To make it cheaper for myself to register SSL certs I have created a Go Daddy reseller certificate shop, WideCert. I encourage everyone to use SSL on all web apps that use passwords or contain private data.
I find it somewhat disrespectful to users when a web site owner requires them to type their passwords in clear text, particularly nowadays with Wi-Fi, where it is really easy to sniff the passwords of people around you.
For this reason I want to offer these SSL certs at the cheapest possible price to Rails and other web 2.0 app developers. At the time of writing the lowest price I can offer is $27.95 for a 1 year Turbo Cert. GoDaddy is offering the same at the time of writing for $19.95, which I should be able to match this coming week. If you need the cert quickly, go get it there. I will update this as well as post another entry in the blog when this is available.
Following are instructions for setting it up for Lighttpd.
Firstly you need to find out what domain name and IP address you want to use for your site.
You may be used to domain-based virtual hosts, but with SSL this is not possible. This means that for each SSL-based web site you are running you need a dedicated IP address.
Don’t worry though, you can still run all your non-SSL websites on port 80 of the same IP address if you only have one IP address.
Many people have their server set up to accept both the www.domain.com and domain.com form of their domain names. This is fine, but you need to pick one of them to use consistently in the future. You can still redirect from the other form though. The reason for this is that the certificate can only contain one form of your domain name, and the user’s browser will throw a scary-sounding error message if it doesn’t match the site’s domain name.
To generate the certificate you need to:
The Private key is used by the server to encrypt the server traffic. You must never share this key with anybody:
$ openssl genrsa -des3 -out yoursite.net.key 1024
The Certificate Signing Request is the basis of your certificate. It includes all the company data that you want in the cert (note that for TurboCerts only your Organizational name and domain name will be shown).
$ openssl req -new -key yoursite.net.key -out yoursite.net.csr
Enter the details it asks for. For the common name put the domain name of your site. This should be the main domain name you will be using for your site. So pick either:
www.yoursite.net or yoursite.net and stick with it.
Now you need to submit the CSR to WideCert. Log in or create a new account and buy an SSL Certificate credit. Follow the instructions for generating your certificate and when it asks you for the CSR paste the contents of the yoursite.net.csr file that you created into the web form. If you use lighttpd for your web server just select Apache here.
Within a minute or two it will send a verification message to the owner of the domain you put in the common name field of your CSR above. The minute you click on the link in the email your cert is ready. Click on your cert in the web interface and select “Reissue”. This shows your cert in a text area. Copy this and paste it into a file called yoursite.net.crt.
Now you need to create the final pem file for lighttpd. To do this you need to first strip the password from the private key file you generated in the first step:
$ openssl rsa -in yoursite.net.key -out yoursite.net.bare
While this might seem insecure, it is unfortunately a necessity as there is no way to enter the password when the server starts up.
Now concatenate the key and the cert together to create your final pem file:
$ cat yoursite.net.bare yoursite.net.crt > yoursite.net.pem
Now you should copy this file into your lighttpd config directory.
You also need an intermediate certificate for WideCert certificates. Rename this file widecert.crt so you know what it is in the future. This should also be copied over to the lighttpd config directory.
Log on to your web server with ssh and go to your lighttpd configuration folder.
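One way to check the pieces before the concatenation step above, as an added example that is not part of the original post: it refuses to build the pem file unless the certificate matches the private key and covers the host name you picked, and it writes the file readable by its owner only, since it holds the unencrypted key. The function names are hypothetical, and `-checkhost` assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks before the bare key
# and the issued certificate are concatenated into the pem file lighttpd loads.
# Function names are hypothetical; file names follow the article.

# SHA-256 of the public key derived from an unencrypted private key file.
key_pub_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a certificate.
cert_pub_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate was issued for this private key.
key_matches_cert() {
    k=$(key_pub_fp "$1") || return 1
    c=$(cert_pub_fp "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the certificate covers exactly the host name users will type
# (www.yoursite.net and yoursite.net are different names to a browser).
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# build_pem KEY CERT HOST OUT: refuse to build on a mismatch, then write OUT so
# that only the owner can read the unencrypted key it contains.
build_pem() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_names_host "$2" "$3" || { echo "certificate does not cover $3" >&2; return 1; }
    ( umask 077 && cat "$1" "$2" > "$4" ) && chmod 600 "$4"
}

# Usage: sh build_pem.sh yoursite.net.bare yoursite.net.crt www.yoursite.net yoursite.net.pem
if [ "$#" -eq 4 ]; then
    build_pem "$1" "$2" "$3" "$4"
fi
```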
Firstly you must make sure that your lighttpd binary was compiled with SSL support. To verify this type:
$ lighttpd -v
lighttpd-1.4.6 (ssl) - a light and fast webserver
Build-Date: Nov 2 2005 06:05:53
Note the (ssl): this means that it was built with SSL. If it doesn’t say ssl you must rebuild it or download a new binary package with SSL built in. To rebuild it yourself, download the latest source package.
Basic build instructions:
$ wget http://lighttpd.net/download/lighttpd-1.4.9.tar.gz
$ tar xzf lighttpd-1.4.9.tar.gz
$ cd lighttpd-1.4.9/
$ ./configure --with-openssl
$ make
$ sudo make install
Edit your lighttpd.conf file by adding the following in the file:
$SERVER["socket"] == "YOURIPADDRESS:443" {
    server.document-root = "/www/yoursite"
    server.name = "yoursite.net"
    server.errorlog = "/www/logs/yoursite_error.log"
    accesslog.filename = "/www/logs/yoursite_access.log"
    # ADD YOUR RAILS or PHP or WHATEVER DETAILS HERE
    #### SSL engine
    ssl.engine = "enable"
    ssl.ca-file = "/etc/lighttpd/widecert.crt"
    ssl.pemfile = "/etc/lighttpd/yoursite.net.pem"
}
Change it to use your details and if using fastcgi add that within the block as well.
Now you should be set up.
So I just launched my new Blog for the Panasonic Lumix FX9 digital camera.

I just bought it before my vacation as my old camera died. Rather than write the customary review of it, I figured that it would be better to write a little blog about my experiences with it.
My aim is to be helpful both for people in the market for a camera as well as existing owners.
It’s a great little camera and has already garnered a bit of a cult status here in Denmark, even though there are only a few places that sell it.
Google Earth is now available for Mac. I have been ignoring all articles from PC users about this for a while now as it would give me bouts of jealousy. I have to say it is really cool.
I could even find my old apartment building in Panama:
Or as seen from the roof:
God, with this cold right now here in Denmark, I miss Panama more than ever.
We’ve got the following from Apple:
So far I have found no major problems here. I’m not sure there are any major features besides bug fixes etc.
MarsEdit 1.1 which I’m using to write this is pretty good. The only new feature that looks really interesting is the support for enclosures. Mainly it’s just a good stable update for a great product.