SSL on Ubuntu 14.04
I wanted to have a secure connection to my personal web server so I went online to find a tutorial on how to install an SSL (TSL these days) certificate and I found one on www.digitalocean.com.
I’m assuming that you already have Apache installed on your server. If not, see my post on Install Linux, Apache, MySQL, PHP on Ubuntu 14.04.
Step One — Activate the SSL Module
SSL support actually comes standard in the Ubuntu 14.04 Apache package. We simply need to enable it to take advantage of SSL on our system.
Enable the module by typing:
sudo a2enmod sslAfter you have enabled SSL, you’ll have to restart the web server for the change to be recognized:
sudo service apache2 restart
With that, our web server is now able to handle SSL if we configure it to do so.
Step Two — Create a Self-Signed SSL Certificate
Let’s start off by creating a subdirectory within Apache’s configuration hierarchy to place the certificate files that we will be making:
sudo mkdir /etc/apache2/ssl
Now that we have a location to place our key and certificate, we can create them both in one step by typing:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt (See www.digitalocean.com for an explanation of this code)
When you hit “ENTER”, you will be asked a number of questions.
The most important item that is requested is the line that reads “Common Name (e.g. server FQDN or YOUR name)”. You should enter the domain name you want to associate with the certificate, or the server’s public IP address if you do not have a domain name.
The questions portion looks something like this:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com
The key and certificate will be created and placed in your /etc/apache2/ssl directory.
Step Three — Configure Apache to Use SSL
Now that we have our certificate and key available, we can configure Apache to use these files in a virtual host file.
Instead of basing our configuration file off of the 000-default.conf file in the sites-available subdirectory, we’re going to base this configuration on the default-ssl.conf file that contains some default SSL configuration.
Open the file with root privileges now:
sudo nano /etc/apache2/sites-available/default-ssl.conf
With the comments removed, the file looks something like this:
<ifmodule mod_ssl.c>
<virtualhost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<filesmatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</filesmatch>
<directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</virtualhost>
</ifmodule>