We Keep Coding

Apache2 SSL Configuration with Virtual Hosts on Ubuntu 14.x

I would like to have ONLY https traffic. I want all of it to be driven to https://example.com and https://www.example.com.
At present this is what works and doesn't work:
https://www.example.com - ok!
http://www.example.com - shows a list of files in my webroot for some reason
https://example.com - This site can’t be reached / example.com refused to connect.
http://example.com - The example.com page isn’t working. example.com didn’t send any data.
I am using Ubuntu 14 (trusty) and here is my current enabled virtual host config:
<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerAdmin info#example.com
ServerName www.example.com:443
ServerAlias example.com:443
DocumentRoot /var/www/example.com/public_html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Any help much appreciated as going nuts!

Did you tried made permanent redirect? https://wiki.apache.org/httpd/RedirectSSL

Ubuntu 14.04 server can't open port

My case is quite specific.
My client uses one of my services (https://example.com/service.php) and I generated for them SSL client certificate, which they use for http requests. but they have requirement that they can only use 1024 bit certificates (I had no problem generating it). but since my CA root certificate is 2048 bit requests fail. Now they want me to open port 4000 for them and require access via SSL cleint certificate. (If that makes any sense).
I run Ubuntu 14.04 on DigitalOcean VPS
I opened port 4000 with
sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
I also allowed that port in ufw with
sudo ufw allow 4000
I also added record to
/etc/apache2/sites-available/default-ssl.conf
I added it to default-ssl.conf because I want port 4000 to be accessible via https (https://example.com:4000/service.php)
<VirtualHost *:4000>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /home/admin/conf/web/client.pem
SSLCertificateKeyFile /home/admin/conf/web/client.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
What Immediate problem I have is that when i try to telnet example.com:4000 it says that 4000 is closed. I need advice on trouble shooting.

You need to add
Listen 4000
somewhere in your apache configuration. Otherwise, apache will not open a socket for that port.
Usually, these settings are apart from the sites-enabled or sites-available directories found on Ubuntu derivatives, for example in the main httpd.conf. A good place would probably be a separate file in conf-available and symlinking that into conf-enabled.

How to install ssl certificate on Flask in apache2/ubuntu14.04 with different ports

i have installed ssl to my apache2 and created https for port of 443, its working. when i tried to install ssl to Flask i could not make it as successful. here are things i have done so far.
i have created file using sudo nano /etc/apache2/sites-available/flask.conf
VirtualHost *:80>
ServerName example.com
ServerAdmin admin#example.com
WSGIScriptAlias / /var/www/FlaskApp/flaskapp.wsgi
<Directory /var/www/FlaskApp/FlaskApp/>
Order allow,deny
Allow from all
</Directory>
Alias /static /var/www/FlaskApp/FlaskApp/static
<Directory /var/www/FlaskApp/FlaskApp/static/>
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:5000>
ServerName example.com
<Directory /var/www/FlaskApp/FlaskApp/>
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/STAR_file.crt
SSLCertificateKeyFile /etc/apache2/ssl/STAR_file.key
SSLCertificateChainFile /etc/apache2/ssl/STAR_file_bundle.pem
<Location />
SSLRequireSSL On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
</Location>
ErrorLog ${APACHE_LOG_DIR}/sslerror.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/sslaccess.log combined
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>'
then i have done the enable example.com and restarted the apache2
but when i am check in browser its not working for the port 5000 and get error as
An error occurred during a connection
SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

I suggest separating the 2 virtual hosts (port 80 and port 5000) to different virtual host files, such as /etc/apache2/sites-available/flask.conf and /etc/apache2/sites-available/flask-ssl.conf. I suspect apache is confused and is serving an HTTP response to an HTTPS request, which can cause that error. It is also possible that you might have a local proxy that's misconfigured, if you use a proxy.
I didn't notice anything wrong with the config file other than that.

