Thursday, September 1, 2022

Testing SSL Certs Using Apache on Docker

Sometimes we need to test an SSL certificate before deploying it to production. If we have a development or staging environment, we can test it there. If we do not, we can always rely on trusty old Docker to test the certificate on our own machine. Follow along to learn how.

- have Docker installed

1. Put our SSL certificate, intermediate certificate (if we have one) and private key into our current directory. Rename them as server.crt, server-ca.crt and server.key respectively.

2. Prepare a configuration file like the one below inside our current directory, and save it as https.conf. The closing </VirtualHost> tag is required, otherwise httpd -t rejects the file.
Listen 443
<VirtualHost _default_:443>
  DocumentRoot "/usr/local/apache2/htdocs"
  ErrorLog /proc/self/fd/2
  TransferLog /proc/self/fd/1
  SSLEngine on
  SSLCertificateFile "/ssl/server.crt"
  SSLCertificateKeyFile "/ssl/server.key"
  SSLCertificateChainFile "/ssl/server-ca.crt"
</VirtualHost>
3. Run a container based on the httpd image from Docker Hub, and mount the current folder (with our SSL key and certs) into /ssl inside the container
docker run -dit --name apache -v "${PWD}:/ssl" httpd
4. Copy /usr/local/apache2/conf/httpd.conf into /ssl, so that we can edit it from our host machine
docker exec -it apache cp /usr/local/apache2/conf/httpd.conf /ssl
5. Enable SSL in the Apache config by adding these lines to httpd.conf. We can simply edit the file on our host machine, since no text editor is installed by default inside the httpd image. The first two lines enable SSL support in Apache (the stock httpd.conf already ships them commented out, so uncommenting them is enough), and the last line tells Apache to include our https.conf file in its configuration
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/https.conf
6. Copy the edited httpd.conf file back to its original location
docker exec -it apache cp /ssl/httpd.conf /usr/local/apache2/conf/httpd.conf
7. Create a symlink from /ssl/https.conf into /usr/local/apache2/conf/extra/
docker exec -it apache ln -s /ssl/https.conf /usr/local/apache2/conf/extra
8. Test the configuration file
docker exec -it apache httpd -t
9. If no error was found from the above command, restart the container
docker restart apache
10. Open a new terminal, and get the ip address of the container
docker inspect apache | grep IPAddress
11. Put the IP address and your hostname into your machine's /etc/hosts (replace the two placeholders with the container's IP address and the hostname on the certificate)
echo "<container-ip> <your-hostname>" | sudo tee -a /etc/hosts

12. Try to access that hostname over https in a web browser, and check the SSL certificate information it shows

13. If the SSL certs work fine inside Docker, you can be sure they will work just fine on your production server
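The same procedure wrapped into a script, as an added example that is not part of the original post. It writes the https.conf from step 2, enables the modules from step 5 by uncommenting the lines the stock httpd.conf already ships (so it is safe to run twice), adds a pre-check that the private key actually belongs to the certificate, and only touches Docker when invoked with a "run" argument. It assumes the official httpd image layout (/usr/local/apache2/conf/httpd.conf) and the file names server.crt, server.key and server-ca.crt from step 1; the sed -i form is GNU sed, so on macOS use sed -i '' instead.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Automates steps 2, 5 and 3-10 above.
# Assumes the official "httpd" image and server.crt / server.key / server-ca.crt
# in the current directory.
set -euo pipefail

# Step 2: write the https.conf vhost. The closing </VirtualHost> is required,
# otherwise "httpd -t" rejects the file.
write_https_conf() {
  local out="$1"
  cat > "$out" <<'EOF'
Listen 443
<VirtualHost _default_:443>
  DocumentRoot "/usr/local/apache2/htdocs"
  ErrorLog /proc/self/fd/2
  TransferLog /proc/self/fd/1
  SSLEngine on
  SSLCertificateFile "/ssl/server.crt"
  SSLCertificateKeyFile "/ssl/server.key"
  SSLCertificateChainFile "/ssl/server-ca.crt"
</VirtualHost>
EOF
}

# Step 5: enable mod_ssl and its shared-memory session cache by uncommenting
# the lines the stock httpd.conf already contains, then include https.conf.
# Idempotent: sed only rewrites commented lines, the Include is added once.
enable_ssl_in_httpd_conf() {
  local conf="$1"
  sed -i \
    -e 's|^#\(LoadModule ssl_module modules/mod_ssl.so\)|\1|' \
    -e 's|^#\(LoadModule socache_shmcb_module modules/mod_socache_shmcb.so\)|\1|' \
    "$conf"
  grep -q '^Include conf/extra/https.conf' "$conf" \
    || printf '\nInclude conf/extra/https.conf\n' >> "$conf"
}

# Returns 0 when both modules are active and the Include line is present.
ssl_enabled() {
  local conf="$1"
  grep -q '^LoadModule ssl_module modules/mod_ssl.so' "$conf" &&
  grep -q '^LoadModule socache_shmcb_module modules/mod_socache_shmcb.so' "$conf" &&
  grep -q '^Include conf/extra/https.conf' "$conf"
}

# Pre-check for step 1: the key must belong to the certificate. Comparing the
# public keys works for RSA and EC keys alike (needs the openssl CLI).
cert_matches_key() {
  local crt="$1" key="$2"
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Steps 3-10 against a live Docker daemon; prints the container IP for step 11.
main() {
  cert_matches_key server.crt server.key \
    || { echo "server.key does not match server.crt" >&2; exit 1; }
  write_https_conf https.conf
  docker run -dit --name apache -v "${PWD}:/ssl" httpd
  docker exec apache cp /usr/local/apache2/conf/httpd.conf /ssl/httpd.conf
  enable_ssl_in_httpd_conf httpd.conf
  docker exec apache cp /ssl/httpd.conf /usr/local/apache2/conf/httpd.conf
  docker exec apache ln -sf /ssl/https.conf /usr/local/apache2/conf/extra/https.conf
  docker exec apache httpd -t
  docker restart apache
  docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' apache
}

# Only touch Docker when explicitly asked: ./test-ssl.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Running it with "run" stops before any container is started if the key and certificate do not belong together, which is the most common reason a freshly deployed cert fails in production.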