Have fun with your Raspberry PI: secure your application with Self Signed certificates
In a previous article (https://medium.com/@r.robipozzi/have-fun-with-your-raspberry-pi-turn-it-into-your-own-home-web-server-c7caecc3a4f5) I explained how to use Raspberry PI as a home web server and how you can develop and deploy a sample Angular application to it.
As promised, in this article I will build on that foundation and describe how to secure your Raspberry PI web server and access the application with HTTPS protocol.
In this article I will keep things simple and just rely on Self Signed certificates, which does not require any complex service to be activated and it is very easy to configure; at the end you should be able to understand the concepts and replicate the following tasks:
- how to use openssl utility to generate and use a Self Signed SSL Certificate to secure Apache2 on your Raspberry PI;
- how to configure Apache2 on Raspberry PI to use SSL certificates and secure access via HTTPS.
Prerequisites
We always need to have some foundation to build upon, so I assume you meet some mandatory prerequisites before starting this tutorial:
- Raspberry PI is installed, setup and accessible;
- you have SSH access to and know how to connect to Raspberry Pi from your workstation;
- you have Apache2 installed, configured and running on Raspberry PI;
- you have an application deployed to Apache2, running and accessible.
You will not find instructions on how to do all these things in this article, but if you read my previous article (https://medium.com/@r.robipozzi/have-fun-with-your-raspberry-pi-turn-it-into-your-own-home-web-server-c7caecc3a4f5) and follow the steps along you will meet all the foundation prerequisites above.
Anatomy and architecture of an application
For the purpose of this article you will just need to have an application deployed and running on Apache2 on Raspberry PI, whatever technology you feel more comfortable with.
If you do not have one already, I developed a very simple web application based on Angular (https://angular.io/) and Bootstrap (https://getbootstrap.com/), you can clone it from my GitHub repository https://github.com/robipozzi/windfire-profile.git and run it on Raspberry (again, if you read my previous article you will have all the details on prerequisites and tasks needed to create a basic Angular application).
Whatever application you will use it, in the end the objective of this article is to have a target architecture like the following:
Secure Raspberry PI with Self Signed SSL certificates
Let’s begin by opening a terminal and ssh into Raspberry PI.
Apache2 gets installed by default in /etc/apache2 where you will find all the relevant configuration files, as you can see from the figure below.
To enable SSL/HTTPS we need to do some preliminary steps and then work with configuration files in sites-available and sites-enabled folder; in sites-available folder you should find the following 2 configuration files:
- 000-default.conf, which is the default configuration file for Virtual Hosts;
- default-ssl.conf, which is the template configuration file for SSL enabled Virtual Hosts. This is the file we are going to modify.
Let’s start and follow me.
Install OpenSSL
To enable SSL/HTTPS on Apache2 with self signed certificates, first of all we need to make sure that openssl is installed by issuing the following command (if it’s not, it will install it, if it is already installed, nothing will happen, very convenient !) :
sudo apt-get install opensslGenerate self signed SSL certificate
Let’s create a new directory to hold the custom self signed certificates we are going to generate:
sudo mkdir -p /etc/ssl/mycertsUse openssl utility to generate a Self Signed certificate, as in the example below (for more detailed info on the meaning of the different parameters and how to use openssl, please refer to https://www.openssl.org/):
sudo openssl req -new -x509 -days 365 -nodes -out /etc/ssl/mycerts/apache.pem -keyout /etc/ssl/mycerts/apache.keyThe process to request a new certificate will ask you several input (i.e.: Organization Name, your server FQDN, …), the following is an example you can take as a base for your own configuration:
The procedure will generate 2 files for you, apache.key (the private key) and apache.pem (the actual certificate file), set the permissions appropriately with the following command:
sudo chmod 600 /etc/ssl/mycerts/apache*Configure a Fully Qualified Domain Name
As you can see from Figure 3 above, in my case I defined FQDN (i.e.: Fully Qualified Domain Name) for my SSL certificate as robipozzi.com; since usage of a proper DNS is out of scope for the purpose of this article, nothing will respond when I will try to hit that domain. To overcome this, we need to do some extra step and tweak our workstation configuration a little bit.
Keep the terminal open to Raspberry Pi, open a new terminal on your workstation and open /etc/hosts file for change:
sudo vi /etc/hostsIn /etc/hosts add a new line to match the FQDN you chose for your SSL certificate with the IP Raspberry PI responds to, like this:
<YOUR_RASPBERRY_ID> <YOUR_FQDN>Change the 2 parameters above according to your specific environment and save.
Enable Apache2 SSL module
Before proceeding, we need to ensure Apache2 SSL module is enabled, go back to the terminal you kept opened to Raspberry PI and just issue the following command to do that:
sudo a2enmod sslConfigure Apache2 to use SSL certificate
Now that SSL is enabled, we need to tell Apache2 to use the private key and Self Signed SSL certificate we generated before. Remember the default-ssl.conf file in /etc/apache2/sites-available? We will use exactly that, so open it to modify:
sudo vi /etc/apache2/sites-available/default-ssl.confYou will just need to modify few lines and ensure the parameters are correct, the relevant configurations in the file should look something like the following:
Double check that:
- SSLEngine is set to on
- SSLCertificateFile points to the location where you saved the certificate file
- SSLCertificateKeyFile points to the location where you saved the private key file
We are almost done, we need to enable the configuration we just changed by issuing the following command:
sudo a2ensite default-sslThe command above does a very simple thing: it enables the default-ssl site (it is the default-ssl.conf file which contains a <VirtualHost> block) within the Apache2 configuration and it does this by simply creating a symlink within /etc/apache2/sites-enabled folder, as you can see below:
We need just one final step, issue the following command to let Apache2 load the configuration changes:
sudo service apache2 reloadVerify Apache2 is secured and uses SSL certificate
We are now finally able to test our newly secured website. Open a browser and point to Raspberry PI, something like https://<YOUR_FQDN> (in my case it’s https://robipozzi.com)
Ooops, we are getting a Security Risk Warning, what happened?
It happens that all our effort is working! If you read the message carefully it says “The certificate is not trusted because it is self-signed”, which means 2 things:
- it is actually using an SSL certificate to secure the communication with the server with HTTPS protocol
- you just decided not to pay a certification authority to issue a trusted certificate but you decided to use a self signed one so the browser warns you about that
Click on Accept the Risk and Continue and you are in with an SSL/HTTPS security enabled website on Raspberry PI.
Conclusion
In this article we have seen how to setup Raspberry PI to be a security enabled web server for your applications by using OpenSSL and self signed certificates.
Self signed certificates are a good, easy and cheap way to start testing web server security but, obviously, they are not the preferred and most “professional” way to enable that; for this reason I intend to follow up with a future article on how to use a real Trusted Certificate Authority, with all the additional configuration and infrastructure implications of that.
I hope you have found this article useful and watch out for future tutorials.
As always, if you find any mistake or you have any suggestion please let me know.
References
In the writing of this article I used and referred to other websites, which is right to mention here and leave for reference:
- Debian Wiki (for instructions on how to enable Self Signed SSL certificates on Apache2) https://wiki.debian.org/Self-Signed_Certificate
- Openssl website (for information and instructions related to openssl toolkit) https://www.openssl.org/