Question
How can I enable HTTPS support on my OnApp control panel running on CentOS 6?
Environment
All OnApp Versions
Answer
Enabling SSL in CentOS can come with a few extra steps. You will need to use the command update-ca-trust, which was not needed in other versions.
Here are the steps required. We assume the certificates are supplied as plain-text files, to cover all bases; these files may well already be in place when you go to install. In a nutshell, there are 3 files: the certificate, the intermediate/chain certificate, and the private key. The certificate and private key only need to be placed in the correct directories, while the chain has to be added to a bundle file using the update-ca-trust command. Then we edit /etc/httpd/conf.d/onapp.conf to point to these files and restart httpd.
1. Create files in these locations, according to the type of file. You can tell which type a file is by viewing its contents: you should see a header like -----BEGIN PRIVATE KEY-----.
Private key -- /etc/pki/tls/private/<file>.key
Certificate -- /etc/pki/tls/certs/<file>.crt
Intermediate -- /etc/pki/ca-trust/source/anchors/<file>.crt
2. Once these files are in place, run these two commands to create the correct cert file. They take all contents of the /etc/pki/ca-trust/source/anchors directory and add them to a file in /etc/pki/tls/certs.
update-ca-trust enable
update-ca-trust extract
You should now see a file like this: /etc/pki/tls/certs/ca-bundle.crt
3. Edit the /etc/httpd/conf.d/onapp.conf to include these lines. All three should be there, but if they aren't, add them.
SSLCertificateFile /etc/pki/tls/certs/<file>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<file>.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
4. Restart httpd, then check that the certificate is installed correctly using SSLShopper:
service httpd restart
https://www.sslshopper.com/ssl-checker.html
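Before the restart in step 4, it is worth confirming that the private key matches the certificate, that the certificate verifies against the bundle produced in step 2, and that the key file is not readable by other users. The script below is an added example, not part of the original OnApp article; the function names and the throwaway files created by make_sample are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: pre-restart checks for the files from steps 1-3.

# 0 if the certificate and the private key carry the same public key.
key_matches_cert() {   # $1 = certificate, $2 = private key
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# 0 if the certificate verifies against the bundle (step 2's ca-bundle.crt).
cert_chains_to() {     # $1 = certificate, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# 0 if the key file grants nothing to group or other (mode 600 or 400).
key_is_private() {     # $1 = private key
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks; a non-zero return means do not restart httpd yet.
check_tls_files() {    # $1 = certificate, $2 = private key, $3 = CA bundle
    local rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_chains_to "$1" "$3"   || { echo "FAIL: certificate does not verify against $3"; rc=1; }
    key_is_private "$2"        || { echo "FAIL: $2 is readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: files are consistent"
    return "$rc"
}

# Constructed sample data for trying the checks offline: a throwaway CA,
# an unrelated CA, and a server certificate signed by the first CA.
make_sample() {        # $1 = empty scratch directory
    ( cd "$1" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=Unrelated Test CA" -keyout other.key -out other.crt &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=cp.example.test" -keyout server.key -out server.csr &&
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out server.crt ) >/dev/null 2>&1
}
```

On the control panel, source the script and call check_tls_files with /etc/pki/tls/certs/<file>.crt, /etc/pki/tls/private/<file>.key and /etc/pki/tls/certs/ca-bundle.crt, using your own file names.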
Concerning OnApp upgrades: make sure the appropriate values are set in /onapp/onapp-cp.conf
# OnApp Control Panel SSL certificates (please do not change if you aren't familar with SSL certificates)
# * The data below to generate self-signed PEM-encoded X.509 certificate
SSL_CERT_COUNTRY_NAME=UK
SSL_CERT_ORGANIZATION_NAME='OnApp Limited'
SSL_CERT_ORGANIZATION_ALUNITNAME='OnApp Cloud'
SSL_CERT_COMMON_NAME=`hostname --fqdn 2>/dev/null`
# SSLCertificateFile, SSLCertificateKeyFile Apache directives' values
# ssl_certificate, ssl_certificate_key Nginx directives' values
SSLCERTIFICATEFILE=/etc/pki/tls/certs/ca.crt
SSLCERTIFICATECSRFILE=/etc/pki/tls/private/ca.csr
SSLCERTIFICATEKEYFILE=/etc/pki/tls/private/ca.key
# * PEM-encoded CA Certificate (if custom one exists)
# SSLCACertificateFile, SSLCertificateChainFile Apache directives' values
# ssl_client_certificate Nginx directives' values
SSLCACERTIFICATEFILE=
SSLCERTIFICATECHAINFILE=
# SSLCipherSuite, SSLProtocol Apache directives' values
# ssl_ciphers, ssl_protocols Nginx directives' values
SSLCIPHERSUITE=
SSLPROTOCOL=
This way /etc/httpd/conf.d/onapp.conf will contain the correct values after an upgrade.