How To Create a SSL Certificate on Apache for Ubuntu 12.04 | DigitalOcean

Sign Up Log In

CommunityTutorialsQuestionsProjectsExploreIRC

Search the Community

How To Create a SSL Certificate on Apache for Ubuntu 12.04Tagged In: Ubuntu, Apache

What the Red MeansThe lines that the user needs to enter or customize will be in red in this tutorial!

The rest should mostly be copy-and-pastable.

About SSL CertificatesA SSL certificate is a way to encrypt a site's information and create a more secure connection. Additionally, the certificate can show thevirtual private server's identification information to site visitors. Certificate Authorities can issue SSL certificates that verify the server'sdetails while a self-signed certificate has no 3rd party corroboration.

Set UpThe steps in this tutorial require the user to have root privileges on the VPS. You can see how to set that up here in steps 3 and 4.

Additionally, you need to have apache already installed and running on your virtual server. If this is not the case, you can download it with this command:sudo apt-get install apache2

Step OneActivate the SSL ModuleThe next step is to enable SSL on the droplet.sudo a2enmod ssl

Follow up by restarting Apache.sudo service apache2 restart

Step TwoCreate a New DirectoryWe need to create a new directory where we will store the server key and certificatesudo mkdir /etc/apache2/ssl

Step ThreeCreate a Self Signed SSL CertificateWhen we request a new certificate, we can specify how long the certificate should remain valid by changing the 365 to the number ofdays we prefer. As it stands this certificate will expire after one year.sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

With this command, we will be both creating the self-signed SSL certificate and the server key that protects it, and placing both of theminto the new directory.

This command will prompt terminal to display a lists of fields that need to be filled in.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:USState or Province Name (full name) [Some-State]:New York

Locality Name (eg, city) []:NYCOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome IncOrganizational Unit Name (eg, section) []:Dept of MerrimentCommon Name (e.g. server FQDN or YOUR name) []:example.com Email Address []:[email protected]

Step FourSet Up the CertificateNow we have all of the required components of the finished certificate.The next thing to do is to set up the virtual hosts to display the newcertificate.

Open up the SSL config file: nano /etc/apache2/sites-available/default-ssl

Within the section that begins with , quickly make the following changes.

Add a line with your server name right below the Server Admin email: ServerName example.com:443

Replace example.com with your DNS approved domain name or server IP address (it should be the same as the common name on thecertificate).

Find the following three lines, and make sure that they match the extensions below:SSLEngine onSSLCertificateFile /etc/apache2/ssl/apache.crtSSLCertificateKeyFile /etc/apache2/ssl/apache.key

Save and Exit out of the file.

Step FiveActivate the New Virtual HostBefore the website that will come on the 443 port can be activated, we need to enable that Virtual Host:sudo a2ensite default-ssl

You are all set. Restarting your Apache server will reload it with all of your changes in place.sudo service apache2 reload

In your browser, type https://youraddress, and you will be able to see the new certificate.

See MoreOnce you have setup your SSL certificate on the site, you can Install an FTP server if you haven't done so yet.

By Etel Sverdlov

Try this tutorial on an SSD cloud server.Includes 512MB RAM, 20GB SSD Disk, and 1TB Transfer for $5/mo! Learn more

Create an account or login:EmailPassword

Get Started!

Share this TutorialTweetTweet

Share 12 0Submit

116 Comments

Write Tutorial

bossman759 over 1 year

I Get An Error bossman759@ubuntu:~$ sudo service apache2 reload Syntax error on line 173 of /etc/apache2/sites-enabled/default-

ssl: SSLCertificateKeyFile: file '/etc/apache2/ssl/apache.ke' does not exist or is empty Action 'configtest' failed. The Apache errorlog may have more information. ...fail!

Reply

Moisey over 1 year

Maybe a small typo, the error lists: "/etc/apache2/ssl/apache.ke" The tutorial is for: "/etc/apache2/ssl/apache.key" So the key fileyou are pointing doesn't exist, just looks like you missed the y on the end. Double check the paths to make sure all of the files youare referencing are where they are supposed to be and if you still have an issue let us know.

