June 6, 2012

Beginner

How To Create a SSL Certificate on Apache for Ubuntu 12.04

Tagged In: Ubuntu, Apache

What the Red Means

The lines that the user needs to enter or customize will be in red in this tutorial!

The rest should mostly be copy-and-pastable.

About SSL Certificates

An SSL certificate is a way to encrypt the traffic between a site and its visitors and create a more secure connection. Additionally, the certificate can present the virtual private server's identification information to site visitors. Certificate Authorities issue SSL certificates that verify the server's details, whereas a self-signed certificate has no third-party corroboration.

Set Up

The steps in this tutorial require the user to have root privileges on the VPS. You can see how to set that up here in steps 3 and 4.

Additionally, you need to have Apache already installed and running on your virtual server.
If this is not the case, you can install it with this command:
sudo apt-get install apache2

Step One—Activate the SSL Module

The next step is to enable the SSL module on the droplet.
sudo a2enmod ssl

Follow up by restarting Apache.
sudo service apache2 restart

Step Two—Create a New Directory

We need to create a new directory where we will store the server key and certificate:
sudo mkdir /etc/apache2/ssl

Step Three—Create a Self Signed SSL Certificate

When we request a new certificate, we can specify how long it should remain valid by changing the 365 to the number of days we prefer. As it stands, this certificate will expire after one year.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

With this command we create both the self-signed SSL certificate and the private key that belongs to it, and place both of them in the new directory. The -nodes option writes the private key without a passphrase so that Apache can start unattended, which is why the key file should be readable by root only.

This command will prompt the terminal to display a list of fields that need to be filled in.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
Organizational Unit Name (eg, section) []:Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]

Step Four—Set Up the Certificate

Now we have all of the required components of the finished certificate. The next thing to do is to set up the virtual host to serve the new certificate.

Open up the SSL config file:
sudo nano /etc/apache2/sites-available/default-ssl

Within the section that begins with <VirtualHost _default_:443>, make the following changes.

Add a line with your server name right below the ServerAdmin email:
ServerName example.com:443

Replace example.com with your registered domain name or server IP address (it should be the same as the Common Name on the certificate).

Find the following three lines and make sure that they match the lines below:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Save and exit the file.

Step Five—Activate the New Virtual Host

Before the site served on port 443 can come up, we need to enable that virtual host:
sudo a2ensite default-ssl

You are all set. Reloading your Apache server will apply all of your changes.
sudo service apache2 reload

In your browser, type https://youraddress, and you will be able to see the new certificate. Because it is self-signed, the browser will warn that the certificate is not trusted; that is expected for a certificate with no third-party signature.
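The key and certificate from step three can also be generated non-interactively and checked before Apache is pointed at them. This is an added example, not code from the tutorial; it assumes openssl is installed, and the function names and the SSL_OUT_DIR / SSL_CN environment variables are hypothetical choices of this example (the tutorial's own values are /etc/apache2/ssl and your FQDN).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the same
# self-signed key/certificate pair non-interactively, then verify that the
# pair belongs together and carries the expected Common Name.
set -e

# Create apache.key and apache.crt in OUT_DIR, valid for DAYS days.
# -subj answers the Distinguished Name prompts from step three; the CN must
# match the ServerName configured in step four. -nodes writes the private key
# without a passphrase (so Apache can start unattended), which is why the key
# file is immediately restricted to its owner.
gen_selfsigned() {
    out_dir=$1
    cn=$2
    days=${3:-365}
    mkdir -p "$out_dir"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$out_dir/apache.key" -out "$out_dir/apache.crt" \
        -subj "/C=US/ST=New York/L=NYC/O=Awesome Inc/CN=$cn" 2>/dev/null
    chmod 600 "$out_dir/apache.key"
}

# Succeed only if the certificate and the private key carry the same RSA
# modulus, i.e. they belong together. A mismatched pair is a common reason
# for Apache refusing to start after step five.
key_matches_cert() {
    crt=$1
    key=$2
    crt_mod=$(openssl x509 -noout -modulus -in "$crt")
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Print the Common Name embedded in the certificate so it can be compared
# with the ServerName directive. RFC2253 output lists CN first on every
# OpenSSL version, so a single sed expression extracts it.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}

# Succeed if the certificate remains valid for at least MIN_DAYS more days
# (useful as a renewal check once the -days window approaches its end).
cert_valid_for_days() {
    crt=$1
    min_days=${2:-0}
    openssl x509 -noout -checkend $((min_days * 86400)) -in "$crt" >/dev/null
}

# Stand-alone usage (hypothetical variables of this example):
#   SSL_OUT_DIR=/etc/apache2/ssl SSL_CN=example.com sh selfsigned.sh
if [ -n "${SSL_OUT_DIR:-}" ] && [ -n "${SSL_CN:-}" ]; then
    gen_selfsigned "$SSL_OUT_DIR" "$SSL_CN" 365
    key_matches_cert "$SSL_OUT_DIR/apache.crt" "$SSL_OUT_DIR/apache.key"
    echo "OK: key matches certificate, CN=$(cert_cn "$SSL_OUT_DIR/apache.crt")"
fi
```

Run it as root when the output directory is /etc/apache2/ssl; afterwards `apache2ctl configtest` confirms the paths in default-ssl resolve before you reload.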

See More

Once you have set up your SSL certificate on the site, you can install an FTP server if you haven't done so yet.

By Etel Sverdlov

133 Comments

  • Gravatar bossman759 almost 2 years

    I Get An Error
    bossman759@ubuntu:~$ sudo service apache2 reload
    Syntax error on line 173 of /etc/apache2/sites-enabled/default-ssl: SSLCertificateKeyFile: file '/etc/apache2/ssl/apache.ke' does not exist or is empty
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!

  • Gravatar Moisey almost 2 years

    Maybe a small typo; the error lists: "/etc/apache2/ssl/apache.ke" The tutorial is for: "/etc/apache2/ssl/apache.key" So the key file you are pointing to doesn't exist; it just looks like you missed the y on the end. Double check the paths to make sure all of the files you are referencing are where they are supposed to be, and if you still have an issue let us know.

  • Gravatar alejandro.visiedo over 1 year

    You have a mistake where you typed the location of your "apache.key" file. If you read the location in the error message, you can see that the file you typed was "/etc/apache2/ssl/apache.ke"

  • Gravatar rjyanyan18 over 1 year

    How about this?
    Syntax error on line 47 of /etc/apache2/sites-enabled/default-ssl: SSLCertificateFile: file '/etc/apache2/ssl/apache.crt' does not exist or is empty
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!

  • Gravatar Ben Uretsky over 1 year

    The error is that the file does not exist or is empty; make sure you put your Apache certificate file in place at /etc/apache2/ssl/apache.crt. You can verify that it's the right file by running: cat /etc/apache2/ssl/apache.crt -- that will show you the contents of the certificate file.

  • Gravatar styx over 1 year

    Worked like a charm. Thanks a lot.

  • Gravatar daddyfix over 1 year

    Thanks Worked Like a charm on Ubuntu 12.04!

  • Gravatar Etel Sverdlov over 1 year

    Thanks! Let me know if there are any topics you would like to see. =]

  • Gravatar kampar over 1 year

    100% worked on my VPS Ubuntu 12.04.1 LTS thanks for sharing ...

  • Gravatar jjhartley1425 over 1 year

    Great walk-through, bookmarking this. This is the most clear and concise explanation that I have found yet. THANK YOU!

  • Gravatar fariazz over 1 year

    How could I create a self-signed certificate that works on all subdomains? For example subdomain1.example.com, subdomain2.example.com, etc.

  • Gravatar Etel Sverdlov over 1 year

    You can create a self-signed SSL certificate that will work on all domains by including a catchall in the common name. Include an asterisk in the following line: "Common Name (e.g. server FQDN or YOUR name) []:*.example.com"

  • Gravatar pmmail over 1 year

    I have a doubt.... In the original file, where do you have to change this?
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    I can't find them like that. Btw, in this part
    ServerName example.com:443
    I used this
    ServerName localhost:443

  • Gravatar Moisey over 1 year

    You would put:
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    inside of the VirtualHost where you would like that SSL to be active. As for the ServerName, that should actually be the name of the domain you set up, such as "domain.com", and inside of your VirtualHost you can specify the IP as:
    VirtualHost xx.xx.xx.xx:443
    Then this VirtualHost will only be active for requests on port 443, which is HTTPS.

  • Gravatar maxmueller over 1 year

    I have an error when executing the last command (sudo service apache2 reload):
    * Reloading web server config apache2
    [Wed Jan 16 22:31:15 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
    During the setup of the initial certificate, I didn't use the actual ".com" name of the website, as I thought common name was just a shorthand name. I then read the bit about common name being the most important step (oops), so after I received the above error the first time, I reran the certificate setup and used the correct ".com" name but I'm still getting the same error. Any ideas? (I checked the SSL config file with VirtualHost *:443 and the other edits, and they have all been saved).

  • Gravatar Moisey over 1 year

    That error is related to your Apache virtualhost configuration and not your SSL certificate. It just means that you may have a Listen *:80 directive and that you have no VirtualHost *:80 configured, so while you are listening on port 80 you do not have anything configured to serve traffic which is what that refers to.

  • Gravatar maxmueller over 1 year

    Ok, so where would I go to change the "Listen *:80" directive? I guess what I'm asking is, how do I go about fixing this? I've followed all the steps so far word for word...

  • Gravatar maxmueller over 1 year

    So, I've found a "Listen 80" directive along with a "NameVirtualHost *:80" directive in ports.conf in /etc/apache2/. What and how do I need to edit this file (if it is this file) in order to make this work? I've tried visiting the address of the site both with regular http and https and both time out...

  • Gravatar Moisey over 1 year

    In most cases the SSL protected website and the non-SSL website are the same, so you can do one of two things:
    1. Create a VirtualHost *:80 directive with the same settings as your 443 VirtualHost, just remove any mention of the SSL certs so you can serve the same website from http://
    2. Create a VirtualHost *:80 directive for the same site and redirect all requests via RewriteRules to the 443 SSL enabled VirtualHost.
    We do not use Apache, we use nginx, but we employ method 2, so if you go to http://www.digitalocean.com you will be redirected to https://www.digitalocean.com - this way we ensure that all connections to our website are secure and encrypted.

  • Gravatar maxmueller over 1 year

    So I searched around and instead of using rewrite rules, I decided to use a permanent redirect, but I still am getting no results. Maybe posting these first few lines will shed some light on my situation:
    ServerName ec2-XXX.compute-1.amazonaws.com:80
    Redirect permanent / ec2-XXX.compute-1.amazonaws.com:443
    ServerAdmin webmaster@localhost
    ServerName ec2-XXX.compute-1.amazonaws.com:443
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    ...
    I restarted the apache server with these settings but there is still a network timeout whenever I try to access either the regular or secure version of the site. Any ideas? I'll try rewrite rules, but I feel like the issue may be rooted elsewhere...

  • Gravatar Moisey over 1 year

    Remove the SSL lines from your VirtualHost for :80. Then also paste your 443 config, because it will be redirecting to 443, so if the 443 config isn't working then it won't load for either.

  • Gravatar maxmueller about 1 year

    Sorry about the last post, it apparently doesn't like things wrapped in HTML-style tags so it was hard to see what was actually a part of what VirtualHost (I'll post the rest of the 443 config though). There were/are no SSL directives/lines in my VirtualHost for :80. Here are both VirtualHosts in /etc/apache2/sites-enabled/000-default: </VirtualHost

  • Gravatar maxmueller about 1 year

    Argh - I'm going to change the HTML style brackets to {{ and }}
    {{VirtualHost *:80}}
    ServerName ec2-XXX.compute-1.amazonaws.com:80
    Redirect permanent / ec2-XXX.compute-1.amazonaws.com:443
    {{/VirtualHost}}
    {{VirtualHost *:443}}
    ServerAdmin webmaster@localhost
    ServerName ec2-XXX.compute-1.amazonaws.com:443
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    DocumentRoot /var/www
    {{Directory /}}
    Options FollowSymLinks
    AllowOverride None
    {{/Directory}}
    {{Directory /var/www/}}
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    {{/Directory}}
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    {{Directory "/usr/lib/cgi-bin"}}
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
    {{/Directory}}
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /doc/ "/usr/share/doc/"
    {{Directory "/usr/share/doc/"}}
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    {{/Directory}}
    {{/VirtualHost}}

  • Gravatar Moisey about 1 year

    When you access the 443 site directly, what do you see? And have you checked your error log? Lastly, you mentioned that you are getting a network timeout, so you want to also test connectivity to the webserver as well. For that just do:
    # telnet server.ip.address 80
    # telnet server.ip.address 443
    That will show you if you can connect to the server's HTTP server; if not, that means you may have an issue possibly with firewall settings, or with what ports/IPs HTTP is listening on.

  • Gravatar maxmueller about 1 year

    Wow... silly me. I'm using Amazon Web Services as the backbone of the project, and a barebones EC2 Ubuntu instance comes by default with no open ports. All I had to do was edit the security settings to allow incoming connections on ports 80 and 443. I did have to edit the redirect code in the {{VirtualHost *:80}} tag though, because simply using the port :443 without specifying the protocol (http vs https; it defaults to using http) comes back with an error saying that I was trying to access a secure port using regular http. I simply edited the redirect code like the following:
    {{VirtualHost *:80}}
    ServerName ec2-XXX.compute-1.amazonaws.com:80
    Redirect permanent / https://ec2-XXX.compute-1.amazonaws.com:
    {{/VirtualHost}}
    Thanks for the help - apologies for the simplicity of my mistake.

  • Gravatar onrweb about 1 year

    Hi, it works on my server (Ubuntu 12.04), but when I tried to connect with https, Chrome shows a warning. I allow it, but in the URL there is a line through https://... (it doesn't seem trusted). Does it work like this? How can I verify the SSL?

  • Gravatar Moisey about 1 year

    That warning means that your SSL certificate isn't signed by a trusted authority like NetworkSolutions. What this means is that the connection is secure via SSL, but visitors will get that warning, if you buy an SSL certificate from NetworkSolutions or another authority then they will provide you a new SSL cert based on your SSL key and then the warning will go away.

  • Gravatar Etel Sverdlov about 1 year

    This is because it is a self-signed certificate and not verified by a third party. To avoid getting that screen, you will need to install a valid, signed, SSL certificate from a provider such as StartSSL (for a free one) or Comodo (for a low-priced paid one).

  • Gravatar Wes Hooper about 1 year

    Worth reading this too, only takes a few extra minutes: Hardening your Web Server's SSL Ciphers - http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

  • Gravatar ronaldsu88 about 1 year

    How do I make this work for a particular subdomain only? Such as cart checkout with https at "https://secure.mydomain.com" And everything else with http at "http://mydomain.com" Many thanks!

  • Gravatar Ben Uretsky about 1 year

    You should have 2 separate VirtualHost entries, one for secure and one for www. Include the SSLCertificate key and file only in the secure VirtualHost entry and make sure that it's set to listen on port 443 for the https protocol.

  • Gravatar ish1301 about 1 year

    I was seeing "SSL Connection Error" after following the above steps; after debugging I found the ssl config file wasn't loaded by apache at all. For that I had to create a symbolic link:
    $ cd /etc/apache2/sites-enabled
    $ sudo ln -s ../sites-available/default-ssl 000-default-ssl

  • Gravatar jongmo85 about 1 year

    I get an error
    ~$ sudo service apache2 restart
    apache2: Syntax error on line 265 of /etc/apache2/apache2.conf: Cannot load /home/username.rvm/gems/ruby-1.9.3-p385/gems/passenger-3.0.12/ext/apache2/mod_passenger.so into server: /home/username/.rvm/gems/ruby-1.9.3-p385/gems/passenger-3.9.12/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!

  • Gravatar Nick Van Weerdenburg 11 months

    Worked for me. I duplicated the virtual host block (entire file copied after itself for two identical sections), and updated the copy to the instructions. Now http: and https: both work.

  • Gravatar Kamal Nasser 11 months

    @jongmo85: this is not related to this article. If you have followed an article on installing rvm and configuring Apache to work with it, please comment on it. Otherwise, please create a forum question.

  • Gravatar farhan.sheron 11 months

    How to Create an EV SSL Certificate on NGINX for Ubuntu 12.04?

  • Gravatar Kamal Nasser 11 months

    @farhan.sheron: you create it just like a regular SSL certificate but you have to sign it at a CA as an EV SSL cert.

  • Gravatar commerce 10 months

    I get this error:
    sudo service apache2 reload
    apache2: Syntax error on line 237 of /etc/apache2/apache2.conf: Syntax error on line 42 of /etc/apache2/sites-enabled/000-default: directive missing closing '>'
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!

  • Gravatar Kamal Nasser 10 months

    @commerce: Please pastebin your apache virtualhost config.

  • Gravatar commerce 10 months

    Followed the instructions to a 't' and get the above error.

  • Gravatar commerce 10 months

    ServerAdmin webmaster@localhost ServerName debt-x.com:443 DocumentRoot /var/www Options FollowSymLinks AllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/" Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key

  • Gravatar commerce 10 months

    don't worry i fixed it

  • Gravatar drmad 10 months

    Great tutorial. Plain and simple. I love it. Thank you very much! What is interesting is that I can access my SSL server via 2 different IP addresses (2 different ADSL boxes) and it still works. That means to me that the Common Name field entered for the certificate is useless when using self certificates. I obviously get the warning message, but it still connects through either box. My setup is: Box 1 Router SSL server or Box 2 Router SSL server, with Box1 and Box2 having 2 different WAN IP addresses. Normal?

  • Gravatar drmad 10 months

    Sorry, the arrow signs didn't show in my previous post. I meant: Box1 -- Router -- SSL Server or Box2 -- Router -- SSL Server, i.e. I have an extra router in the way on top of my ADSL box.

  • Gravatar Kamal Nasser 10 months

    @drmad: Your browser is warning you that you're using an SSL cert assigned to another hostname, but you can ignore it and continue browsing normally.

  • Gravatar tiago.pcodelico 9 months

    Hello, I did this, trying to put my IP in the ServerName. I bought a RapidSSL certificate, but they do not accept generating the CSR by IP address. So I went back to my normal settings file /etc/apache2/sites-available/default: ServerAdmin webmaster@localhost (...) and ran the commands "sudo a2ensite default" and "sudo service apache2 reload", but my server is off, look http://198.199.78.146. Does anyone know how to get back to normal (as before)?

  • Gravatar tiago.pcodelico 9 months

    my file / etc/apache2/sites-available/default: {{ VirtualHost *:80 }}          ServerAdmin webmaster@localhost (...)

  • Gravatar tiago.pcodelico 9 months

    That's ok for me. I did this:
    $ sudo nano /etc/apache2/sites-available/default
    I edited the ServerName to localhost
    ServerName localhost
    and restarted apache:
    sudo /etc/init.d/apache2 restart

  • Gravatar sean 9 months

    Thanks for the instructions. I'm stuck, maybe someone can point me in the right direction. Inside /etc/apache2/sites-available I have 3 files: default, default-ssl, and mysite.com. My site is up and functional, I am trying to add an https version that admins can use to securely administer the site. I have tried modifying all three files with the above directives to no avail. What might I be missing?

  • Gravatar Kamal Nasser 9 months

    @sean: Did you restart apache? "service apache2 restart"

  • Gravatar dagomnet 9 months

    Hi. Where could my problem be? I get this when I wanted to restart apache after all the above commands.
    root@dago:/etc/apache2# service apache2 restart
    * Restarting web server apache2
    Action 'start' failed.
    The Apache error log may have more information.

  • Gravatar dagomnet 9 months

    the error.log showed this:
    [Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
    [Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
    [Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
    [Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standard HTTPS(443) port!
    [Tue Jul 30 10:21:37 2013] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.6 with Suhosin-Patch mod_scgi/1.13 mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- $
    [Tue Jul 30 10:26:13 2013] [notice] Graceful restart requested, doing restart
    [Tue Jul 30 10:26:13 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jul 30 10:26:13 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
    [Tue Jul 30 10:27:02 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jul 30 10:27:02 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)
    [Tue Jul 30 10:33:29 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jul 30 10:33:29 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in global scope.)

  • Gravatar dagomnet 9 months

    Sorry, I've found the error. Actually, I put the last three lines in the wrong place. I made
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    The correct form is like this:
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    Now it's OK.

  • Gravatar tiago.pcodelico 9 months

    The certificate I bought requires a CSR, and the tutorial shows how to create a CRT. How do I create the CSR required by the purchased certificate? Just change the extension?

  • Gravatar Kamal Nasser 9 months

    @tiago.pcodelico: Follow steps 2 and 3 from this article: https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04

  • Gravatar tiago.pcodelico 9 months

    Thanks @Kamal, is what I thought to do! I am a layman in ssl =)

  • Gravatar misterxx64 9 months

    Hey guys, anyone know if it works with varnish 1.1 installed? Thank you:)

  • Gravatar Kamal Nasser 9 months

    @misterxx64: Yes. Varnish does not support SSL natively so you'll have to set up a reverse proxy in front of it: http://plone.org/documentation/kb/plone-behind-varnish-using-pound-for-ssl

  • Gravatar tytung 8 months

    The easier configuration of a self-signed certificate is as follows.
    $ sudo a2enmod ssl
    $ sudo a2ensite default-ssl
    $ sudo service apache2 restart
    Now you have both http://example.com/ and https://example.com/ at the same time.
    Reference: http://d.klwe.info/ubuntu-12-04-setting-up-apache2-and-ssl-with-self-signed-certificate/
    Option 1: Type the following command if you update your hostname/DNS.
    $ sudo make-ssl-cert generate-default-snakeoil --force-overwrite
    It creates the following files:
    /etc/ssl/private/ssl-cert-snakeoil.key
    /etc/ssl/certs/ssl-cert-snakeoil.pem
    $ sudo service apache2 restart
    Option 2: Type the following commands if you want to set more things.
    $ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
    Update the SSL site setting
    $ sudo nano /etc/apache2/sites-enabled/default-ssl
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    $ sudo service apache2 restart
    Next, you could further secure some services, e.g., phpmyadmin, by enforcing SSL connection.
    $ sudo a2enmod rewrite
    $ sudo nano /usr/share/phpmyadmin/.htaccess
    =============== Edit .htaccess and add the following content ===============
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    ===============
    $ sudo service apache2 reload
    Now when you type http://example.com/phpmyadmin/, Apache will redirect it to https://example.com/phpmyadmin/.

  • Gravatar felix.johnson 8 months

    I have followed this tut till the end... and when I view it in the browser it says: my domain (example.com) is not configured to connect to port https. What should I do? Or what am I doing wrong?

  • Gravatar Kamal Nasser 8 months

    @felix.johnson: Did you restart apache after editing the virtualhost configs? Do you have your actual domain or literally example.com?

  • Gravatar ismail.eltahawy 8 months

    Thanks a lot for the simple and nice post. I wonder whether anybody has tried to decrypt the SSL traffic using the "apache.key" generated as mentioned in this post? I tried to decrypt the captured traffic in Wireshark but it didn't work. I followed the same steps mentioned in the following link http://wiki.wireshark.org/SSL and this also http://www.youtube.com/watch?v=vQtur8fqErI; it works only on the snakeoil .cap file provided by wireshark.org but didn't work on my captured SSL traffic under apache2. Any ideas?

  • Gravatar deekin 8 months

    OMG, I have been knocking my head on this forever!!! Gah, I'm close to giving up on the idea. This is what I have:
    me@foo:/etc/apache2/ssl$ ll
    total 32
    drwxr-xr-x 2 root root 4096 Sep 4 02:16 ./
    drwxr-xr-x 8 root root 4096 Sep 4 01:48 ../
    -rw-r--r-- 1 root root 1407 Sep 4 01:50 apache.crt
    -rw-r--r-- 1 root root 1704 Sep 4 01:50 apache.key
    -rw-r--r-- 1 root root 1903 Sep 4 02:15 foo.com.crt
    -rw-r--r-- 1 root root 1123 Sep 4 01:57 foo.csr
    -rw-r--r-- 1 root root 1704 Sep 4 01:57 foo.key
    -rw-r--r-- 1 root root 3192 Sep 4 02:16 sf_bundle-g2.crt
    I followed the directions at GoDaddy, regenerated the info, and slapped it in here, and nada after following the guide posted above. Restarted apache, set virtual host to port 443, renamed the conf info to the proper names, etc etc:
    ServerAdmin [email protected] ServerName foo.com:443 DocumentRoot /var/www Options FollowSymLinks AllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/" Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 SSLEngine on SSLCertificateFile /etc/apache2/ssl/foo.com.crt SSLCertificateKeyFile /etc/apache2/ssl/foo.com.key
    Dear Great Beings in the sky, someone help me out here :( - on testing at https://www.foo.com and at https://foo.com I get: Google Chrome's connection attempt to foo.com was rejected. The website may be down, or your network may not be properly configured.

  • Gravatar mehul.bhandari 8 months

    * Restarting web server apache2
    [Wed Sep 04 12:50:57 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
    [Wed Sep 04 12:50:58 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
    Action 'start' failed.
    The Apache error log may have more information.
    [fail]

  • Gravatar Kamal Nasser 8 months

    @deekin: Is there anything listening on port 443? Did you try restarting apache?

    sudo netstat -plutn | grep :443

  • Gravatar Kamal Nasser 8 months

    @mehul.bhandari: Check apache's error logs:

    tail /var/log/apache2/error.log

  • Gravatar usavp.suvarna 7 months

    How does the SSL certificate name appear in the browser URL, e.g. "You're connected to example.com, which is run by Example Inc"?

  • Gravatar Kamal Nasser 7 months

    @usavp.suvarna: That is only possible with an EV SSL certificate: http://en.wikipedia.org/wiki/Extended_Validation_Certificate

  • Gravatar technicallyblue 7 months

    Hello, What can I do to correct this? When I restart apache I get this: NameVirtualHost *:80 has no VirtualHosts Action 'start' failed In the browser it tells me: Can't establish a connection to the server at ###.###.###.###

  • Gravatar Kamal Nasser 7 months

    @technicallyblue: Comment out (add # in the beginning) the NameVirtualHost *:80 line in /etc/apache2/ports.conf

  • Gravatar king_himself88 6 months

    Got the following error message after the final command "sudo service apache2 reload": "apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName [warn] NameVirtualHost *:80 has no VirtualHosts" I used the server IP for the common name. Will this cover all the add-on domains?

  • Gravatar Kamal Nasser 6 months

    @king_himself88: See http://www.cyberciti.biz/faq/apache2-namevirtualhost-80-has-no-virtualhosts/ and http://stackoverflow.com/questions/9541460/httpd-could-not-reliably-determine-the-servers-fully-qualified-domain-name-us

  • Gravatar detrix42 6 months

    Ok, after reading all this excellent help, I still did not see the answer I need. My site novasector.net:4280 (port 4280 is required because my ISP blocks port 80 to residential accounts) is working at the http:// level. I do not have my web site located at the default location of /var/www; it is at /www/novasector.net. I have a Debian setup. My question is this: I do not use the default VirtualHost file in /etc/apache2/sites-available. I have made a novasector.net-ssl with what has been described in this tutorial. How do I set this up, not using the default file?

  • Gravatar Kamal Nasser 6 months

    @detrix42: Please pastebin all of the files in /etc/apache2/sites-enabled

  • Gravatar detrix42 6 months

    I pasted 2 files: the sites-enabled one, and the sites-available ssl version. http://pastebin.com/1LVaEvUR Thanks for the help

  • Gravatar Kamal Nasser 6 months

    @detrix42: You can enable the SSL virtualhost by running
    sudo a2ensite novasector.net-ssl
    followed by
    sudo service apache2 reload
    Does that fix it?

  • Gravatar Duane Adam 6 months

    Hello everyone, I am a bit confused by this article. How do I install SSL if, let's say, I am using EssentialSSL?

  • Gravatar Kamal Nasser 6 months

    @duaneadam: Please create a new question (https://www.digitalocean.com/community/questions) if you haven't managed to do that yet.

  • Gravatar jntslvdrt 6 months

    Hey, I have a problem. I followed the whole tutorial and I'm getting this error: "ERR_SSL_PROTOCOL_ERROR". I'm using Chrome, Ubuntu 13.04 X64 Desktop and an Ubuntu 12.04.3 X64 Deploy.

  • Gravatar jfgodin 6 months

    I'm having the same error as @jntslvdrt however I'm using Ubuntu 12.04.3 LTS. Firefox error states: "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)". Chrome error is "ERR_SSL_PROTOCOL_ERROR".

  • Gravatar null 6 months

    I have the same issue as the guys above (jntslvdrt, jfgodin): "ERR_SSL_PROTOCOL_ERROR".

  • Gravatar Kamal Nasser 6 months

    @jntslvdrt, jfgodin, null: Please see if http://stackoverflow.com/a/4762977 helps.

  • Gravatar null 6 months

    Thanks, dear Kamal. Finally, I got it running. Here is what I've done: executed this command:
    sudo a2ensite default-ssl
    and then:
    sudo service apache2 reload
    :)

  • Gravatar erwin.de.laat 6 months

    When I go to my address https://mydomain.com I get: An error occurred during a connection to cleveridge.org. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

  • Gravatar erwin.de.laat 6 months

    I believe I tried all the above

  • Gravatar erwin.de.laat 6 months

    Found it... I use Zpanel and I had to change httpd-vhosts.conf in /etc/zpanel/configs/apache. It seems like it is working, but Firefox tells me the Connection is untrusted (The certificate is not trusted because it is self-signed.)

  • Gravatar alfredo 5 months

    Step 5 "sudo a2ensite default" should be changed to "sudo a2ensite default-ssl". Thank you.

  • Gravatar will-v-king 5 months

    With https:// my website can't display completely. The background picture is missing.

  • Gravatar Kamal Nasser 5 months

    @will-v-king: See https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content

  • Gravatar yadavrajesh25june 5 months

    I am using Ubuntu. After following these steps I am getting this message in the browser: "Secure Connection Failed. An error occurred during a connection to www.gohna.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)"

  • Gravatar yadavrajesh25june 5 months

    @Gravatar: Thank you. It works for me now after running "sudo a2ensite default-ssl"

  • Gravatar ludensen 5 months

    Thank you for your great tutorials! :-) BUT this one still has one error, as others have already pointed out. When in step 4 you make changes to /etc/apache2/sites-available/default-ssl, then in step 5 you should also enable default-ssl and not default. PLEASE take a look at this :-) Linux Regards, Tom Ludensen

  • Gravatar ludensen 5 months

    If you follow the above tutorial and execute "sudo a2ensite default" instead of "sudo a2ensite default-ssl" you will probably get the following error when trying to open a https-connection: "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)"

  • Gravatar Kamal Nasser 5 months

    Thanks, I've updated the article.

  • Gravatar jamied_uk 4 months

    find? On what file? Be specific please.
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

  • Gravatar akshayjain07 4 months

    Thanks, it's working. But when I visit my site I get the error: On Chrome: "The site's security certificate is not trusted!" and a similar error on Firefox. I know this is the free version of OpenSSL, but is there any way of preventing this error from coming up in front of new visitors to my site? (They do get an option of proceeding anyway, but I'd rather that this error is not displayed at all.)

  • Gravatar akshayjain07 4 months

    I found the answer in the comments. Guess I'll have to switch to StartSSL or some other provider to avoid this error.

  • Gravatar trevor 4 months

    So I set up the default file, which works great, but how do I make SSL enabled for each of my vhosts? The default site will only let me set one DocumentRoot, which is problematic since I have vhosts with separate folders for each set of content per site. Is there a way to account for this and make these SSL settings carry through to all sites? Thanks.

  • Gravatar Kamal Nasser 4 months

    @trevor: You will need to create a separate ssl-enabled vhost for each existing non-ssl vhost, replacing *:80 with *:443 and adding the appropriate SSL directives (Step Four).

  • Gravatar kato223 3 months

    Worked perfect. Thank you very much!

  • Gravatar alexander 3 months

    I thought you could only buy SSL certs. How can you make one? Please reply: [email protected] Thank you.

  • Gravatar kurtulus.m 3 months

    Worked on Debian 7! Which SSL is the best to buy for a WordPress website? Maybe in the future I could open an online shop too. Thanks!

  • Gravatar tim 3 months

    I too had this error: SSLEngine On should go in the VirtualHost, not in global scope. Eventually, by adding SSLEngine On to my new file httpd-ssl.conf (which is included in httpd.conf) with the address of my server certificate and server key, the problem was resolved.

  • Gravatar rmaiolo about 1 month

    I followed these steps for an AWS instance... everything from the CLI seemed to go OK, but every https request times out and I can't find anything helpful in the logs. If there's any advice you have, I'd love it.

  • Gravatar dahalpi about 1 month

    Hello, I installed on my server following the guide and it can't recognize the certificate yet. What can I do? https://www.cultura-libre.cl/# PD: it's a VPS on DigitalOcean. See ya!

  • Gravatar bitlather about 1 month

    Correction:
    sudo vim /etc/apache2/sites-available/default-ssl
    -->
    sudo vim /etc/apache2/sites-available/default-ssl.conf
    Works for me.

  • Gravatar Kamal Nasser about 1 month

    @dahalpi: Make sure port 443 is open. I believe AWS has an external firewall (it's called "security groups" if I recall correctly).

  • Gravatar bitlather about 1 month

    My correction above of using default-ssl.conf was for the LAMP install instructions from digital ocean. I noted that plain default-ssl worked on my dev machine.

  • Gravatar ctefanos.t about 1 month

    Hello, I installed the certificate but the browser says the certificate is untrusted, what can I do?

  • Gravatar stephen about 1 month

    Comodo gives you three files: the .key, a .crt and a .ca-bundle. How does one install them in the Apache /etc/apache2/sites-available/default-ssl, or are we supposed to add the 443 instruction to the individual site's virtual host file? Thanks!

  • Gravatar Kamal Nasser about 1 month

    @ctefanos.t: See Etel's comment above (January 18th, 2013 20:05).

  • Gravatar Kamal Nasser about 1 month

    @stephen:

    SSLEngine On
    SSLCertificateFile /path/to/.crt
    SSLCertificateChainFile /path/to/.ca-bundle
    SSLCertificateKeyFile /path/to/.key
    Make sure you secure the private key file:
    sudo chown root:root /path/to/.key
    sudo chmod 400 /path/to/.key
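
    Before running a2ensite and reloading Apache, the files named in the directives above can be sanity-checked from the shell. This is an added example, not code from the tutorial or from the commenter; the function names are invented, the default paths are the tutorial's, and it assumes the openssl CLI plus GNU date and stat (Ubuntu/Debian).

    ```shell
    #!/bin/sh
    # Pre-flight checks for an Apache SSL vhost (added example; function names are hypothetical).
    # Catches the two failures seen repeatedly in this thread: a certificate path that
    # does not exist, and a certificate that does not belong to the configured key.

    # Returns 0 when the certificate's public key matches the private key.
    # Compares the RSA modulus of both (Step Three generates an rsa:2048 key).
    cert_key_match() {
        crt=$1; key=$2
        [ -s "$crt" ] && [ -s "$key" ] || return 1
        c=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
        k=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null) || return 1
        [ -n "$c" ] && [ "$c" = "$k" ]
    }

    # Returns 0 when the private key is readable only by its owner (mode 400 or 600),
    # i.e. the chown/chmod from the comment above has been applied.
    key_perms_ok() {
        mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
        [ "$mode" = "400" ] || [ "$mode" = "600" ]
    }

    # Prints the whole days until the certificate expires (negative once expired).
    cert_days_left() {
        end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
        end_s=$(date -d "$end" +%s)
        echo $(( (end_s - $(date +%s)) / 86400 ))
    }

    # Returns 0 when the certificate carries CA:TRUE in basicConstraints. A cert made
    # with "openssl req -x509" usually does, which is what Apache's
    # "RSA server certificate is a CA certificate" warning complains about.
    cert_is_ca() {
        openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
    }

    # Returns 0 when the certificate verifies against a CA bundle
    # (a vendor's .ca-bundle; for a self-signed cert pass the cert itself).
    chain_ok() {
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    }

    # Runs every check; arguments: cert, key, optional chain bundle. Returns 1 on a hard failure.
    preflight() {
        crt=${1:-/etc/apache2/ssl/apache.crt}
        key=${2:-/etc/apache2/ssl/apache.key}
        bundle=$3
        rc=0
        cert_key_match "$crt" "$key" && echo "ok: key matches certificate" \
            || { echo "FAIL: certificate/key mismatch, or a file is missing/empty"; rc=1; }
        key_perms_ok "$key" && echo "ok: key permissions" \
            || echo "WARN: private key is group/world readable; run chmod 400 $key"
        echo "info: certificate expires in $(cert_days_left "$crt") days"
        cert_is_ca "$crt" && echo "info: cert has CA:TRUE (normal for 'openssl req -x509' output)"
        [ -n "$bundle" ] && { chain_ok "$crt" "$bundle" && echo "ok: chain verifies" \
            || { echo "FAIL: certificate does not verify against $bundle"; rc=1; }; }
        return $rc
    }
    ```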

  • Gravatar stephen about 1 month

    @kamal Thank you! Just to clarify: if this certificate is issued for a domain that is one virtual host on an IP, does one put the VirtualHost _default_:443 block into the /etc/apache2/sites-available/somSSLsite.com file, e.g., and NOT the /etc/apache2/sites-available/default-ssl?

  • Gravatar Kamal Nasser about 1 month

    @stephen: It doesn't matter as long as ServerName is properly set.

  • Gravatar deeptigp9 about 1 month

    Hi, I am trying to get https://localhost to work. When I followed all of the above steps, running https://localhost still gives me the "site's security certificate is not trusted!" warning. Thus, I
    a) edited my /etc/hosts file to include 127.0.0.1 classifyimagedistortions.com in the first line;
    b) then went to http://www.cacert.org/ and tried to generate a certificate for the domain name "classifyimagedistortions.com". However, it asks for a valid email address with this domain, and because that doesn't exist, this gives me the error "Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid Failed to make a connection to the mail server".
    Any idea where I am going wrong and how to enable https to localhost? Thanks!

  • Gravatar pedro.m.t.amaral about 1 month

    Hello. I followed this tutorial, and many others I have found online, but I still cannot reach my server via HTTPS (or :443). When I restart apache2 I get the following warning:
    [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    In my 'ports.conf' I have the following:
    NameVirtualHost *:80
    Listen 80
    Listen 443
    Listen 443
    My Vhost default-ssl starts as follows:
    ServerAdmin webmaster@localhost
    ServerAlias www...com:443
    ServerName ..com:443
    ...
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    ...
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    My httpd.conf is empty. And I am sure apache2 is listening on 443:
    sudo netstat -ltnp | grep ':443'
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5137/apache2
    Yes, I have run 'sudo a2enmod ssl' and 'sudo a2ensite default-ssl'. However, when I try to access https://..com, the connection times out and no page is served... I don't know what else to do :(

  • Gravatar pedro.m.t.amaral about 1 month

    Also, it seems like when I run '/usr/bin/openssl s_client -connect www...com:443' the certificate is OK, since it ends with:
    Start Time: 1394704433
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
    ---
    closed

  • Gravatar pedro.m.t.amaral about 1 month

    Posted this on Stack Overflow too: http://stackoverflow.com/questions/22375116/cannot-access-apache2-server-via-https-using-virtual-hosts-and-a-self-signed-cer

  • Gravatar 1665130109 about 1 month

    I set up one-click WordPress on Ubuntu, but I want to disable SSL. How can I do that? Sorry, I can't speak English, so I hope for simple answers. Thanks.

  • Gravatar Kamal Nasser about 1 month

    @1665130109: Run

    sudo a2dissite default-ssl
    sudo service apache2 reload

  • Gravatar teo7691 about 1 month

    After following this tutorial, I run service apache2 reload and I get this:
    [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
    Can anyone help me?

  • Gravatar Kamal Nasser about 1 month

    @teo7691: See http://wiki.apache.org/httpd/VirtualHostsMixingPorts. If you're not able to fix it, please pastebin your virtualhost config.

  • Gravatar teo7691 about 1 month

    I figured out my error and I fixed it by myself. Now can someone tell me why I get a bad certificate? Can I fix it? Here's my error:
    There is a problem with this website's security certificate.
    The security certificate presented by this website was not issued by a trusted certificate authority.
    The security certificate presented by this website was issued for a different website's address.

  • Gravatar Kamal Nasser 25 days

    @teo7691: That's because the certificate is self-signed, which browsers usually don't trust. You can get a free certificate signed by a certificate authority that most browsers trust, StartSSL: https://www.digitalocean.com/community/articles/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps.

  • Gravatar ryms84_1 24 days

    thank you very much! This article is very good.

  • Gravatar MountMANDALAY.net 16 days

    I bought domains and an SSL certificate from GoDaddy and I have a VPS running Ubuntu in DO. How can I make this thing work? If you have time to write a tutorial for that, that'd be great. Thanks

  • Gravatar a.starr.b 16 days

    @MountMANDALAY: For the most part, the steps will be the same. Skip step three where the certificate is created, as you will download yours from GoDaddy. In step four, when editing /etc/apache2/sites-available/default-ssl, point to where you have stored the files you downloaded from GoDaddy instead of the ones you would have created:
    ```
    SSLEngine On
    SSLCertificateFile /path/to/.crt
    SSLCertificateKeyFile /path/to/.key
    SSLCertificateChainFile /path/to/.ca-bundle
    ```

  • Gravatar MountMANDALAY.net 15 days

    @a.starr.b Thank you so much ^_^ :)

  • Gravatar vasanth 15 days

    This information was very useful, thank you.

  • Gravatar brandonlipman 5 days

    I have gotten the following: "Action 'configtest' failed." I ran through all of the comments and tried a few of the solutions offered but have not found a solution. Any suggestions? I am still learning so it could be a very simple error. Thanks.
    ```
    root@lipmanb:~# nano /etc/apache2/sites-available/default-ssl
    root@lipmanb:~# sudo a2ensite default-ssl
    Enabling site default-ssl.
    To activate the new configuration, you need to run:
      service apache2 reload
    root@lipmanb:~# service apache2 reload
    Syntax error on line 52 of /etc/apache2/sites-enabled/default-ssl:
    SSLCertificateFile: file '/etc/ssl/apache2/ssl/apache.crt' does not exist or is empty
    Action 'configtest' failed.
    The Apache error log may have more information.
     ...fail!
    root@lipmanb:~# service apache2 reload
    Syntax error on line 52 of /etc/apache2/sites-enabled/default-ssl:
    SSLCertificateFile: file '/etc/ssl/apache2/ssl/apache.crt' does not exist or is empty
    Action 'configtest' failed.
    The Apache error log may have more information.
     ...fail!
    root@lipmanb:~# Action 'configtest' failed.
    Action: command not found
    root@lipmanb:~# /etc/apache2/apache2.conf
    -bash: /etc/apache2/apache2.conf: Permission denied
    root@lipmanb:~#
    root@lipmanb:~#
    root@lipmanb:~# test
    root@lipmanb:~# test
    root@lipmanb:~# $ sudo a2enmod ssl
    $: command not found
    root@lipmanb:~# sudo a2enmod ssl
    Module ssl already enabled
    root@lipmanb:~# sudo a2ensite default-ssl
    Site default-ssl already enabled
    root@lipmanb:~# sudo service apache2 restart
    Syntax error on line 52 of /etc/apache2/sites-enabled/default-ssl:
    SSLCertificateFile: file '/etc/ssl/apache2/ssl/apache.crt' does not exist or is empty
    Action 'configtest' failed.
    The Apache error log may have more information.
     ...fail!
    root@lipmanb:~# sudo netstat -plutn | grep :443
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 16698/apache2
    root@lipmanb:~#
    ```
    Error Log showed the following:
    ```
    [Mon Apr 14 17:50:53 2014] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.11 with Suhosin-Patch configured -- resuming normal operations
    [Mon Apr 14 17:51:29 2014] [error] [client 24.7.121.250] File does not exist: /var/www/favicon.ico
    [Mon Apr 14 17:53:07 2014] [notice] caught SIGTERM, shutting down
    [Mon Apr 14 17:53:08 2014] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.11 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
    [Mon Apr 14 18:04:03 2014] [error] [client 24.7.121.250] Invalid method in request \x16\x03\x01
    [Mon Apr 14 18:04:03 2014] [error] [client 24.7.121.250] Invalid method in request \x16\x03\x01
    [Mon Apr 14 18:04:03 2014] [error] [client 24.7.121.250] Invalid method in request \x16\x03\x01
    [Mon Apr 14 18:04:03 2014] [error] [client 24.7.121.250] Invalid method in request \x16\x03\x01
    [Mon Apr 14 18:04:03 2014] [error] [client 24.7.121.250] Invalid method in request \x16\x03\x01
    [Mon Apr 14 18:04:03 2014] [error] [client 24.7.121.250] Invalid method in request \x16\x03
    ```

  • Gravatar Andrew SB 4 days

    @brandonlipman: This is the part of the error output that explains what the problem is:
    ```
    Syntax error on line 52 of /etc/apache2/sites-enabled/default-ssl:
    SSLCertificateFile: file '/etc/ssl/apache2/ssl/apache.crt' does not exist or is empty
    ```
    In the file /etc/apache2/sites-enabled/default-ssl the line with "SSLCertificateFile:" is pointing to a location that doesn't contain a certificate file. You need to edit that file to point to the certificate file that you generated in "Step Three."

  • Gravatar Dread Knight about 14 hours

    A lot of people want SSL for facebook apps and such. Self-signed SSL certificates are half-useless, as visitors tend to get a red screen and such instead of the website. I REALLY wish Digital Ocean would provide a shared SSL, it's a bit of a deal breaker for me :\
