Setting up SSL on Apache 2

If you have already installed SSL on Apache and just need to change certificates, follow only steps 2 and 8.

(1) Preliminaries
If you have a registered DNS name, be sure that you properly set it up.

(2) Copy the server.crt and server.key files into position
This step suggests putting certificate-related files in this location: /etc/apache2/ssl. If the ssl directory doesn't already exist there, go ahead and mkdir it now.

Then copy the server.key and server.crt files into position:

$ cp server.key /etc/apache2/ssl
$ cp server.crt /etc/apache2/ssl

(3) Enable ssl
You'll want to run the /usr/sbin/a2enmod script. If you look at this script, it's simply a general-purpose utility that creates a symlink in /etc/apache2/mods-enabled pointing at a module in /etc/apache2/mods-available (or prints a message to the effect that the given module doesn't exist or is already symlinked for loading).

$ a2enmod ssl

(4) Create a stub SSL conf. file and establish a necessary symlink
The first command copies the default configuration file for port 80, to use it as a stub configuration file for 443. The second command establishes a symlink from the 'available' ssl file to the 'enabled' file. The symlinking methodology between those two directories is similar in philosophy to mods-available and mods-enabled (previous step). The general idea is that enabled files exist as symlinks created to their available counterparts.

$ cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
$ ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl

(5) Set up the document roots
The default location for HTML pages with an initial install of Ubuntu is /var/www and there exists no separate place for ssl files. I prefer to serve up basic HTML pages in /var/www/html and SSL pages in /var/www-ssl/html. Whatever works for you. But at this point I create the directories.

$ cd /var/www
$ mkdir html
$ cd /var
$ mkdir www-ssl
$ cd www-ssl
$ mkdir html

(6) Configure virtual hosts
su to the superuser and make a backup of the original Apache configuration file. Call it whatever you want. My practice is to add "_original" to any default configuration file before I make changes — in case I need to revert. You should not make a backup of the following file in the sites-enabled directory, since both the original and backup will be loaded when you restart Apache. Also note that a symlink exists from /etc/apache2/sites-enabled/000-default to /etc/apache2/sites-available/default. Back it up in the sites-available directory or some other location outside of Apache altogether.

$ sudo su
$ cd /etc/apache2/sites-available
$ cp /etc/apache2/sites-available/default default_original

Now you need to declare the IP of your box (or FQDN/DNS name) and document roots you created in a previous step. 

To configure HTTP over port 80 (edit /etc/apache2/sites-available/default):

NameVirtualHost *:80

(Note: Look down just a bit and make a change to the virtual host settings.)

<VirtualHost *:80>
ServerName localhost
DocumentRoot /var/www/html/

(Note: If you have an assigned IP or DNS name, use it, followed by ":80", as the ServerName.)

Similar procedure for HTTPS over port 443 (edit /etc/apache2/sites-available/ssl):

NameVirtualHost *:443

(Note: Look down just a bit and make a change to the virtual host settings.)

<VirtualHost *:443>
ServerName localhost
DocumentRoot /var/www-ssl/html/

(Note: Again, if you have an assigned IP or DNS name, use it, followed by ":443", as the ServerName.)

(7) Instruct Apache to listen to 443
Go to this file /etc/apache2/ports.conf and add the following to it:

Listen 443

I noted that starting with Ubuntu 7.10 (or thereabouts), the ports.conf may already have an IfModule clause in it for the SSL portion. If you see this, you can just leave it as-is:

<IfModule mod_ssl.c>
Listen 443
</IfModule>
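Two checks worth scripting around steps 2 and 7 (an added helper, not part of the original tutorial): adding "Listen 443" to ports.conf only when no active Listen 443 line is already present (including one inside the IfModule block above), and confirming that server.crt and server.key actually belong together before Apache is restarted with them. The paths in the usage comment are the tutorial's; the function names are this example's own.

```sh
#!/bin/sh
# Added helper script for the Apache SSL setup above; not the tutorial's own code.

# Append "Listen 443" to a ports.conf-style file only if no active (uncommented)
# "Listen 443" line exists yet, e.g. inside an <IfModule mod_ssl.c> block.
ensure_listen_443() {
    conf="$1"
    if grep -Eq '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' "$conf"; then
        return 0            # already present; never add a duplicate
    fi
    printf 'Listen 443\n' >> "$conf"
}

# Count active "Listen 443" directives in a file (used to confirm idempotence).
count_listen_443() {
    grep -Ec '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' "$1" || true
}

# Return 0 if the certificate's public key matches the private key, 1 otherwise.
# Compares PEM public keys rather than RSA moduli, so it also works for EC keys.
check_cert_key_match() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if the private key is readable by its owner only (mode x00), else warn.
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "warning: $1 has mode $mode; consider chmod 600" >&2; return 1 ;;
    esac
}

# Example usage with the tutorial's paths (run as root before restarting Apache):
#   ensure_listen_443 /etc/apache2/ports.conf
#   check_cert_key_match /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key \
#       || echo "server.crt and server.key do not match" >&2
#   check_key_perms /etc/apache2/ssl/server.key
```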

(8) Turn on the SSL engine
For example, in the middle of /etc/apache2/sites-available/ssl file, after the commented area which says "# Possible values include: debug, info, notice, warn, error, crit..." add the following.

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

(9) Make an /etc/hosts tweak (if need be) — and restart Apache
When starting and stopping Apache there may be a complaint such as "Could not determine the server's fully qualified domain name, using for ServerName". You may encounter this if you don't have a DNS name for your server and are just using an IP. If this applies to you, go into your /etc/hosts file and make the following changes. Basically, we'll be adding "localhost.localdomain" to the loopback IP line along with whatever system name you chose when you installed Ubuntu (assuming you've not changed it). The final line below should be there if you have a static IP and a corresponding DNS name registered to it. If this is the case, earlier steps that wanted ServerName should have a value which corresponds to the DNS name also indicated here.

127.0.0.1 localhost localhost.localdomain {your system name}
127.0.1.1 {your system name}
{static IP if you have one} {fully qualified DNS host name if you have one}

It may be that I first noticed additional behavior with Ubuntu 8.04 Hardy Heron. If you don't have a fully qualified domain name (FQDN) for your box, you may need to make an additional tweak. In your /etc/apache2/apache2.conf file, you may want to add the following line at the very end of the file if Apache is still complaining about lacking a fully qualified domain name at startup:

ServerName localhost

Restart Apache.

$ cd /etc/init.d
$ ./apache2 restart