Reply

alejandro.visiedo over 1 year

You hava a mistake when you typed the location of your "apache.key" file. If you read the location of the error message, you cansee that the file you typed was "/etc/apache2/ssl/apache.ke"

Reply

rjyanyan18 over 1 year

How about this? Syntax error on line 47 of /etc/apache2/sites-enabled/default-ssl: SSLCertificateFile: file'/etc/apache2/ssl/apache.crt' does not exist or is empty Action 'configtest' failed. The Apache error log may have more information....fail!

Reply

Ben Uretsky over 1 year

The error is the file does not exist or is empty, make sure you put your Apache certificate file in place /etc/apache2/ssl/apache.crtYou can verify that its the right file by running: cat /etc/apache2/ssl/apache.crt -- that will show you the contents of the certificatefile.

Reply

styx over 1 year

Worked like a charm. Thanks a lot.

Reply

daddyfix over 1 year

Thanks Worked Like a charm on Ubuntu 12.04!

Reply

Etel Sverdlov over 1 year

Thanks! Let me know if you there are any topics you would like to see. =]

Reply

kampar over 1 year

100% worked on my VPS Ubuntu 12.04.1 LTS thanks for sharing ...

Reply

jjhartley1425 over 1 year

Great walk-through, bookmarking this. This is the most clear and concise explanation that I have found yet. THANK YOU!

June 6, 2012

Beginner

Reply

fariazz about 1 year

How could I do it to create a self-signed certificate that can work on all subdomains? example subdomain1.example.com,subdomain2.example.com, etc

Reply

Etel Sverdlov about 1 year

You can create an self-signed SSL certificate that will work on all domains by including a catchall in the common name. Include anasterisk in the following line: "Common Name (e.g. server FQDN or YOUR name) []:*.example.com"

Reply

pmmail about 1 year

I have a doubt.... In the original file where do you have to change this? SSLEngine on SSLCertificateFile/etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key ? I can't find them like that btw in this partServerName example.com:443 I used this ServerName localhost:443

Reply

Moisey about 1 year

You would put: SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.keyInside of the VirtualHost where you would like that SSL to be active. As for the ServerName, that should actually be the name ofthe domain you setup such as "domain.com" and inside of your VirtualHost you can specify the IP as: VirtualHost xx.xx.xx.xx:443Then this VirtualHost will only be active for requests on port 443 which is HTTPS.

Reply

maxmueller about 1 year

I have an error when executing the last command (sudo service apache2 reload): * Reloading web server config apache2 [Wed Jan16 22:31:15 2013] [warn] NameVirtualHost *:80 has no VirtualHosts During the setup of the initial certificate, I didn't use theactual ".com" name of the website, as I thought common name was just a shorthand name. I then read the bit about common namebeing the most important step (oops), so after I received the above error the first time, I reran the certificate setup and used thecorrect ".com" name but I'm still getting the same error. Any ideas? (I checked that the SSL config file with VirualHost *:443 andthe other edits and they have all been saved).

Reply

Moisey about 1 year

That error is related to your Apache virtualhost configuration and not your SSL certificate. It just means that you may have a Listen*:80 directive and that you have no VirtualHost *:80 configured, so while you are listening on port 80 you do not have anythingconfigured to serve traffic which is what that refers to.

Reply


Ok, so where would I go to change the "Listen *:80" directive? I guess what I'm asking is, how do I go about fixing this? I'vefollowed all the steps so far word for word...

Reply


So, I've found a "Listen 80" directive along with a "NameVirtualHost *:80" directive in ports.conf in /etc/apache2/. What and howdo I need to edit this file (if it is this file) in order to make this work? I've tried visiting the address of the site both with regular httpand https and both time out...

Reply

Moisey about 1 year

In most cases the SSL protected website and the non-SSL website are the same so you can do one of two things: 1. Create aVirtualHost *:80 directive with the same settings as your 443 VirtualHost just remove any mention of the SSL certs so you canserve the same website from http:// 2. Create a VirtualHost *:80 directive for the same site and redirect all requests viaRewriteRules to the 443 SSL enabled VirtualHost. We do not use Apache, we use nginx, but we employ method 2, so if you gotohttp://www.digitalocean.com you will be redirected to https://www.digitalocean.com - this way we ensure that all connections toour website are secure and encrypted.

