There are two major steps. Step 1 is to generate the SSL certificate. Step 2 is to configure the certificate on the different servers.
First, our environment:
Server Provider: Godaddy VPS
System: CentOS 7
What certificates we need:
1) private key (.key)
2) certificate request (.csr)
3) certificate (.crt)
We generate a private key, then use the private key to generate the certificate request. With the .csr, we obtain the certificate (.crt).
Step 1: Get the SSL certificate
Method 1: OpenSSL (self-signed certificate)
Disadvantage: not safe and cannot be tested on the VPS (browsers don't trust a self-signed certificate)
1-1) install OpenSSL
sudo yum install mod_ssl openssl
1-2) generate keys
# Generate private key
$ openssl genrsa -out ca.key 2048
# Generate certificate request (.csr) from the private key
$ openssl req -new -key ca.key -out ca.csr
# Generate self-signed certificate, valid for 365 days
$ openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Method 2: use Godaddy's tools
Tool | Certificate type | Result
---|---|---
Godaddy's WHM "Generate an SSL" | self-signed certificate | worked, but not from a valid certificate authority
Godaddy's SSL Manager | Godaddy-issued | not working (Apache does not recognize the private key)
Method 3: use Let’s Encrypt (recommended)
https://au.godaddy.com/help/install-a-lets-encrypt-certificate-on-your-linux-hosting-account-28023
First, Let's Encrypt certificates cannot be auto-renewed on Godaddy; you need to renew manually every 60 days.
Second, Let's Encrypt recommends Certbot as the client for obtaining certificates, but Godaddy doesn't support it, since it needs the ACME auto-renewal protocol.
Use the SSL certificate generator (https://punchsalad.com/ssl-certificate-generator/) and add the following records to your DNS to verify that you own the domain:
Type | Name | Value
---|---|---
TXT | _acme-challenge | 
TXT | _acme-challenge | 
Step 2: Config Server
Server 1: Apache
# check current setting
$ grep -i -r "SSLCertificateFile" /etc/apache2/
# validate the configuration before restarting
$ apachectl configtest
$ apachectl restart
Apache Configuration / Include Editor / Post VirtualHost Include (global)
<VirtualHost 72.167.39.37:443 127.0.0.1:443>
# ServerName must match the Common Name of your certificate (Apache does not allow comments on the same line as a directive)
ServerName cowpte.com
ServerAlias www.cowpte.com
DocumentRoot /var/www/html
ServerAdmin limindeng92@gmail.com
<IfModule ssl_module>
SSLEngine on
# points to certificate and key
SSLCertificateFile /root/documents/ssl/LetsEncrypt-cowpte.com/ca-bundle.txt
SSLCertificateKeyFile /root/documents/ssl/LetsEncrypt-cowpte.com/private-key.txt
# SSLCertificateChainFile /root/documents/ssl/godaddy-cowpte.com/gd_bundle-g2-g1.crt
</IfModule>
</VirtualHost>
Step 3: redirect HTTP to HTTPS
https://au.godaddy.com/help/redirect-my-cpanel-website-to-https-27870
Create .htaccess with the following content in /var/www/html.
- If you already have RewriteEngine On in /etc/apache2/conf/httpd.conf, then remove that line from .htaccess.
- Change coolexample to your domain, such as cowpte.
# remove this line if it is already in the conf, or you will get a 500 error
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} ^(www\.)?coolexample\.com
RewriteRule ^(.*)$ https://www.coolexample.com/$1 [R,L]
Common Errors:
ERR_CERT_COMMON_NAME_INVALID
Change ServerName in the VirtualHost to match the Common Name in the SSL certificate.
ERR_CERT_AUTHORITY_INVALID
- You're using a self-signed SSL certificate. Using a self-signed certificate can save you money, but since browsers can't verify its validity, your visitors may run into the error in question. Browser warnings can scare a lot of users away, so we recommend against this approach.
- Your certificate has expired. SSL certificates expire as a security precaution. How long your certificate lasts can vary, but at some point you'll need to renew it or automate the renewal process (some authorities and web hosts enable you to do this easily).
- The certificate comes from a non-trusted source. Just as with self-signed certificates, if browsers can't verify the authority that generated your certificate, you'll see an error.
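The three failure modes above (key not recognized by Apache, ERR_CERT_COMMON_NAME_INVALID, expired certificate) can all be caught before `apachectl restart`. The script below is an added example, not part of the original notes: it takes the SSLCertificateFile, SSLCertificateKeyFile and ServerName values from the VirtualHost in Step 2 and checks that they agree, using only the openssl binary installed in Step 1 (the script name and the 24-hour expiry margin are my own choices).

```shell
#!/bin/sh
# Pre-flight check for an Apache TLS vhost: run it before `apachectl restart`.
# Usage: sh check_vhost_tls.sh <SSLCertificateFile> <SSLCertificateKeyFile> <ServerName>
# Exit status 0 means all three checks below passed.

# 1) The certificate's public key must match the private key. A mismatch is what
#    Apache reports as not recognizing the key, and it refuses to start.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 2) ServerName must appear in the Subject Alternative Names (what browsers check)
#    or, for old certificates, in the Common Name; otherwise the browser shows
#    ERR_CERT_COMMON_NAME_INVALID. Single-label wildcards (*.cowpte.com) are
#    honoured. Parses -text output so it also works on CentOS 7's OpenSSL 1.0.2.
cert_covers_name() {
    cert="$1"; name="$2"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 1
    sans=$(printf '%s\n' "$text" | grep -A 1 'Subject Alternative Name' | tail -n 1 \
           | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    cn=$(printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *//p' | sed 's/[,/].*//')
    for entry in $sans $cn; do
        [ "$entry" = "$name" ] && return 0
        case "$entry" in
            \*.*) [ "${name#*.}" != "$name" ] && [ "${name#*.}" = "${entry#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# 3) Not expired and not expiring within 24 hours. Let's Encrypt certificates on
#    this host need a manual renewal every 60 days, so this is the check to cron.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

check_vhost_tls() {
    cert="$1"; key="$2"; name="$3"; rc=0
    key_matches_cert "$cert" "$key"  || { echo "FAIL: $key does not match $cert"; rc=1; }
    cert_covers_name "$cert" "$name" || { echo "FAIL: $cert does not cover $name"; rc=1; }
    cert_not_expiring "$cert"        || { echo "FAIL: $cert is expired or expires within 24h"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $name can be served with $cert and $key"
    return "$rc"
}

# Run the checks when invoked with three arguments; nothing runs otherwise.
[ "$#" -eq 3 ] && check_vhost_tls "$@"
```

For the VirtualHost in Step 2 the call is `sh check_vhost_tls.sh /root/documents/ssl/LetsEncrypt-cowpte.com/ca-bundle.txt /root/documents/ssl/LetsEncrypt-cowpte.com/private-key.txt cowpte.com`.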