Ubuntu: When does Ubuntu 16.04 use /etc/apache2/ssl/apache.crt?



Question:

I have some Ubuntu 16.04 server running and set up one vhost in apache2 which uses (or should use) ssl.

<IfModule mod_ssl.c>
    <VirtualHost *:443>

        ServerAdmin myemail@mailhoster.xx
        ServerName my.domain.name.de
        DocumentRoot /var/www/mysslsite

        <Directory /var/www/mysslsite>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/mysite.ssl.error.log
        CustomLog ${APACHE_LOG_DIR}/mysite.ssl.access.log combined

    </VirtualHost>
</IfModule>

I did NOT enable the standard sites-available/default-ssl.conf.

I am now able to browse to https://my.domain.name.de and Firefox asks me to add an exception, which is totally normal since I did not buy any certificate.

But I was wondering where it is set up that it should use the certificates in the /etc/apache2/ssl/ directory. I cannot find any config where it is told to use that. I always thought that it would use something from the /etc/ssl folder.

Or did I maybe not activate SSL correctly?


Solution:1

According to some manuals the SSL certificate files must be placed under /etc/apache2/ssl/, but they can be placed in a different folder, depending on your own configuration.

To have HTTPS access to your site, you must enable the SSLEngine and provide a valid SSL certificate.

For this purpose you should use the OpenSSL command line tool to generate your own certificate. Then you need to validate the certificate at a provider like COMODO, StartSSL, your local DNS provider, etc. Usually they offer free certificates for a few months. Regarding this way of certificate generation you may look at these guides: for 14.04 and 16.04.

Also you can use the software tool Let's Encrypt. From Let's Encrypt Getting Started page:

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.


I would suggest you use Let's Encrypt at this stage. So let's begin.

1st - install Let's Encrypt:

sudo apt install python-letsencrypt-apache  

2nd - generate the certificate. To generate an SSL certificate compatible with Apache just type: letsencrypt --apache. This command will start an interactive dialogue (where you must fill in your site's personal data) and will generate an HTTPS.conf file based on your existing HTTP.conf file.

You can also use some additional parameters, for example letsencrypt --apache certonly will do the same as above but will not generate the HTTPS.conf file.

Also you can supply all necessary parameters to avoid the dialogue. According to the information provided in the question our command should look like:

sudo letsencrypt --apache certonly --rsa-key-size 4096 --email myemail@mailhoster.xx -d my.domain.name.de  

Let's assume you choose the last approach. The command will generate all necessary certificate files and they will be placed in the folder /etc/letsencrypt/archive/my.domain.name.de/. Also these files will be sym-linked into the folder /etc/letsencrypt/live/my.domain.name.de/. These symlinks will be updated automatically in the future, so we will use them.

3rd - configure (manually) your HTTPS VirtualHost. According to the above the configuration file should look like:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>

        ServerAdmin myemail@mailhoster.xx
        ServerName my.domain.name.de
        DocumentRoot /var/www/mysslsite

        # Turn TLS on for this vhost and point it at the Let's Encrypt
        # symlinks, which follow the current certificate after each renewal.
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/my.domain.name.de/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.name.de/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/my.domain.name.de/chain.pem

        <Directory /var/www/mysslsite>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/mysite.ssl.error.log
        CustomLog ${APACHE_LOG_DIR}/mysite.ssl.access.log combined

    </VirtualHost>
</IfModule>

4th - a2ensite the new VirtualHost, run a2enmod ssl just in case, and restart Apache. That's it. I hope now you will have HTTPS access to your site.

5th - renew your certificate in the future. For this purpose you can edit root's crontab and add a job which will try to letsencrypt renew the certificates, every Sunday at 3:00 AM for example. Type sudo crontab -e and add this line at the bottom:

0 3 * * 0 /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.log 2>&1  



This answer is based on this one.
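
Added example (not part of the original question or answer): a small Python audit that lists, for each <VirtualHost> block in a piece of Apache configuration, which certificate and key files it names and whether a :443 vhost actually has SSLEngine on. The sample input is constructed from the two vhosts shown on this page; the function and variable names are assumptions, and the script only sees the text it is given, so directives set at server scope or in other enabled files are not detected.

```python
import re

# Constructed sample input: the question's vhost (no SSL directives) followed by
# the answer's vhost, reduced to the directives that matter here.
SAMPLE = """\
<VirtualHost *:443>
    ServerName my.domain.name.de
    DocumentRoot /var/www/mysslsite
</VirtualHost>
<VirtualHost _default_:443>
    ServerName my.domain.name.de
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/my.domain.name.de/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.name.de/privkey.pem
</VirtualHost>
"""

TRACKED = ("servername", "sslengine", "sslcertificatefile", "sslcertificatekeyfile")

def check(vhost):
    """List what a :443 vhost is missing to serve its own certificate."""
    if ":443" not in vhost["address"]:
        return []
    problems = []
    if vhost.get("sslengine", "").lower() != "on":
        problems.append("SSLEngine is not on")
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        if name not in vhost:
            problems.append(name + " not set in this block")
    return problems

def audit_vhosts(text):
    """Return one dict per <VirtualHost> block: address, tracked directives, problems."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"address": opened.group(1).strip()}
        elif line.lower().startswith("</virtualhost"):
            if current is not None:
                current["problems"] = check(current)
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)  # directive name, then its value
            if len(parts) == 2 and parts[0].lower() in TRACKED:
                current[parts[0].lower()] = parts[1].strip().strip('"')
    return vhosts

if __name__ == "__main__":
    for v in audit_vhosts(SAMPLE):
        print(v["address"], v.get("sslcertificatefile", "-"), v["problems"] or "ok")
```

To audit a real file, pass its contents instead of SAMPLE, for example audit_vhosts(open(path).read()) for each file under /etc/apache2/sites-enabled/.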