Reply


So I searched around and instead of using rewrite rules, I decided to use a permanent redirect but I still am getting no results.Maybe posting these first few lines will shed some light on my situation: ServerName ec2-XXX.compute-1.amazonaws.com:80Redirect permanent / ec2-XXX.compute-1.amazonaws.com:443 ServerAdmin webmaster@localhost ServerName ec2-XXX.compute-1.amazonaws.com:443 SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile/etc/apache2/ssl/apache.key ... I restarted the apache server with these settings but there is still a network timeout whenever I try toaccess either the regular or secure version of the site. Any ideas? I'll try rewrite rules, but I feel like the issue may be rootedelsewhere...

Reply

Moisey about 1 year

Remove the SSL lines from your VirtualHost for :80. Then also paste your 443 config, because it will be redirecting to 443 so if the443 config isn't working then it wont load for either.

Reply


Sorry about the last post, it apparently doesn't like things wrapped in HTML-style tags so it was hard to see what was actually a partof what VirtualHost (I'll post the rest of the 443 config though). There were/are no SSL directives/lines in my VirtualHost for :80.Here are both VirtualHosts in /etc/apache2/sites-enabled/000-default:

protocol (http vs https, it defaults to using http) comes back with an error saying that I was trying to access a secure port usingregular http. I simply edited the redirect code like the following: {{VirtualHost *:80}} ServerName ec2-XXX.compute-1.amazonaws.com:80 Redirect permanent / https://ec2-XXX.compute-1.amazonaws.com: {{/VirtualHost}} Thanks for the help -apologies for the simplicity of my mistake.

Reply

onrweb about 1 year

Hi, it works in my server (Ubuntu12.04) but when i tried to connect with https, chrome show a warning. I allow it but in url, there isa line on https://... (it doesn't seem trusted) Is it work like this? How can I verify the ssl?

Reply

Moisey about 1 year

That warning means that your SSL certificate isn't signed by a trusted authority like NetworkSolutions. What this means is that theconnection is secure via SSL, but visitors will get that warning, if you buy an SSL certificate from NetworkSolutions or anotherauthority then they will provide you a new SSL cert based on your SSL key and then the warning will go away.

Reply

Etel Sverdlov about 1 year

This is because it is a self-signed certificate and not verified by a third party. To avoid getting that screen, you will need to install avalid, signed, SSL certificate from a provider such as StartSSL (for a free one) or Comodo (for a low-priced paid one).

Reply

Wes Hooper about 1 year

Worth reading this too, only takes a few extra minutes: Hardening your Web Server's SSL Ciphers -http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Reply

ronaldsu88 about 1 year

How do I make this work for a particular subdomain only? Such as cart checkout with https at "https://secure.mydomain.com" Andeverything else with http at "http://mydomain.com" Many thanks!

Reply

Ben Uretsky about 1 year

You should have 2 separate VirtualHost entries, one for secure and for www. Include the SSLCertificate key and file only in thesecure VirtualHost entry and make sure that its set to listen on port 443 for https protocol.

Reply

ish1301 about 1 year

I was seeing "SSL Connection Error" after following the above steps, after debugging i found ssl config file wasn't loaded byapache at all. for that i have to create symbolic link $ cd /etc/apache2/sites-enabled $ sudo ln -s ../sites-available/default-ssl 000-default-ssl

Reply

jongmo85 about 1 year

I get an error ~$ sudo service apache2 restart apache2: Syntax error on line 265 of /etc/apache2/apache2.conf: Cannot load/home/username.rvm/gems/ruby-1.9.3-p385/gems/passenger-3.0.12/ext/apache2/mod_passenger.so into server:/home/username/.rvm/gems/ruby-1.9.3-p385/gems/passenger-3.9.12/ext/apache2/mod_passenger.so: cannot open shared object file:No such file or directory Action 'configtest' failed. The Apache error log may have more information. ...fail!

