ssl on a local dev server - apache

I am running Ubuntu as a testing server on my laptop. I am attempting to set up some of the test sites with self-signed SSL certificates. I think I have everything correct except perhaps the Apache 2 conf files.
When creating the certificates I gave the common name as *.hr4.mdev. "mdev" is what I have arbitrarily called my local dev environment.
So I modified my existing conf file to listen on 443 instead of on 80 (line 1) and I added lines 6, 7 and 8.
<VirtualHost *:443>
ServerAdmin myemail@mydomain.com
ServerName marino.hr4.mdev
ServerAlias *.marino.hr4.mdev
DocumentRoot /var/www/marino.hr4/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<Directory /var/www/marino.hr4/htdocs>
php_value include_path /var/www/marino.hr4/htdocs
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/www/marino.hr4/logs/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel debug
CustomLog /var/www/marino.hr4/logs/access.log combined
</VirtualHost>
Now when I go to the site (https://marino.hr4.mdev) I am advised that "It works!", which is reassuring on a certain level, but it is not the content that I expected to see.
Having referenced tremor's link, my conf file now looks like this:
<VirtualHost 192.168.73.128:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ServerAdmin bernard@theminery.com
ServerName marino.hr4.mdev
ServerAlias *.marino.hr4.mdev
DocumentRoot /var/www/marino.hr4/htdocs
<Directory /var/www/marino.hr4/htdocs>
php_value include_path /var/www/marino.hr4/htdocs
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/www/marino.hr4/logs/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel debug
CustomLog /var/www/marino.hr4/logs/access.log combined
</VirtualHost>
After restarting Apache I am asked to add a security exception, which is fine, but I am then kicked to another site I have set up on my machine.

Add NameVirtualHost directive, something like this perhaps?
NameVirtualHost *:443
Listen 443
Your Apache server is obviously serving up its default server ("It works") instead of your website.
Here is some supporting information from apache: http://wiki.apache.org/httpd/NameBasedSSLVHosts
Edit:
Potentially move your virtual host to the first referenced vhost in the conf file; the default is selected based on order.

So in the end I modified the ports.conf file and added 443 to the Listen directive, so now it reads:
Listen 80 443
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
listen 443
</IfModule>
I also changed the first line of my conf file from
<VirtualHost 192.168.73.128:443>
back to
<VirtualHost *:443>
Special thanks to tremor for pointing me in the right direction.
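An added, end-to-end version of the fix this thread arrives at, written here as a shell script; it is not the OP's or the answerer's code. It assumes the OP's names and paths (ServerName marino.hr4.mdev, DocumentRoot /var/www/marino.hr4/htdocs, certificate files under /etc/apache2/ssl, Ubuntu's Apache 2.2 with a2ensite); the vhost file name marino.hr4.mdev.conf is made up. Three points the thread does not spell out: Listen takes one port per directive (an optional second word is a protocol name), so the final ports.conf line "Listen 80 443" opens only port 80 and it is the "Listen 443" inside <IfModule ssl_module> that opens 443; the SSLCipherSuite string in the second config is the old mod_ssl example and re-enables export-grade and SSLv2-era ciphers; and browsers match the certificate's subjectAltName list rather than the CN, with a wildcard covering exactly one label, so a CN of *.hr4.mdev does not cover the ServerAlias *.marino.hr4.mdev.

```sh
#!/bin/sh
# Added example for the thread above (not the OP's or the answerer's code).
# Assumes the OP's Ubuntu/Apache 2.2 layout and names: ServerName
# marino.hr4.mdev, DocumentRoot /var/www/marino.hr4/htdocs, certificate files
# under /etc/apache2/ssl. The vhost file name marino.hr4.mdev.conf is made up.
set -eu

# Self-signed dev certificate whose SANs list every name the vhost answers to.
# Browsers match the SAN list, not the CN, and a wildcard covers exactly one
# label: *.hr4.mdev matches marino.hr4.mdev but nothing under marino.hr4.mdev.
gen_dev_cert() {   # gen_dev_cert OUTDIR CN NAME... -> OUTDIR/apache.{crt,key}
  outdir=$1; cn=$2; shift 2
  san=""
  for n in "$@"; do san="${san}${san:+,}DNS:$n"; done
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = v3_req' '[dn]' "CN = $cn" '[v3_req]' \
    'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' "subjectAltName = $san" > "$outdir/openssl.cnf"
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -config "$outdir/openssl.cnf" -keyout "$outdir/apache.key" \
    -out "$outdir/apache.crt" 2>/dev/null
  chmod 600 "$outdir/apache.key"   # root reads it at startup; nobody else needs it
}

# 0 if NAME is listed literally as a DNS SAN in CERTFILE ("*.x" must appear as "*.x").
cert_lists_name() {   # cert_lists_name CERTFILE NAME
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# Name-based TLS vhost. On 2.2 the NameVirtualHost line is what makes Apache
# pick the vhost by the requested name instead of always serving the first
# *:443 vhost (the "It works!" default page); 2.4 ignores it with a warning.
# Listen takes ONE port per directive (a second word is a protocol name), so
# 443 needs its own Listen line; Ubuntu's ports.conf has one in <IfModule mod_ssl.c>.
write_vhost() {   # write_vhost OUTFILE FQDN DOCROOT CRT KEY
  cat > "$1" <<EOF
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName $2
    ServerAlias *.$2
    DocumentRoot $3
    SSLEngine on
    SSLCertificateFile $4
    SSLCertificateKeyFile $5
    # Instead of ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP,
    # which re-enables export-grade and SSLv2-era ciphers:
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    <Directory $3>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$2-error.log
    CustomLog \${APACHE_LOG_DIR}/$2-access.log combined
</VirtualHost>
EOF
}

if [ "${1:-}" = "--apply" ]; then   # stand-alone use; without --apply only functions are defined
  mkdir -p /etc/apache2/ssl
  gen_dev_cert /etc/apache2/ssl marino.hr4.mdev marino.hr4.mdev '*.marino.hr4.mdev'
  write_vhost /etc/apache2/sites-available/marino.hr4.mdev.conf marino.hr4.mdev \
    /var/www/marino.hr4/htdocs /etc/apache2/ssl/apache.crt /etc/apache2/ssl/apache.key
  a2ensite marino.hr4.mdev.conf
  apache2ctl configtest
  apache2ctl -S          # prints which vhost is the default for *:443
  service apache2 restart
  # The certificate actually served for the name, with SNI:
  openssl s_client -connect 127.0.0.1:443 -servername marino.hr4.mdev </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
fi
```

Run it as root with --apply to install; apache2ctl -S is the quickest way to see whether the default vhost for *:443 is still the "It works!" one. On Apache 2.4 the Order/Allow pair becomes Require all granted and the NameVirtualHost line can be dropped.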

Related

Error in apache2 server for SSL certificate

So I have purchased an SSL certificate, and need to add it to my Ubuntu box running the apache2 web service; however, for some reason, my .conf file shows me the same error over and over again.
After running the code apache2ctl configtest they mentioned...
AH00526: Syntax error on line 58 of /etc/apache2/sites-enabled/eblossom.conf:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
And in my .conf file...
<VirtualHost *:80>
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
Alias /static /home/najaaz/eblossom/static
<Directory /home/najaaz/eblossom/static>
Require all granted
</Directory>
Alias /media /home/najaaz/eblossom/media
<Directory /home/najaaz/eblossom/media>
Require all granted
</Directory>
<Directory /home/najaaz/eblossom/eblossom>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIScriptAlias / /home/najaaz/eblossom/eblossom/wsgi.py
WSGIDaemonProcess eblossom python-path=/home/najaaz/eblossom python-home=/home/najaaz/eblossom/venv
WSGIProcessGroup eblossom
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /home/najaaz/eblossom/eblossom_lk.crt
SSLCertificateKeyFile /home/najaaz/eblossom/eblossom.lk.key
SSLCertificateChainFile /home/najaaz/eblossom/eblossom_lk.ca-bundle
</VirtualHost>
I am using the Django framework and I don't understand where and how this error is caused.
Could anyone help me with this?
Thanks!
Run the following, and try again:
a2enmod ssl && systemctl restart apache2
Basically, what this command does is enable mod_ssl.
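An added example, not the asker's or answerer's code: a preflight for the missing-module error and a complete pair of vhosts for the Django site. It assumes Ubuntu's Apache 2.4 layout (a2enmod, sites-available, a ports.conf that opens 443 once mod_ssl is enabled) and the asker's paths under /home/najaaz/eblossom; the ServerName eblossom.lk is an assumption read off the certificate file names, since the question never states it. Two caveats the one-line answer leaves out: a2enmod ssl only makes the SSL* directives parse, and the posted <VirtualHost *:443> contains nothing but those directives, so after the restart it would complete the TLS handshake but serve the default DocumentRoot rather than the app, because vhosts do not inherit from each other; and SSLCertificateChainFile is deprecated since 2.4.8, when SSLCertificateFile started to accept the intermediates appended after the server certificate.

```sh
#!/bin/sh
# Added example for the thread above; not the asker's or answerer's code.
# Assumes Ubuntu's Apache 2.4 layout (a2enmod, sites-available, ports.conf
# opening 443 once mod_ssl is enabled) and the asker's paths under
# /home/najaaz/eblossom. The site name eblossom.lk is an assumption taken
# from the certificate file names; the thread never states the ServerName.
set -eu

# SSL* directives used by a vhost file. Any hit means mod_ssl must be loaded,
# otherwise configtest stops at the first one with "Invalid command".
ssl_directives_in() {   # ssl_directives_in CONFFILE
  grep -oE '^[[:space:]]*SSL[A-Za-z]+' "$1" | sed 's/^[[:space:]]*//' | LC_ALL=C sort -u
}

# 0 if MODULE appears in a module listing read from stdin (the output of
# "apache2ctl -M"; stdin so that a captured listing can be checked offline).
module_loaded() {   # apache2ctl -M | module_loaded ssl_module
  grep -qE "^[[:space:]]*$1[[:space:]]+\((static|shared)\)"
}

# Both vhosts for the site. The :443 vhost carries the WSGI and Alias
# directives because vhosts are independent: a <VirtualHost *:443> holding
# only SSL* lines answers TLS but serves the default DocumentRoot, not Django.
write_django_vhosts() {   # write_django_vhosts OUTFILE FQDN APPDIR CRT KEY CHAIN
  cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName $2
    Redirect permanent "/" "https://$2/"
</VirtualHost>

<VirtualHost *:443>
    ServerName $2
    SSLEngine on
    SSLCertificateFile $4
    SSLCertificateKeyFile $5
    # 2.4.8+: the intermediates may instead be appended to the SSLCertificateFile
    SSLCertificateChainFile $6
    Alias /static $3/static
    <Directory $3/static>
        Require all granted
    </Directory>
    Alias /media $3/media
    <Directory $3/media>
        Require all granted
    </Directory>
    <Directory $3/eblossom>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
    WSGIDaemonProcess eblossom python-path=$3 python-home=$3/venv
    WSGIProcessGroup eblossom
    WSGIScriptAlias / $3/eblossom/wsgi.py
    ErrorLog \${APACHE_LOG_DIR}/$2-error.log
    CustomLog \${APACHE_LOG_DIR}/$2-access.log combined
</VirtualHost>
EOF
}

if [ "${1:-}" = "--apply" ]; then   # stand-alone use; without --apply only functions are defined
  conf=/etc/apache2/sites-available/eblossom.conf
  app=/home/najaaz/eblossom
  if ! apache2ctl -M 2>/dev/null | module_loaded ssl_module; then
    a2enmod ssl            # LoadModule for mod_ssl; ports.conf then opens 443
  fi
  write_django_vhosts "$conf" eblossom.lk "$app" \
    "$app/eblossom_lk.crt" "$app/eblossom.lk.key" "$app/eblossom_lk.ca-bundle"
  # Apache reads the key as root at startup; nobody else in the home dir needs it.
  chown root:root "$app/eblossom.lk.key" && chmod 600 "$app/eblossom.lk.key"
  echo "SSL directives in use: $(ssl_directives_in "$conf" | tr '\n' ' ')"
  apache2ctl configtest && systemctl restart apache2
fi
```

module_loaded reads the listing on stdin so the same check works against a saved apache2ctl -M output; the :80 vhost does nothing but redirect, so the WSGI daemon is defined once, in the :443 vhost that actually serves the app.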

Installed SSL on Apache server, page not responding

My question is about SSL installation. I purchased a new SSL for a website that's hosted on an Ubuntu 16.04 box with Apache 2.4.29. I was able to get this installed and I'm not getting any errors, but my page is not redirecting. I've followed some guides (DigitalOcean) but feel as if I'm missing something.
I have checked the sites-available files (000-default.conf, default-ssl.conf & example.com.conf) and I'm not seeing anything that's catching my eye, but I feel I might be missing something. I've checked the status of Apache and I'm not getting any errors, and I've restarted the services several times to no avail.
Here's a general breakdown of what I have. Am I missing something? Is additional information required for setting this up?
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
Redirect "/" "https://example.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
SSLCertificateFile /root/example.com.crt
SSLCertificateKeyFile /root/www.example.com.key
SSLCACertificateFile /root/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
mydomain.com.conf
<VirtualHost *:443>
ServerAdmin admin@somedomain.com
ServerName mydomain.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/html
Redirect permanent / https://example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here is my attempt at a combined configuration. Note that I do not have your setup to test it, but I have used similar configurations on production servers.
First define your port 80 VirtualHost (000-default.conf in your setup):
Listen 80
<VirtualHost *:80>
Redirect "/" "https://example.com/"
LogLevel debug
ErrorLog "${APACHE_LOG_DIR}/80_error.log"
CustomLog "${APACHE_LOG_DIR}/80_access.log" combined
</VirtualHost>
No need for a DocumentRoot since you redirect everything.
Then comment out default-ssl.conf. This file is an example of what you could do to set up an SSL-enabled VirtualHost. If you use that file AND another VirtualHost on port 443, this one will always be used, since Apache uses the first VirtualHost it finds that matches the client's request (here port 443).
Another point: VirtualHosts are not "added" to one another. Each is independent of the others and must contain a complete configuration. This means you cannot put some configuration in one VirtualHost on port 443, and some in another, and expect it to work.
Then create your example.com.conf file:
Listen 443
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
SSLEngine on
SSLCertificateFile "/root/example.com.crt"
SSLCertificateKeyFile "/root/example.com.key"
SSLCACertificateFile "/root/intermediate.crt"
LogLevel debug
ErrorLog "logs/443_error_log"
CustomLog "logs/443_access_log" combined
DocumentRoot "/var/www/example.com/html"
DirectoryIndex index.html
<Directory "/var/www/example.com/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Some notes:
I put the LogLevel at debug, so you can troubleshoot, but once it is working, change it to error. Otherwise you will have huge log files quickly!
For the same reason, I split the logs for port 80 and port 443. Each VirtualHost should have its own logs.
The certificate files must match the domain name. Not the filename (although it makes it easier to match), but the certificate itself.
If you want your certificate to cover example.com and www.example.com, both names must be added to the alternate names in the certificate.
I do not understand why you have Redirect permanent / https://example.com in your configuration. You are already in the https, port 443 VirtualHost.
The options based on <FilesMatch> directives in the default ssl configuration can be added if you want.
This setup will ensure that all http requests will be redirected to https://example.com. Then it will use the :443 VirtualHost, use the proper certificate for that domain and serve the content from the DocumentRoot directory.
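An added check script for the answer's layout, not part of the answer, to run once the two vhosts are in place. It assumes the answer's names (example.com, the key at /root/example.com.key) and curl and openssl on the box. It tests three things this kind of configuration gets wrong in practice: the key under /root must not be group- or world-readable (Apache reads it as root before dropping privileges, so 0600 root:root is enough); the redirect must preserve the request path, which the trailing slash in Redirect "/" "https://example.com/" provides; and the server must send the intermediate certificate, for which SSLCACertificateFile is not the directive, since it configures the CAs used to verify client certificates. The intermediate belongs in SSLCertificateChainFile, or appended to SSLCertificateFile on 2.4.8 and later.

```sh
#!/bin/sh
# Added post-deployment check for the combined configuration above; it is
# not part of the answer. Assumes the answer's names: example.com, the key
# at /root/example.com.key, redirect vhost on :80, site vhost on :443.
set -eu

# 0 if group and other have no permission bits on the key. Apache reads the
# key as root at startup, so 0600 root:root is enough even under /root.
# ls -l's mode string is portable; stat's option flags are not.
key_private() {   # key_private KEYFILE
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Location: value from response headers on stdin (curl -sI). With
# Redirect "/" "https://example.com/" a request for /foo/ must land on
# https://example.com/foo/; a target without the trailing slash would glue
# "foo/" straight onto the host name.
redirect_location() { sed -n 's/^[Ll]ocation:[[:space:]]*//p' | tr -d '\r'; }

# Number of certificates the server sent, from openssl s_client output on
# stdin. 1 means the intermediate is missing: SSLCACertificateFile configures
# CAs for verifying CLIENT certificates; the intermediate to send belongs in
# SSLCertificateChainFile (or appended to SSLCertificateFile on 2.4.8+).
chain_length() {
  sed -n '/^Certificate chain/,/^---/p' | grep -c '^ *[0-9][0-9]* s:' || true
}

if [ "${1:-}" = "--check" ]; then   # ./check.sh --check example.com
  host=${2:-example.com}
  key_private "/root/$host.key" || echo "WARNING: $host.key is readable by group/other"
  echo "http://$host/foo/ -> $(curl -sI "http://$host/foo/" | redirect_location)"
  tls=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null)
  echo "certificates sent: $(printf '%s\n' "$tls" | chain_length)"
  printf '%s\n' "$tls" | grep 'Verify return code'   # 0 (ok) once the chain is complete
fi
```

Each helper reads its input from a file or stdin, so the same checks can be run against captured output from another machine; the --check mode wires them to the live server.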

Apache subdomain for graphite using mod_wsgi and SSL

I am having trouble configuring my apache with a new subdomain.
It's an Ubuntu server with apache2 and graphite; I have graphite working on port 80 (installed via apt-get).
Now the apache server currently serves a website (https://subdomain1.domain.com) and I would like to set up apache to serve the graphite app on https://subdomain2.domain.com (port 443). This is so subdomain1 can access the charts from graphite.
This is my apache2-graphite.conf
<VirtualHost *:80>
WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite
WSGIProcessGroup _graphite
WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}
WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi
Alias /content/ /usr/share/graphite-web/static/
<Location "/content/">
SetHandler None
</Location>
ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined
</VirtualHost>
and the /usr/share/graphite-web/graphite.wsgi :
import os, sys
os.environ['DJANGO_SETTINGS_MODULE'] = 'graphite.settings'
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
from graphite.logger import log
log.info("graphite.wsgi - pid %d - reloading search index" % os.getpid())
import graphite.metrics.search
I have tried changing the port and setting a ServerName and ServerAlias, and enabling SSL, but I haven't been able to get this working.
Sample (not working):
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName graphite.<my_domain_here>
WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite
WSGIProcessGroup _graphite
WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}
WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi
Alias /content/ /usr/share/graphite-web/static/
<Location "/content/">
SetHandler None
</Location>
ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/public.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCACertificateFile /etc/apache2/ssl/ca.crt
</VirtualHost>
</IfModule>
I found what I was doing incorrectly:
I added the subdomain to my /etc/hosts on my workstation and It worked!
Registered the subdomain with our web host and all OK now
I'll leave this here in case it helps someone else...

Redirect non-www https to www https on apache not working as expected

I know that similar questions have been asked over and over, however after looking at them I have still not been able to get my server working properly.
I have an SSL certificate installed on my server.
When I hit https://www.ashleyclarke.me -> all is good
When I hit http://www.ashleyclarke.me -> redirects to https://www.ashleyclarke.me
When I hit http://ashleyclarke.me -> redirects to https://www.ashleyclarke.me
My problem is when I hit https://ashleyclarke.me, I have tried to set a redirect but with no luck.
<VirtualHost *:443>
ServerAdmin me@ashleyclarke.me
ServerName www.ashleyclarke.me
ServerAlias ashleyclarke.me
DocumentRoot /var/www/ashleyclarke.me/public
<Directory /var/www/ashleyclarke.me/public>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order deny,allow
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/ashleyclarke.me-error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ashleyclarke.me-access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/ashleyclarke.me.crt
SSLCertificateKeyFile /etc/apache2/ssl/ashleyclarke.me.key
SSLCACertificateFile /etc/apache2/ssl/PositiveSSLCA2.crt
</VirtualHost>
<VirtualHost *:80>
ServerAdmin me@ashleyclarke.me
ServerName www.ashleyclarke.me
ServerAlias ashleyclarke.me
Redirect permanent / https://www.ashleyclarke.me/
</VirtualHost>
Your advice is appreciated.
Just ran into a similar problem myself and found the answer here: https://stackoverflow.com/a/9945842/883960
SSL negotiation happens before the response from the server - so to actually do this you'll need an SSL certificate for ashleyclarke.me (without the www.) and setup a second :443 VirtualHost to just redirect.
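The second :443 vhost the answer describes, as an added example rather than the answer's own code, together with the edit to the existing vhost that it needs. It assumes the asker's certificate paths, that the existing vhost lives in a file assumed here to be /etc/apache2/sites-available/www.ashleyclarke.me.conf, and that the certificate's subjectAltName list includes the bare ashleyclarke.me as well as www.ashleyclarke.me (the last openssl command prints the names it actually covers; if the bare name is missing, a certificate that has it is required, as the answer says, because the name check happens in the handshake before any redirect can be sent). The existing vhost's ServerAlias ashleyclarke.me has to go, because Apache picks the first *:443 vhost whose ServerName or ServerAlias matches, and that vhost comes first. The intermediate is given as SSLCertificateChainFile, the directive for certificates to send to clients; SSLCACertificateFile in the posted config is for verifying client certificates.

```sh
#!/bin/sh
# Added example for the answer above; not the asker's or answerer's code.
# Assumes the asker's paths, that the existing www vhost is in the file
# www.ashleyclarke.me.conf (an assumption), and that the certificate lists
# BOTH ashleyclarke.me and www.ashleyclarke.me as SANs.
set -eu

# A :443 vhost that only redirects. It still needs SSLEngine and a
# certificate: the TLS handshake (and the browser's name check) completes
# before Apache can send the 301, which is the point the answer makes.
redirect_ssl_vhost() {   # redirect_ssl_vhost FROM TO CRT KEY CHAIN
  cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
    SSLCertificateChainFile $5
    # The trailing slash keeps the request path: /about -> https://$2/about
    Redirect permanent "/" "https://$2/"
</VirtualHost>
EOF
}

# The www vhost must stop claiming the bare name, or it keeps winning: Apache
# picks the FIRST *:443 vhost whose ServerName/ServerAlias matches.
strip_server_alias() {   # strip_server_alias NAME < vhost.conf
  sed "/^[[:space:]]*ServerAlias[[:space:]]*$1[[:space:]]*\$/d"
}

if [ "${1:-}" = "--apply" ]; then   # stand-alone use; without --apply only functions are defined
  avail=/etc/apache2/sites-available
  www="$avail/www.ashleyclarke.me.conf"
  strip_server_alias ashleyclarke.me < "$www" > "$www.new" && mv "$www.new" "$www"
  redirect_ssl_vhost ashleyclarke.me www.ashleyclarke.me \
    /etc/apache2/ssl/ashleyclarke.me.crt /etc/apache2/ssl/ashleyclarke.me.key \
    /etc/apache2/ssl/PositiveSSLCA2.crt > "$avail/ashleyclarke.me-redirect.conf"
  a2ensite ashleyclarke.me-redirect.conf
  apache2ctl configtest && apache2ctl -S && service apache2 reload
  # Names the served certificate covers, and the redirect as a client sees it:
  openssl s_client -connect 127.0.0.1:443 -servername ashleyclarke.me </dev/null 2>/dev/null \
    | openssl x509 -noout -text | grep 'DNS:'
  curl -sI https://ashleyclarke.me/about | grep -i '^location:'
fi
```

If the DNS: line does not list ashleyclarke.me, the new vhost produces the same certificate warning the asker already sees and nothing in Apache can fix that; only a certificate covering the bare name can.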

hosting multiple SSL certs on apache

I hope someone can give me a hand with this. I have 2 IPs that I can use to do this and need to host 2 different secure (SSL) domains on the same Apache server. I've read that as of Apache 2.2.something that a single IP can be used, using some sort of add-in but I want to keep this as simple as possible and am willing to use both IPs to accomplish this task. I already have the 2 signed certificates for the domains.
This setup that I am posting here works, but the issue I am having is that when I go to domain2.net, I receive a browser warning telling me that the cert does not match the domain but matches domain1.com.
I'm using CentOS 5 and Apache 2.2.3. CentOS has an ssl.conf file and these lines are what I believe are giving me trouble:
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
I was under the impression that I could override these values in the virtual host containers and reference the keys that I need but it doesn't appear that way. When I comment these two lines out in the ssl.conf file, Apache won't restart. The ssl_log hints: SSLCertificateKeyFile
These are my virtual containers:
<VirtualHost 2.2.2.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain2.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.net.key
DocumentRoot "/var/www/domain2"
ServerName domain2.net
ServerAlias domain2.net
DirectoryIndex "index.php"
<Directory /var/www/html/domain2>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 1.1.1.1:444>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
DocumentRoot "/var/www/html"
ServerName domain1.com
ServerAlias domain1.com
DirectoryIndex "index.php"
<Directory /var/www/html>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
How can I get these two domains to work using SSL? I've also tried to use the same port for the different IPs but again, Apache won't restart.
I'm truly lost on this so if someone could lend a hand, I'd really appreciate it.
Great question!
I was able to get two SSL certificates working on the same server. You should be able to do what you are trying to do.
The things in your configuration that stand out as odd to me:
I'd suggest using port 443 for both SSL-protected sites. You should have a specific instruction in apache's conf files somewhere for listening on port 443. For me it is located in /etc/apache2/ports.conf
Listen 443
It seems odd that you have ServerName and ServerAlias both using the same domain per virtual host. Try making the ServerAlias different or leaving it out:
ServerName domain1.com
ServerAlias www.domain1.com
I am assuming that you replaced your IPs and domains in your posted conf. Even if they are not the actual IPs you are using, you might want to double check that they can get you to the right place outside of SSL (since obviously SSL is not working).
Check the apache2 error log for more information. For me the log is located at: /var/log/apache2/error.log . You can set it with:
ErrorLog /var/log/apache2/error.log
And finally, for your reference here is my ssl-default (ssl.conf). I replaced my domains and IPs with the ones you used in your example conf. I have multiple subdomains working with NameVirtualHost since I have a wildcard cert:
<IfModule mod_ssl.c>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
# 1.1.1.1 = domain1.com
<VirtualHost 1.1.1.1:443>
ServerName www.domain1.com
ServerAdmin admin@domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/www.domain1.com/web
DirectoryIndex index.php index.html
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName secure.domain1.com
ServerAdmin admin@domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/secure.domain1.com/
DirectoryIndex index.php index.html
</VirtualHost>
# 2.2.2.2 = *.domain2.com
<VirtualHost 2.2.2.2:443>
ServerName admin.domain2.com
ServerAdmin admin@domain2.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain2.key
SSLCertificateFile /var/www/ssl/domain2.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ErrorLog /var/log/apache2/error.log
DocumentRoot /var/www/domain2/secure.domain2.com/web
DirectoryIndex index.php index.html
php_flag display_errors on
php_value error_reporting 7
</VirtualHost>
</IfModule>
I hope this helps!!
You don't need a separate ssl.conf file, but if you want to use one, then put your SSL <VirtualHost XXX:443> containers in your ssl.conf file rather than in your httpd.conf file.
The other option which we use on our site is to put the settings from the ssl.conf file in our httpd.conf file and rename the ssl.conf file to something like ssl.conf.bak (to keep it for reference).
It might help to put this Apache command before the first Virtual Host:
SSLStrictSNIVHostCheck on
This enabled me to have several different domains each with its own keys running on the same IP without getting confused.
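An added example for the two-address setup the asker prefers; it is not code from the question or any of the answers. It assumes CentOS 5's /etc/httpd/conf.d/ssl.conf, which contains the single Listen 443 and a <VirtualHost _default_:443> block that carries the SSLCertificateFile lines quoted in the question; 1.1.1.1 and 2.2.2.2 are the asker's placeholder addresses and the file name two-sites-ssl.conf is invented here. The startup failure in the question is explained by that block: commenting out its certificate lines leaves a vhost with SSLEngine on and no key, which mod_ssl rejects at startup (the ssl_log hint about SSLCertificateKeyFile). Either leave the default block with a certificate of its own or delete the whole <VirtualHost _default_:443> section; the per-IP vhosts below do not depend on it. They are selected by the address the client connected to, so no SNI, NameVirtualHost or second port is involved, and the single Listen 443 already in ssl.conf covers both addresses. Note also that the posted <Directory /var/www/html/domain2> does not match its DocumentRoot /var/www/domain2, so none of its rules applied.

```sh
#!/bin/sh
# Added example for this thread; not the asker's or answerers' code. Assumes
# CentOS 5's /etc/httpd/conf.d/ssl.conf, which opens port 443 once and ships a
# <VirtualHost _default_:443> of its own; 1.1.1.1 and 2.2.2.2 are the asker's
# placeholder addresses and the file name two-sites-ssl.conf is made up here.
set -eu

# address:port of every <VirtualHost> in a file. Run it on ssl.conf: its
# _default_:443 block has SSLEngine on, so commenting out only its certificate
# lines leaves a TLS vhost with no key, and httpd refuses to start.
vhost_addrs() {   # vhost_addrs CONFFILE
  sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*\([^>]*\)>.*/\1/p' "$1"
}

# One IP-based vhost per certificate, both on 443. The vhost is chosen by the
# address the client connected to, so no SNI (and no NameVirtualHost) is
# involved; the single "Listen 443" already in ssl.conf covers both addresses.
ip_ssl_vhost() {   # ip_ssl_vhost IP FQDN DOCROOT CRT KEY
  cat <<EOF
<VirtualHost $1:443>
    ServerName $2
    ServerAlias www.$2
    DocumentRoot "$3"
    DirectoryIndex index.php
    SSLEngine on
    SSLCertificateFile $4
    SSLCertificateKeyFile $5
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5
    # <Directory> must name the DocumentRoot itself, or its rules never apply
    <Directory "$3">
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

if [ "${1:-}" = "--apply" ]; then   # stand-alone use; without --apply only functions are defined
  echo "vhosts in ssl.conf: $(vhost_addrs /etc/httpd/conf.d/ssl.conf | tr '\n' ' ')"
  { ip_ssl_vhost 1.1.1.1 domain1.com /var/www/html \
      /etc/pki/tls/certs/domain1.com.crt /etc/pki/tls/private/domain1.com.key
    ip_ssl_vhost 2.2.2.2 domain2.net /var/www/domain2 \
      /etc/pki/tls/certs/domain2.net.crt /etc/pki/tls/private/domain2.net.key
  } > /etc/httpd/conf.d/two-sites-ssl.conf
  chmod 600 /etc/pki/tls/private/domain1.com.key /etc/pki/tls/private/domain2.net.key
  httpd -t && httpd -S && service httpd restart
  # Each address must hand out its own certificate, with no SNI sent:
  for ip in 1.1.1.1 2.2.2.2; do
    printf '%s: ' "$ip"
    openssl s_client -connect "$ip:443" </dev/null 2>/dev/null | openssl x509 -noout -subject
  done
fi
```

httpd -S lists every vhost with the address it is bound to, which shows at once whether the _default_:443 block from ssl.conf is still present; the final loop is the same check the asker's browser does, minus SNI, so each address must print its own subject.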