intertwingly

It’s just data

Apache2, https, and Gutsy Gibbon


Ideally, reconfiguring your Apache installation under Ubuntu to support TLS/SSL (a.k.a. https) would be as easy as:

sudo a2enmod ssl
sudo apache2ctl restart

Unfortunately, there are additional steps involved.  There used to be a package named apache-ssl which did part of this work for you, but it mysteriously disappeared.  Essentially you need to obtain (or create) a certificate, and then configure Apache to use that certificate.  Much of the ground work was done by Paul Bramscher and Michael R Head, but the results need to be updated for a number of reasons.

First, you enable the ssl module:

sudo a2enmod ssl

Next, you need to tailor the configuration file used to produce your certificate.  If you attempt to use the template directly, you will see something like the following error:

problems making Certificate Request
13237:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2

Instead, copy the configuration file to /tmp and edit it there.  I used sed, but you can use your favorite editor.  Just make sure that the country code selected is only two characters, or you will continue to see an error like the one above.

cp /usr/share/ssl-cert/ssleay.cnf /tmp
sed -i "s/@CountryName@/US/" /tmp/ssleay.cnf
sed -i "s/@StateName@/North Carolina/" /tmp/ssleay.cnf
sed -i "s/@LocalityName@/Raleigh/" /tmp/ssleay.cnf
…

Now, generate the certificate.  Note: in the original script, $@ referred to the script arguments, and you need to specify the same file for -out and -keyout.

sudo mkdir /etc/apache2/ssl
sudo openssl req -config /tmp/ssleay.cnf -new -x509 -days 1460 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
sudo chmod 600 /etc/apache2/ssl/apache.pem
rm /tmp/ssleay.cnf

To complete the configuration you need to create a second website.  Your current default website will need to be modified so that its first two lines specify *:80 instead of *, limiting it to port 80.  A new ssl configuration will need to be created, based on the default and differing only in that it specifies port 443, has SSLEngine On, and is told where to locate your SSLCertificateFile.  Note that the step to modify ports.conf is no longer necessary.

cd /etc/apache2/sites-available
sudo sed -i '1,2s/\*/*:80/' default
sudo cp default ssl
sudo sed -i '1,2s/\*:80/*:443/' ssl
sudo sed -i "3a\\\tSSLEngine On\n\tSSLCertificateFile /etc/apache2/ssl/apache.pem" ssl
sudo a2ensite ssl

Finally, restart Apache:

sudo apache2ctl restart
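Two checks that bracket the certificate steps above, as an added example that is not part of the original post: a pre-flight check of the edited ssleay.cnf (a leftover @Placeholder@ or a country code longer than two characters is what produces the "string too long ... maxsize=2" error), and a post-generation check that the combined cert+key PEM Apache is pointed at really holds a matching pair. It assumes openssl is on PATH; the config contents and file names are constructed for the demonstration, and the key and certificate are written to separate files and joined rather than passing one file to both -out and -keyout.

```shell
# Added example, not from the original post. Pre-flight check on the edited
# ssleay.cnf, then generation and a post-check of the combined cert+key PEM
# that SSLCertificateFile points at. Assumes openssl on PATH; the config
# contents and file names below are constructed for this demonstration.

# Constructed stand-in for /usr/share/ssl-cert/ssleay.cnf after editing.
# $1 = country code to put in, $2 = file to write.
write_cnf() {
    cat > "$2" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = $1
stateOrProvinceName = North Carolina
localityName = Raleigh
organizationName = Example Org
commonName = www.example.com
EOF
}

# Pre-flight: fail if any @Placeholder@ survived or countryName is not 2 chars.
check_cnf() {
    if grep -q '@[A-Za-z]*@' "$1"; then
        echo "check_cnf: unreplaced placeholder in $1" >&2; return 1
    fi
    cc=$(sed -n '/^countryName[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1" | head -n 1)
    [ "${#cc}" -eq 2 ] || { echo "check_cnf: countryName '$cc' is not 2 chars" >&2; return 1; }
}

# Key and self-signed cert (1460 days, as above) joined into one PEM, mode 600.
make_pem() {   # $1 = config file, $2 = output PEM
    openssl req -config "$1" -new -x509 -days 1460 -nodes \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null || return 1
    cat "$2.key" "$2.crt" > "$2" && rm -f "$2.key" "$2.crt" && chmod 600 "$2"
}

# Post-check: PEM holds a cert and a private key, their public keys match,
# and the cert has not expired. Prints subject and expiry on success.
verify_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1" || { echo "no certificate in $1" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$1"      || { echo "no private key in $1" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -enddate
}
```

Run check_cnf on the file you edited in /tmp before the openssl req step, and verify_pem on /etc/apache2/ssl/apache.pem before restarting Apache.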