Apache2, https, and Gutsy Gibbon
Ideally, reconfiguring your Apache installation under Ubuntu to support TLS/SSL (a.k.a. https) would be as easy as:
sudo a2enmod ssl
sudo apache2ctl restart
Unfortunately, there are additional steps involved. There used to be a package named apache-ssl which did part of this work for you, but it mysteriously disappeared. Essentially, you need to obtain (or create) a certificate and configure Apache to use that certificate. Much of the groundwork was done by Paul Bramscher and Michael R Head, but the results need to be updated for a number of reasons.
First, you enable the ssl module:
sudo a2enmod ssl
Next, you need to tailor the configuration file used to produce your certificate. If you attempt to use the template directly, you will see something like the following error:
problems making Certificate Request
13237:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
Instead, copy the configuration file to /tmp and edit it there. I used sed, but you can use your favorite editor. Just make sure that the country code selected is only two characters, or you will continue to see an error like the one above.
cp /usr/share/ssl-cert/ssleay.cnf /tmp
sed -i "s/@CountryName@/US/" /tmp/ssleay.cnf
sed -i "s/@StateName@/North Carolina/" /tmp/ssleay.cnf
sed -i "s/@LocalityName@/Raleigh/" /tmp/ssleay.cnf
…
Now, generate the certificate. Note: in the original script, $@ referred to the script arguments, and you need to specify the same file for -out and -keyout.
sudo mkdir /etc/apache2/ssl
sudo openssl req -config /tmp/ssleay.cnf -new -x509 -days 1460 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
sudo chmod 600 /etc/apache2/ssl/apache.pem
rm /tmp/ssleay.cnf
To complete the configuration you need to create a second website. Your current default website will need to be modified from specifying * to specifying *:80, limiting it to port 80. A new ssl configuration will need to be created, based on the default and differing only in that it specifies port 443, and is configured with SSLEngine On and told where to locate your SSLCertificateFile. Note the step to modify ports.conf is no longer necessary.
cd /etc/apache2/sites-available
sudo sed -i '1,2s/\*/*:80/' default
sudo cp default ssl
sudo sed -i '1,2s/\*:80/*:443/' ssl
sudo sed -i "3a\\\tSSLEngine On\n\tSSLCertificateFile /etc/apache2/ssl/apache.pem" ssl
sudo a2ensite ssl
Finally, restart Apache:
sudo apache2ctl restart
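The certificate step above fails when the template's @CountryName@ placeholder, or any country code longer than two characters, reaches openssl req. The following preflight check for the tailored /tmp/ssleay.cnf is an added example, not part of the original post; the function names and the layout of the sample template are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for a tailored ssleay.cnf before `openssl req`.
# Usage: check_ssleay_cnf /tmp/ssleay.cnf && sudo openssl req -config /tmp/ssleay.cnf ...
# Return codes: 0 ok, 1 unreplaced @Placeholder@ left, 2 bad countryName.
check_ssleay_cnf() {
    cnf=$1
    # Any surviving @Name@ token means a substitution was skipped.
    if grep -Eq '@[A-Za-z]+@' "$cnf"; then
        echo "unreplaced placeholder(s):" >&2
        grep -En '@[A-Za-z]+@' "$cnf" >&2
        return 1
    fi
    # Take the value after "countryName =" and trim trailing whitespace.
    country=$(sed -n 's/^[[:space:]]*countryName[[:space:]]*=[[:space:]]*//p' "$cnf" \
        | sed 's/[[:space:]]*$//' | head -n 1)
    # countryName is limited to two characters (the maxsize=2 in the error).
    case $country in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) echo "countryName '$country' is not a two-letter code" >&2
           return 2 ;;
    esac
}

# Constructed sample template: it uses only the three placeholders shown in
# the post; the layout of the real /usr/share/ssl-cert/ssleay.cnf is assumed.
make_sample_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
countryName = @CountryName@
stateOrProvinceName = @StateName@
localityName = @LocalityName@
EOF
}
```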