Secure Server
Do you need a secure server using SSL (https)? And if so, how do you get one? Find the answers here!
What is a Secure Server?
When a visitor sends information to your site, for example, by filling out a form, the secure server feature encrypts that information while it is in transit to your site. This keeps the information safe from any potential prying eyes.
This is especially useful when users are sending you sensitive data, such as credit card numbers.
Do I need a secure server?
If your site processes information submitted by CGI, you may wish to use the secure server feature to encrypt that information en route. For example, if a page on your site takes ordering information (like credit card numbers), your customers may be more comfortable submitting information if they know that it cannot be snooped on while in transit.
Also, if you use WebDAV to publish information to your website, the password will be transmitted over the Internet using only relatively weak (htaccess) encryption unless you use a secure server.
Is Formmail covered by the Secure Server?
Unfortunately, Formmail is not covered by the secure server. The reason is that Formmail sends its data through sendmail, while the secure server encrypts only what is passed through https. We suggest using PGP with Formmail.
Do any Dreamhost plans come with a Secure Server?
Yes, now that Dreamhost has slimmed down to one hosting plan option, all new plans allow you to set up an unlimited number of secure servers!
Requirements
Unique IP Address
In order to set up a secure server you will need to assign a unique IP address to that domain/sub-domain. If you have not already assigned a unique IP address you will be prompted to do so during the set up process. Unique IP addresses are charged at $3.95/month or $47.40/year. You can select which billing option you prefer when you set it up. See this link for more information on unique IP addresses.
Customers with "Strictly Business" (Level 4) or Dedicated hosting plans are still allotted one free Unique IP Address. Additional Unique IP Addresses are charged at the regular price and can be added as described above.
Customers with the new "Happy Hosting" plan may receive discounted pricing depending on the billing terms and add-ons they have selected.
SSL Certificate
When you complete the set up process for a secure server we provide a free self-signed SSL certificate along with a Certificate Signing Request (CSR) and private key.
It's very important to know the difference between signed and self-signed SSL certificates!
- SSL certificates that are self-signed (by an unrecognized Certification Authority (CA)) DO provide excellent encryption; however, they will give a warning when accessed ("the Certification Authority cannot be verified"). If you're using this secure server for your own personal use and you're OK with that warning message then you're good to go. However, if you intend to have customers use this site the warning will definitely put them off. In that case you'll probably want to purchase a signed SSL certificate from a Certification Authority and replace our self-signed certificate.
- SSL certificates that are signed by a recognized Certification Authority DO provide excellent encryption and do NOT give a warning.
NOTE: Some CAs require the use of an intermediate certificate (if their CA is not recognized by certain web browsers and other applications). This is a special certificate that needs to be installed on our servers to direct requests to the location of their certificate that validates them as a Certification Authority.
Only the "Strictly Business" (Level 4) and dedicated hosting plans come with one free signed SSL certificate and one free unique IP address. If you need more than one secure server you'll have to purchase additional unique IP addresses (from us) and purchase signed SSL certificates from a Certification Authority (unless self-signed certificates are OK).
If you selected the "SSL Secure Certificate" add-on option on the initial account sign-up page (with our new "Happy Hosting" plan) then it will work the same as the "Strictly Business" (Level 4) does (as far as the SSL certificate is concerned). When you set up your first secure server we will initiate the order of your first SSL certificate for you.
If you don't have either a "Strictly Business" (Level 4) or dedicated hosting plan then you'd need to purchase your own signed SSL certificate from a Certification Authority.
Where can I purchase my own signed SSL certificate?
Here is a (non-exhaustive) list of SSL Certification Authorities;
I'd recommend checking with them to find the best combination of price and features.
When asked for your server type select (Apache + MOD_SSL).
How can I still get my free Secure Server/Certificate? (Level 4 Hosting Plan only)
In order to get your free Geotrust secure certificate, you will need to follow these steps:
- First, add the domain to your Web Admin Panel via the Domains::Manage Domains tab; click the bottom [Add New Domain / Sub-Domain] link.
- Once the domain is listed on your account, click the wrench icon link under Secure Hosting.
- Please configure your secure service: fill in all fields. The system will default to the same settings as the non-secure domain, which normally will not need to be altered except in advanced set ups.
- Generate a new secure certificate: fill in all fields to coincide with your site and/or business. This will create and install your domain's CSR (Certificate Signing Request) and Private Key in our database.
- Scroll down and click "Set up https now!"
- Our system will now send an automated message to tech support containing the information you supplied above for the CSR. Your order will be placed and an approval email from Geotrust then sent to ssladmin@yoursecuredomain.com (which forwards to the address specified as the Certificate Admin. Email). You must click the link in that email to complete your order.
- When receiving the approved certificate email, you may copy/paste it into the Domains::Manage Domains tab; click the wrench icon link under Secure Hosting. If you are unsure about this or have any problems, please Contact Support and we will install it for you.
- The system should now configure and restart your web service for proper activation. If you notice the https service is still reporting any sort of insecure error, please Contact Support.
Does Dreamhost resell Certificates for Levels 1-3 customers?
No. At this time Dreamhost does not resell certificates. See this section for more information on where to purchase your own SSL certificates.
However, if you selected the "SSL Secure Certificate" add-on option on the initial account sign-up page (with our new "Happy Hosting" plan) then we will provide one SSL Secure Certificate for you. When you set up your first secure server we will initiate the order for you.
Setting up your Secure Server
To set up a secure server, you may want to purchase a signed SSL certificate from a Certification Authority (CA). See this section for more information on where to purchase your own SSL certificates. However, when you complete the set up process for a secure server we provide a free self-signed SSL certificate along with a Certificate Signing Request (CSR) and private key. See this section for more information.
This certificate allows you to have your secure server directory appear at a URL in the following form: https://secure.yourdomain.com/ (notice the 's' in https)
Each CA has a different ordering process, though we will be providing information based on GeoTrust.com's. All will require a CSR (Certificate Signing Request) which is created simultaneously with a matching KEY (Private Key). The CSR holds important information that is then used to create the CRT (Certificate). KEY/CSR generation is now free through the DreamHost Web Admin Panel, or you can complete the task on your own if you have openssl installed on a machine you use. Strictly Business (Level 4 hosting) includes one free certificate that we purchase for you. (All renewals are paid for while you have an active Strictly Business hosting plan!). See the above Wiki article for set up details.
The Process
- First, add the domain to your Web Admin Panel via the Domains::Manage Domains tab; click the bottom [Add New Domain / Sub-Domain] link.
- Once the domain is listed on your account, click the wrench icon link under Secure Hosting.
- Please configure your secure service: fill in all fields. The system will default to the same settings as the non-secure domain, which normally will not need to be altered except in advanced set ups.
- Unique IP: use the drop-down menu to choose how you wish to pay for your Unique IP service. This is necessary and secure service cannot be established without it.
- Generate a new secure certificate: fill in all fields to coincide with your site and/or business. This will create and install your domain's CSR (Certificate Signing Request) and Private Key in our database. If you already have your own CRT and KEY files, please click the (Already got one?) link and install both accordingly.
- Scroll down and click "Set up https now!"
You are now presented with a Success! page. The most important information here is the series of numbers and letters which is your CSR. Copy and paste the entire contents between and including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- into a text file on your computer for backup. You will use this file for the purchase of your CRT.
We've also just installed a temporary self-signed certificate for your domain. This can be used to test the service, or if you only need the secure connection for non-payment-gateways. Should this CRT be left installed, visitors to your secure site will be warned by most browsers that your site is using a self-signed certificate. This will look unprofessional and usually scares away potential customers. Completing this process to purchase a CRT from a trusted CA will avoid this.
Make sure that you only go through the above panel once or you will completely delete the CSR and KEY that we now have on file. If you go through the process twice then you need to make sure that you use the last CSR you received or else your CRT will not match your KEY. This will cause problems and possibly lead to you having to buy a second certificate.
Next you will need to visit GeoTrust's signup page, choose QuickSSL certificate (Level 4 customers get QuickSSL Premium certificates which retail at $249) and submit your CSR along with the other information that GeoTrust requests. Fill out the entire form, making sure to completely read the instructions provided. If you choose to purchase your certificate from another provider, the process should be similar.
Once your certificate arrives you will receive an email from GeoTrust (or your certificate provider) giving you a URL to approve your certificate from. That approval email is sent to an email address you choose in the certificate ordering process. After you approve it, your certificate (which is code that looks similar to the CSR) will be emailed to you.
Some computers will recognize the certificate and attempt to install it. You don't want to do this. Instead, open the certificate in a text editor and copy the entire text, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Log into the DreamHost control panel, go to Domains::Manage Domains and click the wrench icon under the Secure Hosting option for the domain. On the following page update the Certificate: field only, with the entire contents of your certificate file. Do not modify the KEY section, because that KEY matches your certificate, and it's already in our database.
You should receive a message saying the certificate was successfully installed. For faster activation, you should then Contact Support and ask them to restart your webserver so that your SSL certificate will work immediately.
If you are provided with an intermediate certificate (or bundle file) we will have to install that for you manually. If this is the case please upload all of the files that were provided to you into a specific directory under the FTP/shell user account where your domain is hosted. Then submit a support request giving us the location of those files and request that we install them for your domain.
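The do-it-yourself route mentioned above (creating the KEY and CSR with openssl) and the KEY/CSR/CRT pairing behind the warning about going through the panel twice can be checked as follows. This is an added example, not DreamHost's own tooling; the file names and subject values are placeholders. It compares the public key inside each file, so a certificate issued for an older CSR is caught before it is pasted into the Certificate: field.

```shell
#!/bin/sh
# Added example (not DreamHost tooling). File names and subject values are placeholders.

# Create a passphrase-free 2048-bit RSA key and a CSR carrying the given subject.
make_key_and_csr() {  # usage: make_key_and_csr <key.pem> <csr.pem> <subject>
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null) || return 1
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Print the SHA-256 of the public key held in a key, CSR or certificate file.
pubkey_fp() {  # usage: pubkey_fp key|csr|crt <file>
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # never hash an empty result
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when both files contain the same public key.
same_keypair() {  # usage: same_keypair <type> <file> <type> <file>
    a=$(pubkey_fp "$1" "$2") || return 1
    b=$(pubkey_fp "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# Constructed demo: generate twice, then test a certificate made from the FIRST CSR.
demo() {
    d=$(mktemp -d) || return 1
    subj='/C=US/ST=California/L=Los Angeles/O=Example Co/OU=Web/CN=secure.example.com'
    make_key_and_csr "$d/first.key" "$d/first.csr" "$subj" || return 1
    make_key_and_csr "$d/second.key" "$d/second.csr" "$subj" || return 1
    # Stand-in for the CA step: self-sign the first request.
    openssl x509 -req -in "$d/first.csr" -signkey "$d/first.key" -days 1 \
        -out "$d/site.crt" 2>/dev/null || return 1
    same_keypair crt "$d/site.crt" key "$d/first.key" && echo "site.crt matches first.key"
    same_keypair crt "$d/site.crt" key "$d/second.key" || echo "site.crt does NOT match second.key"
    rm -rf "$d"
}
demo
```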
Can I have a new CSR created without affecting my current Secure Service?
Yes! Contact Support with the following information and we will manually create a new file on your behalf:
- Country Name (2 letter code):
- State or Province Name (full name):
- Locality Name (eg, city):
- Organization Name (eg, company name):
- Organizational Unit Name (eg, company section name):
- Common Name (eg, SECURE DOMAIN NAME - include 'www' if necessary):
- Email Address:
Can Dreamhost install my Secure Certificate?
Geotrust users only: If you would like DreamHost to install your certificate you will need to use us as your Technical Contact. The information you will use is as follows:
- First Name: SSL
- Last Name: Support
- Phone number: 213-947-1032
- Email address: ssl@dreamhost.com
All other certificate companies are not supported for the above method, but we can still assist in the installation process.
Should you require assistance, please upload the certificate and/or zip file you received to your FTP/shell user's home directory (not the publicly-accessible domain directory). Contact Support with its path and we will properly install/reference all certificates to avoid errors.
What if my CA requires an Intermediate Third Party Certificate?
You can use certificates from other trusted authorities such as Go Daddy, but we are most comfortable working with GeoTrust.
Aside from GeoTrust, many of the above-mentioned CAs require an intermediate third party certificate to be installed in order to be fully trusted. If not, some browsers (such as Safari) will display an unknown certificate warning. If this is your case, we have now taken the initiative and globally installed the most used intermediate certificates. Once the domain's certificate is installed through the Panel, the system will recognize the issuing company and add the necessary back-end parameter to avoid the aforementioned errors. Should you still run into problems, however, please upload the zip and/or certificate file you received to your FTP user's home directory. Contact Support and we will look into the cause.
What if my Private Key is passphrase protected?
Dreamhost will not accept passphrase protected keys. If yours is, please upload it with your certificate to your user's home directory (not the publicly-accessible domain directory). Contact Support with the location and current passphrase. We will remove the encryption and continue with installation.
What server software do you use for Secure Service?
If you do not use our automatic CSR/KEY generation panel, you will need to know that our web server software is Apache-ModSSL; Apache-SSL will also work if it is the only option, but ModSSL is the official one.
How do I renew my Secure Certificate?
For Level 4 and Dedicated customers, Dreamhost will continue to renew your certificates for free for the life of your hosting. GeoTrust will send you reminders about when your certificate will expire. When you receive these, just Contact Support with the following information and request your certificate be renewed:
- Administrator Contact (First name, Last name, Email Address and Telephone Number)
- Approval Email Address (admin, administrator, hostmaster, root, ssladmin, sysadmin, or webmaster@secure.domain.com or @domain.com)
For Levels 1-3 hosted customers, you will need to handle the renewal on your own in the same manner you bought the original certificate. Most CAs will accept the original CSR used for the initial purchase which can be found via your Web Panel; click the wrench icon link under Secure Hosting and copy the CSR file in its entirety.
Some CAs do require a new CSR be created for renewal. If so, they should alert you of this in their expiration notice. Contact Support with the following information and we will manually create a new file on your behalf:
- Country Name (2 letter code):
- State or Province Name (full name):
- Locality Name (eg, city):
- Organization Name (eg, company name):
- Organizational Unit Name (eg, company section name):
- Common Name (eg, SECURE DOMAIN NAME - include 'www' if necessary):
- Email Address:
Once you receive the new certificate file, you can install it via your Web Panel; click the wrench icon link under Secure Hosting and paste the CRT file in its entirety.
How Can I Test My New Secure Server Before Switching The Name Servers For My Domain?
You can add the unique IP address for that domain/sub-domain to your computer's local "C:\WINDOWS\system32\drivers\etc\hosts" file to direct connections to our servers rather than to whatever the current name servers resolve to. That way you can check the operation of the certificates before changing the name servers over to point to ours. To find the unique IP address for that domain/sub-domain, go to (DOMAINS > MANAGE DOMAINS) in the control panel. The unique IP address for that domain will be listed below it.
Click on the "Edit" link (under the "Secure Hosting" section) to verify whether or not you are hosting the domain with or without the sub-domain "www".
NOTE: Depending on how you have your secure hosting set up you may also want to set up "WWW.YOURDOMAIN.COM" and "YOURDOMAIN.COM" in your "hosts" file. The secure certificate will only match one or the other! If you get a warning about a domain mismatch do NOT accept the certificate! Change the URL in your browser to the correct domain and try again.
Examples:
    127.0.0.1       localhost
    192.168.54.25   YOURDOMAIN.COM        # <----<<< ADD THIS
    192.168.54.25   WWW.YOURDOMAIN.COM    # <----<<< AND THIS
If you get a warning about the CA (Certification Authority) not being trusted then an intermediate certificate may need to be installed. If your certificate provider gave you an intermediate certificate please upload it (and the regular certificate) to your account. Submit a support request and let us know where it is and we can install it for you.
Once you've finished testing you can delete those entries from the "hosts" file again so your computer will rely on the DNS system to resolve the IP address for you (as it would for everyone else).
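The same pre-switch check can be done from a shell by connecting to the unique IP directly and asking openssl which of the two names the served certificate covers. This is an added example, not DreamHost's own tooling; the IP and domain in the usage comment are the placeholders from the hosts-file example, and the demo certificate is constructed.

```shell
#!/bin/sh
# Added example (not DreamHost tooling). IP and domain names are the page's placeholders.

# Save the certificate served at <ip>:443 while asking for <hostname>;
# no hosts-file edit or DNS change is involved.
fetch_cert() {  # usage: fetch_cert <ip> <hostname> <out.pem>
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -out "$3" 2>/dev/null
}

# Succeed only if the certificate is valid for this exact hostname.
cert_covers_host() {  # usage: cert_covers_host <cert.pem> <hostname>
    out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null) || return 1
    case "$out" in
        *"does match certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print whichever of <domain> and www.<domain> the certificate covers.
covered_names() {  # usage: covered_names <cert.pem> <domain>
    for h in "$2" "www.$2"; do
        if cert_covers_host "$1" "$h"; then printf '%s\n' "$h"; fi
    done
}

# Real use, with the values from the hosts-file example:
#   fetch_cert 192.168.54.25 WWW.YOURDOMAIN.COM ./site.pem
#   covered_names ./site.pem YOURDOMAIN.COM

# Constructed demo: a throwaway certificate issued to the www name only.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.example.com' \
        -keyout "$d/demo.key" -out "$d/demo.crt" 2>/dev/null || return 1
    covered_names "$d/demo.crt" example.com    # prints only www.example.com
    rm -rf "$d"
}
demo
```

A name that is not printed is the one that will raise the domain-mismatch warning described in the NOTE above.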

