SSL [Hint: SSLCertificateFile] ?
My server
Ubuntu 10.04 with Apache 2
What seems like relevant info from my /var/log/apache2/error.log
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/apache2/sites-enabled/domain.com:60)
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
My /etc/apache2/ports.conf
NameVirtualHost xxx.xxx.xxx.xxx:443
NameVirtualHost xxx.xxx.xxx.xxx:80
Listen 80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
My /etc/apache2/sites-available/mydomain.com
<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerAdmin webmaster@localhost
    ServerName www.domain.com
    ServerAlias domain.com
    DocumentRoot /var/www/domain.com/public
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/domain.com/public>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from All
    </Directory>
    <Directory /usr/share/phpmyadmin>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
    </IfModule>
</VirtualHost>
<virtualhost">
<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerAdmin webmaster@localhost
    ServerName www.domain.com
    ServerAlias domain.com
    DocumentRoot /var/www/domain.com/public/ssl
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/domain.com/public/ssl>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    <Directory /usr/share/phpmyadmin>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from XXX.XXX.XXX.XXX
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/ssl_access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Server Certificate Chain:
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
    SSLCertificateChainFile /etc/ssl/localcerts/ssl.domain.com/www.domain.ca-bundle
    # Certificate Authority (CA):
    #SSLCACertificatePath /etc/ssl/certs/
    SSLCACertificatePath /etc/ssl/localcerts/ssl.domain.com
    SSLCACertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.crt
    SSLCACertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
4 Replies
SSLCertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.crt
SSLCertificateKeyFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.key
Another question along the lines of SSL. Maybe someone can help me better understand this. I have three enabled websites, two with self-signed certificates and the one with the commercial certificate. I’ve noticed there seems to be an alphabetical precedence with the SSL certificates. Meaning even though I go to the commercial certificated SSL page it still comes up with the self-signed certificate. Does this have something to do with one IP address per certificate and my commercial cert not being a ’wildcard’ or…..?
Yes, normally you need one IP address per certificate. You can add another IP address in the "Extras" menu. SSL counts as a valid justification for using more than 2 IP addresses, so if you need more than 2, you should open a support ticket and ask for another IP address. But if you're only using SSL for your own needs, you might want to get around this by having your SSL sites on different ports of the same IP address. (That's what "Listen 443" does.)
Wildcard certificates only work if all your sites are subdomains of the same domain, e.g. clients.domain.com, forum.domain.com, blog.domain.com. They also cost 10x more, so don't bother unless you need 10 SSL websites all belonging to the same domain.
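
As an added example (not code from this thread), a small Python check for the two problems discussed above: an SSL virtual host that has `SSLEngine on` but no `SSLCertificateFile`/`SSLCertificateKeyFile` (the cause of the `[Hint: SSLCertificateFile]` error), and several SSL virtual hosts sharing one IP:port. The sample config, hostnames, address and paths are constructed, and the parser only handles simple one-line directives.

```python
import re
from collections import defaultdict

# Constructed sample: second vhost repeats the mistake from the question.
SAMPLE = """\
<VirtualHost 192.0.2.10:443>
    ServerName a.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/a.example.com.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/a.example.com.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCACertificateFile /etc/ssl/localcerts/www.example.com.crt
    SSLCACertificateFile /etc/ssl/localcerts/www.example.com.key
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

def parse_vhosts(text):
    """Return [(address, {directive_lower: [args]})] per <VirtualHost> block."""
    out = []
    for addr, body in VHOST.findall(text):
        d = defaultdict(list)
        for line in map(str.strip, body.splitlines()):
            if line and line[0] not in "#<":  # skip comments and section tags
                name, *rest = line.split(None, 1)
                d[name.lower()].append(rest[0] if rest else "")
        out.append((addr.strip(), d))
    return out

def lint(text):
    """Flag SSL vhosts with no cert/key, a key loaded as a CA, or a shared address."""
    findings, by_addr = [], defaultdict(list)
    for addr, d in parse_vhosts(text):
        if [v.lower() for v in d["sslengine"]] != ["on"]:
            continue
        name = (d["servername"] or ["(unnamed)"])[0]
        by_addr[addr].append(name)
        findings += [f"{name}: no {n}" for n in REQUIRED if not d[n.lower()]]
        if any(p.lower().endswith(".key") for p in d["sslcacertificatefile"]):
            findings.append(f"{name}: private key given to SSLCACertificateFile")
    findings += [f"{a}: {len(n)} SSL vhosts share it; clients without SNI get {n[0]}"
                 for a, n in by_addr.items() if len(n) > 1]
    return findings

if __name__ == "__main__": print(*lint(SAMPLE), sep="\n")
```

Blocks are checked in the order they appear in the text passed in, so concatenate the files in the order Apache loads them for the "first vhost" result to be meaningful.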