKeyFile /etc/ssl/private/all.contoso.com.pfx.key

12. Restart Apache service and reload the configs

azureuser@analyticsapp: //home/azureuser$  sudo service apache2 restart
azureuser@analyticsapp: //home/azureuser$  sudo service apache2 reload


Now your site will be accessible using HTTPS e.g. https://analyticsapp.contoso.com
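
Steps 6, 7 and 11 can be scripted so that the unencrypted key is never written world-readable and the cert/key pair is verified before Apache is pointed at it. This is an added example, not part of the original post; the function names extract_pfx and check_pair and the PFX_PASS environment variable (holding the PFX password) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Output file names follow the post.
# Assumption: PFX_PASS is an environment variable holding the PFX password.

# extract_pfx <pfx> <outdir>: step 6's two openssl calls, run under umask 077
# because -nodes writes the private key unencrypted.
extract_pfx() {
    local pfx=$1 out=$2 base
    base=$(basename "$pfx")
    (
        umask 077
        openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS \
            -out "$out/$base.cer" &&
        openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS \
            -out "$out/$base.key"
    )
}

# check_pair <cert> <key>: returns 0 only if the pair is safe to install.
#   1 = key does not belong to the certificate (or a file is unreadable)
#   2 = certificate has already expired
#   3 = key file is readable by group or others
check_pair() {
    local cert=$1 key=$2 cpub kpub mode
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || return 1
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 2
    mode=$(stat -c %a "$key")   # GNU stat, as on Ubuntu
    case $mode in
        600|400) return 0 ;;
        *)       return 3 ;;
    esac
}

# Usage: PFX_PASS=... ./script.sh all.contoso.com.pfx workspace
if [ "$#" -eq 2 ]; then
    extract_pfx "$1" "$2" &&
        check_pair "$2/$(basename "$1").cer" "$2/$(basename "$1").key"
    echo "check_pair exit status: $?"
fi
```

Run check_pair again on the copies in /etc/ssl/certs and /etc/ssl/private (as root) before the restart in step 12, since sudo cp creates new files with root's umask rather than the mode of the source.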


Any application-specific configuration


The website for which I enabled HTTPS was hosting Open Web Analytics (OWA), the open source web analytics software that we use to track and analyze how people use our other websites.

For HTTPS to work completely for this application, I had to follow the application-specific configuration steps below.

[ Check documentation of your application to see the application configuration changes required to make the app work with HTTPS. ]

13. Open the file /var/www/owa/owa-config.php

azureuser@analyticsapp: //home/azureuser$  sudo vi /var/www/owa/owa-config.php

14. Search for OWA_PUBLIC_URL and set value to HTTPS URL

In my case it was:

define('OWA_PUBLIC_URL', 'http://analyticsapp.cloudapp.net/owa/');

I had to change it to:

define('OWA_PUBLIC_URL', 'https://analyticsapp.contoso.com/owa/');

15. Restart Apache service and reload the configs

azureuser@analyticsapp: //home/azureuser$  sudo service apache2 restart
azureuser@analyticsapp: //home/azureuser$  sudo service apache2 reload