It’s just data

Apache2, https, and Gutsy Gibbon

Ideally, reconfiguring your Apache installation under Ubuntu to support TLS/SSL (a.k.a. https) would be as easy as:

sudo a2enmod ssl
sudo apache2ctl restart

Unfortunately, there are additional steps involved.  There used to be a package named apache-ssl which did part of this work for you, but it mysteriously disappeared.  Essentially you need to obtain (or create) a certificate and configure Apache to use that certificate.  Much of the groundwork was done by Paul Bramscher and Michael R Head, but the results need to be updated for a number of reasons.

First, you enable the ssl module:

sudo a2enmod ssl

Next, you need to tailor the configuration file used to produce your certificate.  If you attempt to use the template directly, you will see something like the following error:

problems making Certificate Request
13237:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2

Instead, copy the configuration file to /tmp and edit it there.  I used sed, but you can use your favorite editor.  Just make sure that the country code selected is only two characters, or you will continue to see an error like the one above.

cp /usr/share/ssl-cert/ssleay.cnf /tmp
sed -i "s/@CountryName@/US/" /tmp/ssleay.cnf
sed -i "s/@StateName@/North Carolina/" /tmp/ssleay.cnf
sed -i "s/@LocalityName@/Raleigh/" /tmp/ssleay.cnf

Now, generate the certificate.  Note: in the original script, $@ referred to the script arguments, and you need to specify the same file for -out and -keyout.

sudo mkdir /etc/apache2/ssl
sudo openssl req -config /tmp/ssleay.cnf -new -x509 -days 1460 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
sudo chmod 600 /etc/apache2/ssl/apache.pem
rm /tmp/ssleay.cnf

To complete the configuration you need to create a second website.  Your current default website will need to be modified from specifying * to specifying *:80, limiting it to port 80.  A new ssl configuration will need to be created, based on the default and differing only in that it specifies port 443, is configured with SSLEngine On, and is told where to locate your SSLCertificateFile.  Note that the step to modify ports.conf is no longer necessary.

cd /etc/apache2/sites-available
sudo sed -i '1,2s/\*/*:80/' default
sudo cp default ssl
sudo sed -i '1,2s/\*:80/*:443/' ssl
sudo sed -i "3a\\\tSSLEngine On\n\tSSLCertificateFile /etc/apache2/ssl/apache.pem" ssl
sudo a2ensite ssl

Finally, restart Apache:

sudo apache2ctl restart
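
The checks below are an added example, not part of the original post: they test a config for the two-character country code and test the generated file for a key plus certificate with mode 600. The function names are hypothetical, and it is an assumption that the template sets the country on a `countryName =` line.

```shell
#!/bin/sh
# Added example, not from the original post. File names and contents in demo()
# are constructed; the PEM bodies are placeholders, not real key material.

# True only if countryName in the config is exactly two letters; anything
# longer (including an unedited @CountryName@) triggers "maxsize=2".
country_code_ok() {
    cc=$(sed -n 's/^[[:space:]]*countryName[[:space:]]*=[[:space:]]*//p' "$1" |
         sed 's/[[:space:]]*$//' | head -n 1)
    printf '%s\n' "$cc" | grep -Eq '^[A-Za-z]{2}$'
}

# True only if the file holds both a private key and a certificate, which is
# what passing the same path to -out and -keyout should produce.
pem_has_key_and_cert() {
    grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$1" &&
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
    grep -q '^-----END CERTIFICATE-----$' "$1"
}

# True only if the file is a regular file with mode 600 (owner read/write).
pem_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Report each check for a config/PEM pair; return non-zero if any fails.
check_setup() {
    rc=0
    country_code_ok "$1"      || { echo "FAIL: countryName in $1 is not two letters"; rc=1; }
    pem_has_key_and_cert "$2" || { echo "FAIL: $2 lacks a key or a certificate"; rc=1; }
    pem_is_private "$2"       || { echo "FAIL: $2 is not mode 600"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 pass"
    return "$rc"
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'countryName = US\n' > "$d/good.cnf"
    printf 'countryName = @CountryName@\n' > "$d/template.cnf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/keyonly.pem"
    { cat "$d/keyonly.pem"; printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER' '-----END CERTIFICATE-----'; } > "$d/apache.pem"
    chmod 600 "$d/apache.pem"; chmod 644 "$d/keyonly.pem"
    check_setup "$d/good.cnf" "$d/apache.pem"
    check_setup "$d/template.cnf" "$d/keyonly.pem" || true
    rm -rf "$d"
}
demo
```

Run `check_setup /tmp/ssleay.cnf /etc/apache2/ssl/apache.pem` with sudo after generating the certificate and before removing the edited config.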

There’s an easier way to do this. The ssl-cert package provided in Debian and Ubuntu is a quick frontend for the SSL key generation you’re doing by hand.

Replace your SSL generation steps with:

  sudo aptitude install ssl-cert
  sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/apache.pem

Posted by Stephen Touset at

Oh, and also change your apache configuration to point to /etc/ssl/private, which is the Debian/Ubuntu-standard location for your SSL keys.

Posted by Stephen Touset at


Great reference: How to setup Subversion over WebDAV and How to setup Trac, both on Ubuntu Update: how timely, Sam Ruby’s Apache2, https, and Gutsy Gibbon...

Excerpt from Justinsomnia at

Hey. I was using this as a reference. I used the Ubuntu steps for the cert. The rest of the steps... I mean, create the ssl file under available sites, I did. When I restart my server I see the following error:

[Tue Nov 27 15:33:26 2007] [error] Init: Unable to read server certificate from file /etc/ssl/private/apache.pem
[Tue Nov 27 15:33:26 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Nov 27 15:33:26 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Any ideas?

Posted by periferral at

To make a long story short: you have entered more than two characters into the country code field of the SSL certificate creator wrapper.  The make-ssl-cert wrapper swallows the error message of openssl, and simply does not put the certificate code into apache.pem.

Redo the process in either of the two ways, with a two-character country code, and it will work.

Posted by ptorok at


Apache2 SSL in Ubuntu 7.10 Gutsy

Here is a simple way to get apache2 installed with a self signed SSL cert in Gutsy. First install all the dependencies. sudo apt-get install apache2 sudo apt-get install openssl sudo apt-get install ssl-cert Now create a cert sudo make-ssl-cert...

Excerpt from The Offbytwo Blog at


comment added

In an attempt to setup ssl I did this sudo apt-get install openssl sudo apt-get install ssl-cert cp /usr/share/ssl-cert/ssleay.cnf /tmp sed -i “s/@CountryName@/US/” /tmp/ssleay.cnf sed -i “s/@StateName@/Ohio/” /tmp/ssleay.cnf sed -i...

Excerpt from dogbowl: Ticket #16 at

Very nice tutorial.   I got this working on my server in 5 minutes flat.   Great Job!


Posted by Ben at

Bookmarking for future reference: How to get Apache to do both HTTP and HTTPS on one IP address?

Posted by Sam Ruby at
