Setup SSL on Debian Apache Virtualhost
Assuming:
Debian 7 Wheezy
You have more than one website on your server (therefore you are using Virtualhost files for each website)
You are on Apache 2.2
Reference: https://www.debian-administration.org/article/349/Setting_up_an_SSL_server_with_Apache2
You should do this first: generate the SSL key, CSR and certificate (crt) files.
Apache SSL Setup (what they say and what I did not do):
To enable SSL, type (as user root):
sudo a2ensite default-ssl
(The ssl module has to be enabled as well, with a2enmod ssl; a2ensite only links the site file, and without mod_ssl loaded Apache refuses to start with "Invalid command 'SSLEngine'".)
Apache says: adjust the SSLCertificateFile and SSLCertificateKeyFile directives in /etc/apache2/sites-available/default-ssl to point to your SSL certificate. The defaults are the self-signed "snakeoil" pair:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Comment out or remove these lines, then add lines pointing to the new certificate and key files.
I put my SSL keys and certs into /etc/apache2/ssl/. The recommended order for the directives is:
1) your private key
2) your certificate
3) intermediate CA certificate
…other CA certificates…
SSLCertificateKeyFile /etc/apache2/ssl/private/the.key
SSLCertificateFile /etc/apache2/ssl/the.crt
SSLCertificateChainFile /etc/apache2/ssl/Thawte_DV_SSL_CA_Bundle.crt
SSLCACertificateFile /etc/apache2/ssl/PrimaryRootCA.crt
Note that SSLCACertificateFile is only consulted when Apache verifies client certificates (SSLVerifyClient); it is not part of the chain sent to browsers, which already ship the root CA. It does no harm here, but the directive a browser depends on to build the chain is SSLCertificateChainFile.
The SSL key file should only be readable by root, the certificate file may be globally readable. These files are read by the Apache parent process which runs as root. Therefore it is not necessary to make the files readable by the www-data user.
This mirrors Debian's own ownership for keys under /etc/ssl/private (root:ssl-cert), with the key readable only by root:
sudo chown root:ssl-cert /etc/apache2/ssl/private/the.key
sudo chmod 600 /etc/apache2/ssl/private/the.key
I found that root:root also works, and some others out there say that only root needs access anyway. (With mode 600 the group bits are all off, so the group owner makes no difference either way.)
/etc/apache2/sites-available/www.example.com
Pay attention to the log directives: without them my access logs were empty. Apparently the log directives in default and default-ssl do not affect access.log and ssl_access.log for this site (error.log was working fine, but I explicitly put them in the virtualhost file anyway). That is expected: ErrorLog is inherited from apache2.conf, but CustomLog applies per virtual host, so a VirtualHost without its own CustomLog does not pick up the one in default; on Debian such requests land in other_vhosts_access.log via conf.d/other-vhosts-access-log.
<VirtualHost *:80>
    ServerAdmin webmaster@seleads.com
    ServerName www.example.com
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    DocumentRoot /var/www/www.example.com/
</VirtualHost>

<VirtualHost *:80>
    # Bare domain: send everything to the www host. Redirect takes a URL-path
    # as its first argument, so "Redirect 301 http://example.com ..." inside
    # the www vhost (with ServerAlias example.com) never matches a request;
    # a separate vhost redirecting "/" does.
    ServerName example.com
    Redirect 301 / http://www.example.com/
</VirtualHost>

<VirtualHost 101.101.101.101:443>
    SSLEngine on
    ServerName www.example.com
    SSLCertificateKeyFile /etc/apache2/ssl/private/the.key
    SSLCertificateFile /etc/apache2/ssl/the.crt
    SSLCertificateChainFile /etc/apache2/ssl/Thawte_DV_SSL_CA_Bundle.crt
    SSLCACertificateFile /etc/apache2/ssl/PrimaryRootCA.crt
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/ssl_access.log combined
    DocumentRoot /var/www/www.example.com/
</VirtualHost>
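The virtualhost above serves the site over plain HTTP as well as HTTPS and leaves mod_ssl's protocol and cipher defaults in place. The following is an added example, not the post's own configuration: the same two hosts on Apache 2.2, with the :80 side reduced to a redirect so content is only ever served over TLS, SSLv2/SSLv3 disabled, the server's cipher preference enforced, and an HSTS header set. It keeps the post's IP address and file paths and assumes mod_headers is enabled (a2enmod headers); the cipher string and HSTS max-age are my choices, not values from the post.

```apache
# Added example (not the original post's config). Assumes: a2enmod ssl headers.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # Redirect's first argument is a URL-path: "/" matches every request.
    Redirect permanent / https://www.example.com/
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>

<VirtualHost 101.101.101.101:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com/
    SSLEngine on
    # Key, end-entity cert, intermediates: same files as in the post.
    SSLCertificateKeyFile   /etc/apache2/ssl/private/the.key
    SSLCertificateFile      /etc/apache2/ssl/the.crt
    SSLCertificateChainFile /etc/apache2/ssl/Thawte_DV_SSL_CA_Bundle.crt
    # No SSLCACertificateFile: it configures client-certificate verification
    # and is not part of the chain sent to browsers.
    # Protocol/cipher hardening available on Apache 2.2 (assumed values).
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    # Tell browsers to use HTTPS for this host from now on (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/ssl_access.log combined
</VirtualHost>
```

Run apache2ctl configtest before reloading; an unknown directive there usually means the corresponding module (ssl, headers) is not enabled.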
If you do not change the hostname and hosts files you will get this warning (only annoying, not mission critical):
RSA server certificate CommonName (CN) www.example.com does NOT match server name!?
sudo vi /etc/hostname
add the line: www.example.com
sudo vi /etc/hosts
edit the line: 127.0.0.1 www.example.com localhost
Finally this may help a bit:
SSL keys and certs IN THIS ORDER
1) your private key
2) your certificate
3) intermediate CA certificate
…other CA certificates…
SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.
SSLCertificateKeyFile /etc/apache2/ssl/private/the.key
SSLCertificateFile – This will need to point to the end entity certificate.
SSLCertificateFile /etc/apache2/ssl/the.crt
SSLCertificateChainFile – This will need to point to the intermediate CA certificate(s) between your certificate and the root (the root itself is already in the browser's trust store).
SSLCertificateChainFile /etc/apache2/ssl/Thawte_DV_SSL_CA_Bundle.crt
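Before reloading Apache it is worth checking that the three files the directives above point to actually belong together (the key to the certificate, the certificate to the intermediate bundle) and that the key has the permissions described earlier, because mod_ssl only reports a key/cert mismatch at start-up and never complains about a broken chain at all. The script below is an added example, not from the original post: check_ssl_files does those three checks with the openssl CLI, and make_test_pki builds a constructed throwaway root, intermediate and leaf (standing in for Thawte's root, the DV bundle and the.crt) so it can be run anywhere; on the real server you would call check_ssl_files with the post's paths instead.

```sh
#!/bin/sh
# Added example, not from the original post. Checks a key/certificate/chain set
# laid out as in the post (SSLCertificateKeyFile, SSLCertificateFile,
# SSLCertificateChainFile) before Apache is told to use it. Needs the openssl
# CLI; the CA hierarchy in make_test_pki is constructed sample data.

# check_ssl_files KEY CRT CHAIN ROOT
# Returns 0 when KEY belongs to CRT, CRT chains through CHAIN to ROOT, and KEY
# is readable by its owner only; otherwise prints why and returns 1.
check_ssl_files() {
    key=$1; crt=$2; chain=$3; root=$4

    # 1. The public key inside the certificate must equal the one derived from
    #    the private key (works for RSA and EC keys alike).
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2
        return 1
    fi

    # 2. The end-entity cert must validate with CHAIN as the untrusted
    #    intermediate(s) and ROOT as the trust anchor, as a browser would.
    if ! openssl verify -CAfile "$root" -untrusted "$chain" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $root via $chain" >&2
        return 1
    fi

    # 3. Group and other permission bits on the key must all be off
    #    (mode 600 once it is owned by root, as in the post).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group or others" >&2
        return 1
    fi
    echo "OK: $crt matches $key and chains to $root"
}

# make_test_pki DIR: constructed throwaway root -> intermediate -> leaf hierarchy.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$d/leaf.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root CA' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$d/the.key" -out "$d/the.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/the.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.cnf" -out "$d/the.crt" 2>/dev/null
    chmod 600 "$d"/*.key
}

# demo: exercise the check on the constructed hierarchy; returns 0 only if the
# good set is accepted and both broken variants are rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    make_test_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    rc=0
    check_ssl_files "$tmp/the.key" "$tmp/the.crt" "$tmp/int.crt" "$tmp/root.crt" || rc=1
    # Wrong key (the intermediate's) for the.crt must be rejected.
    check_ssl_files "$tmp/int.key" "$tmp/the.crt" "$tmp/int.crt" "$tmp/root.crt" && rc=1
    # A key that group/others can read must be rejected.
    chmod 644 "$tmp/the.key"
    check_ssl_files "$tmp/the.key" "$tmp/the.crt" "$tmp/int.crt" "$tmp/root.crt" && rc=1
    rm -rf "$tmp"
    return $rc
}

demo
```

On the live server, run check_ssl_files /etc/apache2/ssl/private/the.key /etc/apache2/ssl/the.crt /etc/apache2/ssl/Thawte_DV_SSL_CA_Bundle.crt /etc/apache2/ssl/PrimaryRootCA.crt as root, and after the reload confirm what Apache actually sends with openssl s_client -connect www.example.com:443 -showcerts: the intermediate must appear in that output, otherwise the chain file is not being picked up.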