Showing posts with label azure linux. Show all posts

September 26, 2014

Enabling HTTPS on Apache Web Server running in Ubuntu Azure VM


Today I had to work on enabling HTTPS for a website hosted on an Apache web server running on an Azure Ubuntu virtual machine.

The website was already running with HTTP:80 enabled, i.e. the site was accessible via a URL like 'http://analyticsapp.cloudapp.net'

Here are the steps I followed to enable HTTPS:443

Create CNAME and obtain cert for HTTPS


1. Create a CNAME record to map the specific domain for example 'analyticsapp.contoso.com' to canonical domain name e.g. 'analyticsapp.cloudapp.net'. See this for more details.

2. Obtain the PFX file (and password) for the domain i.e. 'contoso.com'. Let's call it 'all.contoso.com.pfx'

Configuration in Azure Portal


3. Go to the Microsoft Azure portal, find the above virtual machine and open port 443 [Public Port: 443, Private Port: 443, Protocol: HTTPS]. No need to set any specific ACL rule for this endpoint. See this for more details.

4. While you are in the Microsoft Azure portal, find the cloud service in which this virtual machine is hosted (in our example the name of the cloud service is 'analyticsapp') and upload the PFX certificate (step 3) [certificates => Upload; you will be asked to provide the password to import the PFX]

Configuration in Virtual Machine


5. Connect to your virtual machine via SSH.

6. Create a temporary directory, say 'workspace', copy the PFX (step 3) (all.contoso.com.pfx) to this folder, and generate the cert and key from it

azureuser@analyticsapp: //home/azureuser$ cd workspace
azureuser@analyticsapp: //home/azureuser/workspace$ openssl pkcs12 -in all.contoso.com.pfx -clcerts -nokeys -out all.contoso.com.pfx.cer
azureuser@analyticsapp: //home/azureuser/workspace$ openssl pkcs12 -in all.contoso.com.pfx -nocerts -nodes  -out all.contoso.com.pfx.key

7. Copy the generated cert and key to the /etc/ssl directories

azureuser@analyticsapp: //home/azureuser/workspace$ sudo cp all.contoso.com.pfx.cer /etc/ssl/certs/
azureuser@analyticsapp: //home/azureuser/workspace$ sudo cp all.contoso.com.pfx.key /etc/ssl/private/

8. Enable SSL module in apache

azureuser@analyticsapp: //home/azureuser$ sudo a2enmod ssl

9. Enable SSL site

azureuser@analyticsapp: //home/azureuser$ sudo a2ensite default-ssl

10. Restart Apache service and reload the configs

azureuser@analyticsapp: //home/azureuser$ sudo service apache2 restart
azureuser@analyticsapp: //home/azureuser$ sudo service apache2 reload

11. Configure site to use the new SSL certs and keys

azureuser@analyticsapp: //home/azureuser$ cd /etc/apache2/sites-available
azureuser@analyticsapp: //etc/apache2/sites-available$ sudo vi default-ssl

      Look for 'SSLCertificateFile' and update the settings:

        SSLCertificateFile    /etc/ssl/certs/all.contoso.com.pfx.cer
        SSLCertificateKeyFile /etc/ssl/private/all.contoso.com.pfx.key

12. Restart Apache service and reload the configs

azureuser@analyticsapp: //home/azureuser$  sudo service apache2 restart
azureuser@analyticsapp: //home/azureuser$  sudo service apache2 reload


Now your site will be accessible using HTTPS e.g. https://analyticsapp.contoso.com
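A check worth running before the restart in step 12, added here as an example and not part of the original post: it reads the two directives from the vhost file, confirms the key is not accessible to group or other (the '-nodes' export in step 6 leaves it unencrypted on disk), and confirms the certificate and key belong together. The function names and the script name are made up for this example, and paths in the vhost file are assumed to be unquoted.

```sh
#!/bin/sh
# Added example (not from the original post): checks on the cert/key pair
# that an Apache SSL vhost file points at. All function names are illustrative.

# Print the argument of a directive; comment lines are skipped, last one wins.
vhost_directive() {  # usage: vhost_directive <conf> <Directive>
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                   END { if (v != "") print v }' "$1"
}

# Succeed only if the key file exists and grants nothing to group or other.
key_perms_ok() {  # usage: key_perms_ok <keyfile>
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeed only if the certificate carries the public key of the private key.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check for one vhost file; non-zero exit status on any failure.
check_vhost_tls() {  # usage: check_vhost_tls <conf>
    cert=$(vhost_directive "$1" SSLCertificateFile)
    key=$(vhost_directive "$1" SSLCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "FAIL: SSLCertificateFile/SSLCertificateKeyFile not set in $1"
        return 1
    fi
    rc=0
    key_perms_ok "$key" || { echo "FAIL: $key missing or open to group/other"; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match $key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert matches $key, key permissions are tight"
    return "$rc"
}

# Example: sudo sh check_tls.sh /etc/apache2/sites-available/default-ssl
if [ "$#" -gt 0 ]; then
    check_vhost_tls "$1"
fi
```

Run it with sudo, since /etc/ssl/private is readable only by root; depending on the umask, a key copied there with 'sudo cp' may be readable by group or other, which 'sudo chmod 600' on the key file fixes. The PFX and the unencrypted key left in 'workspace' should be deleted once Apache is serving the site.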


Any application-specific configuration


The website for which I enabled HTTPS was hosting Open Web Analytics (OWA), the open source web analytics software that we use to track and analyze how people use our other websites.

For HTTPS to work completely for this application, I had to follow the application-specific configuration steps below.

[ Check documentation of your application to see the application configuration changes required to make the app work with HTTPS. ]

13. Open the file /var/www/owa/owa-config.php

azureuser@analyticsapp: //home/azureuser$  sudo vi /var/www/owa/owa-config.php

14. Search for OWA_PUBLIC_URL and set value to HTTPS URL

In my case it was:

define('OWA_PUBLIC_URL', 'http://analyticsapp.cloudapp.net/owa/');

I had to change it to:

define('OWA_PUBLIC_URL', 'https://analyticsapp.contoso.com/owa/');

15. Restart Apache service and reload the configs

azureuser@analyticsapp: //home/azureuser$  sudo service apache2 restart
azureuser@analyticsapp: //home/azureuser$  sudo service apache2 reload

August 14, 2013

Generating SSH cert for Linux VM running on Azure

This post describes how to generate SSH private and public keys for a Linux VM on Azure. It uses the “Windows Azure Command Line tool for node.js” (https://github.com/WindowsAzure/azure-sdk-tools-xplat) to spin up the VM.

1. Install OpenSSL from http://gnuwin32.sourceforge.net/packages/openssl.htm (go for "Complete package, except sources")

2. Open the location "C:\Program Files (x86)\GnuWin32\share" and create a backup of the file "openssl.cnf"

3. Open notepad.exe and copy the sample config file content from http://www.flatmtn.com/article/setting-openssl-create-certificates. Save this file with the name "openssl.cnf" under "C:\Program Files (x86)\GnuWin32\share"

4. Run the command prompt as administrator and switch to "C:\Program Files (x86)\GnuWin32\bin". Run the command below

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout myPrivateKey.key -out myCert.pem -config "c:\Program Files (x86)\GnuWin32\share\openssl.cnf"

5. Create your VM using the CLI tool with the --ssh-cert value "myCert.pem"

azure vm create myvmssh3 b4590d9e3ed742e4a1d46e5424aa335e__SUSE-Linux-Enterprise-Server-11-SP3-v103  anuchandy <password> --location "West US" --ssh --ssh-cert "C:\Program Files (x86)\GnuWin32\bin\myCert.pem"

6. Download puttygen.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

7. Run puttygen.exe and select "File => Load Private Key". You will need to change the file filter to show All Files (*.*) and select the "myPrivateKey.key" file generated in step 4

8. Click on "Save Private Key" and save with the name "myPrivateKey.ppk"


10. Run putty.exe and connect to the VM created by providing the host name "myvmssh3.cloudapp.net"; under "SSH => Auth", give the path to the file "myPrivateKey.ppk" generated in step 7 as the value for "Private Key file for authentication"