Ubuntu Apache https / SSL



  • sudo a2enmod ssl
  • cd /etc/apache2/
  • mkdir ssl
  • cd ssl
  • openssl req -new -nodes -keyout server.key -out server.csr -newkey rsa:4096
  • Request certificate and copy files to /etc/apache2/ctl
    • server.crt
    • sub.class2.server.ca.pem (or class1)
    • ca.pem
  • chmod 600 *
  • cd ..
  • vi default
    • NameVirtualHost *:80
  • vi company1
    • If https only, redirect to https site
    • <VirtualHost *:80>
        ServerName ullright.example.com
        RewriteEngine On
        # This will enable the Rewrite capabilities
        RewriteCond %{HTTPS} !=on
        # This checks to make sure the connection is not already HTTPS
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
        # This rule will redirect users from their original location, to the same location but using HTTPS.
        # i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
        # The leading slash is made optional so that this will work either in httpd.conf
        # or .htaccess context
  • vi company1-ssl
    • <IfModule mod_ssl.c>
      NameVirtualHost *:443
      <VirtualHost *:443>
        ServerName ullright.example.com
        DocumentRoot /var/www/ullright/web
          <Directory /var/www/ullright/web>
              AllowOverride All
              Allow from All
          <Directory /var/www/ullright/web/uploads>
              # Disable rewrite in upload dir (fix to get FCKeditor uploads working)
              RewriteEngine off
              # Disable script execution
              AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
              Options -ExecCGI
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.ca.pem
        SSLCACertificateFile /etc/apache2/ssl/ca.pem
  • sudo service apache2 force-reload


Make sure the virtual host definitions are clean. So only one NameVirtualHost *:443 and <VirtualHost *:443>.


Test SNI with Openssl

openssl s_client -tls1_2 -connect myserver.com:443 -servername www.myvhost.net