Unable to get SSL to work on my Ubuntu Apache2

I am trying to enable SSL on my Ubuntu server running Apache2, but when I restart the Apache2 service it crashes silently.

I have a cloned copy of the Ubuntu server in my Dev location and I was able to apply this without any issues.

I made what I think are the correct edits to the /etc/apache2/sites-enabled/site-name.com.conf file.
Can someone please shed some light on this for me?

    ServerAdmin webmaster@localhost
    ServerName www.contoso.com
    ServerAlias  contoso.com
    DocumentRoot /var/www/www.contoso.com/web
    SSLEngine on    
    SSLCertificateFile /etc/apache2/cert/contoso.crt
    SSLCertificateKeyFile /etc/apache2/cert/contoso.key
    SSLCertificateFile /etc/apache2/cert/gd_bundle-g2-g1.crt
        Options FollowSymLinks
        AllowOverride All
    <DIRECTORY /var/www/www.contoso.com/web>
        Options +FollowSymLinks
        AllowOverride All
        #AuthType Basic
        #AuthName "Restricted Content"
        #AuthUserFile /etc/apache2/.htpasswd
        #Require valid-user

        # <IfModule mod_rewrite.c>
        # RewriteEngine On
        # RewriteBase /
        # RewriteCond %{REQUEST_FILENAME} -f [OR]
        # RewriteCond %{REQUEST_FILENAME} -d
        # RewriteRule ^.*$ - [S=40]
        # RewriteRule (.*)/(.*)/$ /index.php?page=$1&id=$2 [QSA,L]
        # RewriteRule (.*)/$ /index.php?page=$1 [QSA,L]
        # </IfModule>
        # php_value auto_prepend_file /var/www/www.contoso.com/prepend.php
    ErrorLog ${APACHE_LOG_DIR}/www.haugpartners.com_error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/www.haugpartners.com_access.log combined


Attached is the log: ApacheLog.txt
It is saying that a private key was not found.
This is a GoDaddy wildcard cert that was exported as a PFX from an IIS server and converted to a .KEY file using OpenSSL.
yo_bee (Director of Information Technology) asked:

noci (Software Engineer) commented:
If you requested a certificate, then you also created a private/public key pair before that. The public one went into the CSR.
The public key is signed inside the certificate. The private key you still have on your system.

The web server needs the certificate (to send to the client), and the private key to encrypt (the client can decrypt using the certificate, which contains the public key).
So this needs to be a valid key: /etc/apache2/cert/contoso.key (private key), which wasn't in any certificate file....
And your config specifies SSLCertificateFile two times; only one can be specified.
The certificate file is needed, onto which all intermediate certificates need to be APPENDED.
(So you need to do:

    cat /etc/apache2/cert/contoso.crt /etc/apache2/cert/gd_bundle-g2-g1.crt > /etc/apache2/cert/contoso.full.crt

and use /etc/apache2/cert/contoso.full.crt for SSLCertificateFile.)
yo_bee (Director of Information Technology, Author) commented:
Let me try that.

Should the conf read like this :

    ServerAdmin webmaster@localhost
    ServerName www.contoso.com
    ServerAlias  contoso.com
    DocumentRoot /var/www/www.contoso.com/web
    SSLEngine on    
    #SSLCertificateFile /etc/apache2/cert/contoso.crt
    #SSLCertificateKeyFile /etc/apache2/cert/contoso.key
    #SSLCertificateFile /etc/apache2/cert/gd_bundle-g2-g1.crt
    SSLCertificateFile /etc/apache2/cert/contoso.full.crt


noci (Software Engineer) commented:
That contoso.full.crt ONLY contains the certificate chain....
You still need the contoso.key file.

When you created the CSR for GoDaddy you created a key, and the key was used to create the CSR; the CSR was sent to GoDaddy.
That initial key is required.
yo_bee (Director of Information Technology, Author) commented:
The .KEY part is the part I do not know. This is a wildcard cert, and the CSR may have been created by an IIS server. I do not know for sure.
noci (Software Engineer) commented:
OK, the certificate you received from GoDaddy needs to be loaded into the IIS server which created the CSR; then you can export the certificate WITH key (and allow exports, I think; I have no Windows systems). The .PFX file thus created can be sent to the Ubuntu system.

There you can extract the .key file using:

    openssl pkcs12 -in contoso.pfx -out contoso.key -nocerts
yo_bee (Director of Information Technology, Author) commented:
I did all that and it still does not work, but I will try it again.
noci (Software Engineer) commented:
You can easily verify if you have the right files
(the files are regular text files):

    head -n 1 contoso.key

should give:

    head -n 1 contoso.full.crt

should give:

(tail -n 1 for the same files should read --- END .... ---)
yo_bee (Director of Information Technology, Author) commented:
I will pick this up later in the weekend and follow up.

Nothing seems to be working.
I should be able to export a cert from IIS and import it into Apache2?
noci (Software Engineer) commented:
(Not IIS; you need the certutil MMC applet, IIRC.)
But it needs to be done on the IIS server that made the CSR.....
yo_bee (Director of Information Technology, Author) commented:
My bad. I meant it is the wildcard cert that is used by the IIS server, and the PFX was exported from the cert store MMC.
noci (Software Engineer) commented:
Was it exported from the IIS server with exportable key?
yo_bee (Director of Information Technology, Author) commented:
noci (Software Engineer) commented:
Then the key file should be extractable from the .pfx, and you can read the key file in text editors (not Microsoft Word, LibreOffice etc.) like Notepad, vi etc., or on Linux: cat contoso.key
The key file must be readable by Apache, e.g. chmod 640 contoso.key; chgrp apache contoso.key. The same goes for the directory where the file is.
Also the directory must be accessible by Apache.
yo_bee (Director of Information Technology, Author) commented:
Found my issue in the CONF file.
I needed to remark out the intermediate .crt file path, and I was able to start the site with the .crt for the wildcard cert along with the converted PFX-to-KEY file.

    ServerAdmin webmaster@localhost
    #ServerName www.NewDomain.com
    ServerAlias NewDomain.com
    DocumentRoot /var/www/www.NewDomain.com/web
    SSLEngine on    
    SSLCertificateFile /etc/apache2/cert/359dc02304e01eae.crt    
    SSLCertificateKeyFile /etc/apache2/cert/hp.key
    SSLCertificateChainFile  /etc/apache2/cert/gd_bundle-g2-g1.crt


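The whole procedure discussed in this thread, as an added example that is not part of the original posts and is not code from noci or yo_bee: it builds a throwaway CA and leaf certificate, packs them into a PFX the way the Windows certificate-store export would, unpacks the key, leaf and chain with openssl pkcs12 (the extraction step noci gives), assembles the leaf-plus-intermediates file, and then runs the checks a practitioner wants before touching Apache: the head -n 1 check on each file, a public-key comparison proving the .key really belongs to the .crt, and a chain verification. The names (Demo Issuing CA, www.contoso.com, the PFX pass phrase, the file names) are assumptions for the demo; it needs only the openssl command-line tool and a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread. Round-trip a certificate through a PFX,
# extract the pieces with openssl pkcs12, assemble the chain file and verify
# the results before pointing Apache at them. All keys are throwaway and
# generated in a temp directory; every name below is an assumption for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Throwaway issuing CA and a leaf signed by it (stand-ins for the GoDaddy
#    intermediate in gd_bundle-g2-g1.crt and for the wildcard certificate).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Issuing CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.contoso.com" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out leaf.crt 2>/dev/null

# 2. Pack key + leaf + chain into a PFX, as the MMC "export with private key" does.
openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile ca.crt \
    -passout pass:Demo-pfx-pass -out contoso.pfx

# 3. Unpack it on the Linux side. -nocerts alone writes an ENCRYPTED key, and
#    Apache would then prompt for a pass phrase at every start; -nodes leaves
#    the key unencrypted so the service can start unattended.
openssl pkcs12 -in contoso.pfx -passin pass:Demo-pfx-pass -nocerts -nodes -out key_raw.pem
openssl pkcs12 -in contoso.pfx -passin pass:Demo-pfx-pass -clcerts -nokeys -out leaf_raw.pem
openssl pkcs12 -in contoso.pfx -passin pass:Demo-pfx-pass -cacerts -nokeys -out chain_raw.pem

# 4. Drop the "Bag Attributes" / "subject=" chatter so each file starts at the
#    -----BEGIN line that the head -n 1 check expects.
openssl pkey -in key_raw.pem -out contoso.key
openssl x509 -in leaf_raw.pem -out contoso.crt
sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' chain_raw.pem > gd_bundle.crt
chmod 600 contoso.key

# 5. Leaf first, intermediates after: the layout SSLCertificateFile expects
#    when the chain is folded into a single file.
cat contoso.crt gd_bundle.crt > contoso.full.crt

# --- checks -----------------------------------------------------------------
first_line() { head -n 1 "$1"; }
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Compare the public key inside the certificate with the one derived from the
# private key; a mismatch means this .key is not the one behind the CSR.
key_matches_cert() {
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# Does the leaf chain up to the trust anchor ($3) through the intermediates ($2)?
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

openssl genpkey -algorithm RSA -out unrelated.key 2>/dev/null   # a wrong key, for contrast
key_matches_cert contoso.key   contoso.full.crt && echo "contoso.key belongs to contoso.crt"
key_matches_cert unrelated.key contoso.full.crt || echo "unrelated.key does not; Apache rejects this pair"
chain_verifies contoso.crt gd_bundle.crt ca.crt && echo "leaf chains up through the bundle"
```

The three cleaned files map onto the directives in the final config above: contoso.crt for SSLCertificateFile, contoso.key for SSLCertificateKeyFile and gd_bundle.crt for SSLCertificateChainFile. On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated and contoso.full.crt can be given as SSLCertificateFile on its own instead. Two caveats: mod_ssl reads the key file while it is still running as root during startup, so root-owned 0600 is sufficient, and the Apache group on Ubuntu is www-data rather than apache; and if OpenSSL 3 refuses an IIS-exported PFX with an unsupported-algorithm error, re-run the pkcs12 extraction with the -legacy flag.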
yo_bee (Director of Information Technology, Author) commented:
I want to thank you for your effort, but none of the solutions you recommended was a solution to my issue.