I have an Ubuntu 16.04 server running and set up one vhost in apache2 which uses (or should use) SSL:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin myemail@mailhoster.xx
        ServerName my.domain.name.de
        DocumentRoot /var/www/mysslsite
        <Directory /var/www/mysslsite>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/mysite.ssl.error.log
        CustomLog ${APACHE_LOG_DIR}/mysite.ssl.access.log combined
    </VirtualHost>
</IfModule>
I did NOT enable the standard sites-available/default-ssl.conf.
I am now able to browse to https://my.domain.name.de and Firefox asks me to add an exception, which is totally normal if I did not buy any certificate.
But I was wondering where it is set up that it should use the certificates in the /etc/apache2/ssl/ directory. I cannot find any config where it is told to use that. I was always thinking that it would use something from the /etc/ssl folder.
Or did I maybe not activate SSL correctly?
Best Answer
According to some manuals the SSL certificate files must be placed under /etc/apache2/ssl/, but they can be placed in a different folder, depending on your own configuration.
To have HTTPS access to your site, you must enable the SSLEngine and provide a valid SSL certificate.
For this purpose you should use the OpenSSL command line tool to generate your own certificate. Then you need to validate the certificate at any provider such as COMODO, StartSSL, your local DNS provider, etc. Usually they offer free certificates for a few months. Regarding this way of certificate generation you may look at these guides: for 14.04 and 16.04.
Also you can use the software tool Let's Encrypt. From Let's Encrypt Getting Started page:
I would suggest you to use Let's Encrypt, at this stage. So let's begin.
1st - install Let's Encrypt:
2nd - generate the certificate. To generate an SSL certificate compatible with Apache just type: letsencrypt --apache. This command will start an interactive dialogue (where you must fill in your site's personal data) and will generate an HTTPS.conf file based on your existing HTTP.conf file.
You can also use some additional parameters, for example letsencrypt --apache certonly will do the same as above but will not generate the HTTPS.conf file.
Also you can put all necessary parameters to avoid the dialogue. According to the information provided in the question our command should look like:
Let's assume you choose the last approach. The command will generate all necessary certificate files and they will be placed in the folder /etc/letsencrypt/archive/my.domain.name.de/. Also these files will be sym-linked into the folder /etc/letsencrypt/live/my.domain.name.de/. These symlinks will be updated automatically in the future, so we will use them.
3rd - configure (manually) your HTTPS VirtualHost. According to the above the configuration file should look like:
4th - a2ensite the new VirtualHost, just in case a2enmod ssl and restart Apache. That's it. I hope now you will have HTTPS access to your site.
5th - renew your certificate into the future. For this purpose you can edit root's Crontab and add a job which will try to letsencrypt renew the certificates, every Sunday at 3:00 AM for example. Type sudo crontab -e and add this line at the bottom:
Notes:
letsencrypt/python-letsencrypt-apache is available for Ubuntu 16.04 and above, for previous versions there is certbot which is almost the same - from Ubuntu Manuals.
If you have a few VirtualHosts you can use this syntax to generate their certificates (all together):
certbot.eff.org - Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.
The above answer is based on this one, where more details about the Apache's VH configuration are provided.
Read here how and why you should update your letsencrypt/certbot until February 13th, 2019: Failed to upgrade certbot on Ubuntu Bionic
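An added example, not from the original answer: an HTTPS VirtualHost for the question's site that names its certificate explicitly, using the symlinks under /etc/letsencrypt/live/my.domain.name.de/ described in step 2. The file name in the first comment is an assumption; fullchain.pem and privkey.pem are the names Let's Encrypt clients write into the live directory, and Require all granted is the Apache 2.4 form of the question's Order/allow rules.

```apache
# Assumed location: /etc/apache2/sites-available/mysslsite-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin myemail@mailhoster.xx
        ServerName my.domain.name.de
        DocumentRoot /var/www/mysslsite

        # These directives are what tie the vhost to a certificate.
        # The question's vhost has none of them, so nothing in that file
        # says which certificate is served.
        SSLEngine on

        # fullchain.pem holds the site certificate followed by the
        # intermediate chain; SSLCertificateFile accepts this combined
        # file in Apache 2.4.8 and later.
        SSLCertificateFile    /etc/letsencrypt/live/my.domain.name.de/fullchain.pem

        # Private key matching the certificate above. The live/ path is a
        # symlink into archive/ that is repointed on renewal, so this file
        # does not need editing when the certificate is renewed.
        SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.name.de/privkey.pem

        <Directory /var/www/mysslsite>
            Options FollowSymLinks MultiViews
            AllowOverride All
            # Apache 2.4 syntax, equivalent to "Order allow,deny" plus
            # "allow from all" in the question's configuration.
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/mysite.ssl.error.log
        CustomLog ${APACHE_LOG_DIR}/mysite.ssl.access.log combined
    </VirtualHost>
</IfModule>
```

Running grep -R SSLCertificateFile /etc/apache2/ shows every file that names a certificate, and apache2ctl configtest checks the syntax before Apache is restarted.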