papakota asked:

Need advice on transferring SSL-enabled site from hosting to a localhost

Hello!

I have a web site that has HTTPS. Right now I DO NOT have an SSL certificate installed on hosting. They charge extra for that. I want to transfer my site to a localhost and then install SSL on Apache myself. So I wonder whether I should pay them and have them install the SSL certificate on the hosting server and after that copy the site to a localhost, OR leave it alone as it is now and just install SSL on Apache from scratch myself.
David Johnson, CD (Canada):

leave it and get your own SSL certificate. Can't you just get your own ssl certificate and add it to your hosting site? Who is the Hosting?
papakota (asker):
Hello!
Thanks for your reply!
I don't have to get an SSL certificate. I already have it. It's a question of whether I should pay them for it to be installed on my hosting account. And since I plan on trying to set up home hosting, the question arises if it's wise to pay them now under the circumstances. That's all.
Probably best to move, then SSL - moving is actually really really easy, the time taken is for the DNS record to propagate (you *DO* have a fixed IP for this, yes?).

Literally copy the directory structure of your site from the hosting location to whatever store root your apache installation uses (usually /var/www or /var/www/html for linux, c:/xampp/htdocs for xampp) and you are done.

Usually, apache will expect your cert to be in PEM format, and the key similarly. If you have it in a pfx file, you will need to convert it - easiest method there is to use the free tool XCA - open a new db, import everything from the pfx, export the certs as "PEM with Cert Chain" and the secret key as PEM, and configure the SSLCertificateFile and SSLCertificateKeyFile entries in the apache config file to point to those two new files. Then, assuming SSL is enabled (some distros require a command - such as "a2enmod ssl" for example - to enable ssl support) you should be good to go. The whole procedure should take less than an hour, and once you have tested external access, you can look to move your DNS pointer across to the new IP.
Dave Howe, hello and thanks a lot for your reply!

See, the thing is... I don't know, maybe it's something that I didn't make clear enough before -- in that ZIP site archive file for CPanel re-installation I ALREADY have the SSL certificate installed as it was PRIOR to my termination of my previous hosting account (when that archive ZIP file was originally created). It's already there files-wise, just not installed yet on my new (current) hosting server. And though I don't feel like wasting $25 for their job to install SSL's (I've got 2, but they charge for a bulk of an extra 10+1 free that comes with the hosting plan = 11 SSL's altogether), money is not a critical point here. What is critical is the EASY path for me to get the job done. I'm not a big expert when it comes to system administration and Apache. And I'm a complete novice in Linux (I use a W7/Ubuntu 14.04 Desktop edition dual-boot box). So what do you think now, after I shared some more info?
I think the same - it would be wasted effort (money and time both) if you are planning to move anyhow. The move is simple to do and can be done by the end of today if you want it to be, the DNS will take a day or so to fully propagate over the internet, and then you are done.

Clearly, you need to fully test your migrated site before you commit to the DNS change, but that's probably the most time consuming part of the process :D
Okay then, thanks again for your reply!

One more thing... Do I have to clear those old SSL files before I install the site on localhost and then proceed with the Apache OpenSSL install on localhost? I mean, all the files are where they belong, BUT... If I plan to do things differently this time, then how will it all play together in sync, so to speak?
ASKER CERTIFIED SOLUTION: Dave Howe (United Kingdom) [accepted answer is members-only and not included on this page]
Thanks!

Well, I still need to learn about LAMP installation and SSL configuration, so I'll take my time to study the subject before asking any further questions.
That would tend to vary depending on what you are planning to install to.
Most distributions will allow you to select a LAMP configuration on install - so with ubuntu (for example) you would select the LAMP option, complete the install (selecting a root password for mysql in the process), then retrofit phpmyadmin (with "apt-get install phpmyadmin") to make administration of your database easier during setup.

With that in place, you can copy the site files to /var/www/html (ubuntu's default location for a single website), move the ssl files to somewhere inside /etc/apache2/, and update the default ssl site (/etc/apache2/sites-available/default-ssl.conf) to point to the location of the ssl files. From there, you finally need to enable ssl ("a2enmod ssl"), enable the secure site ("a2ensite default-ssl") and restart apache to make the changes take effect ("service apache2 restart").

With apache on windows, it is easier to go with XAMPP - but the steps are essentially the same (XAMPP comes with phpmyadmin as standard).
Thanks a lot for your help!

Well, as a matter of fact, I have two public_html's on hosting server. I have a separate .tar archive with a separate SSL cert for one CPanel account (something like aaa.mysite.com), then I have another CPanel account (a secondary one) with another public_html root folder and it's something like bbb.mysite.com and ccc.mysite.com -- basically those are subdomains of my main domain that I don't even have a site on. I mean, there's NO actually mysite.com And for second public_html I also have a separate SSL certificate. That's what I have to be exact.
OK. If you actually have three sites, and can spare three IP addresses for them (one per site) then it is fairly simple to set up (getting your webserver up and running first is key, of course) - Build the first site initially as though you were only going to have one site - put it in the document root and put its key in /etc/apache2 as aaa.cer and aaa.key (or c:\xampp\apache\conf if you are on windows) - then you can modify that site to be bound explicitly to one IP (just change the * to an IP in the server definition) and modify its folder to be html.aaa (or similar) - changing the document root to match in the config, of course - the second site is then based on the same config, but using a different document root (html.bbb for example) and keys (bbb.key and bbb.cer).

If you have to get them running on one IP, that's where it gets interesting. You can overload multiple virtual http servers onto one IP easily enough, but to overlay ssl servers requires SNI support, or a wildcard cert (*.domain.com) - SNI support is pretty common these days, so it's probably safe enough. One IP per site is still better though, if you can manage it.
Thx!

How would I get 3 separate static IP's at home? I'm lucky I've got one. And my SSL certificates are not wildcard ones. Yeah, my hoster told me something that they use SNI. Hope I would be able to manage it myself at home on localhost. I will use LAMP on Ubuntu, not XAMPP on Windows. Actually, I used XAMPP a few years ago in Windows environment, but I was told it's best to go with Linux for a production web server.
To be honest, I don't think it really matters if you are on windows or linux - whichever you are more comfortable with, although personally I prefer linux for servers (a gui just gets in the way)

OK. I am going to assume ubuntu (recent LTS version) and SNI.

start by removing the default site. you can do this by the command:

a2dissite 000-default

this will give you a clean starting point.

now, cd to /etc/apache2/sites-available and run the following:

cp 000-default.conf aaa.conf
cat default-ssl.conf >> aaa.conf

(replace aaa with the name of your first site subdomain)

you now have one file called aaa.conf (or whatever :D) with both a http and https config in it (this is going to make managing this a bit tidier)

edit the aaa.conf file.

it should begin <VirtualHost *:80>
everything below that is the insecure (http) site. you will want to add the line:

ServerName aaa.mysite.com

immediately below that so apache knows this is the site to serve for visitors who went to that url.

carry on down, edit ServerAdmin and DocumentRoot (the latter should probably be something like /var/www/aaa I would think) and ideally ErrorLog and CustomLog should be /var/log/apache2/aaa-err.log and /var/log/apache2/aaa.log etc etc.

make sure that whatever you have as DocumentRoot really exists, and create a dummy index.html file there (saying something like "aaa test site")

when you get down to </VirtualHost> you are done with the insecure site.

Now, you should have an IfModule line, then another <VirtualHost> - edit this one to read *:443 instead of _default_

Again, add the ServerName directive, and edit your way down. I usually use aaa-ssl-err and aaa-ssl but it's up to you.

exit the editor, and run
a2ensite aaa.conf

one thing left to do. on 14.04 (which I am currently on) the NameVirtualHost directive isn't there by default (not even commented out).

I like to put this in the /etc/apache2/ports.conf - this is because the directives "Listen 80" and "Listen 443" are in this file, so putting
NameVirtualHost *:80
and
NameVirtualHost *:443

below each one seems cleaner to me.

now, just to be sure you remembered to turn on ssl, re-run
a2enmod ssl

and then restart the server with
service apache2 restart

if all went well (and it should do) apache should restart.

In order to test it, you are going to want to web browse to your new server, and to do THAT you need to be able to fake a domain name for test purposes.

on the machine with your web browser (I am assuming windows) locate your hosts file - for windows this is usually c:\windows\system32\drivers\etc\hosts - and add a line:

x.x.x.x aaa.mysite.com

and save that back (You will usually need to be an administrator to edit this) - x.x.x.x is your lan (not internet) IP address for the new server.

now, ping aaa.mysite.com and check it is pinging your new server's lan IP. if it is, try web browsing to http://aaa.mysite.com/ and then https://aaa.mysite.com/ - you should get your dummy index page, and you should see entries in your new logs.

Assuming all went well, then you can repeat that by using cp to copy aaa.conf as bbb.conf (correcting the values inside and then using a2ensite to turn it on) and then again as ccc.conf (again, activating the site after)

once you have your three dummy sites up and running, you can deploy your tarballs, restore any databases you need to restore using phpmyadmin, and generally get your sites ready in your sandbox. That just leaves commenting out those hosts file entries for a while, forwarding your ports 80 and 443 from the router to your new box, and updating DNS with the outside (router) static IP.
(Oh, and I have two static IP addresses here; my ISP is quite happy to sell me additional static IPs if I want them, for a fixed setup fee but no more monthly; it's handy, and it means my DMZ host isn't being port forwarded, but is actually ON the internet (with the other IP used for my internal lan and outbound NAT).)
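The walkthrough above builds each per-subdomain site file by hand. The script below is an added example, not code from the thread or from Dave Howe: it generates the same two-VirtualHost (HTTP plus HTTPS/SNI) file for a subdomain, creates the dummy DocumentRoot and index page, prints the hosts-file line for testing from another machine, and runs a pre-a2ensite check that the cert and key are present and that the private key is not world-readable. The names aaa and mysite.com, the /var/www/SUB document roots and the /etc/apache2/ssl directory for certificates are all placeholder conventions assumed here; the config itself follows Ubuntu's Apache 2.4 layout (APACHE_LOG_DIR comes from /etc/apache2/envvars).

```shell
#!/bin/sh
# Added example: generate one Apache site file with an HTTP and an HTTPS
# (name-based / SNI) VirtualHost for a subdomain, as described in the thread.
# All names (aaa, mysite.com, /etc/apache2/ssl) are placeholders.
set -eu

# Print the site config for SUBDOMAIN of DOMAIN to stdout.
gen_vhost() {
    sub="$1"; domain="$2"; fqdn="$sub.$domain"
    cat <<EOF
<VirtualHost *:80>
    ServerName $fqdn
    ServerAdmin webmaster@$domain
    DocumentRoot /var/www/$sub
    ErrorLog \${APACHE_LOG_DIR}/$sub-err.log
    CustomLog \${APACHE_LOG_DIR}/$sub.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $fqdn
    ServerAdmin webmaster@$domain
    DocumentRoot /var/www/$sub
    ErrorLog \${APACHE_LOG_DIR}/$sub-ssl-err.log
    CustomLog \${APACHE_LOG_DIR}/$sub-ssl.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/$sub.cer
    SSLCertificateKeyFile /etc/apache2/ssl/$sub.key
</VirtualHost>
</IfModule>
EOF
}

# Write ROOT/etc/apache2/sites-available/SUB.conf and create the dummy
# DocumentRoot under ROOT/var/www/SUB. ROOT is "" on a live system; the
# test uses a temporary directory. Prints the path of the written config.
install_site() {
    root="$1"; sub="$2"; domain="$3"
    conf="$root/etc/apache2/sites-available/$sub.conf"
    mkdir -p "$(dirname "$conf")" "$root/var/www/$sub" "$root/etc/apache2/ssl"
    gen_vhost "$sub" "$domain" > "$conf"
    echo "<html><body>$sub test site</body></html>" > "$root/var/www/$sub/index.html"
    echo "$conf"
}

# Hosts-file line that points SUB.DOMAIN at the server's LAN IP for testing
# before DNS is changed (constructed placeholder IP in the usage below).
hosts_line() {
    echo "$1 $2.$3"
}

# Pre-a2ensite check: config, DocumentRoot index, cert and key all present,
# and the private key not readable by other users. Returns 0 if all pass.
check_site() {
    root="$1"; sub="$2"; status=0
    for f in "$root/etc/apache2/sites-available/$sub.conf" \
             "$root/var/www/$sub/index.html" \
             "$root/etc/apache2/ssl/$sub.cer" \
             "$root/etc/apache2/ssl/$sub.key"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; status=1; }
    done
    key="$root/etc/apache2/ssl/$sub.key"
    # column 8 of "ls -l" is the "others read" bit
    if [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c8)" = "r" ]; then
        echo "private key $key is world-readable; chmod 600 it" >&2
        status=1
    fi
    return $status
}

# Usage: sh make_vhost.sh aaa mysite.com [ROOT]
if [ "$#" -ge 2 ]; then
    conf=$(install_site "${3:-}" "$1" "$2")
    echo "wrote $conf"
    echo "next: copy $1.cer and $1.key into ${3:-}/etc/apache2/ssl, chmod 600 the key, then:"
    echo "  a2enmod ssl && a2ensite $1 && apache2ctl configtest && service apache2 restart"
    echo "hosts entry for the test browser: $(hosts_line LAN-IP "$1" "$2")"
fi
```

Run it once per subdomain (aaa, bbb, ccc) and enable each file with a2ensite; because every VirtualHost carries its own ServerName, Apache picks the right certificate from the SNI hostname on port 443 with no extra directive. Ubuntu 14.04 ships Apache 2.4, where the NameVirtualHost directive is deprecated and has no effect, so the ports.conf step above can be skipped there. apache2ctl configtest before the restart catches a wrong path in SSLCertificateFile or DocumentRoot without taking the server down.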
Again, thanks a lot for such a thorough explanation that even goes beyond an original question of mine.

If I understand it correctly, in your answer wherever I see anything with triple aaa, I should substitute it with my site's subdomain, correct? And then substitute aaa with another subdomain?

I really do have to learn more about installing and configuring LAMP, even the basics, before more advanced stuff is explained to me. Otherwise, it's a wasted effort. I simply don't understand it.
So please do answer my questions and let's consider this question solved.
yes.  I used aaa (and aaa.mysite.com) as a placemarker for what you would really use. filenames don't really matter of course; you can use any naming convention you prefer, but I like to keep things easy to follow (always assume you are coming to this cold after four months or so, can't remember what you did, and need filenames to be logical enough that you won't get confused. this is going to be true when (for example) you need to renew your ssl certificates)

Happy to answer other questions, but if you want to raise those as separate queries here, we can do that too. That gives some other experts a chance to earn a few points :D
Great! Maybe we'll leave this thread open, just in case, but when my next question arises, I would open a new topic. But if my problem doesn't get solved there, then I'll try to ask you here to be on the safe side. Of course, you're welcome to help me everywhere, but if you want others to get their points too, I think it's the best way.
See, I don't want to complain, but some guys here just want to get their points without actually providing an answer that solves the original problem that I raise. Either they're lazy or not competent enough -- I don't know. I'm looking for information and facts, and they're just expressing their opinions. And those are totally different things, you know. It's like if I'd claim that there's life on Mars without proving it. I have no problem to give them the points, but then why am I here to begin with...
Again, thanks for your help and have a good one!