How To Create a SSL Certificate on Apache for Ubuntu 12.04
Tagged In: Ubuntu, Apache

What the Red Means
The lines that the user needs to enter or customize will be in red in this tutorial!
The rest should mostly be copy-and-pastable.

About SSL Certificates
A SSL certificate is a way to encrypt a site's information and create a more secure connection. Additionally, the certificate can show the virtual private server's identification information to site visitors. Certificate Authorities can issue SSL certificates that verify the server's details, while a self-signed certificate has no 3rd party corroboration.

Set Up
The steps in this tutorial require the user to have root privileges on the VPS. You can see how to set that up here in steps 3 and 4.
Additionally, you need to have Apache already installed and running on your virtual server. If this is not the case, you can download it with this command:
    sudo apt-get install apache2

Step One: Activate the SSL Module
The next step is to enable SSL on the droplet.
    sudo a2enmod ssl
Follow up by restarting Apache.
    sudo service apache2 restart

Step Two: Create a New Directory
We need to create a new directory where we will store the server key and certificate.
    sudo mkdir /etc/apache2/ssl

Step Three: Create a Self Signed SSL Certificate
When we request a new certificate, we can specify how long the certificate should remain valid by changing the 365 to the number of days we prefer. As it stands this certificate will expire after one year.
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
With this command, we will be both creating the self-signed SSL certificate and the server key that protects it, and placing both of them into the new directory.
This command will prompt the terminal to display a list of fields that need to be filled in.
The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:New York
    Locality Name (eg, city) []:NYC
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
    Organizational Unit Name (eg, section) []:Dept of Merriment
    Common Name (e.g. server FQDN or YOUR name) []:example.com
    Email Address []:[email protected]

Step Four: Set Up the Certificate
Now we have all of the required components of the finished certificate. The next thing to do is to set up the virtual hosts to display the new certificate.
Open up the SSL config file:
    nano /etc/apache2/sites-available/default-ssl
Within the section that begins with , quickly make the following changes.
Add a line with your server name right below the Server Admin email:
    ServerName example.com:443
Replace example.com with your DNS approved domain name or server IP address (it should be the same as the common name on the certificate).
Find the following three lines, and make sure that they match the extensions below:
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Save and Exit out of the file.

Step Five: Activate the New Virtual Host
Before the website that will come on the 443 port can be activated, we need to enable that Virtual Host:
    sudo a2ensite default-ssl
You are all set. Restarting your Apache server will reload it with all of your changes in place.
    sudo service apache2 reload
In your browser, type https://youraddress, and you will be able to see the new certificate.
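
Added example (not part of the original tutorial): a shell check of the files produced in Steps Three to Five, covering the failures readers report in the comments on this page: a certificate or key path that does not exist, SSLEngine outside the VirtualHost block, a site that was never enabled, and a private key that other users can read. The function names, the temporary directory layout and the `<VirtualHost *:443>` header in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial. Lints an Apache SSL vhost file.
# check_ssl_vhost FILE: one finding per line on stdout, returns 0 when clean.
check_ssl_vhost() {
    conf=$1
    status=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # Pass 1: awk tracks <VirtualHost> scope and prints either a finding
    # ("E message") or a file for the shell to inspect ("F cert|key path").
    records=$(awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        { d = tolower($1) }
        d == "<virtualhost" {
            invh = 1; engine = crt = key = 0
            addr = $2; sub(/>$/, "", addr)
            next
        }
        d ~ /^<\/virtualhost/ {
            if (addr ~ /:443$/) {
                if (!engine) print "E VirtualHost " addr ": SSLEngine on is missing"
                if (!crt) print "E VirtualHost " addr ": SSLCertificateFile is missing"
                if (!key) print "E VirtualHost " addr ": SSLCertificateKeyFile is missing"
            }
            invh = 0
            next
        }
        d == "sslengine" {
            if (!invh) print "E line " NR ": SSLEngine in global scope, move it into the VirtualHost"
            else if (tolower($2) == "on") engine = 1
        }
        d == "sslcertificatefile"    { crt = 1; print "F cert " $2 }
        d == "sslcertificatekeyfile" { key = 1; print "F key " $2 }
        END { if (invh) print "E VirtualHost " addr ": closing tag is missing" }
    ' "$conf")

    # Pass 2: check every referenced file. The key must be non-empty and
    # must carry no permission bits for group or others.
    while read -r kind rest; do
        case $kind in
        E)  echo "$rest"; status=1 ;;
        F)  what=${rest%% *}; path=${rest#* }
            if [ ! -s "$path" ]; then
                echo "$what file $path does not exist or is empty"; status=1
            elif [ "$what" = key ] &&
                 [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
                echo "key file $path is accessible to group or others (chmod 600)"
                status=1
            fi ;;
        esac
    done <<EOF
$records
EOF
    return $status
}

# site_is_enabled FILE ENABLED_DIR: returns 0 if an entry in ENABLED_DIR is
# FILE (a2ensite creates that symlink; without it the vhost is never loaded).
site_is_enabled() {
    for entry in "$2"/*; do
        [ "$entry" -ef "$1" ] && return 0
    done
    return 1
}

# Constructed sample: the truncated key path and the misplaced SSLEngine
# mirror errors quoted in the comments; the directory layout is made up.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/sites-available" "$d/sites-enabled" "$d/ssl"
    echo "placeholder certificate" > "$d/ssl/apache.crt"
    cat > "$d/sites-available/default-ssl" <<EOF
SSLEngine on
<VirtualHost *:443>
    ServerName example.com:443
    SSLCertificateFile $d/ssl/apache.crt
    SSLCertificateKeyFile $d/ssl/apache.ke
</VirtualHost>
EOF
    check_ssl_vhost "$d/sites-available/default-ssl"
    site_is_enabled "$d/sites-available/default-ssl" "$d/sites-enabled" ||
        echo "default-ssl is not enabled (run a2ensite default-ssl)"
    rm -rf "$d"
}

# "demo" runs the constructed sample; any other argument is a file to lint.
case ${1:-} in
    demo) demo ;;
    ?*)   check_ssl_vhost "$1" ;;
esac
```

On a real server the call would be check_ssl_vhost /etc/apache2/sites-available/default-ssl, run as root so the key file can be inspected.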

See More
Once you have set up your SSL certificate on the site, you can Install an FTP server if you haven't done so yet.
By Etel Sverdlov
116 Comments
bossman759 over 1 year
I Get An Error
bossman759@ubuntu:~$ sudo service apache2 reload
Syntax error on line 173 of /etc/apache2/sites-enabled/default-ssl: SSLCertificateKeyFile: file '/etc/apache2/ssl/apache.ke' does not exist or is empty
Action 'configtest' failed. The Apache error log may have more information.
...fail!
Reply
Moisey over 1 year
Maybe a small typo, the error lists: "/etc/apache2/ssl/apache.ke" The tutorial is for: "/etc/apache2/ssl/apache.key" So the key file you are pointing doesn't exist, just looks like you missed the y on the end. Double check the paths to make sure all of the files you are referencing are where they are supposed to be and if you still have an issue let us know.
Reply
alejandro.visiedo over 1 year
You have a mistake when you typed the location of your "apache.key" file. If you read the location of the error message, you can see that the file you typed was "/etc/apache2/ssl/apache.ke"
Reply
rjyanyan18 over 1 year
How about this?
Syntax error on line 47 of /etc/apache2/sites-enabled/default-ssl: SSLCertificateFile: file '/etc/apache2/ssl/apache.crt' does not exist or is empty
Action 'configtest' failed. The Apache error log may have more information.
...fail!
Reply
Ben Uretsky over 1 year
The error is the file does not exist or is empty, make sure you put your Apache certificate file in place /etc/apache2/ssl/apache.crt You can verify that it's the right file by running: cat /etc/apache2/ssl/apache.crt -- that will show you the contents of the certificate file.
Reply
styx over 1 year
Worked like a charm. Thanks a lot.
Reply
daddyfix over 1 year
Thanks Worked Like a charm on Ubuntu 12.04!
Reply
Etel Sverdlov over 1 year
Thanks! Let me know if there are any topics you would like to see. =]
Reply
kampar over 1 year
100% worked on my VPS Ubuntu 12.04.1 LTS thanks for sharing ...
Reply
jjhartley1425 over 1 year
Great walk-through, bookmarking this. This is the most clear and concise explanation that I have found yet. THANK YOU!
June 6, 2012
Beginner
Reply
fariazz about 1 year
How could I do it to create a self-signed certificate that can work on all subdomains? example subdomain1.example.com, subdomain2.example.com, etc
Reply
Etel Sverdlov about 1 year
You can create a self-signed SSL certificate that will work on all domains by including a catchall in the common name. Include an asterisk in the following line: "Common Name (e.g. server FQDN or YOUR name) []:*.example.com"
Reply
pmmail about 1 year
I have a doubt.... In the original file where do you have to change this? SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key ? I can't find them like that btw in this part ServerName example.com:443 I used this ServerName localhost:443
Reply
Moisey about 1 year
You would put: SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key Inside of the VirtualHost where you would like that SSL to be active. As for the ServerName, that should actually be the name of the domain you setup such as "domain.com" and inside of your VirtualHost you can specify the IP as: VirtualHost xx.xx.xx.xx:443 Then this VirtualHost will only be active for requests on port 443 which is HTTPS.
Reply
maxmueller about 1 year
I have an error when executing the last command (sudo service apache2 reload): * Reloading web server config apache2 [Wed Jan 16 22:31:15 2013] [warn] NameVirtualHost *:80 has no VirtualHosts During the setup of the initial certificate, I didn't use the actual ".com" name of the website, as I thought common name was just a shorthand name. I then read the bit about common name being the most important step (oops), so after I received the above error the first time, I reran the certificate setup and used the correct ".com" name but I'm still getting the same error. Any ideas? (I checked that the SSL config file with VirtualHost *:443 and the other edits and they have all been saved).
Reply
Moisey about 1 year
That error is related to your Apache virtualhost configuration and not your SSL certificate. It just means that you may have a Listen *:80 directive and that you have no VirtualHost *:80 configured, so while you are listening on port 80 you do not have anything configured to serve traffic which is what that refers to.
Reply
maxmueller about 1 year
Ok, so where would I go to change the "Listen *:80" directive? I guess what I'm asking is, how do I go about fixing this? I've followed all the steps so far word for word...
Reply
maxmueller about 1 year
So, I've found a "Listen 80" directive along with a "NameVirtualHost *:80" directive in ports.conf in /etc/apache2/. What and how do I need to edit this file (if it is this file) in order to make this work? I've tried visiting the address of the site both with regular http and https and both time out...
Reply
Moisey about 1 year
In most cases the SSL protected website and the non-SSL website are the same so you can do one of two things:
1. Create a VirtualHost *:80 directive with the same settings as your 443 VirtualHost just remove any mention of the SSL certs so you can serve the same website from http://
2. Create a VirtualHost *:80 directive for the same site and redirect all requests via RewriteRules to the 443 SSL enabled VirtualHost.
We do not use Apache, we use nginx, but we employ method 2, so if you go to http://www.digitalocean.com you will be redirected to https://www.digitalocean.com - this way we ensure that all connections to our website are secure and encrypted.
Reply
maxmueller about 1 year
So I searched around and instead of using rewrite rules, I decided to use a permanent redirect but I still am getting no results. Maybe posting these first few lines will shed some light on my situation: ServerName ec2-XXX.compute-1.amazonaws.com:80 Redirect permanent / ec2-XXX.compute-1.amazonaws.com:443 ServerAdmin webmaster@localhost ServerName ec2-XXX.compute-1.amazonaws.com:443 SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key ... I restarted the apache server with these settings but there is still a network timeout whenever I try to access either the regular or secure version of the site. Any ideas? I'll try rewrite rules, but I feel like the issue may be rooted elsewhere...
Reply
Moisey about 1 year
Remove the SSL lines from your VirtualHost for :80. Then also paste your 443 config, because it will be redirecting to 443 so if the 443 config isn't working then it won't load for either.
Reply
maxmueller about 1 year
Sorry about the last post, it apparently doesn't like things wrapped in HTML-style tags so it was hard to see what was actually a part of what VirtualHost (I'll post the rest of the 443 config though). There were/are no SSL directives/lines in my VirtualHost for :80. Here are both VirtualHosts in /etc/apache2/sites-enabled/000-default:
protocol (http vs https, it defaults to using http) comes back with an error saying that I was trying to access a secure port using regular http. I simply edited the redirect code like the following: {{VirtualHost *:80}} ServerName ec2-XXX.compute-1.amazonaws.com:80 Redirect permanent / https://ec2-XXX.compute-1.amazonaws.com: {{/VirtualHost}} Thanks for the help - apologies for the simplicity of my mistake.
Reply
onrweb about 1 year
Hi, it works in my server (Ubuntu12.04) but when i tried to connect with https, chrome show a warning. I allow it but in url, there is a line on https://... (it doesn't seem trusted) Is it work like this? How can I verify the ssl?
Reply
Moisey about 1 year
That warning means that your SSL certificate isn't signed by a trusted authority like NetworkSolutions. What this means is that the connection is secure via SSL, but visitors will get that warning, if you buy an SSL certificate from NetworkSolutions or another authority then they will provide you a new SSL cert based on your SSL key and then the warning will go away.
Reply
Etel Sverdlov about 1 year
This is because it is a self-signed certificate and not verified by a third party. To avoid getting that screen, you will need to install a valid, signed, SSL certificate from a provider such as StartSSL (for a free one) or Comodo (for a low-priced paid one).
Reply
Wes Hooper about 1 year
Worth reading this too, only takes a few extra minutes: Hardening your Web Server's SSL Ciphers - http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Reply
ronaldsu88 about 1 year
How do I make this work for a particular subdomain only? Such as cart checkout with https at "https://secure.mydomain.com" And everything else with http at "http://mydomain.com" Many thanks!
Reply
Ben Uretsky about 1 year
You should have 2 separate VirtualHost entries, one for secure and for www. Include the SSLCertificate key and file only in the secure VirtualHost entry and make sure that it's set to listen on port 443 for https protocol.
Reply
ish1301 about 1 year
I was seeing "SSL Connection Error" after following the above steps, after debugging i found ssl config file wasn't loaded by apache at all. for that i have to create symbolic link
$ cd /etc/apache2/sites-enabled
$ sudo ln -s ../sites-available/default-ssl 000-default-ssl
Reply
jongmo85 about 1 year
I get an error
~$ sudo service apache2 restart
apache2: Syntax error on line 265 of /etc/apache2/apache2.conf: Cannot load /home/username.rvm/gems/ruby-1.9.3-p385/gems/passenger-3.0.12/ext/apache2/mod_passenger.so into server: /home/username/.rvm/gems/ruby-1.9.3-p385/gems/passenger-3.9.12/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
Action 'configtest' failed. The Apache error log may have more information.
...fail!
Reply
Nick Van Weerdenburg 10 months
Worked for me. I duplicated the virtual host block (entire file copied after itself for two identical sections), and updated the copy to the instructions. Now http: and https: both work.
Reply
Kamal Nasser 10 months
@jongmo85: this is not related to this article. If you have followed an article on installing rvm and configuring Apache to work with it, please comment on it. Otherwise, please create a forum question.
Reply
farhan.sheron 10 months
How to Create a EV SSL Certificate on NGINX for Ubuntu 12.04 ?
Reply
Kamal Nasser 10 months
@farhan.sheron: you create it just like a regular SSL certificate but you have to sign it at a CA as an EV SSL cert.
Reply
commerce 9 months
I get this error:
sudo service apache2 reload
apache2: Syntax error on line 237 of /etc/apache2/apache2.conf: Syntax error on line 42 of /etc/apache2/sites-enabled/000-default: directive missing closing '>'
Action 'configtest' failed. The Apache error log may have more information.
...fail!
Reply
Kamal Nasser 9 months
@commerce: Please pastebin your apache virtualhost config.
Reply
commerce 9 months
followed instruction to a 't' and get above error
Reply
commerce 9 months
ServerAdmin webmaster@localhost
ServerName debt-x.com:443
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Reply
commerce 9 months
don't worry i fixed it
Reply
drmad 8 months
Great tutorial. Plain and simple. I love it. Thank you very much ! What is interesting is that I can access my SSL server via 2 different IP addresses (2 different ADSL boxes) and it still works. That means to me that the Common Name field entered for the certificate is useless when using self certificates. I obviously get the warning message, but it still connects through either box. My setup is: Box 1 Router SSL server or Box 2 Router SSL server with Box1 and Box2 having 2 different WAN IP addresses. Normal?
Reply
drmad 8 months
Sorry the arrow signs didn't show in my previous post. I meant: Box1 -- Router -- SSL Server or Box2 -- Router -- SSL Server ie I have an extra router in the way on top of my ADSL box
Reply
Kamal Nasser 8 months
@dmad: Your browser is warning you that you're using an SSL cert assigned to another hostname, but you can ignore it and continue browsing normally.
Reply
tiago.pcodelico 8 months
Hello, I did this, trying to put my ip in the servername, I bought a RapidSSL of ssl, but they do not accept generate the CSR by IP address. So I went back to my normal settings file /etc/apache2/sites-available/default: ServerAdmin webmaster@localhost (...) and ran the command "sudo a2ensite default" and "sudo service apache2 reload", but my server is off, look http://198.199.78.146. Does anyone know how to get back to normal (as before)?
Reply
tiago.pcodelico 8 months
my file /etc/apache2/sites-available/default: {{ VirtualHost *:80 }} ServerAdmin webmaster@localhost (...)
Reply
tiago.pcodelico 8 months
That's ok for me. I want did this:
$ sudo nano /etc/apache2/sites-available/default
I edit the servername to localhost
ServerName localhost
and restart apache:
sudo /etc/init.d/apache2 restart
Reply
sean 8 months
Thanks for the instructions. I'm stuck, maybe someone can point me in the right direction. Inside /etc/apache2/sites-available I have 3 files: default, default-ssl, and mysite.com. My site is up and functional, I am trying to add an https version that admins can use to securely administer the site. I have tried modifying all three files with the above directives to no avail. What might I be missing?
Reply
Kamal Nasser 8 months
@sean: Did you restart apache? "service apache2 restart"
Reply
dagomnet 8 months
HI. Where could be my problem. I get this, when i wanted to restart apache after all above command.
root@dago:/etc/apache2# service apache2 restart
* Restarting web server apache2
Action 'start' failed. The Apache error log may have more information.
Reply
dagomnet 8 months
the error.log showed this:
ue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Jul 30 10:21:37 2013] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.6 with Suhosin-Patch mod_scgi/1.13 mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- $
[Tue Jul 30 10:26:13 2013] [notice] Graceful restart requested, doing restart
[Tue Jul 30 10:26:13 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jul 30 10:26:13 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Tue Jul 30 10:27:02 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jul 30 10:27:02 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
[Tue Jul 30 10:33:29 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jul 30 10:33:29 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
Reply
dagomnet 8 months
Sorry , I've found the error. Actually, i put the last three lines on wrong place. I made SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key The correct form is like this: SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key Now it's OK.
Reply
tiago.pcodelico 8 months
The certificate requires that bought the key CSR, and the tutorial how to create a key CRT. How to proceed to create a key CSR required by the certificate purchased? Just change the extension?
Reply
Kamal Nasser 8 months
@tiago.pcodelico: Follow steps 2 and 3 from this article: https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04
Reply
tiago.pcodelico 8 months
Thanks @Kamal, is what I thought to do! I am a layman in ssl =)
Reply
misterxx64 7 months
Hey guys, anyone know if it works with varnish 1.1 installed? Thank you:)
Reply
Kamal Nasser 7 months
@misterxx64: Yes. Varnish does not support SSL natively so you'll have to set up a reverse proxy in front of it: http://plone.org/documentation/kb/plone-behind-varnish-using-pound-for-ssl
Reply
tytung 7 months
The easier configuration of a self-signed certificate is as follows.
$ sudo a2enmod ssl
$ sudo a2ensite default-ssl
$ sudo service apache2 restart
Now you have both http://example.com/ and https://example.com/ at the same time. Reference: http://d.klwe.info/ubuntu-12-04-setting-up-apache2-and-ssl-with-self-signed-certificate/
Option 1: Type the following command if you update your hostname/DNS.
$ sudo make-ssl-cert generate-default-snakeoil --force-overwrite
It creates the following files: /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem
$ sudo service apache2 restart
Option 2: Type the following commands if you want to set more things.
$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Update the SSL site setting
$ sudo nano /etc/apache2/sites-enabled/default-ssl
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
$ sudo service apache2 restart
Next, you could further secure some services, e.g., phpmyadmin, by enforcing SSL connection.
$ sudo a2enmod rewrite
$ sudo nano /usr/share/phpmyadmin/.htaccess
=============== Edit .htaccess and add the following content ===============
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
===============
$ sudo service apache2 reload
Now when you type http://example.com/phpmyadmin/ , the Apache will redirect it to https://example.com/phpmyadmin/.
Reply
felix.johnson 7 months
I have followed this tut till the end...and when I view it on the browser it says: my domain(example.com) is not configured to connect to port https. What should I do? or what am I doing wrong?
Reply
Kamal Nasser 7 months
@felix.johnson: Did you restart apache after editing the virtualhost configs? Do you have your actual domain or literally example.com?
Reply
ismail.eltahawy 7 months
Thanks a lot for the simple and nice post, i wonder did anybody tried to decrypt the ssl traffic using the "apache.key" generated as mentioned in this post ? i tried to decrypt the captured traffic in the wireshark but it didn't work, i have followed the same steps mentioned in the following link http://wiki.wireshark.org/SSL and this also http://www.youtube.com/watch?v=vQtur8fqErI , it works only in the snakeoil .cap file provided by wireshark.org but didn't work in my captured SSL traffic under apache2 , any ideas?
Reply
deekin 6 months
OMG, I have been knocking my head on this forever!!! Gah I'm close to giving up on the idea. This is what I have:
me@foo:/etc/apache2/ssl$ ll
total 32
drwxr-xr-x 2 root root 4096 Sep 4 02:16 ./
drwxr-xr-x 8 root root 4096 Sep 4 01:48 ../
-rw-r--r-- 1 root root 1407 Sep 4 01:50 apache.crt
-rw-r--r-- 1 root root 1704 Sep 4 01:50 apache.key
-rw-r--r-- 1 root root 1903 Sep 4 02:15 foo.com.crt
-rw-r--r-- 1 root root 1123 Sep 4 01:57 foo.csr
-rw-r--r-- 1 root root 1704 Sep 4 01:57 foo.key
-rw-r--r-- 1 root root 3192 Sep 4 02:16 sf_bundle-g2.crt
I followed the directions at GoDaddy, regenerated the info, and slapped it in here, and nada after following the guide posted above. Restarted apache, set virtual host to port 443, renamed the conf info to the proper names, etc etc:
ServerAdmin [email protected]
ServerName foo.com:443
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/foo.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/foo.com.key
Dear Great Beings in the sky, someone help me out here :( - on testing at https://www.foo.com and at https://foo.com I get: Google Chrome's connection attempt to foo.com was rejected. The website may be down, or your network may not be properly configured.
Reply
mehul.bhandari 6 months
* Restarting web server apache2
[Wed Sep 04 12:50:57 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Wed Sep 04 12:50:58 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
Action 'start' failed. The Apache error log may have more information. [fail]
Reply
Kamal Nasser 6 months
@deekin: Is there anything listening on port 443? Did you try restarting apache?
sudo netstat -plutn | grep :443
Reply
Kamal Nasser 6 months
@mehul.bhandari: Check apache's error logs:
tail /var/log/apache2/error.log
Reply
usavp.suvarna 6 months
how does ssl certificate name appears in browser url eg ur connected to: example.com which is run by: example inc
Reply
Kamal Nasser 6 months
@usavp.suvarna: That is only possible with an EV SSL certificate: http://en.wikipedia.org/wiki/Extended_Validation_Certificate
Reply
technicallyblue 6 months
Hello, What can I do to correct this? When I restart apache I get this: NameVirtualHost *:80 has no VirtualHosts Action 'start' failed In the browser it tells me: Can't establish a connection to the server at ###.###.###.###
Reply
Kamal Nasser 6 months
@technicallyblue: Comment out (add # in the beginning) the NameVirtualHost *:80 line in /etc/apache2/ports.conf
Reply
king_himself88 5 months
Got the following error message after the final command "sudo service apache2 reload" "apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName [warn] NameVirtualHost *:80 has no VirtualHosts" I used the server IP for common name. Will this cover all the add on domain?
Reply
Kamal Nasser 5 months
@king_himself88: See http://www.cyberciti.biz/faq/apache2-namevirtualhost-80-has-no-virtualhosts/ and http://stackoverflow.com/questions/9541460/httpd-could-not-reliably-determine-the-servers-fully-qualified-domain-name-us
Reply
detrix42 5 months
Ok, after reading all this excellent help, I still did not see the answer I need. My site novasector.net:4280 (port 4280 is required because my ISP blocks port 80 to residential accounts) is working at http:// level. I do not have my web site located at the default location of /var/www, it's in /www/novasector.net. I have a debian setup. My question is this: I do not use the default virtualhost file in /etc/apache2/sites-available. I have made a novasector.net-ssl with what has described in this tutorial. How do I set this up , not using the default file?
Reply
Kamal Nasser 5 months
@detrix42: Please pastebin all of the files in /etc/apache2/sites-enabled
Reply
detrix42 5 months
I pasted 2 files: the site-enabled one, and the site-available ssl version. http://pastebin.com/1LVaEvUR Thanks for the help
Reply
Kamal Nasser 5 months
@detrix42: You can enable the SSL virtualhost by running sudo a2ensite novasector.net-ssl followed by sudo service apache2 reload Does that fix it?
Reply
Duane Adam 5 months
Hello everyone, I am a bit confused on this article. How do I install SSL if let's say I am using EssentialSSL
Reply
Kamal Nasser 5 months
@duaneadam: Please create a new question (https://www.digitalocean.com/community/questions) if you haven't managed to do that yet.
Reply
jntslvdrt 4 months
Hey, I have a problem. I followed all over the tutorial and I'm getting this error " ERR_SSL_PROTOCOL_ERROR" I'm usingChrome, Ubuntu 13.04 X64 Desktop and a Ubuntu 12.04.3 X64 Deploy.
Reply
jfgodin 4 months
I'm having the same error as @jntslvdrt however I'm using Ubuntu 12.04.3 LTS. Firefox error states: "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)". Chrome error is "ERR_SSL_PROTOCOL_ERROR".
Reply
null 4 months
I have the same issue like the guys above ( jntslvdrt, jfgodin) "ERR_SSL_PROTOCOL_ERROR".
Reply
Kamal Nasser 4 months
@jntslvdrt, jfgodin, null: Please see if http://stackoverflow.com/a/4762977 helps.
Reply
null 4 months
Thank dear Kamal Finally, I got it running, here what I've done: executed this command: sudo a2ensite default-ssl and then: sudo service apache2 reload :)
Reply
erwin.de.laat 4 months
When I go to my address https://mydomain.com I get : An error occurred during a connection to cleveridge.org. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
Reply
erwin.de.laat 4 months
I believe I tried all the above
Reply
erwin.de.laat 4 months
Found it... I use Zpanel and I had to change httpd-vhosts.conf in /etc/zpanel/configs/apache. It seems like it is working but FireFox tells me the Connection is untrusted (The certificate is not trusted because it is self-signed.)
Reply
alfredo 4 months
Step 5 "sudo a2ensite default" should be changed to "sudo a2ensite default-ssl". Thank you.
Reply
will-v-king 4 months
with the https:// my website can't display completely. the background picture is missing.
Reply
Kamal Nasser 4 months
@will-v-king: See https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content
Reply
yadavrajesh25june 4 months
i am using ubuntu after following this step i am getting this message on browser "Secure Connection Failed An error occurred during a connection to www.gohna.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) "
Reply
yadavrajesh25june 4 months
@Gravatar : Thank you It work for me now after running "sudo a2ensite default-ssl"
Reply
ludensen 4 months
Thank you for your great tutorials! :-) BUT this one still have one error - as others already has pointed out. When you in step 4 make changes to the /etc/apache2/sites-available/default-ssl then in step 5 you should also enable default-ssl and not default PLEASE take a look at this :-) Linux Regards Tom Ludensen
Reply
ludensen 4 months
If you follow the above tutorial and execute "sudo a2ensite default" instead of "sudo a2ensite default-ssl" you will probably get the following error when trying to open a https-connection: "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)"
Reply
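Why an HTTP answer on port 443 shows up as ssl_error_rx_record_too_long, as an added example that is not part of the original comments: a TLS client reads the first five bytes of the reply as a record header, and ASCII text such as "HTTP/" decodes to a length above the TLS maximum. The function names and sample bytes are constructed for illustration.

```python
import struct

# Largest TLSCiphertext.length a TLS 1.2 peer may accept (RFC 5246, section 6.2.3).
TLS_MAX_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def parse_record_header(data: bytes) -> dict:
    """Read 5 bytes as a TLS record header: type(1) version(2) length(2)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def diagnose(data: bytes) -> str:
    """Classify the first bytes a listener on port 443 sent back."""
    if len(data) < 5:
        return "too-short"
    hdr = parse_record_header(data)
    if data[:5] in (b"HTTP/", b"<!DOC", b"<html", b"<HTML"):
        # A TLS client reads the ASCII text as a header with an oversized length.
        return "plaintext-http (parsed as TLS: length=%d, max=%d)" % (
            hdr["length"], TLS_MAX_RECORD)
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= TLS_MAX_RECORD):
        return "tls " + TLS_CONTENT_TYPES[hdr["type"]]
    return "unknown"

# Constructed samples: the start of an HTTP error reply, of an HTML error page,
# and of a TLS 1.2 handshake record.
SAMPLES = {
    "port 443 served by a non-SSL vhost": b"HTTP/1.1 400 Bad Request\r\n",
    "html error page": b"<!DOCTYPE HTML PUBLIC",
    "ssl-enabled vhost": bytes.fromhex("160303005d0200005903"),
}

if __name__ == "__main__":
    for label, first_bytes in SAMPLES.items():
        print(label, "->", diagnose(first_bytes))
```

A "plaintext-http" result for your own server means the site answering on 443 has no SSL enabled, which is the situation the comments above fix with "sudo a2ensite default-ssl".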
Kamal Nasser 4 months
Thanks, I've updated the article.
Reply
jamied_uk 3 months
find? on what file be specific please SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Reply
akshayjain07 3 months
Thanks it's working. But when I visit my site I get the error: On Chrome: The site's security certificate is not trusted! and similar error on Firefox. I know this is the free version of Openssl but is there any way of preventing this error from coming up in front of new visitors to my site? (They do get an option of proceeding anyway, but I'd rather that this error is not displayed at all)
Reply
akshayjain07 3 months
I found the answer in the comments. Guess I'll have to switch to StartSSL or some other provider to avoid this error.
Reply
trevor 3 months
So I set up the default file which works great but how do I make SSL enabled for each of my vhosts? The default site will only let me set one DocumentRoot which is problematic since I have vhosts with separate folders for each set of content per site. Is there a way to account for this and make these SSL settings carry through to all sites? Thanks.
Reply
Kamal Nasser 2 months
@trevor: You will need to create a separate ssl-enabled vhost for each existing non-ssl vhost, replacing *:80 with *:443 and adding the appropriate SSL directives (Step Four).
Reply
kato223 2 months
Worked perfect. Thank you very much!
Reply
alexander 2 months
I thought you could only buy ssl certs. How can you make one? Please reply: [email protected]. Thank you.
Reply
kurtulus.m about 1 month
Worked on Debian 7! Which SSL is the best to buy for a Wordpress website? Maybe in the future I could open an online shop too. Thanks!
Reply
tim about 1 month
I too had this error: SSLEngine On should go in the VirtualHost, not in global scope. Eventually, by adding SSLEngine On to my new file httpd-ssl.conf (which is included in httpd.conf) with the address of my server certificate and server key, the problem was resolved.
Reply
rmaiolo 22 days
I followed these steps for an aws instance ...everything from the cli seemed to go ok..but every https request times out and I can't find anything helpful in the logs..if there's any advice you have, I'd love it
Reply
dahalpi 19 days
Hello, I installed on my server following the guide and can't recognize the certificate yet, what can I do? https://www.cultura-libre.cl/# PD: it's a vps on digitalocean see ya!
Reply
bitlather 18 days
Correction: sudo vim /etc/apache2/sites-available/default-ssl --> sudo vim /etc/apache2/sites-available/default-ssl.conf Works for me.
Reply
Kamal Nasser 18 days
@dahalpi: Make sure port 443 is open. I believe AWS has an external firewall (it's called "security groups" if I recall correctly).
Reply
bitlather 18 days
My correction above of using default-ssl.conf was for the LAMP install instructions from digital ocean. I noted that plain default-ssl worked on my dev machine.
Reply
ctefanos.t 15 days
Hello, I installed the certificate but the browser says the certificate is untrusted, what can I do?
Reply
stephen 12 days
comodo gives you three files the .key a .crt and a .ca-bundle how does one install in the apache /etc/apache2/sites-available/default-ssl or are we supposed to add the 443 instruction the individual site virtual host file? thanks!
Reply
Kamal Nasser 11 days
@ctefanos.t: See Etel's comment above (January 18th, 2013 20:05).
Reply
Kamal Nasser 11 days
@stephen:
SSLEngine On
SSLCertificateFile /path/to/.crt
SSLCertificateChainFile /path/to/.ca-bundle
SSLCertificateKeyFile /path/to/.key
Make sure you secure the private key file:
sudo chown root:root /path/to/.key
sudo chmod 400 /path/to/.key
Reply
stephen 10 days
@kamal Thank you! Just to clarify - if this certificate is issued for a domain that is one virtual host on an IP, does one put the VirtualHost _default_:443 block into the /etc/apache2/sites-available/somSSLsite.com file? e.g. and NOT the /etc/apache2/sites-available/default-ssl?
Reply
Kamal Nasser 9 days
@stephen: It doesn't matter as long as ServerName is properly set.
Reply
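A check for the per-vhost setup discussed in the replies to trevor and stephen (one *:443 vhost per site, SSL directives inside the VirtualHost, ServerName set), as an added example that is not part of the original comments. The audit function, the sample configuration and the example.com names are constructed; the certificate paths follow the tutorial's layout.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

def directives(body):
    """Return {lower-cased directive: argument} for one vhost body."""
    found = {}
    for raw in body.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith(("#", "<")):
            continue  # blank line, comment, or nested section tag
        found[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return found

def audit(conf_text):
    """List (server name, problem) pairs for every vhost bound to port 443."""
    findings = []
    for addr, body in VHOST_RE.findall(conf_text):
        if not any(a.endswith(":443") for a in addr.split()):
            continue  # plain-HTTP vhost, nothing to check
        d = directives(body)
        name = d.get("servername", addr.strip())
        if "servername" not in d:
            findings.append((name, "ServerName not set"))
        if d.get("sslengine", "").lower() != "on":
            findings.append((name, "SSLEngine is not on"))
        for req in REQUIRED:
            if req.lower() not in d:
                findings.append((name, req + " missing"))
    return findings

# Constructed sample configuration, not taken from the page.
SAMPLE = """
<VirtualHost *:80>
    ServerName example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.com
    SSLCertificateFile /etc/apache2/ssl/apache.crt
</VirtualHost>
"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(name + ": " + problem)
```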
deeptigp9 8 days
Hi, I am trying to get https://localhost to work. When I followed all of the above steps, running https://localhost still gives me "site's security certificate is not trusted!" warning. Thus, I a) edited my /etc/hosts file to include 127.0.0.1 classifyimagedistortions.com in the first line b) Then went to http://www.cacert.org/ and tried to generate a certificate for the domain name "classifyimagedistortions.com". However, it asks for a valid email address with this domain and because that doesn't exist, this gives me "Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid Failed to make a connection to the mail server" error. Any idea where I am going wrong and how to enable https to localhost? Thanks!
Reply
Copyright 2014 DigitalOcean Inc.