Apache Virtual Hosts with SNI and SSL on Ubuntu 12.04 in Rackspace
Here’s a little howto: I was having the devil of a time earlier today configuring an SSL cert for a site Lorraine and I are working on right now. My problem is that I’ve never configured an SSL cert before, and proceeded to jump right on in with a whole lot of enthusiasm and zero knowhow.
It turns out that because the site we’re working on is on a Rackspace cloud server, and we’re hosting several sites on the same server using Apache virtual hosts to configure http requests via hostname as opposed to IP address, there is some extra configuration to be done. Add to that the fact that we’re serving secure and insecure content at the same hostname, and you have a recipe for a headache. So, here’s the way I did it.
First, let me list the useful tutorials and links, and then I’ll post the config files and examples that worked.
The most useful: http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html
http://en.wikipedia.org/wiki/Server_Name_Indication
http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
http://www.sslshopper.com/article-most-common-openssl-commands.html
Read this to understand why you’re doing this and what a certificate is: http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html
Pro tips:
- You don’t need to turn on the “Listen 443″ switch in apache2.conf; that’s already on and enabled with mod_ssl, the Apache module that handles SSL.
- If you keep seeing people telling you to edit your ssl.conf, what they mean in Ubuntu is /etc/apache2/sites-available/default-ssl. There’s already the stub there.
- Generate a CSR easily and simply by pasting this into a bash shell:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key - You have to create a symbolic link between the default-ssl in sites-available and sites-enabled like this:
sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
Ok, now here’s the example default-ssl file:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /path/to/your/website/root/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /path/to/your/website/root/ >
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
SSLEngine on
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key/generated/from/CSR
SSLCertificateChainFile /path/to/bundled/certs/from/your/issuer
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
And here’s the trippy part: you actually don’t need to edit your current virtual host file (presuming you have it correctly configured to serve nonsecure content via port 80) which should be living in sites-available. I have the feeling that if I was trying to serve more than one secure site on this server that I’d need to configure a NameVirtualHost, but since I don’t, all requests on port 443 can just get shoved to the document root of the secured site. I’ll explore that later, I suppose.
2 comments