Setting up SSL on Apache on Linux Ubuntu
I can't vote up or comment on here, but Adrian Perez is right: you aren't using a certificate but a certificate signing request, on this line:
SSLCertificateFile /etc/apache2/ssl/www.example.com.csr
The CSR needs to be sent to a certificate authority to verify your identity and generate the certificate. You can generate this yourself (self-signed) using the command:
openssl x509 -req -days 365 -in www.example.com.csr -signkey www.example.com.key -out www.example.com.crt
And changing:
SSLCertificateFile /etc/apache2/ssl/www.example.com.csr
To:
SSLCertificateFile /etc/apache2/ssl/www.example.com.crt
But then you'll get warnings when you visit the site in your browser, as this would be a self signed certificate and therefore not trusted. Still, it's a good way to get your head around the process and test that the site is working. The basic steps are:
- Generate a private Key file (only do this once, the first time you set up a site)
- Generate a Certificate signing request
- Pay a ton of money to a Certificate Authority to verify and issue the certificate (Thawte or similar)
- Put key on server.
Regarding permissions, make sure the key/crt are only readable/writable by root (chmod 600), otherwise Apache will moan.
Hope this helps
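As an added example (this is not code from the answer above or from the question), the full key -> CSR -> certificate sequence with the openssl command-line tool, followed by the two checks that would have caught the error in the question: the file named in SSLCertificateFile must be a CERTIFICATE and not a CERTIFICATE REQUEST, and it must belong to the key named in SSLCertificateKeyFile. It assumes openssl is installed; the host name and working directory are illustrative values, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the original answer. Walks the key -> CSR ->
# certificate sequence with the openssl CLI and adds the two checks that
# would have caught the "Unable to read server certificate ... wrong tag"
# error: the file given to SSLCertificateFile must be a CERTIFICATE, not a
# CERTIFICATE REQUEST, and it must pair with the key in SSLCertificateKeyFile.
# Assumes openssl is installed; HOST and WORK are illustrative values.
set -eu

HOST="www.example.com"
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/$HOST.key"
CSR="$WORK/$HOST.csr"
CRT="$WORK/$HOST.crt"

# Step 1: private key (once per site) plus a CSR for it. -subj makes the
# command non-interactive; -nodes leaves the key unencrypted so Apache can
# start without a passphrase prompt.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" -subj "/CN=$HOST" 2>/dev/null
    chmod 600 "$KEY"
}

# Step 2: in production, send $CSR to a CA and install the certificate it
# returns. For a local test, self-sign the CSR with our own key instead;
# browsers will warn because nobody they trust vouches for this certificate.
self_sign() {
    openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

# PEM label of a file: CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY, ...
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# The check mod_ssl effectively performs at startup: does the file parse as
# an X.509 certificate? A CSR fails here with an ASN.1 "wrong tag" error.
is_certificate() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Key and certificate must carry the same public key, otherwise Apache
# rejects the pair even though both files parse individually.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

make_key_and_csr
self_sign
printf '%s: %s\n' "$CSR" "$(pem_type "$CSR")" "$CRT" "$(pem_type "$CRT")"
if key_matches_cert "$KEY" "$CRT"; then
    echo "OK: point SSLCertificateFile at $CRT and SSLCertificateKeyFile at $KEY"
fi
```

Once the .crt and .key are in place, `apache2ctl configtest` reports config errors before you restart the service. Because the certificate is checked against the name the client asks for, not against DNS, you can test a vhost before the domain resolves with `openssl s_client -connect SERVERIP:443 -servername www.example.com`, which prints the certificate the server actually presents.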
ThomasReggi
Updated on September 18, 2022

Comments
ThomasReggi, over 1 year:
I'm trying to get SSL to run on my apache web server.
I do not have the DNS for the domain setup yet is that an issue?
How do I setup SSL on my web server?
When I start apache it fails.
root@vannevar:/etc/apache2/ssl# service apache2 start
 * Starting web server apache2
Action 'start' failed.
The Apache error log may have more information.
The log states that it's unable to read the certificate.
[Thu Jun 28 15:01:02 2012] [error] Init: Unable to read server certificate from file /etc/apache2/ssl/www.example.com.csr
[Thu Jun 28 15:01:02 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Jun 28 15:01:02 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
The contents of /etc/apache2/httpd.conf:

ServerName [SERVERIP]
The contents of /etc/apache2/ports.conf:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost [SERVERIP]:443
NameVirtualHost *:80

Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
The contents of /etc/apache2/sites-available/www.example.com:

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /srv/sites/example.com/public/
    ErrorLog /srv/sites/example.com/logs/error.log
    CustomLog /srv/sites/example.com/logs/access.log combined
</VirtualHost>

<VirtualHost [SERVERIP]:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.example.com.csr
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
    SSLCACertificateFile /etc/apache2/ssl/comodo.crt
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /srv/sites/example.com/public/
    ErrorLog /srv/sites/example.com/logs/error.log
    CustomLog /srv/sites/example.com/logs/access.log combined
</VirtualHost>
UPDATE:
In DreamHost (which I'm trying to get off of) I already have a domain with SSL / HTTPS. I can see the three keys in the DreamHost admin: certificate, private key, and intermediate certificate. Can I do anything with these? I can see that DreamHost is using Comodo and my website says it's PositiveSSL, so... on Comodo's website there is the root certificate and intermediate certificate. What do these five certificates have to do with the two created by the
openssl req -new -days 365 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr
command? These two are requesting the actual certificate?

I realized that Apache's error is referring to the file
/etc/apache2/sites-available/www.example.com
where I messed up the file type for
SSLCertificateFile /etc/apache2/ssl/www.example.com.csr
It's supposed to be .crt according to the Linode docs.

Update 2
So I went into DreamHost and copied the keys to the following files and mapped the following:
certificate => dh.crt
private key => dh.key
intermediate certificate => dh.cer
changed the connection in
/sites-available/example.com
and it worked (Apache worked). Does this mean that SSL will work when I connect my domain?

- ThomasReggi, almost 12 years: I'm ok with the browser showing an error as long as it is set up and ready for me to set up DNS. I'm checking the permissions now.
- ThomasReggi, almost 12 years: It's not permissions; just made the csr 777 and the error is still there.
- ThomasReggi, almost 12 years: I used
  openssl req -new -days 365 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr
  which is straight from the Linode docs. Could this really be the case?
- ThomasReggi, almost 12 years: I created those files using
  openssl req -new -days 365 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr
  which is straight from the Linode docs. They have stuff in them.
- David Schwartz, almost 12 years: Except that's a certificate signing request (hence the req part). You need the actual certificate.
- ThomasReggi, almost 12 years: I updated the question with a little bit of what has been going on in my head, care to take a look?
- ThomasReggi, almost 12 years: I have certificates updates question. ^^
- djangofan, almost 12 years: That looks like it would generate a PEM to me. Therefore, if you used that CSR to request a cert reply, it should be ok.
- Robbie Scourou, almost 12 years: In order to test if the SSL is working on your vhost, just make an amendment to your hosts file so that www.example.com (or whatever domain you've set up) points to the IP address of your server.