Unable to get SSL to work on my Ubuntu Apache2

I am trying to enable SSL on my Ubuntu server running Apache2, but when I restart the Apache2 service it crashes silently.

I have a cloned copy of the Ubuntu server in my Dev location and I was able to apply this without any issues.

I made what I think are the correct edits to the /etc/apache2/sites-enabled/site-name.com.conf file.
Can someone please shed some light on this for me?

<VIRTUALHOST *:443>
    ServerAdmin webmaster@localhost
    ServerName www.contoso.com
    ServerAlias  contoso.com
    DocumentRoot /var/www/www.contoso.com/web
    SSLEngine on    
    SSLCertificateFile /etc/apache2/cert/contoso.crt
    SSLCertificateKeyFile /etc/apache2/cert/contoso.key
    SSLCertificateFile /etc/apache2/cert/gd_bundle-g2-g1.crt
    <DIRECTORY />
        Options FollowSymLinks
        AllowOverride All
    </DIRECTORY>
    <DIRECTORY /var/www/www.contoso.com/web>
        Options +FollowSymLinks
        AllowOverride All
        #AuthType Basic
        #AuthName "Restricted Content"
        #AuthUserFile /etc/apache2/.htpasswd
        #Require valid-user

        # <IfModule mod_rewrite.c>
        # RewriteEngine On
        # RewriteBase /
        # RewriteCond %{REQUEST_FILENAME} -f [OR]
        # RewriteCond %{REQUEST_FILENAME} -d
        # RewriteRule ^.*$ - [S=40]
        # RewriteRule (.*)/(.*)/$ /index.php?page=$1&id=$2 [QSA,L]
        # RewriteRule (.*)/$ /index.php?page=$1 [QSA,L]
        # </IfModule>
        # php_value auto_prepend_file /var/www/www.contoso.com/prepend.php
    </DIRECTORY>
    ErrorLog ${APACHE_LOG_DIR}/www.haugpartners.com_error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/www.haugpartners.com_access.log combined
</VIRTUALHOST>



Edit:
Attached is the log: ApacheLog.txt
It is saying that a private key was not found.
This is a GoDaddy wildcard cert that was exported as a PFX from an IIS server and converted to a .KEY file using OpenSSL.

Asked by yo_bee (Director of Information Technology)
 
yo_bee (Director of Information Technology, Author) commented:
Found my issue in the CONF file.  
I needed to remark out the intermediate crt file path and I was able to start the site with the Crt for the wildcard cert along with the converted PFX to KEY file.

<VIRTUALHOST *:443>
    ServerAdmin webmaster@localhost
    #ServerName www.NewDomain.com
    ServerAlias NewDomain.com
    DocumentRoot /var/www/www.NewDomain.com/web
    SSLEngine on    
    SSLCertificateFile /etc/apache2/cert/359dc02304e01eae.crt    
    SSLCertificateKeyFile /etc/apache2/cert/hp.key
    SSLCertificateChainFile  /etc/apache2/cert/gd_bundle-g2-g1.crt
 
</VIRTUALHOST>


noci (Software Engineer) commented:
If you requested a certificate then you also created a private/public keypair before that. The public one got into the CSR.
The public key is signed inside the certificate.  The private key you still have on your system.

The webserver needs the certificate (to send to the client) , the private key to encrypt (the client can decrypt) using the certificate (containing the public key).
So this needs to be a valid key: /etc/apache2/cert/contoso.key  (private key) which wasn't in any certificate file....
and your config specifies SSLCertificateFile two times; only one can be specified.
The certificate file is needed, onto which all intermediate certificates need to be APPENDED.
(so you need to do:     cat /etc/apache2/cert/contoso.crt /etc/apache2/cert/gd_bundle-g2-g1.crt > /etc/apache2/cert/contoso.full.crt )
and use:    /etc/apache2/cert/contoso.full.crt   for SSLCertificateFile
yo_bee (Director of Information Technology, Author) commented:
Let me try that.

Should the conf read like this:

<VIRTUALHOST *:443>
    ServerAdmin webmaster@localhost
    ServerName www.contoso.com
    ServerAlias  contoso.com
    DocumentRoot /var/www/www.contoso.com/web
    SSLEngine on    
    #SSLCertificateFile /etc/apache2/cert/contoso.crt
    #SSLCertificateKeyFile /etc/apache2/cert/contoso.key
    #SSLCertificateFile /etc/apache2/cert/gd_bundle-g2-g1.crt
    SSLCertificateFile /etc/apache2/cert/contoso.full.crt
</VIRTUALHOST>


noci (Software Engineer) commented:
That contoso.full.crt ONLY contains the certificate chain....
You still need the contoso.key file.

When you created the CSR for GoDaddy you created a key, and the key was used to create the CSR; the CSR was sent to GoDaddy.
That initial key is required.
yo_bee (Director of Information Technology, Author) commented:
The .KEY part is the part I do not know. This is a wildcard cert and the CSR may have been created by an IIS server. I do not know for sure.
noci (Software Engineer) commented:
OK, the certificate you received from GoDaddy needs to be loaded into the IIS server which created the CSR, then you can export the certificate WITH key and allow exports, I think (I have no Windows systems). The thus-created .PFX file can be sent to the Ubuntu system.

There you can extract the .key file using: openssl pkcs12 -in contoso.pfx -out contoso.key -nocerts
yo_bee (Director of Information Technology, Author) commented:
I did all that and it still does not work, but I will try it again.
noci (Software Engineer) commented:
You can easily verify if you have the right files:
(the files are regular text files.)

head -n 1 contoso.key  
should give:
-----BEGIN RSA PRIVATE KEY-----

head -n 1 contoso.full.crt
should give:
-----BEGIN CERTIFICATE-----

(tail -n 1 for the same files should read -----END ... -----)
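The header/footer check noci describes above, plus the key-matches-certificate and file-permission points raised later in the thread, as an added shell example that is not from the thread. The file paths are placeholders, and the key is assumed to be unencrypted (e.g. extracted with openssl pkcs12 -nocerts -nodes).

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the files an Apache
# SSL vhost points at. Paths below are placeholders; the key is assumed to be
# unencrypted (e.g. extracted with: openssl pkcs12 ... -nocerts -nodes).

# First line must be the PEM certificate header and last line its footer.
pem_cert_ok() {
    [ -r "$1" ] || return 1
    [ "$(head -n 1 "$1" | tr -d '\r')" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$(tail -n 1 "$1" | tr -d '\r')" = "-----END CERTIFICATE-----" ]
}

# Accept PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") headers,
# which is what openssl pkcs12 -nocerts produces depending on version.
pem_key_ok() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" | tr -d '\r' | grep -Eq '^-----BEGIN (RSA )?PRIVATE KEY-----$' &&
    tail -n 1 "$1" | tr -d '\r' | grep -Eq '^-----END (RSA )?PRIVATE KEY-----$'
}

# Number of certificates in a file: the "full" file (leaf + intermediates
# appended) should report more than 1.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# The private key must belong to the certificate: compare the public key
# derived from the key with the one embedded in the certificate.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# The key should not be world-readable; only the "other" bits are checked
# so the owner/group can still be root:www-data with mode 640.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Usage: ssl_files_check contoso.key contoso.full.crt
ssl_files_check() {
    pem_key_ok "$1"            || { echo "bad key header/footer: $1"; return 1; }
    pem_cert_ok "$2"           || { echo "bad cert header/footer: $2"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match cert"; return 1; }
    key_perms_ok "$1"          || { echo "key is world-readable: $1"; return 1; }
    echo "ok: $(cert_count "$2") certificate(s) in $2"
}
```

Run it against the key and the concatenated certificate file before restarting Apache; a mismatch or a bad header is the kind of problem Apache only reports in the error log.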
yo_bee (Director of Information Technology, Author) commented:
I will pick this up later in the weekend and follow up.

Nothing seems to be working.
I should be able to export a cert from IIS and import it into Apache2?

noci (Software Engineer) commented:
(Not IIS, you need the certutil MMC applet, IIRC.)
But it needs to be done on the IIS server that made the CSR.....
yo_bee (Director of Information Technology, Author) commented:
My bad. I meant it is the wildcard cert that is used by the IIS server, and the PFX was exported from the cert store MMC.
noci (Software Engineer) commented:
Was it exported from the IIS server with exportable key?
yo_bee (Director of Information Technology, Author) commented:
Yes
noci (Software Engineer) commented:
Then the key file should be extractable from the .pfx..., and you can read the key file in text editors (not Microsoft Word, LibreOffice etc.) like Notepad, vi etc. Or on Linux: cat contoso.key
The key file must be readable by Apache, e.g. chmod 640 contoso.key ; chgrp apache contoso.key. The same goes for the directory where the file is.
Also the directory must be accessible by apache.
yo_bee (Director of Information Technology, Author) commented:
I want to thank you for your effort, but none of the solutions you recommended was a solution to my issue.