Question


How can I enable HTTPS support in my OnApp Control Panel running on CentOS 6?


Environment


All OnApp versions


Answer


Enabling SSL in CentOS can come with a few extra steps. You will need to use the update-ca-trust command, which was not required in other versions.

For example, suppose you have the certificate files in plain-text form in the directory where the installation is performed. There are three files: the certificate, the intermediate/chain, and the private key. The certificate and private key should be placed in the correct directories, while the chain is added to the CA bundle file using the update-ca-trust command.

To do it:

  1. Create the files in the following locations, according to the type of each file. Identify the type by viewing the file's content, e.g., -----BEGIN PRIVATE KEY-----:

    Private key -- /etc/pki/tls/private/<file>.key
    
    Certificate -- /etc/pki/tls/certs/<file>.crt
    
    Intermediate -- /etc/pki/ca-trust/source/anchors/<file>.crt
  2. Run the following commands to create a correct cert file. The commands take all the content in the /etc/pki/ca-trust/source/anchors directory and add it to a file in /etc/pki/tls/certs:

    update-ca-trust enable
    
    update-ca-trust extract

    Then, you can see a file such as /etc/pki/tls/certs/ca-bundle.crt.


  3. Edit /etc/httpd/conf.d/onapp.conf to include these lines:

    SSLCertificateFile /etc/pki/tls/certs/<file>.crt
    SSLCertificateKeyFile /etc/pki/tls/private/<file>.key
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
  4. Restart httpd, then use SSLShopper to check that the certificate has been installed correctly:

    service httpd restart
  5. For OnApp upgrades, make sure appropriate values are set in /onapp/onapp-cp.conf:

    # OnApp Control Panel SSL certificates (please do not change if you aren't familar with SSL certificates)
    # * The data below to generate self-signed PEM-encoded X.509 certificate
    SSL_CERT_COUNTRY_NAME=UK
    SSL_CERT_ORGANIZATION_NAME='OnApp Limited'
    SSL_CERT_ORGANIZATION_ALUNITNAME='OnApp Cloud'
    SSL_CERT_COMMON_NAME=`hostname --fqdn 2>/dev/null`
    
    #   SSLCertificateFile, SSLCertificateKeyFile Apache directives' values
    #   ssl_certificate, ssl_certificate_key Nginx directives' values
    SSLCERTIFICATEFILE=/etc/pki/tls/certs/ca.crt
    SSLCERTIFICATECSRFILE=/etc/pki/tls/private/ca.csr
    SSLCERTIFICATEKEYFILE=/etc/pki/tls/private/ca.key
    
    # * PEM-encoded CA Certificate (if custom one exists)
    #   SSLCACertificateFile, SSLCertificateChainFile Apache directives' values
    #   ssl_client_certificate Nginx directives' values
    SSLCACERTIFICATEFILE=
    SSLCERTIFICATECHAINFILE=
    
    #   SSLCipherSuite, SSLProtocol Apache directives' values
    #   ssl_ciphers, ssl_protocols Nginx directives' values
    SSLCIPHERSUITE=
    SSLPROTOCOL=

This way /etc/httpd/conf.d/onapp.conf will contain the correct values after an upgrade.
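
As an added example (not part of the original article or of OnApp's tooling), the shell functions below check the three files from step 1 before the restart in step 4: each file's type from its BEGIN line, that the private key matches the certificate, and that the first certificate in the intermediate file is the certificate's issuer. The function names pem_type and check_tls_files are hypothetical, and the openssl command is assumed to be installed.

```shell
#!/bin/sh
# Added example, not OnApp code: check the PEM files from step 1 before
# restarting httpd. Function names are hypothetical.

# Print key, cert or unknown, judged by the file's first BEGIN line.
# Carriage returns are stripped so files saved on Windows still classify.
pem_type() {
    case "$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')" in
        *'PRIVATE KEY-----')           echo key ;;
        '-----BEGIN CERTIFICATE-----') echo cert ;;
        *)                             echo unknown ;;
    esac
}

# Return 0 only if CERT, KEY and CHAIN are the right kinds of file
# and belong together; print one line per problem found.
check_tls_files() {
    cert=$1; key=$2; chain=$3; rc=0
    [ "$(pem_type "$cert")"  = cert ] || { echo "not a certificate: $cert"; rc=1; }
    [ "$(pem_type "$key")"   = key  ] || { echo "not a private key: $key"; rc=1; }
    [ "$(pem_type "$chain")" = cert ] || { echo "not a certificate: $chain"; rc=1; }
    [ "$rc" -eq 0 ] || return 1

    # The certificate's public key must be the one derived from the private key.
    # (An encrypted key makes openssl prompt for its passphrase here.)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; rc=1; }

    # The certificate's issuer name must equal the subject name of the
    # first certificate in the chain file (compared via OpenSSL name hashes).
    issuer=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 1
    subject=$(openssl x509 -in "$chain" -noout -subject_hash) || return 1
    [ "$issuer" = "$subject" ] || { echo "chain is not the issuer of $cert"; rc=1; }
    return "$rc"
}

# Usage: sh <script> CERT KEY CHAIN
if [ "$#" -eq 3 ]; then check_tls_files "$@"; fi
```

The issuer check compares names only and does not validate signatures or expiry, so it catches a wrong or swapped intermediate file rather than replacing a full chain verification.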