By: curt00

Cannot create SSL Certificate on Apache for Ubuntu 12.04

February 14, 2014
There are two articles that explain how to add SSL:

How To Create a SSL Certificate on Apache for Ubuntu 12.04
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04

How To Set Up Apache with a Free Signed SSL Certificate on a VPS
https://www.digitalocean.com/community/articles/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps

DigitalOcean suggested that I follow the first article, which I did. When editing /etc/apache2/sites-available/default-ssl, I entered something different for "ServerName" than what I entered for "Common Name" during the key generation. I think this is why I got the following error message when I ran "service apache2 reload":

    Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

When I made the names consistent and followed some of the suggestions at http://stackoverflow.com/questions/9541460/httpd-could-not-reliably-determine-the-servers-fully-qualified-domain-name-us (which was suggested by Kamal Nasser on https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04), the error message no longer appeared. However, when I go to my domain in the browser, I still do not see HTTPS. Does anyone have any suggestions on how to get this to work?

After trying many of the different suggestions, here is what I have.

Here is my terminal session from key generation:

    root@mydomain:~# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
    Generating a 2048 bit RSA private key
    ...........................................................................
    ............................................................+++
    .............+++
    writing new private key to '/etc/apache2/ssl/apache.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:.
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:mydomain
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:mydomain.com
    Email Address []:.

Here is what I have in /etc/apache2/sites-available/default-ssl:

    ServerAdmin webmaster@localhost
    ServerName mydomain.com:443
    ...
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    ...
    SSLCertificateFile    /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Here is what I have in /etc/apache2/httpd.conf:

    ServerName myhost.mydomain.com

Here is what I have in /etc/apache2/apache2.conf:

    ServerName localhost

Here is what I have in /etc/hosts:

    127.0.0.1 localhost myhost.mydomain.com

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback myhost.mydomain.com
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

Here is what I have in /etc/sysconfig/network:

    HOSTNAME = myhost.mydomain.com

Then I did the following:

    root@mydomain:~# a2dissite default-ssl
    Site default-ssl disabled.
    To activate the new configuration, you need to run:
      service apache2 reload
    root@mydomain:~# a2ensite default-ssl
    Enabling site default-ssl.
    To activate the new configuration, you need to run:
      service apache2 reload
    root@mydomain:~# service apache2 reload
     * Reloading web server config apache2   ...done.
    root@mydomain:~# /etc/init.d/apache2 restart
     * Restarting web server apache2   ... waiting ...done.
    root@mydomain:~#

When I go to mydomain.com in the browser, I still do not get HTTPS. Can anyone help?
3 Answers
I found out that it worked as per the first article. To see HTTPS, I need to type "https://mydomain.com" into the browser, not just "mydomain.com". Then HTTPS shows up, but Chrome is telling me that "The site's security certificate is not trusted!...the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site." I clicked Proceed Anyway. I now see https://mydomain.com but the https has a horizontal cross-out line.

Clicking on the lock shows "Identity not verified...Server's certificate is not trusted... Your connection is encrypted with 256-bit encryption. The connection uses TLS 1.1. The connection is encrypted using CAMELLIA_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism. The connection does not use SSL compression."

If it is working as expected, then can someone explain to me the value of this SSL cert? I don't understand why any developer would bother putting this on, even if it is free. No user is going to type in HTTPS://domain.com. Users are going to type only domain.com, which goes to HTTP://domain.com. Even if I redirect http to https, the URL looks awful with a red https with a line crossed over it.
> No user is going to type in HTTPS://domain.com. Users are going to type only domain.com, which goes to HTTP://domain.com
That's how it works, you will have to redirect visitors from http to https otherwise they will have to type in https:// manually.
> the URL looks awful with a red https with a line crossed over it.
That's because the certificate is self-signed and not signed by a trusted certificate authority such as Comodo, GlobalSign, GoDaddy, Thawte, and many others. In order to get rid of the warning, you will need to send the CSR to a CA to sign and then replace the self-signed certificate with the signed one.
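The three pieces discussed in this thread, worked through as one added example that is not part of the question, the replies, or the linked DigitalOcean articles: generating the key and self-signed certificate non-interactively so the Common Name cannot drift from Apache's ServerName (the mismatch the question describes), writing a port-80 vhost that redirects to HTTPS alongside the SSL vhost (the redirect the reply recommends), producing a CSR for a CA to sign (the last reply), and checking that certificate, key and vhosts agree. The domain name mydomain.com, the output directories ssl-demo and sites-demo, and the helper names are assumptions; on a real Ubuntu 12.04 host the files would go under /etc/apache2/ssl and /etc/apache2/sites-available.

```shell
#!/bin/sh
# Added example (not the thread's or DigitalOcean's own code). Generates the
# key and self-signed certificate with a fixed Common Name, writes the HTTP
# redirect vhost and the SSL vhost with the same name, creates a CSR for a CA,
# and checks that cert, key and vhosts are consistent. Names and directories
# below are constructed for the demo.
set -eu

SSL_DIR="${SSL_DIR:-./ssl-demo}"          # stands in for /etc/apache2/ssl
SITES_DIR="${SITES_DIR:-./sites-demo}"    # stands in for /etc/apache2/sites-available

# Key + self-signed cert in one step; -subj replaces the interactive prompts,
# so the CN is exactly the name Apache will serve under.
make_selfsigned() {
    fqdn="$1"; days="${2:-3650}"
    mkdir -p "$SSL_DIR"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/O=$fqdn/CN=$fqdn" \
        -keyout "$SSL_DIR/apache.key" -out "$SSL_DIR/apache.crt" 2>/dev/null
    chmod 600 "$SSL_DIR/apache.key"       # private key must not be world-readable
}

# CSR for the same key; the CA-signed result replaces apache.crt, key unchanged.
make_csr() {
    openssl req -new -key "$SSL_DIR/apache.key" -subj "/CN=$1" \
        -out "$SSL_DIR/apache.csr" 2>/dev/null
}

# Port-80 vhost that redirects every request to HTTPS, plus the SSL vhost.
write_vhosts() {
    fqdn="$1"
    mkdir -p "$SITES_DIR"
    cat > "$SITES_DIR/000-default" <<EOF
<VirtualHost *:80>
    ServerName $fqdn
    Redirect permanent / https://$fqdn/
</VirtualHost>
EOF
    cat > "$SITES_DIR/default-ssl" <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $fqdn
    DocumentRoot /var/www
    SSLEngine on
    SSLCertificateFile    $SSL_DIR/apache.crt
    SSLCertificateKeyFile $SSL_DIR/apache.key
</VirtualHost>
</IfModule>
EOF
}

# CN of a certificate (cert_cn) or a CSR (csr_cn); RFC2253 ordering lists CN first.
cert_cn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
csr_cn()  { openssl req  -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# First ServerName in a vhost file, with any ":443" port suffix dropped.
server_name() { sed -n 's/^[[:space:]]*ServerName[[:space:]]*\([^:[:space:]]*\).*/\1/p' "$1" | head -n 1; }

# Host that the HTTP vhost redirects to.
redirect_host() { sed -n 's#^[[:space:]]*Redirect permanent / https://\([^/]*\)/.*#\1#p' "$1"; }

# Key and certificate belong together iff they carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# All three names must agree: certificate CN, SSL ServerName, redirect target.
names_consistent() {
    cn=$(cert_cn "$SSL_DIR/apache.crt")
    [ -n "$cn" ] &&
    [ "$cn" = "$(server_name "$SITES_DIR/default-ssl")" ] &&
    [ "$cn" = "$(redirect_host "$SITES_DIR/000-default")" ]
}

# Demo run with the constructed domain name.
make_selfsigned mydomain.com
make_csr mydomain.com
write_vhosts mydomain.com
echo "certificate CN: $(cert_cn "$SSL_DIR/apache.crt")"
if key_matches_cert "$SSL_DIR/apache.key" "$SSL_DIR/apache.crt" && names_consistent; then
    echo "key, certificate and vhosts are consistent"
fi
```

The checks are the ones worth running before `service apache2 reload`: a ServerName that differs from the CN produces exactly the name confusion in the question, and a key that does not match the certificate makes Apache refuse to start the SSL vhost. The self-signed certificate still triggers the browser warning described above; only the CA-signed certificate obtained from the CSR removes it. One caveat for current browsers: this certificate carries the name in CN only, and Chrome and Firefox now require a subjectAltName extension as well, so for a modern deployment add the DNS name as a SAN (or let the CA do so) in addition to the CN.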