At the moment Aegir doesn't provide any means of managing SSL certificates or of serving a site over https. There is a lot of discussion around implementing this, however, and future versions are likely to include it.
You can follow the discussion here: http://drupal.org/project/issues/search/hostmaster?issue_tags=aegir-ssl
In the meantime you can set this up manually without causing problems with Aegir.
In this how-to I'm using Ubuntu 9.04 on a Linode VPS, but this will be the same for most OSes.
Creating a Certificate
First, create a place to store certificates:
sudo mkdir -p /var/aegir/ssl/certs
Install OpenSSL:
sudo apt-get install openssl
And now let's generate a key pair and a Certificate Signing Request (CSR):
cd /var/aegir/ssl
sudo openssl genrsa -out <name of your certificate>.key 2048
sudo openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr
Note that we have not used the -des3 option when generating the RSA key, so the key is not protected by a passphrase. A passphrase would have to be entered every time Apache starts, and if someone can get to your key file, they can also get to any script used by SSLPassPhraseDialog (thanks to skwashd and mig5 for the advice on this).
Although it asks you to input a Common Name such as your own name, the name entered in the "CN" (common name) field of the CSR MUST be the fully-qualified domain name for the Web site you will be using the certificate for (e.g., "www.example.com"). Do not include the "http://" or "https://" prefixes in your common name.
You will also be asked for the 2-letter ISO country code (ISO Country Code list).
You'll now need to provide this .csr file, or the text in it, to your CA (for a list of available CA resellers, google 'SSL certificate'). If you copy and paste the text into a field on their webpage, you will need to include the lines that say '-----BEGIN CERTIFICATE REQUEST-----' and '-----END CERTIFICATE REQUEST-----'.
When you get the certificates back from the CA, copy the .crt file(s) to the /var/aegir/ssl/certs directory.
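Before configuring Apache, it is worth confirming that the certificate the CA returned was issued for the key generated above, and that the key file is not readable by other users. The script below is an added example, not part of the original how-to; its function names are made up for illustration and the three file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original how-to. Function names are illustrative.
# Usage: sh check_cert.sh <name>.key <name>.csr certs/<name>.crt

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {
    case $1 in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    # An unreadable or malformed file yields no PEM; fail instead of hashing "".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the key file has no group or other permission bits set.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_cert_files KEY CSR CRT: return 0 if all three carry the same public
# key and the key file is private; otherwise print the first problem found.
check_cert_files() {
    k=$(pubkey_digest key "$1") || { echo "cannot read key $1"; return 1; }
    r=$(pubkey_digest csr "$2") || { echo "cannot read CSR $2"; return 1; }
    c=$(pubkey_digest crt "$3") || { echo "cannot read certificate $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not made from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    key_is_private "$1" || { echo "key is readable by group/others: chmod 600 $1"; return 1; }
    echo "key, CSR and certificate match"
}

if [ "$#" -eq 3 ]; then
    check_cert_files "$@"
fi
```

Because the key in this how-to is created with sudo, the script needs to be run with sudo as well to read it.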
Setting up Apache SSL
You may have set up Aegir on a new server with a basic OS image. In this case the Apache SSL module might not be enabled by default.
To enable it, enter the following:
sudo a2enmod ssl
Edit /etc/apache2/ports.conf to add the following (but it may be there already):
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Then enable the default https site for your Apache installation:
sudo a2ensite default-ssl
Setting up Your Aegir Site Config Files
First, set up your site under Aegir as normal. Then, in a shell session, navigate to the /var/aegir/config/vhost.d directory. Here you will see the Apache config files that Aegir creates automatically for each site and platform. There will be one for your site 'example.com'. Take a look at it to see the format, and note the path to the DocumentRoot.
Now create a new file in the same directory called 'example.com-ssl'
vim example.com-ssl
The template of the Apache configuration we need to add to our example.com-ssl configuration file (expanded on from a draft by anarcat) is:
# SSL configuration for Aegir site
# Note that this file is not managed by Aegir
<VirtualHost 01.02.03.04:443>
RewriteEngine On
SSLEngine On
ServerAdmin webmaster@localhost
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/aegir/platforms/drupal-6.13
# Details of the SSL Cert
SSLCertificateFile /var/aegir/ssl/certs/your_domain_name.crt
SSLCertificateKeyFile /var/aegir/ssl/your_domain_name.key
SSLCertificateChainFile /var/aegir/ssl/certs/CA_bundle.crt
# This is important to prevent session hijacking
php_value session.cookie_secure 1
# Extra configuration from modules:
# Error handler for Drupal > 4.6.7
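# This path should sit under the DocumentRoot set above; copy it from the
# vhost file Aegir generated for the site
<Directory "/var/aegir/drupal-6.13/sites/default/files">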
SetHandler This_is_a_Drupal_security_line_do_not_remove
</Directory>
## Aegir hosted database values are now set here in the virtualhost rather than in settings.php
## which is just a passthrough. If not set, you may get a site offline error.
SetEnv db_type mysqli
SetEnv db_name your_db_name
SetEnv db_user your_db_user
SetEnv db_passwd your_aegir_mysql_passwd
SetEnv db_host localhost
</VirtualHost>
In this template, change the IP to your website's IP (note that there can only be one certificate per IP address so you'll need to get multiple IPs for your server to support multiple secure sites).
Change example.com to your domain name.
Change the DocumentRoot to the path to your platform that the site is on.
And change the details of the certificate names.
Now we want Apache to test the new configuration settings. There's lots that could go wrong and we'd rather catch it now than when restarting Apache!
sudo apache2ctl configtest
All OK? Now we can restart Apache:
sudo /etc/init.d/apache2 restart
Finally, check it's all working by browsing to https://example.com! You should see the padlock icon in the bottom of the screen and your site should work as normal.