Reply

Nick Van Weerdenburg 10 months

Worked for me. I duplicated the virtual host block (entire file copied after itself for two identical sections), and updated the copy tothe instructions. Now http: and https: both work.

Reply

Kamal Nasser 10 months

@jongmo85: this is not related to this article. If you have followed an article on installing rvm and configuring Apache to workwith it, please comment on it. Otherwise, please create a forum question.

Reply

farhan.sheron 10 months

How to Create a EV SSL Certificate on NGINX for Ubuntu 12.04 ?

Reply


@farhan.sheron: you create it just like a regular SSL certificate but you have to sign it at a CA as an EV SSL cert.

Reply

commerce 9 months

I get this error: sudo service apache2 reload apache2: Syntax error on line 237 of /etc/apache2/apache2.conf: Syntax error on line42 of /etc/apache2/sites-enabled/000-default: directive missing closing '>' Action 'configtest' failed. The Apache error log may havemore information. ...fail!

Reply


@commerce: Please pastebin your apache virtualhost config.

Reply

commerce 9 months

followed instruction to a 't' and get above error

Reply

commerce 9 months

ServerAdmin webmaster@localhost ServerName debt-x.com:443 DocumentRoot /var/www Options FollowSymLinksAllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from allScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Orderallow,deny Allow from all ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error,crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/"Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from127.0.0.0/255.0.0.0 ::1/128 SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile/etc/apache2/ssl/apache.key

Reply

commerce 9 months

don't worry i fixed it

Reply

drmad 8 months

Great tutorial. Plain and simple.I love it. Thank you very much ! What is interesting is that I can access my SSL server via 2different IP adresses (2 different ADSL boxes) and it still works. That means to me that the Common Name field entered for thecertificate is useless when using self certificates. I obviously get the warning message, but it still connects through either box. Mysetup is: Box 1 Router SSL server or Box 2 Router SSL server with Box1 and Box2 having 2 different WAN IP addresses. Normal?

Reply

drmad 8 months

Sorry the arrow signs didn't show in my previous most. I meant: Box1 -- Router -- SSL Server or Box2 -- Router -- SSL Server ie Ihave an extra router in the way on top of my ADSL box

Reply


@dmad: Your browser is warning you that you're using an SSL cert assigned to another hostname, but you can ignore it andcontinue browsing normally.

Reply

tiago.pcodelico 8 months

Hello, I did this, trying to put my ip in the servername, I bought a RapidSSL of ssl, but they do not accept generate the CSR by IPaddress. So I went back to my normal settings file / etc/apache2/sites-available/default: ServerAdmin webmaster @ localhost(...) and ran the command "sudo a2ensite default" and "sudo service apache2 reload", but my server is off, lookhttp://198.199.78.146. Does anyone know how to get back to normal (as before)?

Reply


my file / etc/apache2/sites-available/default: {{ VirtualHost *:80 }} ServerAdmin webmaster@localhost (...)

Reply


That's ok for me. I want did this: $ sudo nano /etc/apache2/sites-available/default I edit the servername to localhost ServerNamelocalhost and restart apache: sudo /etc/init.d/apache2 restart

Reply

sean 8 months

Thanks for the instructions. I'm stuck, maybe someone can point me in the right direction. Inside /etc/apache2/sites-available I have3 files: default, default-ssl, and mysite.com. My site is up and functional, I am trying to add an https version that admins can use tosecurely administer the site. I have tried modifying all three files with the above directives to no avail. What might I be missing?

Reply


@sean: Did you restart apache? "service apache2 restart"

Reply

dagomnet 8 months

HI. Where could be my problem. I get this, when i wanted to restart apache after all above command. root@dago:/etc/apache2#service apache2 restart * Restarting web server apache2 Action 'start' failed. The Apache error log may have more information.

