Question
How can I enable HTTPS support on my OnApp control panel?
Environment
All OnApp Versions
Answer
You can enable HTTPS support on the OnApp Control Panel, and it should only take you a few minutes.
As of OnApp version 3.x and above, steps a) and b) are no longer needed, since httpd is configured by default on clouds.
a) Install mod_ssl rpm using the yum installer.
b) Decide whether to use a self-signed certificate (mostly for internal use / testing) or a verified SSL certificate from an SSL provider.
For Self-signed Certificate:
- Generate certificate using openssl command.
For a verified SSL certificate from an SSL provider (Comodo, Verisign, GeoTrust, GoDaddy, etc.):
- Generate the CSR on the CP to send to the SSL provider; generate a 2048-bit key rather than a 1024-bit key, as recommended by providers.
- Use the provider's certificate files for the next steps.
c) Place the .key and .crt files in a known location on the server (/etc/httpd/conf.d/ssl is a good place).
d) Make symbolic links to the .crt and .key files in the default directories assigned by openssl.
SSLCertificateFile (/etc/pki/tls/certs)
Command: ln -s /etc/httpd/conf.d/ssl/server.crt /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile (/etc/pki/tls/private)
Command: ln -s /etc/httpd/conf.d/ssl/server.key /etc/pki/tls/private/server.key
SSLCACertificateFile (/etc/pki/tls/certs)
Command: ln -s /etc/httpd/conf.d/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
e) Change the .crt and .key file names in the ssl.conf file, so they read as follows:
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
f) Make sure the following line is listed in /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/ssl.conf:
LoadModule ssl_module modules/mod_ssl.so
g) Set the document root in the VirtualHost section of /etc/httpd/conf.d/ssl.conf:
DocumentRoot "/onapp/interface/public"
h) Set the correct locations for .crt and .key files in the /etc/httpd/conf.d/onapp.conf file as well, similar to ssl.conf:
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
i) Restart httpd service:
/etc/init.d/httpd stop
/etc/init.d/httpd start
There is currently no setting to force HTTPS logins, but the same effect can be achieved as follows:
1. Remove Listen 80 directive from httpd.conf file.
2. Remove VirtualHost *:80 section from /etc/httpd/conf.d/onapp.conf.
3. Restart Apache.
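The following script is an added example, not part of this article or of OnApp's own tooling. It walks steps b) through g) and the force-HTTPS check above against a scratch directory: it generates a 2048-bit key with a CSR and a self-signed certificate, confirms that a certificate actually belongs to the key before it is referenced from ssl.conf, and then checks that ssl.conf, httpd.conf and onapp.conf contain what the procedure requires. It assumes the openssl CLI and a CentOS-style Apache layout; the subject fields and the cp.example.internal hostname are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not OnApp's code). Assumes the openssl CLI; all paths are
# caller-supplied, and the certificate subject values are placeholders.
set -eu

# Step b): 2048-bit RSA key, a CSR to send to the SSL provider, and a
# self-signed certificate for internal/testing use. The key is created 0600.
gen_key_and_certs() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/server.key" -out "$dir/server.csr" \
      -subj "/C=UK/O=Example Org/OU=Example Cloud/CN=$fqdn" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
      -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# The certificate the provider returns (or the self-signed one) must carry the
# same public key as server.key; compare the two before editing ssl.conf.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Steps e)-g): ssl.conf must name readable cert/key/CA files and set the OnApp
# DocumentRoot. Commented-out directives are ignored. Returns 0 when all is OK.
check_ssl_conf() {
  conf="$1"; rc=0
  for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
    path=$(sed -n "s/^[[:space:]]*$d[[:space:]]\{1,\}//p" "$conf" | head -n 1 | tr -d '"')
    if [ -z "$path" ]; then
      echo "missing directive: $d"; rc=1
    elif [ ! -r "$path" ]; then
      echo "$d points at an unreadable file: $path"; rc=1
    fi
  done
  grep -Eq '^[[:space:]]*DocumentRoot[[:space:]]+"?/onapp/interface/public' "$conf" \
    || { echo "DocumentRoot is not /onapp/interface/public"; rc=1; }
  return $rc
}

# Force-HTTPS steps 1-2: after removing the Listen 80 line and the *:80
# VirtualHost, confirm neither is still active (plain HTTP would still answer).
check_https_only() {
  httpd_conf="$1"; onapp_conf="$2"; rc=0
  if grep -Eq '^[[:space:]]*Listen[[:space:]]+([^ #]*:)?80[[:space:]]*$' "$httpd_conf"; then
    echo "httpd.conf still listens on port 80"; rc=1
  fi
  if grep -Eiq '^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:80>' "$onapp_conf"; then
    echo "onapp.conf still has a *:80 VirtualHost"; rc=1
  fi
  return $rc
}

# Demo in a scratch directory; nothing under /etc is touched. Run: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  gen_key_and_certs "$work/ssl" "$(hostname -f 2>/dev/null || echo cp.example.internal)"
  key_matches_cert "$work/ssl/server.crt" "$work/ssl/server.key" && echo "key matches cert"
  cat > "$work/ssl.conf" <<EOF
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost _default_:443>
DocumentRoot "/onapp/interface/public"
SSLCertificateFile $work/ssl/server.crt
SSLCertificateKeyFile $work/ssl/server.key
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
EOF
  # The CA directive above is still commented out, so this reports it.
  check_ssl_conf "$work/ssl.conf" || echo "fix ssl.conf before restarting httpd"
fi
```

Run the checks against the real files (check_ssl_conf /etc/httpd/conf.d/ssl.conf; check_https_only /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/onapp.conf) before restarting httpd in step i): a directive that points at a missing or unreadable file, or a leftover port-80 listener, is far cheaper to catch here than after the Control Panel has gone down.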
Additional Info
Concerning OnApp upgrades, make sure appropriate values are set in /onapp/onapp-cp.conf:
# OnApp Control Panel SSL certificates (please do not change if you aren't familiar with SSL certificates)
# * The data below to generate self-signed PEM-encoded X.509 certificate
SSL_CERT_COUNTRY_NAME=UK
SSL_CERT_ORGANIZATION_NAME='OnApp Limited'
SSL_CERT_ORGANIZATION_ALUNITNAME='OnApp Cloud'
SSL_CERT_COMMON_NAME=`hostname --fqdn 2>/dev/null`
# SSLCertificateFile, SSLCertificateKeyFile Apache directives' values
# ssl_certificate, ssl_certificate_key Nginx directives' values
SSLCERTIFICATEFILE=/etc/pki/tls/certs/ca.crt
SSLCERTIFICATECSRFILE=/etc/pki/tls/private/ca.csr
SSLCERTIFICATEKEYFILE=/etc/pki/tls/private/ca.key
# * PEM-encoded CA Certificate (if custom one exists)
# SSLCACertificateFile, SSLCertificateChainFile Apache directives' values
# ssl_client_certificate Nginx directives' values
SSLCACERTIFICATEFILE=
SSLCERTIFICATECHAINFILE=
# SSLCipherSuite, SSLProtocol Apache directives' values
# ssl_ciphers, ssl_protocols Nginx directives' values
SSLCIPHERSUITE=
SSLPROTOCOL=
This way /etc/httpd/conf.d/onapp.conf will contain the correct values after an upgrade.