SSL setup


Barry Paul

Apr 2, 2009, 7:24:30 PM
to ec2-on-rails-discuss

I haven't seen this mentioned anywhere before but there are a couple
of issues with SSL support in the current release.

1. The paths and file names mentioned in the example deploy.rb and cap
task descriptions are wrong.

Your cert and key should be in:
/etc/ec2onrails/ssl/certs/ec2onrails-default.crt (certificate)
/etc/ec2onrails/ssl/private/ec2onrails-default.key (key)

As with all server files, to have them deployed automatically they
should be in your_app_root/server_config/etc/ec2onrails/ssl/...

2. If your signing authority requires you to use a chain cert (like
GoDaddy) you must add it to the apache ssl configuration file on your
server.

I put the chain cert in:
/etc/ec2onrails/ssl/certs/ec2onrails-chain.crt

And added the following to /etc/apache2/sites-available/default-ssl
SSLCertificateChainFile /etc/ec2onrails/ssl/certs/ec2onrails-chain.crt

I have submitted a patch to automate this process (and fix previous
issue) so hopefully this will be in the next release.

3. (This is not ec2onrails specific but something that gets SSL
newbies every time!) Make sure your private key file doesn't have a
passphrase on it.

If it does, Apache will hang at startup, waiting for you to enter your
passphrase.

When you generate your private key you will probably be required to
enter a passphrase. To remove it follow the instructions here:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#removepassphrase


Hope that helps others get going with SSL. Thanks Paul for putting the
foundations in place. Setting up SSL can be frustrating, automating it
with ec2onrails is definitely a big step forward.

Cheers,

--
BP
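
A pre-deploy check for the three issues in the post above, as an added example that is not part of the original post or of ec2onrails: it confirms the certificate and key sit at the paths given, that the key has no passphrase, and that every SSLCertificate*File path named in default-ssl exists. The function names and the sample tree are constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Paths from the post, relative to a root directory
# (the server's "/" or your_app_root/server_config).
CERT = "etc/ec2onrails/ssl/certs/ec2onrails-default.crt"
KEY  = "etc/ec2onrails/ssl/private/ec2onrails-default.key"
CONF = "etc/apache2/sites-available/default-ssl"

# True if the PEM text is a passphrase-protected key
# (traditional OpenSSL header or PKCS#8 encrypted form).
def encrypted_key?(pem)
  pem.include?("Proc-Type: 4,ENCRYPTED") ||
    pem.include?("-----BEGIN ENCRYPTED PRIVATE KEY-----")
end

# Returns a list of problems found under root; empty means all checks passed.
def ssl_preflight(root)
  problems = []
  [CERT, KEY].each do |rel|
    problems << "missing #{rel}" unless File.file?(File.join(root, rel))
  end
  key_path = File.join(root, KEY)
  if File.file?(key_path) && encrypted_key?(File.read(key_path))
    problems << "#{KEY} has a passphrase; Apache will wait for it at startup"
  end
  conf_path = File.join(root, CONF)
  return problems unless File.file?(conf_path)
  File.foreach(conf_path) do |line|
    # Every certificate, key and chain path named in the vhost must exist.
    next unless line =~ /^\s*(SSLCertificate(?:Key|Chain)?File)\s+"?([^"\s]+)"?/i
    directive, path = $1, $2
    next if File.file?(File.join(root, path))
    problems << "#{directive} points at #{path}, which does not exist"
  end
  problems
end

# Constructed sample tree: encrypted key, chain directive naming a missing file.
Dir.mktmpdir do |root|
  { CERT => "-----BEGIN CERTIFICATE-----\n",
    KEY  => "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n",
    CONF => "SSLCertificateChainFile /etc/ec2onrails/ssl/certs/ec2onrails-chain.crt\n"
  }.each do |rel, body|
    FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
    File.write(File.join(root, rel), body)
  end
  puts ssl_preflight(root)
end
```

Call `ssl_preflight("server_config")` from the application root before deploying, or `ssl_preflight("/")` on the server itself.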

Frank O'Dwyer

Apr 3, 2009, 6:39:09 AM
to ec2-on-rails-discuss
Yes I hit the same problem with the GoDaddy chain cert and had to roll my
own config. I figured the documented paths might be wrong, however I'm
not sure when the default self-signed cert is generated - is it part of the
'setup' cap task? Just wondering under what circumstances a custom
config might get clobbered by capistrano.

Also do you know how the chain cert is set up with nginx?

Cheers,
Frank

Barry Paul

Apr 3, 2009, 1:26:33 PM
to ec2-on-rails-discuss

Frank, as far as I know the self-signed cert is generated by a script
that is run on first startup of the server. So you should be okay.

I haven't done this on nginx but it should be pretty similar.

--
BP

Paul Dowman

Apr 5, 2009, 2:09:13 PM
to ec2-on-rails-discuss
Thanks for pointing out the error with the paths in the documentation.
FYI, here's what the apache config looks like:
http://github.com/pauldowman/ec2onrails/blob/06378f1c8450c30c777ea4cd7708843110429da7/server/files/etc/apache2/sites-available/default-ssl

Just one clarification though, the files that get deployed with the
deploy_files capistrano task can be located wherever you want, the
location is specified in your deploy.rb.

Paul