Reply

dagomnet 8 months

the error.log showed this: ue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standardHTTPS(443) port! [Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standardHTTPS(443) port! [Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standardHTTPS(443) port! [Tue Jul 30 10:21:37 2013] [warn] Init: (82.196.8.151:443) You configured HTTP(80) on the standardHTTPS(443) port! [Tue Jul 30 10:21:37 2013] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.6 with Suhosin-Patchmod_scgi/1.13 mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- $ [Tue Jul 30 10:26:13 2013] [notice] Graceful restart requested, doingrestart [Tue Jul 30 10:26:13 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jul30 10:26:13 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in globalscope.) [Tue Jul 30 10:27:02 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jul30 10:27:02 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in globalscope.) [Tue Jul 30 10:33:29 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jul30 10:33:29 2013] [error] Illegal attempt to re-initialise SSL for server (SSLEngine On should go in the VirtualHost, not in globalscope.)

Reply

dagomnet 8 months

Sorry , I've found the error. Actually, i put the last three lines on wrong place. I made SSLEngine on SSLCertificateFile/etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key The correct form is like this: SSLEngine onSSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key Now it's OK.

Reply

dagomnet 8 months

Gravatar dagomnet Sorry , I've found the error. Actually, i put the last three lines on wrong place. I made " SSLEngine onSSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key" The correct form is like this:"SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key " Now it's OK.

Reply


The certificate requires that bought the key CSR, and the tutorial how to create a key CRT. How to proceed to create a key CSRrequired by the certificate purchased? Just change the extension?

Reply


@tiago.pcodelico: Follow steps 2 and 3 from this article: https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04

Reply


Thanks @Kamal, is what I thought to do! I am a layman in ssl =)

Reply

misterxx64 7 months

Hey guys, anyone know if it works with varnish 1.1 installed? Thank you:)

Reply


@misterxx64: Yes. Varnish does not support SSL natively so you'll have to set up a reverse proxy in front of it:http://plone.org/documentation/kb/plone-behind-varnish-using-pound-for-ssl

Reply

tytung 7 months

The easier configuration of a self-signed certificate is as follows. $ sudo a2enmod ssl $ sudo a2ensite default-ssl $ sudo serviceapache2 restart Now you have both http://example.com/ and https://example.com/ at the same time. Reference:http://d.klwe.info/ubuntu-12-04-setting-up-apache2-and-ssl-with-self-signed-certificate/ Option 1: Type the following command ifyou update your hostname/DNS. $ sudo make-ssl-cert generate-default-snakeoil force-overwrite It creates the following files:/etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem $ sudo service apache2 restart Option 2: Type the followingcommands if you want to set more things. $ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout/etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt Update the SSL site setting $ sudo nano /etc/apache2/sites-enabled/default-ssl SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key $ sudoservice apache2 restart Next, you could further secure some services, e.g., phpmyadmin, by enforcing SSL connection. $ sudoa2enmod rewrite $ sudo nano /usr/share/phpmyadmin/.htaccess =============== Edit .htaccess and add the following content=============== RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} =============== $ sudo service apache2 reload Now when you type http://example.com/phpmyadmin/ , theApache will redirect it to https//example.com/phpmyadmin/.

Reply

felix.johnson 7 months

I have followed this tut till the end...and when I view it on the browser it says: my domail(example.com) is not configured toconnect to port https. What should I do? or what am I doing wrong?

Reply


@felix.johnson: Did you restart apache after editing the virtualhost configs? Do you have your actual domain or literallyexample.com?

Reply

ismail.eltahawy 7 months

Thanks alot for the simple and nice post, i wonder did anybody tried to decrypt the ssl traffic using the "apache.key" generated asmentioned in this post ? i tried to decrypt the captured traffic in the wireshark but it didn't work, i have followed the same stepsmentioned in the following link http://wiki.wireshark.org/SSL and this also http://www.youtube.com/watch?v=vQtur8fqErI , itworks only in the snakoil .cap file provided by wireshark.org but didn't work in my captured SSL traffic under apache2 , any ideas?

