SSL [Hint: SSLCertificateFile] ?

Well, I must be missing something, because every time I try to restart Apache it returns with [fail] but it doesn't tell me what the error was. I've checked and rechecked my file paths to the various SSL files, but I'm stumped. I'm still very new to server administration and this is the first time I've tried getting a commercial SSL certificate to work. I have two other sites enabled using self-signed certificates and they seem to work just fine. Any idea where I've gone wrong with this commercial certificate? It's from Comodo if that makes any difference.

My server

Ubuntu 10.04 with Apache 2

What seems like relevant info from my /var/log/apache2/error.log

[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/apache2/sites-enabled/domain.com:60)

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

My /etc/apache2/ports.conf

NameVirtualHost xxx.xxx.xxx.xxx:443
NameVirtualHost xxx.xxx.xxx.xxx:80
Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

My /etc/apache2/sites-available/mydomain.com

<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerAdmin webmaster@localhost
    ServerName www.domain.com
    ServerAlias domain.com
    DocumentRoot /var/www/domain.com/public
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/domain.com/public>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from All
    </Directory>

    <Directory /usr/share/phpmyadmin>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
    </IfModule>
</VirtualHost>

 <ifmodule mod_ssl.c=""><virtualhost xxx.xxx.xxx.xxx:443="">ServerAdmin webmaster@localhost
    ServerName www.domain.com
    ServerAlias domain.com
    DocumentRoot /var/www/domain.com/public/ssl
     <directory>Options FollowSymLinks
        AllowOverride None</directory> 

        <directory var="" www="" domain.com="" public="" ssl="">Options -Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order deny,allow
                Deny from all</directory> 

     <directory usr="" share="" phpmyadmin="">Options -Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order deny,allow
                Deny from all
        Allow from XXX.XXX.XXX.XXX</directory>  

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
     <directory "="" usr="" lib="" cgi-bin"="">AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all</directory> 

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
     <directory "="" usr="" share="" doc="">Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128</directory> 

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   Server Certificate Chain:
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
     SSLCertificateChainFile /etc/ssl/localcerts/ssl.domain.com/www.domain.ca-bundle

    #   Certificate Authority (CA):
    #SSLCACertificatePath /etc/ssl/certs/
       SSLCACertificatePath /etc/ssl/localcerts/ssl.domain.com
     SSLCACertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.crt
     SSLCACertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.key

     <filesmatch "\.(cgi|shtml|phtml|php)$"="">SSLOptions +StdEnvVars</filesmatch> 
     <directory usr="" lib="" cgi-bin="">SSLOptions +StdEnvVars</directory> 

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown</virtualhost></ifmodule> 

4 Replies

Try this:

SSLCertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.crt
SSLCertificateKeyFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.key

The default spelling is “SSLCACertificate…..” but changing it to “SSLCertificate…..” totally worked! Strange. I guess I should have taken the error log's ‘HINT’ more literally. Thanks hybinet.

Another question along the lines of SSL. Maybe someone can help me better understand this. I have three enabled websites, two with self-signed certificates and one with the commercial certificate. I’ve noticed there seems to be an alphabetical precedence with the SSL certificates, meaning even though I go to the SSL page with the commercial certificate, it still comes up with the self-signed certificate. Does this have something to do with one IP address per certificate and my commercial cert not being a ‘wildcard’ or…..?

"SSLCACertificateFile" is for verifying client certificates. It's rarely used in public websites. Your own certificates and keys should be specified using "SSLCertificateFile" and "SSLCertificateKeyFile". The "chain" certificate is only used if the certificate issuer says you should. If the issuer says it's "single root", then you don't need chain certificates. If it's a self-signed certificate, then you don't need chain certificates.

Yes, normally you need one IP address per certificate. You can add another IP address in the "Extras" menu. SSL counts as a valid justification for using more than 2 IP addresses, so if you need more than 2, you should open a support ticket and ask for another IP address. But if you're only using SSL for your own needs, you might want to get around this by having your SSL sites on different ports of the same IP address. (That's what "Listen 443" does.)

Wildcard certificates only work if all your sites are subdomains of the same domain, e.g. clients.domain.com, forum.domain.com, blog.domain.com. They also cost 10x more, so don't bother unless you need 10 SSL websites all belonging to the same domain.
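The two points in the reply above (which directive each file belongs in, and why one site's certificate shows up for another on the same IP:443) can both be checked mechanically before restarting Apache. The following lint script is an added example and is not code from the thread or from Apache; it parses a vhost config the way mod_ssl reads it (directive names case-insensitive, last SSLEngine wins) and uses a constructed sample config with placeholder paths and a documentation-range IP, so it runs offline. The first sample vhost reproduces the shape of the broken config in the question; the second is the corrected shape. The "default vhost" report explains the alphabetical precedence the question describes: a client that does not send SNI (RFC 4366, the warning in the question's error.log) is handed the certificate of the first SSL vhost Apache loaded for that ip:port, and Debian's sites-enabled/ directory is included in alphabetical order.

```python
import re
from collections import defaultdict

# Constructed sample config (placeholder paths, documentation IP), not the
# thread's real files. First vhost: shape of the broken config in the question.
# Second vhost: the corrected directives from the reply.
SAMPLE_CONFIG = """
<VirtualHost 203.0.113.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateChainFile /etc/ssl/localcerts/www.example.ca-bundle
    SSLCACertificatePath /etc/ssl/localcerts
    SSLCACertificateFile /etc/ssl/localcerts/www.example.com.crt
    SSLCACertificateFile /etc/ssl/localcerts/www.example.com.key
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName shop.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/shop.example.net.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/shop.example.net.key
    SSLCertificateChainFile /etc/ssl/localcerts/shop.example.net.ca-bundle
</VirtualHost>
"""

# Apache directive names are case-insensitive; normalise the ones inspected here.
CANONICAL = {n.lower(): n for n in (
    "ServerName", "SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile",
    "SSLCertificateChainFile", "SSLCACertificateFile", "SSLCACertificatePath",
    "SSLVerifyClient")}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)


def parse_vhosts(text):
    """Return [(address, {directive: [values...]}), ...], one per <VirtualHost>.
    Nested sections (<Directory>, <IfModule>) are flattened into the vhost,
    which is sufficient for the SSL directives checked below."""
    vhosts = []
    for match in VHOST_RE.finditer(text):
        directives = defaultdict(list)
        for raw in match.group(2).splitlines():
            line = raw.strip()
            if not line or line[0] in "#<":
                continue
            name, _, value = line.partition(" ")
            directives[CANONICAL.get(name.lower(), name)].append(value.strip())
        vhosts.append((match.group(1).strip(), directives))
    return vhosts


def lint_ssl_vhost(directives):
    """Report the directive mix-ups behind '[Hint: SSLCertificateFile]'."""
    problems = []
    if directives.get("SSLEngine", [""])[-1].lower() != "on":
        return problems                     # plain HTTP vhost, nothing to check
    if "SSLCertificateFile" not in directives:
        problems.append("SSLEngine on but no SSLCertificateFile: mod_ssl aborts "
                        "startup with 'Server should be SSL-aware but has no "
                        "certificate configured'")
    elif "SSLCertificateKeyFile" not in directives:
        problems.append("no SSLCertificateKeyFile: mod_ssl then expects the "
                        "private key to be appended to SSLCertificateFile")
    for value in directives.get("SSLCACertificateFile", []):
        if value.endswith(".key"):
            problems.append(f"private key {value} given to SSLCACertificateFile "
                            "(the CA list for verifying *client* certificates); "
                            "it belongs in SSLCertificateKeyFile")
        else:
            problems.append(f"{value} given to SSLCACertificateFile; a server "
                            "certificate belongs in SSLCertificateFile")
    if (("SSLCACertificateFile" in directives or "SSLCACertificatePath" in directives)
            and "SSLVerifyClient" not in directives):
        problems.append("SSLCACertificateFile/Path set but SSLVerifyClient is not: "
                        "these CA directives are only consulted when client "
                        "certificates are requested")
    return problems


def lint_config(text):
    """Lint every vhost in a config string; keyed by ServerName (or address)."""
    return {d.get("ServerName", [addr])[0]: lint_ssl_vhost(d)
            for addr, d in parse_vhosts(text)}


def default_vhost_per_socket(vhosts):
    """For each ip:port, the ServerName whose certificate a client WITHOUT SNI
    receives: the first SSL vhost loaded for that socket."""
    first = {}
    for addr, d in vhosts:
        if d.get("SSLEngine", [""])[-1].lower() == "on":
            first.setdefault(addr, d.get("ServerName", ["(no ServerName)"])[0])
    return first


if __name__ == "__main__":
    for name, problems in lint_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
    for sock, name in default_vhost_per_socket(parse_vhosts(SAMPLE_CONFIG)).items():
        print(f"{sock}: clients without SNI get the certificate of {name}")
```

Run it against your own sites-available files (concatenated in the order sites-enabled/ lists them) before `apache2ctl configtest`; the first vhost reported per ip:port is the one whose certificate older, non-SNI clients will see regardless of the Host they ask for.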

And now I know. Thanks again! :D
