Linux, Web development

Apache Virtual Hosts with SNI and SSL on Ubuntu 12.04 in Rackspace

Here’s a little howto. I was having the devil of a time earlier today configuring an SSL cert for a site Lorraine and I are working on right now. My problem was that I’d never configured an SSL cert before, and proceeded to jump right in with a whole lot of enthusiasm and zero know-how.

It turns out that because the site we’re working on is on a Rackspace cloud server, and we’re hosting several sites on the same server using Apache virtual hosts to route HTTP requests by hostname rather than by IP address, there is some extra configuration to do. Add to that the fact that we’re serving both HTTPS and plain HTTP at the same hostname, and you have a recipe for a headache. So, here’s the way I did it.

First, let me list the useful tutorials and links, and then I’ll post the config files and examples that worked.

The most useful: http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html

http://en.wikipedia.org/wiki/Server_Name_Indication

http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

http://www.sslshopper.com/article-most-common-openssl-commands.html

Read this to understand why you’re doing this and what a certificate is: http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html

Pro tips:

  1. You don’t need to add a “Listen 443” line to apache2.conf. On Ubuntu it’s already in /etc/apache2/ports.conf, wrapped in an <IfModule mod_ssl.c> block, so it takes effect as soon as the SSL module is enabled (sudo a2enmod ssl, then restart Apache). Without mod_ssl loaded, nothing listens on 443 and the SSL* directives below are syntax errors.
  2. If you keep seeing people telling you to edit your ssl.conf, what they mean on Ubuntu is /etc/apache2/sites-available/default-ssl. The stub is already there.
  3. Generate a private key and a CSR in one go by pasting this into a bash shell: openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key. Note that -nodes writes the key unencrypted, which is what you want for a server that has to start unattended, so move it somewhere only root can read (e.g. /etc/ssl/private/, mode 0600). Send the CSR, never the key, to your issuer; the certificate you get back only works with the key the CSR was made from.
  4. You have to create a symbolic link from default-ssl in sites-available into sites-enabled, like this: sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl (sudo a2ensite default-ssl does exactly that). Run sudo apache2ctl configtest before reloading, so a typo in the SSL directives doesn’t take your port 80 sites down with it.

Ok, now here’s the example default-ssl file:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /path/to/your/website/root/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /path/to/your/website/root/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    # Stock Ubuntu stub: exposes /usr/share/doc over HTTPS, but only to
    # loopback clients. Drop the whole Alias/Directory pair if you don't want it.
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on
    # The certificate your issuer returned for the CSR
    SSLCertificateFile /path/to/cert
    # The private key the CSR was generated from (privateKey.key above);
    # root-owned, mode 0600
    SSLCertificateKeyFile /path/to/key/generated/from/CSR
    # Intermediate CA bundle from the issuer, so clients can build the chain
    SSLCertificateChainFile /path/to/bundled/certs/from/your/issuer

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

And here’s the trippy part: you don’t need to edit your existing virtual host file at all (presuming it is correctly configured to serve non-secure content on port 80); it carries on living in sites-available and answering on port 80 as before. What makes this work is that the block above is <VirtualHost _default_:443>: with only one vhost on port 443, every TLS connection to the server, whatever hostname the client asked for, lands in it and gets served from the secured site’s document root. That is also the catch. Apache presents that one certificate to every client on 443, so anyone who types https:// in front of one of the other hostnames on this box gets a certificate-name mismatch warning and then the secure site’s content. If I wanted to serve more than one secure site from this one IP I’d need name-based SSL virtual hosts: a NameVirtualHost *:443 line in ports.conf, one <VirtualHost *:443> block per site with its own ServerName and certificate, and SNI so the client tells Apache which name it wants before the handshake completes (Apache 2.2.22 on Ubuntu 12.04 supports it; Internet Explorer on Windows XP does not, and such clients get whichever vhost is listed first). I’ll explore that later, I suppose.
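Here is what that multi-site setup looks like, as an added example that is not part of the original post. The hostnames, the 203.0.113.10 address, the certificate paths and the file names shop-ssl and blog-ssl are made up; the directives themselves are the stock Apache 2.2 mod_ssl ones.

```apache
# /etc/apache2/ports.conf (the stock file already has the Listen line;
# only NameVirtualHost is added)
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

# /etc/apache2/sites-available/shop-ssl (hypothetical name).
# Because sites-enabled is read in alphabetical order, this is the first
# *:443 vhost, so it is also the one non-SNI clients and unknown names get.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName shop.example.org
    ServerAlias www.shop.example.org    # must be a SAN on the cert as well
    DocumentRoot /srv/www/shop

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/shop.example.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/shop.example.org.key
    SSLCertificateChainFile /etc/ssl/certs/issuer-bundle.crt

    # One log pair per site makes it obvious which name a request arrived under
    ErrorLog  ${APACHE_LOG_DIR}/shop-ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/shop-ssl_access.log combined
</VirtualHost>
</IfModule>

# /etc/apache2/sites-available/blog-ssl (hypothetical name).
# Selected only when the client's SNI extension carries blog.example.org.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName blog.example.org
    DocumentRoot /srv/www/blog

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/blog.example.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/blog.example.org.key
    SSLCertificateChainFile /etc/ssl/certs/issuer-bundle.crt

    # Uncomment to refuse SNI-unaware clients (e.g. IE on Windows XP) for this
    # vhost instead of silently serving them shop.example.org's certificate.
    # SSLStrictSNIVHostCheck on

    ErrorLog  ${APACHE_LOG_DIR}/blog-ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/blog-ssl_access.log combined
</VirtualHost>
</IfModule>

# Verify from any machine which certificate each name is handed
# (drop -servername to see what a client without SNI gets):
#   openssl s_client -connect 203.0.113.10:443 -servername blog.example.org \
#       </dev/null 2>/dev/null | openssl x509 -noout -subject
```

Enable the two files with sudo a2ensite shop-ssl blog-ssl, and either disable default-ssl or change its <VirtualHost _default_:443> to <VirtualHost *:443>, since a _default_:443 vhost alongside NameVirtualHost *:443 produces overlapping-vhost warnings and confusing matching. Run sudo apache2ctl configtest, then reload. The two openssl commands should report different subjects; if both report shop.example.org, either mod_ssl isn’t seeing the SNI name or NameVirtualHost *:443 didn’t take effect.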