Reply

deekin 6 months

OMG, I have been knocking my head on this forever!!! Gah I'm close to giving up on the idea. This is what I have:me@foo:/etc/apache2/ssl$ ll total 32 drwxr-xr-x 2 root root 4096 Sep 4 02:16 ./ drwxr-xr-x 8 root root 4096 Sep 4 01:48 ../ -rw-r--r-- 1 root root 1407 Sep 4 01:50 apache.crt -rw-r--r-- 1 root root 1704 Sep 4 01:50 apache.key -rw-r--r-- 1 root root 1903 Sep 402:15 foo.com.crt -rw-r--r-- 1 root root 1123 Sep 4 01:57 foo.csr -rw-r--r-- 1 root root 1704 Sep 4 01:57 foo.key -rw-r--r-- 1 rootroot 3192 Sep 4 02:16 sf_bundle-g2.crt I followed the directions at GoDaddy, regenerated the info, and slapped it in here, and nadaafter following the guide posted above. Restarted apache, set virtual host to port 443, renamed the conf info to the proper names, etcetc: ServerAdmin [email protected] ServerName foo.com:443 DocumentRoot /var/www Options FollowSymLinksAllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from allScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Orderallow,deny Allow from all ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error,crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/"Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from127.0.0.0/255.0.0.0 ::1/128 SSLEngine on SSLCertificateFile /etc/apache2/ssl/foo.com.crt SSLCertificateKeyFile/etc/apache2/ssl/foo.com.key Dear Great Beings in the sky, someone help me out here :( - on testing at https://www.foo.com and athttps://foo.com I get: Google Chrome's connection attempt to foo.com was rejected. The website may be down, or your networkmay not be properly configured.

Reply

mehul.bhandari 6 months

* Restarting web server apache2 [Wed Sep 04 12:50:57 2013] [warn] NameVirtualHost *:80 has no VirtualHosts [Wed Sep 0412:50:58 2013] [warn] NameVirtualHost *:80 has no VirtualHosts Action 'start' failed. The Apache error log may have more

information. [fail]

Reply


@deekin: Is there anything listening on port 443? Did you try restarting apache?sudo netstat -plutn | grep :443

Reply


@mehul.bhandari: Check apache's error logs:tail /var/log/apache2/error.log

Reply

usavp.suvarna 6 months

how does ssl certificate nam appears in browser url eg ur connected to :example.com which is run by: example inc

Reply


@usavp.suvarna: That is only possible with an EV SSL certificate: http://en.wikipedia.org/wiki/Extended_Validation_Certificate

Reply

technicallyblue 6 months

Hello, What can I do to correct this? When I restart apache I get this: NameVirtualHost *:80 has no VirtualHosts Action 'start'failed In the browser it tells me: Can't establish a connection to the server at ###.###.###.###

Reply


@technicallyblue: Comment out (add # in the beginning) the NameVirtualHost *:80 line in /etc/apache2/ports.conf

Reply

king_himself88 5 months

Got the following error message after the final command "sudo service apache2 reload" "apache2: Could not reliably determine theserver's fully qualified domain name, using 127.0.0.1 for ServerName [warn] NameVirtualHost *:80 has no VirtualHosts" I usedthe server IP for common name. Will this cover all the add on domain?

Reply


@king_himself88: See http://www.cyberciti.biz/faq/apache2-namevirtualhost-80-has-no-virtualhosts/ andhttp://stackoverflow.com/questions/9541460/httpd-could-not-reliably-determine-the-servers-fully-qualified-domain-name-us

Reply

detrix42 5 months

Ok, after reading all this excellent help, I still did not see the answer I need. My site novasector.net:4280 (port 4280 is requiredbecause my ISP blocks port 80 to residential accounts) is working at http:// level. I do not have my web site located at the defaultlocation of /var/www, its it /www/novasector.net. I have a debian setup. My question is this: I do not use the default vertualhost file

in /etc/apache2/sites-available. I have made a novasector.net-ssl with what has described in this tutorial. How do I set this up , notusing the default file?

Reply


@detrix42: Please pastebin all of the files in /etc/apache2/sites-enabled

Reply

detrix42 5 months

I pasted 2 files: the site-enabled one, and the site-available ssl verson. http://pastebin.com/1LVaEvUR Thanks for the help

Reply


@detrix42: You can enable the SSL virtualhost by running sudo a2ensite novasector.net-ssl followed by sudo serviceapache2 reload Does that fix it?

