-When you are first prompted for a domain to certify, you need to enter your top-level domain – not the subdomain Friendica uses. In the next step, you will be able to specify that subdomain. So if you have friendica.yourname.com on your server, you first enter yourname.com – and specify the subdomain friendica later.
-
-Don’t quit too fast when you have received your personal web server certificate at the end of the procedure. Depending on your server software, you will also require one or two generic files for use with this free StartSSL certificate. These are sub.class1.server.ca.pem and ca.pem. If you have already overlooked this step, you can download those files here: http://www.startssl.com/?app=21 But once again, the very best way of doing things is not to quit the StartSSL site until you are completely done and your https certificate is up and working.
-
-**Virtual private and dedicated servers (using StartSSL free)**
-
-The rest of this document is slightly more complicated, but it’s only for people running Friendica on a virtual private or dedicated server. Everyone else can stop reading at this point.
-
-Follow the instructions here ( http://www.startssl.com/?app=20 ) to configure the web server you are using (e.g. Apache) for your certificate.
-
-To illustrate the necessary changes, we will now assume you are running Apache. In essence, you can simply create a second httpd.conf entry for Friendica.
-
-To do this, you copy the existing one and change the end of the first line to read :443> instead of :80>, then add the following lines to that entry, as also shown in StartSSL’s instructions:
-
- SSLEngine on
- SSLProtocol all -SSLv2
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
-
- SSLCertificateFile /usr/local/apache/conf/ssl.crt
- SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
- SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
- SSLCACertificateFile /usr/local/apache/conf/ca.pem
- SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
- CustomLog /usr/local/apache/logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-(Note that the directory /usr/local/apache/conf/ may not exist on your machine. For Debian, for instance, the directory might be /etc/apache2/ - in which you can create an ssl subdirectory if it doesn’t already exist. Then you have /etc/apache2/ssl/… instead of /usr/local/apache/conf/…)
-
-You thus end up with two entries for your Friendica site - one for simple http and one for https.
-
-Note to those who want to force SSL: Don't redirect to SSL in your Apache settings. Friendica's own admin panel has a special setting for SSL policy. Please use this facility instead.
-
-**Mixing certificates on Apache – StartSSL and others (self-signed)**
-
-Many people using a virtual private or dedicated server will be running more than Friendica on it. They will probably want to use SSL for other sites they run on the server, too. To achieve this, they may wish to employ more than one certificate with a single IP – for instance, a trusted one for Friendica and a self-signed certificate for personal stuff (possibly a wildcard certificate covering arbitrary subdomains).
-
-For this to work, Apache offers a NameVirtualHost directive. You can see how to use it in httpd.conf in the following pattern. Note that wildcards (*) in httpd.conf break the NameVirtualHost method – you can’t use them in this new configuration. In other words, no more *80> or *443>. And you really must specify the IP, too, even if you only have one. Also note that you will soon be needing two additional NameVirtualHost lines at the top of the file to cater for IPv6.
-
- NameVirtualHost 12.123.456.1:443
- NameVirtualHost 12.123.456.1:80
-
- <VirtualHost www.anywhere.net:80>
- DocumentRoot /var/www/anywhere
- Servername www.anywhere.net
- </VirtualHost>
-
- <VirtualHost www.anywhere.net:443>
- DocumentRoot /var/www/anywhere
- Servername www.anywhere.net
- SSLEngine On
- <pointers to a an eligible cert>
- <more ssl stuff >
- <other stuff>
- </VirtualHost>
-
- <VirtualHost www.somewhere-else.net:80>
- DocumentRoot /var/www/somewhere-else
- Servername www.somewhere-else.net
- </VirtualHost>
-
- <VirtualHost www.somewhere-else:443>
- DocumentRoot /var/www/somewhere-else
- Servername www.somewhere-else.net
- SSLEngine On
- <pointers to another eligible cert>
- <more ssl stuff >
- <other stuff>
- </VirtualHost>
-
-Of course, you may optionally be using other places like the sites-available directory to configure Apache, in which case only some of this information need be in httpd.conf or ports.conf - specifically, the NameVirtualHost lines must be there. But if you're savvy about alternatives like that, you will probably be able to figure out the details yourself.
-
-Just restart Apache when you're done, whichever way you decide to do it.
-
-**StartSSL on Nginx**
-
-First, update to the latest Friendica code. Then follow the above instructions to get your free certificate. But instead of following the Apache installation instructions, do this:
-
-Upload your certificate. It doesn't matter where to, as long as Nginx can find it. Some people use /home/randomlettersandnumbers to keep it in out of paranoia, but you can put it anywhere, so we'll call it /foo/bar.
-
-You can remove the password if you like. This is probably bad practice, but if you don't, you'll have to enter the password every time you restart nginx. To remove it:
-
- openssl rsa -in ssl.key-pass -out ssl.key
-
-Now, grab the helper certificate:
-
- wget http://www.startssl.com/certs/sub.class1.server.ca.pem
-
-Now you need to merge the files:
-
- cat ssl.crt sub.class1.server.ca.pem > ssl.crt
-
-In some configurations there is a bug, and this doesn't quite work properly. You may now need to edit ssl.crt, so:
-
- nano /foo/bar/ssl.crt
-
-You'll see two certificates in the same file. Halfway down, you may see:
-
- -----END CERTIFICATE----------BEGIN CERTIFICATE-----
-
-This is bad. You need to see:
-
- -----END CERTIFICATE-----
- -----BEGIN CERTIFICATE-----
-
-You can enter the carriage return manually if the bug is present on your system. Note there is a single carriage return for -----BEGIN CERTIFICATE----- to start on a new line. There is no empty line.
-
-Now you need to tell Nginx about the certs.
-
-In /etc/nginx/sites-available/foo.com.conf you need something like:
-
- server {
-
- listen 80;
-
- listen 443 ssl;
-
- listen [::]:80;
-
- listen [::]:443 ipv6only=on ssl;
-
- ssl_certificate /foo/bar/ssl.crt;
-
- ssl_certificate_key /foo/bar/ssl.key;
-
- ...
-
-Now, restart nginx:
-
- /etc/init.d/nginx restart
-
-And that's it.
-
-For multiple domains, we have it easier than Apache users: Just repeat the above for each certificate, and keep it in it's own {server...} section.
\ No newline at end of file
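Review bot: This deletion also drops the one piece of guidance in the region that is not tied to StartSSL, the note at "Note to those who want to force SSL: Don't redirect to SSL in your Apache settings. Friendica's own admin panel has a special setting for SSL policy." Confirm that the replacement text (not visible in this hunk) still tells admins to set the HTTPS policy in the admin panel rather than via a web-server redirect, or add it back. Removing the rest is the right call, and none of it should be carried forward: `SSLProtocol all -SSLv2` still leaves SSLv3 enabled, the `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM` string explicitly admits RC4, the text encourages stripping the private-key passphrase with `openssl rsa -in ssl.key-pass -out ssl.key`, and `cat ssl.crt sub.class1.server.ca.pem > ssl.crt` truncates ssl.crt before it is read, so the site certificate is lost and only the intermediate remains (the "halfway down" editing step that follows is a workaround for a second, unrelated problem). The sample Apache block also has a typo (`<VirtualHost www.somewhere-else:443>` lacks the `.net`) and an unroutable placeholder address (`12.123.456.1`); if any of this material is reused as a template in the new text, those should be fixed there rather than copied.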