Ubuntu Gutsy - Apache, SSL and vhosts

So you have a new SSL certificate (see here for self-signed certs) and you want to configure Apache to serve your site on the standard HTTPS port (443).

No problem, it's easily done with a new Apache vhosts configuration file.


mod_ssl

First thing we need to do is enable Apache's mod_ssl:

sudo a2enmod ssl

As directed, restart Apache:

sudo /etc/init.d/apache2 force-reload

You will get a warning like this:

[warn] NameVirtualHost *:443 has no VirtualHosts

Don't worry: NameVirtualHost *:443 has no VirtualHosts because we haven't created any yet. We'll do just that in a moment.

ports.conf

With Ubuntu Gutsy, Apache has a conditional setting to listen on port 443 but let's double check the ports.conf file:

sudo nano /etc/apache2/ports.conf

The default entries are as follows:

Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Well, we've enabled mod_ssl so that looks good.

Virtual Hosts

Now we get to configuring the virtual hosts to enable secure connections.

If you followed the Apache Virtual Hosts article, you will have created NameVirtualHost settings in the main apache2.conf.

If not, we can set that up now. Open apache2.conf:

sudo nano /etc/apache2/apache2.conf

At the bottom of the file add the following:

NameVirtualHost *:80

<IfModule mod_ssl.c>
    NameVirtualHost *:443
</IfModule>

In that article we also changed the <VirtualHost> setting in the default vhost so that it listens on port 80. Open the file to check:

sudo nano /etc/apache2/sites-available/default

The beginning of the default vhost file should now look like:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/

Port 443

Having refreshed our memory on the NameVirtualHost settings and which port the default vhost listens to (port 80), it follows that all we need to do is to create a vhost to listen to port 443.

It really is as simple as that in some ways.

So let's extend the default vhost file to include configs for port 443.

Going through it logically, we need to copy the settings for port 80 and then adjust them for port 443.

So open the default vhost:

sudo nano /etc/apache2/sites-available/default

And start the process by copying the default port 80 vhost settings which begin and end with this:

<VirtualHost *:80>
...
...
</VirtualHost>

and paste them at the bottom of the file with the port changed to *:443 as follows:

<VirtualHost *:443>
...
...
</VirtualHost>

One final tweak to the pasted settings is the addition of these two lines inside the <VirtualHost *:443> block:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/selfsigned.pem

Done

It really is as simple as that.

I've put up an example 443 vhost file if you want to take a look. All I have done is copy the default port 80 vhost config, paste it, change the port and add the certificate location.
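
A missing certificate file is the easiest way for the reload below to fail, so it is worth checking the new block first. The following shell function is an added example, not part of the original article: check_ssl_vhosts is a hypothetical helper that confirms each *:443 vhost in a file has SSLEngine on and an SSLCertificateFile that exists and is readable.

```shell
#!/bin/sh
# Added example: pre-reload check for the port 443 vhost described above.
# check_ssl_vhosts is a hypothetical helper, not an Apache tool.
# For each <VirtualHost ...:443> block in FILE it verifies "SSLEngine on"
# and that the SSLCertificateFile exists and is readable.
# Prints one line per problem; returns 0 only if every 443 block passes.
check_ssl_vhosts() {
    vhost_file=$1
    [ -r "$vhost_file" ] || { echo "cannot read $vhost_file"; return 1; }

    # One record per 443 block: "<start line> <SSLEngine value> <cert path>".
    # Directive names are matched case-insensitively, as Apache does.
    report=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "<virtualhost" && $2 ~ /:443>$/ {
            in443 = 1; start = NR; engine = "unset"; cert = "-"; next
        }
        in443 && tolower($1) == "sslengine" { engine = tolower($2) }
        in443 && tolower($1) == "sslcertificatefile" {
            cert = $2; gsub(/"/, "", cert)
        }
        in443 && tolower($1) == "</virtualhost>" {
            print start, engine, cert; in443 = 0
        }
    ' "$vhost_file")

    status=0; blocks=0
    while read -r start engine cert; do
        [ -n "$start" ] || continue          # empty report: no 443 blocks
        blocks=$((blocks + 1))
        if [ "$engine" != "on" ]; then
            echo "line $start: SSLEngine is '$engine', expected 'on'"; status=1
        fi
        if [ "$cert" = "-" ]; then
            echo "line $start: no SSLCertificateFile"; status=1
        elif [ ! -r "$cert" ]; then
            echo "line $start: cannot read certificate $cert"; status=1
        fi
    done <<EOF
$report
EOF
    if [ "$blocks" -eq 0 ]; then
        echo "no *:443 VirtualHost block in $vhost_file"; status=1
    fi
    return $status
}

# Run as a script: sh check.sh /etc/apache2/sites-available/default
if [ $# -gt 0 ]; then check_ssl_vhosts "$1"; fi
```

Run it with sudo if the certificate is readable only by root. Apache's own syntax check, sudo apache2ctl configtest, is a useful second step before the reload.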

Reload

At this point, reload Apache for the new settings to take effect:

sudo /etc/init.d/apache2 force-reload

Check

Check the config by navigating to your IP address but use the HTTPS prefix:

https://123.45.67.890

If all went well, you will view your default vhost setting via SSL - also note any warnings you receive as any visitors/users will see the same warnings.

Other virtual hosts

You can extend and create different vhosts content for port 443 - all you need to do is specify which port the config is listening to and ensure you define where the certificate is located.

Summary

Adding Apache virtual hosts for HTTPS connections is not as daunting as you may have felt.

Once you have an initial directory structure and vhosts file, all you need to do is define the port the vhost refers to and ensure it includes the certificate location.

PickledOnion.

Article Comments:

Don commented Mon Feb 04 20:41:37 UTC 2008:

I'm really appreciating these articles. They've really helped get started with my VPS.

However, I'm not sure what went wrong but when I updated my default file as directed in this article, and reloaded, it complained that there was no selfsigned.pem file.

I found a .pem file in the directory specified, and renamed it selfsigned.pem, but then all my sites went offline.

I removed the edit from the default file and restarted the server, and it seems to be working. Except that https doesn't work.

Don commented Mon Feb 04 21:11:59 UTC 2008:

D'oh! I'd missed your previous article:

http://articles.slicehost.com/2007/11/26/ubuntu-gutsy-generating-a-self-signed-ssl-certificate

Works nicely.

Peter commented Tue Feb 26 13:39:48 UTC 2008:

Thanks a lot for all of these articles! They're very easy to follow and extremely helpful for someone just getting started.

MikeJ commented Thu Sep 04 09:14:19 UTC 2008:

Ruled out the day to sort this out and it took me 20 minutes. Great work.

Smashing.

Thanks,

Mike