Reply

Duane Adam 5 months

Hello everyone, I am a bit confused on this article. How do I install SSL if let's say I am using EssentialSSL

Reply


@duaneadam: Please create a new question (https://www.digitalocean.com/community/questions) if you haven't managed to dothat yet.

Reply

jntslvdrt 4 months

Hey, I have a problem. I followed all over the tutorial and I'm getting this error " ERR_SSL_PROTOCOL_ERROR" I'm usingChrome, Ubuntu 13.04 X64 Desktop and a Ubuntu 12.04.3 X64 Deploy.

Reply

jfgodin 4 months

I'm having the same error as @jntslvdrt however I'm using Ubuntu 12.04.3 LTS. Firefox error states: "SSL received a record thatexceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)". Chrome error is"ERR_SSL_PROTOCOL_ERROR".

Reply

null 4 months

I have the same issue like the guys above ( jntslvdrt, jfgodin) "ERR_SSL_PROTOCOL_ERROR".

Reply


@jntslvdrt, jfgodin, null: Please see if http://stackoverflow.com/a/4762977 helps.

Reply

null 4 months

Thank dear Kamal Finally, I got it running, here what I've done: executed this command: sudo a2ensite default-ssl and then: sudoservice apache2 reload :)

Reply

erwin.de.laat 4 months

When I go to my address https://mydomain.com I get : An error occurred during a connection to cleveridge.org. SSL received arecord that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

Reply


I believe I tried all the above

Reply


Found it... I use Zpanel and I had to change httpd-vhosts.conf in /etc/zpanel/configs/apache. It seems like it is working but FireFoxtells me the Connection is untrusted (The certificate is not trusted because it is self-signed.)

Reply

alfredo 4 months

Step 5 "sudo a2ensite default" should be changed to "sudo a2ensite default-ssl". Thank you.

Reply

will-v-king 4 months

with the https:// my website can't display completely. the background picture is missing.

Reply


@will-v-king: See https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content

Reply

yadavrajesh25june 4 months

i am using ubuntu after following this step i am getting this message on browser "Secure Connection Failed An error occurredduring a connection to www.gohna.com. SSL received a record that exceeded the maximum permissible length. (Error code:ssl_error_rx_record_too_long) "

Reply

yadavrajesh25june 4 months

@Gravatar : Thank you It work for me now after running "sudo a2ensite default-ssl"

Reply

ludensen 4 months

Thank you for your great tutorials! :-) BUT this one still have one error - as others already has pointed out. When you in step 4make changes to the /etc/apache2/sites-available/default-ssl then in step 5 you should also enable default-ssl and not defaultPLEASE take a look at this :-) Linux Regards Tom Ludensen

Reply

ludensen 4 months

If you follow the above tutorial and execute "sudo a2ensite default" instead of "sudo a2ensite default-ssl" you will probably get thefollowing error when trying to open a https-connection: "SSL received a record that exceeded the maximum permissible length.(Error code: ssl_error_rx_record_too_long)"

Reply


Thanks, I've updated the article.

Reply

jamied_uk 3 months

find? on what file be specific please SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile/etc/apache2/ssl/apache.key

Reply

akshayjain07 3 months

Thanks it's working. But when I visit my site I get the error: On Chrome: The site's security certificate is not trusted! and similarerror on Firefox. I know this is the free version of Openssl but is there anyway of preventing this error from coming up in front ofnew visitors to my site? (They do get an option of proceeding anyway, but I'd rather that this error is not displayed at all)

Reply

akshayjain07 3 months

I found the answer in the comments. Guess I'll have to switch to StartSSL or some other provider to avoid this error.

Reply

trevor 3 months

So I setup the default file which works great but how to I make SSL enabled for each of my vhosts? The default site will only letme set one DocumentRoot which is problematic since I have vhosts with separate folders for each set of content per site. Is there away to account for this make these SSL settings carry through to all sites? Thanks.

Reply


@trevor: You will need to create a separate ssl-enabled vhost for each existing non-ssl vhost, replacing *:80 with *:443 and addingthe appropriate SSL directives (Step Four).