Unable to connect (trying to set up SSL in ubuntu)

I purchased an SSL certificate and had it validated. The vendor then sent me the files.
This is my first time adding an SSL to ubuntu.
In my sites enabled folder in Apache I added a new conf file example-ssl.conf
I then added the following
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin info#example.ie
ServerName example.ie
ServerAlias www.example.ie
DocumentRoot /var/www/html/example/
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example_private.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I then ran sudo a2ensite example-ssl.conf
But got an error...
Site example-ssl not properly enabled: /etc/apache2/sites-enabled/example-ssl.conf is a real file, not touching it
So I decided to change default-ssl.conf with the same information as above,
I then ran sudo a2ensite default-ssl.conf which worked.
I restarted apache,
but when I go to https://www.example.com , I get an unable to connect error as if the site doesnt exist at all. "Firefox can't establish a connection to the server at www.example.ie."
Thank you
EDIT: A bit of background, I set this up using Digital Ocean. I've now realised this is happening with all my droplets when I try to use https. So perhaps its a more generic setting on linux I need to enable

You don't show any "Listen 443" directive. That's step one if you expect Apache to listen for connections on a new port.
Also everything you posted is a no-op if mod_ssl isn't loaded due to your ifModule.

hosting multiple SSL certs on apache

I hope someone can give me a hand with this. I have 2 IPs that I can use to do this and need to host 2 different secure (SSL) domains on the same Apache server. I've read that as of Apache 2.2.something that a single IP can be used, using some sort of add-in but I want to keep this as simple as possible and am willing to use both IPs to accomplish this task. I already have the 2 signed certificates for the domains.
This setup that I am posting here, works, but the issue I am having is that when I go to domain2.net, I receive a browser warning telling me that the cert does not match the domain but matches domain1.com
I'm using CentOS 5 and Apache 2.2.3. CentOS has a ssl.conf file and these lines are what I believe are giving me trouble:
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
I was under the impression that I could override these values in the virtual host containers and reference the keys that I need but it doesn't appear that way. When I comment these two lines out in the ssl.conf file, Apache won't restart. The ssl_log hints: SSLCertificateKeyFile
These are my virtual containers:
<VirtualHost 2.2.2.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain2.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.net.key
DocumentRoot "/var/www/domain2"
ServerName domain2.net
ServerAlias domain2.net
DirectoryIndex "index.php"
<Directory /var/www/html/domain2>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 1.1.1.1:444>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
DocumentRoot "/var/www/html"
ServerName domain1.com
ServerAlias domain1.com
DirectoryIndex "index.php"
<Directory /var/www/html>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
How can I get these two domains to work using SSL? I've also tried to use the same port for the different IPs but again, Apache won't restart.
I'm truly lost on this so if someone could lend a hand, I'd really appreciate it.

Great question!
I was able to get two SSL certificates working on the same server. You should be able to do what you are trying to do.
The things in your configuration that stand out as odd to me:
I'd suggest using port 443 for both SSL-protected sites. You should have a specific instruction in apache's conf files somewhere for listening on port 443. For me it is located in /etc/apache2/ports.conf
Listen 443
.
It seems odd that you have ServerName and ServerAlias both using the same domain per virtual host. Try making the ServerAlias different or leaving it out:
ServerName domain1.com
ServerAlias www.domain1.com
.
I am assuming that you replaced your IPs and domains in your posted conf. Even if they are not the actual IPs you are using, you might want to double check that they can get you to the right place outside of SSL (since obviously SSL is not working).
.
Check the apache2 error log for more information. For me the log is located at: /var/log/apache2/error.log . You can set it with:
ErrorLog /var/log/apache2/error.log
And finally, for your reference here is my ssl-default (ssl.conf). I replaced my domains and IPs with the ones you used in your example conf. I have multiple subdomains working with NameVirtualHost since I have a wildcard cert:
<IfModule mod_ssl.c>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
# 1.1.1.1 = domain1.com
<VirtualHost 1.1.1.1:443>
ServerName www.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/www.domain1.com/web
DirectoryIndex index.php index.html
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName secure.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/secure.domain1.com/
DirectoryIndex index.php index.html
</VirtualHost>
# 2.2.2.2 = *.domain2.com
<VirtualHost 2.2.2.2:443>
ServerName admin.domain2.com
ServerAdmin admin#domain2.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain2.key
SSLCertificateFile /var/www/ssl/domain2.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ErrorLog /var/log/apache2/error.log
DocumentRoot /var/www/domain2/secure.domain2.com/web
DirectoryIndex index.php index.html
php_flag display_errors on
php_value error_reporting 7
</VirtualHost>
</IfModule>
I hope this helps!!

You don't need a separate ssl.config file, but if you want to use one, then put your SSL <VirtualHost XXX:443> containers in your ssl.conf file rather than in your httpd,conf file.
The other option which we use on our site is to put the settings from the ssl.conf file in our httpd.conf file and rename the ssl.conf file to something like ssl.conf.bak (to keep it for reference).

It might help to put this Apache command before the first Virtual Host:
SSLStrictSNIVHostCheck on
This enabled me to have several different domains each with its own keys running on the same IP without getting confused.