Advertisements

Ubuntu, Apache, VirtualHosts, and SSL

The goal of this guide is to provide you with an Apache SSL configuration with a unique self-signed certificate for each VirtualHost.

These self-signed certificates are not intended for e-commerce or public-facing web sites. Rather, they are intended for SSL encryption of administration areas on personal websites or administration programs that have HTTP interfaces. Of course, if you have a commercially-signed certificate, you can skip the certificate-generation part of the guide, and proceed to implementing it in a VirtualHost configuration.

Written for Apache on Ubuntu Server 10.04.

First, install the base Apache SSL certificate and enable the Apache SSL module

sudo apt-get install ssl-cert
a2enmod ssl

This installs a base SSL certificate and a generic ‘default-ssl’ site configuration. We will be generating per-domain self-signed certificates later. We will also not be using the ‘default-ssl’ site configuration.

Generating Certificates

Generate a hostname-specfic SSL certificate by following these instructions quoted

— From /usr/share/doc/apache2.2-common/README.Debian.gz

To create more certificates with different host names, you can use
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt
This will ask you for the hostname and place both SSL key and certificate in
the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile
directive in the apache config (you don’t need the SSLCertificateKeyFile in
this case as it also contains the key). The file /path/to/cert-file.crt should
only be readable by root. A good directory to use for the additional
certificates/keys is /etc/ssl/private .

Example:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/example.com.crt

Implementation

Now that the key is generated, we’re going to create an Apache VirtualHost configuration for SSL connection. Chdir to /etc/apache2/sites-available and copy (for example) example.com.conf to example.com-ssl.conf

Next, edit the example.com-ssl.conf file and make the following changes:

* At the beginning of the file (before the tag, add:

Example:


...

* Change the defined port number in the tag from 80 to 443

Example:

...

...

* At the end of the file, after the tag, add

Example:
...

* Within the tag, add the following directives:

SSLEngine On
# The following should point to your SSL cert file in /etc/ssl/private
SSLCertificateFile    /etc/ssl/private/example.com.crt

— From /etc/apache2/sites-available/default-ssl

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem

* Add the SSL workaround for MSIE in your section as follows:

BrowserMatch "MSIE [2-6]" 
nokeepalive ssl-unclean-shutdown 
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

— /usr/share/doc/apache2.2-common/README.Debian.gz

SSL workaround for MSIE
———————–
The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):
BrowserMatch “MSIE [2-6]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
BrowserMatch “MSIE [17-9]” ssl-unclean-shutdown
The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.

Lastly, enable the newly-created site and reload apache:

a2ensite example.com-ssl.conf

Enabling site example.com-ssl.conf.

Run '/etc/init.d/apache2 reload' to activate new configuration!

(This creates the symlink from /etc/apache2/sites-enabled to your config file in /etc/apache2/sites-available – you can also create it manually if your configuration requires it)

/etc/init.d/apache2 reload

* Reloading web server config apache2                                   [ OK ]

Of course, make sure after all of this that your firewall isn’t blocking port 443.

Questions, comments, and feedback regarding this guide and welcome!

Advertisements

, , , ,

  1. #1 by Thomas Winther on June 17, 2011 - 9:53 pm

    Hi, thank you for this guide. It worked perfectly for me :-)

  2. #2 by Magnus on July 26, 2011 - 5:03 am

    Hi, also a lot of thanks for the guide it worked perfectly. :)