Reply

kato223 2 months

Worked perfect. Thank you very much!

Reply

alexander 2 months

i thought you could only buy ssl certs.how can you make one? please reply: [email protected]. thank you.

Reply

kurtulus.m about 1 month

Worked on Debian 7! Which SSL is the best to buy for a Wordpress website? maybe in the future i could open an online shop too.Thanks!

Reply

tim about 1 month

I too had this error: SSLEngine On should go in the VirtualHost, not in global scope. Eventually, by adding SSLEngine On to mynew file httpd-ssl.conf (which is included in httpd.conf) with the address of my server certificate and server key, the problem wasresolved.

Reply

rmaiolo 22 days

I followed these steps for an aws instance ...everything from the cli seemed to go ok..but every https request times out and cant findanything helpful in the logs..if there's any advice you have, I'd love it

Reply

dahalpi 19 days

Hello, i installed on my server following the guide and can't recognize the certeificate yet, what can i do? https://www.cultura-libre.cl/# PD: it's a vps on digitalocean see ya!

Reply

bitlather 18 days

Correction: sudo vim /etc/apache2/sites-available/default-ssl --> sudo vim /etc/apache2/sites-available/default-ssl.conf Works forme.

Reply

Kamal Nasser 18 days

@dahalpi: Make sure port 443 is open. I believe AWS has an external firewall (it's called "security groups" if I recall correctly).

Reply

bitlather 18 days

My correction above of using default-ssl.conf was for the LAMP install instructions from digital ocean. I noted that plain default-ssl worked on my dev machine.

Reply

ctefanos.t 15 days

Hello, I installed the certificate but the browser says the certificate is untrusted, what can I do?

Reply

stephen 12 days

comodo gives you three files the .key a .crt and a .ca-bundle how does one install in the apache /etc/apache2/sites-available/default-ssl or are we supposed to add the 443 instruction the individual site virtual host file? thanks!

Reply


@ctefanos.t: See Etel's comment above (January 18th, 2013 20:05).

Reply


@stephen:SSLEngine OnSSLCertificateFile /path/to/.crtSSLCertificateChainFile /path/to/.ca-bundleSSLCertificateKeyFile /path/to/.key

Make sure you secure the private key file:sudo chown root:root /path/to/.keysudo chmod 400 /path/to/.key

Reply

stephen 10 days

@kamal Thank you! Just to clarify - if this certificate is issued for a domain that is one virtual host on an IP, does one put theVirtualHost _default_:443 block into the /etc/apache2/sites-available/somSSLsite.com file ? e.g. and NOT the /etc/apache2/sites-available/default-ssl?

Reply

Kamal Nasser 9 days

@stephen: It doesn't matter as long as ServerName is properly set.

Reply

deeptigp9 8 days

Hi, I am trying to get https://localhost to work. When I followed all of the above steps, running https://localhost still gives me "site'ssecurity certificate is not trusted!" warning. Thus, I a) edited my /etc/hosts file to include 127.0.0.1 classifyimagedistortions.com inthe first line b) Then went to http://www.cacert.org/ and tried to generate a certificate for the domain name"classifyimagedistortions.com" . However, it asks for a valid email address with this domain and because that doesn't exist. thisgives me "Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the emailaddress as invalid Failed to make a connection to the mail server" error. Any idea where I am going wrong and how to enable httpsto localhost? Thanks!

Reply

Leave a Comment

Leave a comment...

Create an account or login:EmailPassword

Submit Comment

Copyright 2014

DigitalOcean Inc.Proudly Made in NYTerms, Privacy, & Copyright Security

ProductPricingFeaturesCustomersOne-Click AppsAPI

CompanyAbout UsBlogJobsPressLogos & BadgesEventsContact

HelpKnowledgebaseGetting StartedFeedbackReferral ProgramNetwork Status

CommunityDashboardOverviewTutorial SuggestionsGet Paid to WriteIRC Chat

ConnectTwitterFacebookLinkedInGoogle+Instagram

1,284,337 Droplets Launched

Documents

How To Create a SSL Certificate on Apache for Ubuntu 12.04 | DigitalOcean