Tutorial

How To Install an SSL Certificate from a Commercial Certificate Authority

Updated on December 2, 2022

Introduction

This tutorial will show you how to acquire and install an SSL certificate from a trusted, commercial Certificate Authority (CA). SSL certificates allow web servers to encrypt their traffic, and also offer a mechanism to validate server identities to their visitors (the protocol in use today is TLS, but the certificates are still commonly called SSL certificates). Websites using SSL are accessed via the https:// protocol.

Before the mid-2010s, many smaller websites did not always use SSL or HTTPS. Since then, expectations of security have increased, and the Let’s Encrypt project was created to provide free, trusted SSL certificates at scale, allowing almost everyone to use HTTPS as needed.

However, there are some limitations to Let’s Encrypt’s certificates. They expire every 3 months, typically requiring you to have a functioning auto-renewal script in place, and can be awkward to use in environments where this is not possible. Let’s Encrypt also does not provide Extended Validation certificates which validate the legal ownership of your web presence, or Wildcard Certificates that will automatically match every possible subdomain of your website (such as shop.example.com) without you having to register each of them manually.

For most users, these will not be significant limitations. Let’s Encrypt is a popular option for many personal and commercial websites. However, if you have particular enterprise software requirements, or a very large commercial operation, you should consider purchasing a certificate from a commercial CA.

This tutorial covers how to select and deploy an SSL certificate from a trusted certificate authority. After you have acquired your SSL certificate, this tutorial will cover installing it on the Nginx and Apache web servers.

Prerequisites

There are several prerequisites to attempting to obtain an SSL certificate from a commercial CA:

  • A registered domain name. This tutorial will use example.com throughout. You can purchase a domain name from Namecheap, get one for free with Freenom, or use the domain registrar of your choice.

  • Access to one of the email addresses on your domain’s WHOIS record or to an “admin type” email address at the domain itself. Certificate authorities that issue SSL certificates will typically validate domain control by sending a validation email to one of the addresses on the domain’s WHOIS record, or to a generic admin email address at the domain itself. To be issued an Extended Validation certificate, you will also be required to provide the CA with paperwork to establish the legal identity of the website’s owner, among other things.

  • DNS records set up for your server. If you are using DigitalOcean, please see our DNS documentation for details on how to add them.

This tutorial will provide configuration instructions for an Ubuntu 22.04 server set up by following this initial server setup for Ubuntu 22.04 tutorial, including a sudo-enabled non-root user and a firewall. Most modern Linux flavors will work similarly.

You should also have a web server like Nginx or Apache installed, following How To Install Nginx on Ubuntu 22.04 or How To Install the Apache Web Server on Ubuntu 22.04. Be sure that you have a server block (or Apache virtual host) for your domain.

Step 1 – Choosing Your Certificate Authority

If you are not sure which Certificate Authority to use, there are a few factors to consider.

Root Certificate Program Memberships

The most crucial point is that the CA that you choose is a member of the root certificate programs of the most commonly used operating systems and web browsers, i.e. it is a “trusted” CA, and its root certificate is trusted by common browsers and other software. If your website’s SSL certificate is signed by a trusted CA, its identity is considered to be valid by software that trusts the CA.

Most commercial CAs that you will encounter will be members of the common root CA programs, but it does not hurt to check before making your certificate purchase. For example, Apple publishes its list of trusted SSL root certificates.

Certificate Types

Ensure that you choose a CA that offers the certificate type that you require. Many CAs offer variations of these certificate types under a variety of names and pricing structures. Here is a short description of each type:

  • Single Domain: Used for a single domain, e.g. example.com. Note that additional subdomains, such as www.example.com, are not included
  • Wildcard: Used for a domain and any of its subdomains. For example, a wildcard certificate for *.example.com can also be used for www.example.com and store.example.com
  • Multiple Domain: Known as a SAN or UC certificate, these can be used with multiple domains and subdomains that are added to the Subject Alternative Name field. For example, a single multi-domain certificate could be used with example.com, www.example.com, and example.net

In addition to the aforementioned certificate types, there are different levels of validations that CAs offer:

  • Domain Validation (DV): DV certificates are issued after the CA validates that the requestor owns or controls the domain in question
  • Organization Validation (OV): OV certificates can be issued only after the issuing CA validates the legal identity of the requestor
  • Extended Validation (EV): EV certificates can be issued only after the issuing CA validates the legal identity, among other things, of the requestor, according to a strict set of guidelines. The purpose of this type of certificate is to provide additional assurance of the legitimacy of your organization’s identity to your site’s visitors. EV certificates can be single or multiple domain, but not wildcard

Additional Features

Many CAs offer a large variety of “bonus” features to differentiate themselves from the rest of the SSL certificate-issuing vendors. Some of these features can end up saving you money, so it is important that you weigh your needs against the offerings before making a purchase. Examples of features to look out for include free certificate reissues, or a single-domain-priced certificate that works for both www. and the domain basename, e.g. www.example.com with a SAN of example.com.

Step 2 – Generating a CSR and Private Key

After you have your prerequisites sorted, and you know the type of certificate you need, it’s time to generate a certificate signing request (CSR) and private key.

If you are planning on using Apache HTTP or Nginx as your web server, you can use the openssl command to generate your private key and CSR on your web server. In this tutorial, you can keep all of the relevant files in your home directory, but feel free to store them in any secure location on your server:

To generate a private key, called example.com.key, and a CSR, called example.com.csr, run this command (replace the example.com with the name of your domain):

openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

At this point, you will be prompted for several lines of information that will be included in your certificate request. The most important part is the Common Name field, which should match the name that you want to use your certificate with – for example, example.com, www.example.com, or (for a wildcard certificate request) *.example.com. If you are planning on getting an OV or EV certificate, ensure that all of the other fields accurately reflect your organization or business details. Providing a “challenge password” is not necessary.

For example:

Output
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:sammy@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This will generate a .key and a .csr file. The .key file is your private key and should be kept secure; it never leaves the server. The .csr file is what you will send to the CA to request your SSL certificate.

ls example.com*
Output
example.com.csr  example.com.key

You will need to copy and paste your CSR when submitting your certificate request to your CA. To print the contents of your CSR, use cat:

cat example.com.csr

Now you are ready to buy a certificate from a CA.
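
The following script, added here as an example and not part of the original tutorial, performs the same key and CSR generation non-interactively and then runs the checks worth doing before the request is submitted: that the Common Name and Subject Alternative Names are what you intend, that the CSR's self-signature verifies, and that the CSR was built from the private key next to it. It assumes openssl 1.1.1 or newer on PATH (for -addext); WORKDIR, the subject fields, and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the tutorial): generate the private key and CSR from
# Step 2 non-interactively, then check the request before sending it to the CA.
# Assumes openssl 1.1.1 or newer on PATH (for -addext). WORKDIR and the subject
# fields are constructed placeholders; example.com is the tutorial's sample domain.
set -eu

DOMAIN=example.com
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Same as the tutorial's interactive command, with the prompts answered by -subj and
# a Subject Alternative Name added so the www. host is covered by the same request.
gen_csr() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$DOMAIN.key" -out "$WORKDIR/$DOMAIN.csr" \
        -subj "/C=US/ST=New York/L=New York/O=My Company/CN=$DOMAIN" \
        -addext "subjectAltName=DNS:$DOMAIN,DNS:www.$DOMAIN" 2>/dev/null
    chmod 600 "$WORKDIR/$DOMAIN.key"   # the private key stays readable by its owner only
}

# The Common Name the CA will see; it must match the hostname the certificate is for.
csr_cn() {
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -subject | sed 's/.*CN *= *//'
}

# The SAN entries the CA will see (one line, comma separated).
csr_sans() {
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeeds when the CSR's self-signature verifies, i.e. the file was not altered or truncated.
csr_signature_ok() {
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -verify >/dev/null 2>&1
}

# Succeeds when the key file and the CSR carry the same public key. A mismatch here
# means the certificate the CA issues could never be loaded against this key.
csr_matches_key() {
    openssl pkey -in "$WORKDIR/$DOMAIN.key" -pubout -out "$WORKDIR/key.pub" 2>/dev/null
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -pubkey -out "$WORKDIR/csr.pub" 2>/dev/null
    cmp -s "$WORKDIR/key.pub" "$WORKDIR/csr.pub"
}

gen_csr
if csr_signature_ok && csr_matches_key; then
    printf 'CSR for %s (SANs: %s) ready: send %s to the CA, keep %s private\n' \
        "$(csr_cn)" "$(csr_sans)" "$WORKDIR/$DOMAIN.csr" "$WORKDIR/$DOMAIN.key"
else
    echo "CSR checks failed; regenerate the key and request" >&2
    exit 1
fi
```

For a multi-domain (SAN) certificate every hostname you pay for must appear in the csr_sans output; CAs issue from the request as submitted, so a name missing here is missing from the certificate.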

Step 3 – Purchasing and Obtaining a Certificate

There are many commercial CA providers, and you can compare and contrast the most appropriate options for your own setup. For example, Namecheap acts as an SSL certificate reseller, and has changed upstream CA providers in the past to provide the best value. Currently, they offer certificates from Comodo CA. Here is a sample of their offerings as of December 2022:

Namecheap SSL Offerings

After making a selection, you will need to upload the CSR that you generated in the previous step. Your CA provider will also likely have an “Approver” step, which will send a validation request email to an address in your domain’s WHOIS record or to an administrator type address of the domain that you are getting a certificate for.

After you approve the request, the CA will email the certificate, along with any intermediate certificate(s), to the named administrator. Copy and save these files to your server in the same location where you generated your private key and CSR. Name the certificate with the domain name and a .crt extension, e.g. example.com.crt, and name the intermediate certificate intermediate.crt.

The certificate is now ready to be installed on your web server, but first, you may have to make some changes to your firewall.

Step 4 – Updating your Firewall to Allow HTTPS

If you have the ufw firewall enabled as recommended by our Ubuntu 22.04 setup guide, you’ll need to adjust the settings to allow for HTTPS traffic. Nginx and Apache both register a few profiles with ufw upon installation.

You can see the current setting by typing:

sudo ufw status

If the output lists only Nginx HTTP (or Apache), only HTTP traffic is allowed to the web server:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, allow the Nginx Full or Apache Full profile and delete the redundant HTTP profile allowance (the commands below are for Nginx; for Apache substitute the Apache Full and Apache profiles):

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

That should produce a result like this:

sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

In the final step, you’ll install the certificate.

Step 5 – Installing a Certificate On Your Server

After acquiring your certificate from the CA of your choice, you need to install it on your web server. This involves adding a few SSL-related lines to your web server software configuration.

This tutorial will cover configuring Nginx and Apache on Ubuntu 22.04, but most modern Linux flavors will work similarly. This tutorial also makes these assumptions:

  • The private key, SSL certificate, and, if applicable, the CA’s intermediate certificates are located in a home directory, at /home/sammy
  • The private key is called example.com.key
  • The SSL certificate is called example.com.crt
  • The CA intermediate certificate(s) returned by your provider are in a file called intermediate.crt

Note: In a production environment, these files should be stored somewhere that only the web server process (usually root) can access, and the private key should be kept secure. For example, Let’s Encrypt stores the certificates it generates in /etc/letsencrypt. Production examples will vary due to the complexity of multi-server configurations.

Nginx

These are the steps to manually deploy an SSL certificate on Nginx.

If your CA returned your certificate and its intermediate certificate(s) as separate files, you must create a single “chained” certificate file that contains your certificate followed by the CA’s intermediate certificates: the Nginx ssl_certificate directive takes one file, and the order matters (your own certificate must come first).

Assuming your certificate file is called example.com.crt, you can use the cat command to append files together to create a combined file called example.com.chained.crt:

cat example.com.crt intermediate.crt > example.com.chained.crt
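
The script below is an added example, not part of the tutorial, that shows how to verify a chained file before handing it to Nginx. Because it must run without a real CA, it first constructs a throwaway three-level test PKI (root, intermediate, server certificate) under a temporary directory, builds example.com.chained.crt with the same cat command as above, and then applies three checks: that the bundle is ordered leaf-first, that the server certificate matches the private key, and that the chain validates back to the root the way a browser validates it. It assumes openssl 1.1.1 or newer on PATH; WORK, the subject names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the tutorial): build a constructed three-level test PKI
# offline (root -> intermediate -> server), assemble the chained file exactly as the
# tutorial's cat command does, and run the checks a browser and Nginx will apply to it.
# Assumes openssl 1.1.1 or newer on PATH; every file lives under a temporary
# directory and every name is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles for the constructed chain (a real CA supplies these itself).
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:www.example.com
EOF

# issue NAME SUBJECT ISSUER SECTION: create NAME.key and NAME.crt, signed by ISSUER
# (or self-signed when ISSUER is "self") with the extensions from SECTION.
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "$2" 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
            -extfile "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions "$4" \
            -out "$WORK/$1.crt" 2>/dev/null
    fi
}

make_test_pki() {
    issue root "/CN=Constructed Test Root" self ca
    issue intermediate "/CN=Constructed Test Intermediate" root ca
    issue example.com "/CN=example.com" intermediate server
    # The tutorial's order: your certificate first, then the intermediate(s).
    cat "$WORK/example.com.crt" "$WORK/intermediate.crt" > "$WORK/example.com.chained.crt"
    # The reversed order, constructed here only to show what the order check rejects.
    cat "$WORK/intermediate.crt" "$WORK/example.com.crt" > "$WORK/wrong-order.crt"
}

# split_bundle FILE DIR: write each certificate in FILE to DIR/certN.pem; print the count.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%d.pem", dir, n) }
                     n { print > f }
                     END { print n + 0 }' "$1"
}

# Succeeds when FILE is ordered leaf first: each certificate's issuer must be the
# subject of the one after it. Nginx takes the first certificate as the server
# certificate, so a reversed file fails nginx -t with "key values mismatch".
chain_order_ok() {
    d=$(mktemp -d)
    n=$(split_bundle "$1" "$d")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$d/cert$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Succeeds when the RSA modulus in CERT ($1) equals the one in KEY ($2).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Succeeds when LEAF ($1) chains to the trusted ROOT ($2) through the untrusted
# certificates in BUNDLE ($3), which is the check every browser performs on connection.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

make_test_pki
chain_order_ok "$WORK/example.com.chained.crt" && echo "chained file is leaf-first"
cert_matches_key "$WORK/example.com.crt" "$WORK/example.com.key" && echo "certificate matches private key"
chain_verifies "$WORK/example.com.crt" "$WORK/root.crt" "$WORK/example.com.chained.crt" && echo "chain verifies to the root"
```

Against a real certificate, replace the constructed files with the ones your CA sent and point chain_verifies at the CA's root (or omit -CAfile to use the system trust store); the order and key checks catch the two mistakes that produce the "key values mismatch" and "unable to get local issuer certificate" errors most often reported with this setup.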

Using nano or your favorite text editor, open your default Nginx server block file for editing:

sudo nano /etc/nginx/sites-enabled/default

Find the listen directive, and modify it to listen 443 ssl:

/etc/nginx/sites-enabled/default
…
server {
    listen 443 ssl;
…

Next, find the server_name directive within that same server block, and make sure that its value matches the common name of your certificate. Also, add the ssl_certificate and ssl_certificate_key directives to specify the paths of your certificate and private key files:

/etc/nginx/sites-enabled/default
…
    server_name example.com;
    ssl_certificate /home/sammy/example.com.chained.crt;
    ssl_certificate_key /home/sammy/example.com.key;
…

To restrict the protocols and cipher suites the server will negotiate, add the following lines to the file. Note that TLSv1 and TLSv1.1 were formally deprecated in 2021 (RFC 8996); on a current Nginx and OpenSSL you can drop them and list only TLSv1.2 and TLSv1.3, unless you must support very old clients:

/etc/nginx/sites-enabled/default
…
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
…

Finally, to redirect HTTP requests to HTTPS by default, you can add an additional server block at the top of the file:

/etc/nginx/sites-enabled/default
server {
    listen 80;
    server_name example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
}
…

Save and close the file. If you are using nano, press Ctrl+X, then when prompted, Y and then Enter.

Before restarting Nginx, you can validate your configuration by using nginx -t:

sudo nginx -t

If there aren’t any problems, restart Nginx to enable SSL over HTTPS:

sudo systemctl restart nginx

Test it out by accessing your site via HTTPS, e.g. https://example.com. You will also want to try connecting via HTTP, e.g. http://example.com to ensure that the redirect is working properly.

Apache

These are the steps to manually deploy an SSL certificate on Apache.

Using nano or your favorite text editor, open your default Apache virtual host file for editing:

sudo nano /etc/apache2/sites-available/000-default.conf

Find the <VirtualHost *:80> entry and modify it so your web server will listen on port 443:

/etc/apache2/sites-available/000-default.conf
…
<VirtualHost *:443>
…

Next, add the ServerName directive, if it doesn’t already exist:

/etc/apache2/sites-available/000-default.conf
…
ServerName example.com

Then add the following lines to enable TLS for this virtual host and specify your certificate, key, and intermediate certificate paths (SSLEngine on is required; without it the virtual host serves plain HTTP on port 443):

/etc/apache2/sites-available/000-default.conf
…
SSLEngine on
SSLCertificateFile /home/sammy/example.com.crt
SSLCertificateKeyFile /home/sammy/example.com.key
SSLCACertificateFile /home/sammy/intermediate.crt

The SSLCACertificateFile directive is documented by mod_ssl primarily as the trust store for client certificate authentication. Since Apache 2.4.8 the intermediate certificates can instead be appended to the file named by SSLCertificateFile (your certificate first, as in the Nginx chained file), which is the documented way to deliver the chain to clients; either way, confirm with apachectl configtest and an external checker that the full chain is served.

At this point, your server is configured to listen on HTTPS only (port 443), so requests to HTTP (port 80) will not be served. To redirect HTTP requests to HTTPS, add the following to the top of the file (substitute your domain name in both places):

/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
   ServerName example.com
   Redirect permanent / https://example.com/
</VirtualHost>
…

Save and close the file. If you are using nano, press Ctrl+X, then when prompted, Y and then Enter.

Enable the Apache SSL module by running this command:

sudo a2enmod ssl

Now, restart Apache to load the new configuration and enable TLS/SSL over HTTPS.

sudo systemctl restart apache2

Test it out by accessing your site via HTTPS, e.g. https://example.com. You will also want to try connecting via HTTP, e.g. http://example.com to ensure that the redirect is working properly.

Conclusion

In this tutorial, you learned how to determine when you might need to purchase an SSL certificate from a commercial CA, and how to compare and contrast the available options. You also learned how to configure Nginx or Apache for HTTPS support, and how to adapt their configurations for production.

Next, you may want to read about other SSL use cases, such as when working with load balancers.

About the authors

Senior DevOps Technical Writer

127 Comments

Hi, when I try and run:

$ openssl req -newkey rsa:2048 -nodes -keyout mydomain.com.key -out mydomain.com.csr

I get:

WARNING: can’t open config file: /usr/lib/ssl/openssl.cnf Unable to load config info from /usr/lib/ssl/openssl.cnf

Please help!

alexdo
Site Moderator
October 30, 2024

The error indicates that OpenSSL can’t find its configuration file (openssl.cnf). Here’s how to fix this:

  1. Locate the openssl.cnf File: On some systems, openssl.cnf might be located elsewhere, like /etc/ssl/openssl.cnf. Run this command to locate it:
find / -name openssl.cnf 2>/dev/null

If it exists in a different location, use that path with OpenSSL.

  2. Create a Symlink if Necessary: If openssl.cnf exists in another location, you can create a symlink to where OpenSSL expects it:
sudo ln -s /etc/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf

  3. Specify the Config File Directly: You can also specify the path to openssl.cnf in the command itself:
openssl req -newkey rsa:2048 -nodes -keyout mydomain.com.key -out mydomain.com.csr -config /etc/ssl/openssl.cnf

If openssl.cnf is missing altogether, reinstalling OpenSSL should replace it:

sudo apt-get install --reinstall openssl

These steps should resolve the issue with the missing configuration file.

Regards

I am now unable to access the domain without HTTPS, is there a way to fix this?

Great guide btw.

Thanks

What Web Server are you using?

    nginx, I solved it by adding an additional server directive.

    server {
        listen      80;

        location / {
          rewrite     ^(.*)   https://mysite.com$1 permanent;
        }
    }


    Here’s the link to the stack page: http://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom

    I’d recommend adding this to the guide as it it’s a PITA if it only accepts https and does not force a re-direct.

    Mitchell Anicas
    DigitalOcean Employee
    December 1, 2014

    That’s already in the guide, by the way.

    In my opinion the tutorial should include compatibility with a non-SSL version of the web.

    When I run the following setup

    root@example:/etc/ssl/nginx# cat www.example.com.crt intermediate.crt > www.example.com.chained.crt<^>
    

    I receive the following response

    -bash: syntax error near unexpected token `newline'
    

    Any ideas? I’m trying to chain a GoDaddy EV SSL, which I downloaded as Apache server type.

    Removed the <^> from the command, and it appears to have worked correctly now.

    Andrew SB
    DigitalOcean Employee
    December 11, 2014

    Looks like that was actually just a typo in the article. I’ve fixed it above. Thanks!

      My site is coming up as internal server error (https://rynopower.com/) Even though the SSL appears to be working. (Green lock is showing) Using PositiveSSL from Namecheap. SSL checking: https://www.sslchecker.com/sslchecker

      Running off of the Wordpress Ubuntu 14.04 Image.

      Created the ca-bundle with the four files provided by Namecheap:

      cat rynopower_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > rynopower.ca-bundle

      All files are currently in /etc/ssl/

      CSR and Key that was generated are in the same folder currently.

      Relevant lines for default-ssl.conf:

      <IfModule mod_ssl.c>
      <VirtualHost default:443>
      ServerAdmin webmaster@localhost
      ServerName rynopower.com:443
      SSLEngine on
      SSLCertificateFile /etc/ssl/rynopower_com.crt
      SSLCertificateKeyFile /etc/ssl/rynopower.key
      SSLCertificateChainFile /etc/ssl/rynopower.ca-bundle

      Any idea why my site wouldn’t work on https? It still works fine on http, and the lock comes up for https, just no content

      Mitchell Anicas
      DigitalOcean Employee
      December 17, 2014

      Is the rest of your default-ssl.conf correct?

      I don’t see anything in particularly wrong. But maybe you might.

      Here is the full file.

      http://pastebin.com/ERz5ppr7

      When trying to restart I get this:

      Output of config test was: AH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateFile: file ‘/etc/apache2/ssl/certs/teampunt.co.uk.crt’ does not exist or is empty Action ‘configtest’ failed. The Apache error log may have more information.

      does anyone know why? I bought the cert from godaddy

      alexdo
      Site Moderator
      October 30, 2024

      The error message indicates that Apache is unable to find or access the SSL certificate file specified in your configuration. Here’s how to troubleshoot:

      1. Check Certificate Path: Verify that the certificate file exists at the specified location (/etc/apache2/ssl/certs/teampunt.co.uk.crt). Run:
      ls -l /etc/apache2/ssl/certs/teampunt.co.uk.crt

      If the file is not there or the path is incorrect, update the path in your configuration file (default-ssl.conf).

      2. Ensure File Permissions: Make sure Apache has permission to read the certificate file. Set appropriate permissions:
      sudo chmod 644 /etc/apache2/ssl/certs/teampunt.co.uk.crt
      sudo chown root:root /etc/apache2/ssl/certs/teampunt.co.uk.crt

      3. Re-download or Reinstall the Certificate: Sometimes, certificate files are empty if there was an issue with the download. You can re-download the certificate from your GoDaddy account and replace the existing one.

      4. Update Apache Configuration: Confirm that the certificate path in your default-ssl.conf file matches the location of the actual certificate. The configuration should look like this:

      SSLCertificateFile /etc/apache2/ssl/certs/teampunt.co.uk.crt
      SSLCertificateKeyFile /etc/apache2/ssl/private/teampunt.co.uk.key
      SSLCertificateChainFile /etc/apache2/ssl/certs/teampunt.co.uk.chain.pem  # Optional, if required

      5. Run Config Test Again: After verifying the path and permissions, rerun the Apache configuration test to ensure there are no errors:
      sudo apachectl configtest

      6. Restart Apache: If the config test passes, restart Apache:
      sudo systemctl restart apache2
      

      Regards

      Hi there, thank you for this great article… when my SSL provider issued my SSL certificate I got with the certificate two more files, first: COMODORSAAddTrustCA, second: COMODORSADomainValidationSecureServerCA

      but in your article you didn’t mention anything about those additional certificates, so can you give me some explanation about them? Where would I use them?

      Best regards

      Mitchell Anicas
      DigitalOcean Employee
      January 6, 2015

      Are you using Nginx? If so, you will want to combine the files into the “chained” certificate file in a particular order:

      1. example.com.crt
      2. COMODORSADomainValidationSecureServerCA.crt
      3. COMODORSAAddTrustCA.crt
      4. AddTrustExternalCARoot.crt

      Or you can run this command to do the same thing (substitute the name of your certificate):

      cat example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt  AddTrustExternalCARoot.crt > example.com.chained.crt
      

      This was the correct order for me for cert from COMODO, though the exact file names vary slightly.

        What about apache ?

        Did you figure this out for apache?

        Any help would be appreciated.

        Mitchell Anicas
        DigitalOcean Employee
        April 21, 2015

        Place the intermediate certificates into intermediate.crt, then follow the instructions in the Apache section of this tutorial.

        “free StartSSL certificates are not trusted by some browsers”.

        Hmm, do you have any evidence of that? I’m getting an A+ rating from the Qualys test with a free StartSSL certificate, and I’ve never heard of any current browser rejecting a StartSSL certificate.

        Might also be worth mentioning Cloudflare’s free Universal SSL offering, which “hides” a free server-signed key behind a “valid” key for “end to end” SSL, or even offers to make ANY website SSL, without a server-side certificate needed. https://blog.cloudflare.com/introducing-universal-ssl/

        There is some evidence. Have you ever heard of CACert? They offer free SSL certificates under their own root - not all major browsers support it though (not in their trust store/storage).

        Thanks for help

        gdd

        Thank you for your guide, I managed to make it work but I changed the directory of the SSL files and now I cannot make it work. I have 2 domains tilabmx.com (default) and dianamejia.tk on LEMP with Ubuntu 14.04. When I enter tilabmx.com the server shows me dianamejia.tk (before setting up SSL everything was working fine). My conf file is:

        server {
            listen 443 ssl default_server;
            listen [::]:443 default_server ipv6only=on;

            root /var/www/tilabmx.com/html;
            index index.php index.html index.htm;
        
            # Make site accessible from http://localhost/
            server_name tilabmx.com www.tilabmx.com;
            rewrite ^/(.*) https://tilabmx.com/$1 permanent;
            ssl_certificate /home/stiuvert0007/tilabmx.com.chained.crt;
            ssl_certificate_key /home/stiuvert0007/tilabmx.com.key;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        

        }

        any idea? Thank you in advance!

        Mitchell Anicas
        DigitalOcean Employee
        January 23, 2015

        Check the Nginx error log (/var/log/nginx/error.log). It probably has to do with permissions of the files and their containing directories.

        Thank you very much for your answer! What are the appropriate permissions? When I run “sudo cat /var/log/nginx/error.log” nothing opens, as if there is no file

        Mitchell Anicas
        DigitalOcean Employee
        January 26, 2015

        Regarding the permissions, the SSL certs and keys need to be readable by the user that is starting the Nginx master process. It sounds like Nginx isn’t reporting any errors, so that is probably not the issue.

        Are you accessing your site with https instead of http?

        You probably delete rewrite ^/(.*) https://tilabmx.com/$1 permanent;

        Then add this to the top of your config file (if you want http to redirect to https):

        server {
            listen 80;
            server_name tilabmx.com;
            rewrite ^/(.*) https://tilabmx.com/$1 permanent;
        }
        

        Again thank you manicas! And sorry for all the questions. I really appreciate your help. Finally it’s working! My conf file is as follows:

        server {
                listen 80 default_server;
                listen [::]:80 default_server ipv6only=on;
        
                root /var/www/tilabmx.com/html;
                index index.php index.html index.htm;
        
                server_name tilabmx.com www.tilabmx.com;
                rewrite ^/(.*) https://tilabmx.com/$1 permanent;
        }
        
        

        after that I added

        server {
                listen 443;
                server_name tilabmx.com www.tilabmx.com;
        
                root /var/www/tilabmx.com/html;
                index index.php index.html index.htm;
        
                ssl on;
                ssl_certificate /home/stiuvert0007/tilabmx.com.chained.crt;
                ssl_certificate_key /home/stiuvert0007/tilabmx.com.key;
        
                ssl_session_timeout 5m;
        
                ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        #      ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; **<<<This is the default ssl_ciphers value. Is there any diference between this and the recommended in this tutorial?**
                ssl_prefer_server_ciphers on;
                ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        
                location / {
                        try_files $uri $uri/ =404;
                }
        }
        

        I don’t know why if I put everything in the same server block it doesn’t work.

        alexdo
        Site Moderator
        September 30, 2024

        Regarding your setup, it’s typical to use separate server blocks for HTTP (port 80) and HTTPS (port 443) because they handle traffic differently. The HTTP block uses the rewrite directive to redirect traffic to HTTPS, while the HTTPS block manages secure connections. Combining them into one block often doesn’t work due to these differences.

        As for your SSL cipher configuration, you’re using AES256+EECDH:AES256+EDH:!aNULL, which is strong and modern, focusing on forward secrecy. The default setting (HIGH:!aNULL:!MD5:!3DES) is broader and includes more ciphers for compatibility but disables weak ones. Your setup prioritizes stronger encryption, though it might limit compatibility with older clients.

        The separation of blocks is necessary because NGINX processes HTTP and HTTPS differently, and keeping them apart ensures smooth handling of both protocols.

        You can also test your SSL configuration for security and compatibility using tools like SSL Labs.

        I think you forgot mention that we have to put SSLEngine on statement inside Apache config file. It didn’t work for me unless I added that on Apache v2.4.7.

        +1 for this.

        Need SSLEngine on for Apache v2.4.7

        Mitchell Anicas
        DigitalOcean Employee
        February 23, 2015

        Thanks! Updated.

        alexdo
        Site Moderator
        September 30, 2024

        Yes, adding SSLEngine on in the Apache configuration is crucial for enabling SSL. Without this directive, Apache won’t handle SSL connections even if you have everything else configured properly. It’s easy to overlook, but it’s a vital part of enabling HTTPS on your server. Glad you caught that!

        Very comprehensive guide, thanks.

        One command that helped me debug was:

        sudo nginx -t 
        

        That tests your config to make sure it is valid and will report any errors.

        alexdo
        Site Moderator
        September 28, 2024

        This is a valid point. You can always check the syntax of your Apache or Nginx config the same way; the difference is the service name: nginx -t, or apachectl -t / apachectl configtest.

        Regards

        I am at the end of it but cannot run SSLCACertificateFile /home/abc/intermediate.crt and SSLCertificateChainFile /home/abc/intermediate.crt. both returns command not found error on Ubuntu 14.04 with apache 2.4.7.

        Mitchell Anicas
        DigitalOcean Employee
        March 3, 2015

        Those aren’t commands that you should run. Add those to the Apache configuration file.


          Hello, I am not able to redirect HTTP to HTTPS. I am using apache2. Could you please verify.

          alexdo
          Site Moderator
          October 30, 2024

          To redirect HTTP to HTTPS in Apache, you can follow two methods:

          1. Edit the HTTP Virtual Host: Open your site’s HTTP virtual host configuration file, usually located in /etc/apache2/sites-available/

          2. Using .htaccess for HTTP to HTTPS redirects is also effective, especially if you prefer to manage redirects at a directory level rather than in the main Apache configuration. I usually recommend this way; you can edit the site’s .htaccess file and use the following snippet:

          RewriteEngine On 
          RewriteCond %{HTTPS} !=on 
          RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
          

          Regards

          Hi, I’m trying to set up an SSL cert and getting this error:

          SSL_CTX_use_PrivateKey_file(“/home///example.com.key”) failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

          I am having the same issue; were you able to solve this?


            Did you ever figure this out? I’m having the same issue

            Not sure where to begin to be honest. I am using a WordPress droplet with Apache and Ubuntu 14.04. I have a Comodo SSL certificate with a .crt file and .bundle file. I followed the instructions, making adjustments to the naming. I tried the instructions here regarding the default conf file and I tried the instructions from Comodo at https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/ for Apache & mod_ssl.

            I have keys and crt and bundle files in both /home/myusername/ and in the /etc/ssl/ directory

            My modified 000-default.conf features the following:

            Listen 443 http
            
            
            <VirtualHost *:80>
               ServerName www.digitera.com
               Redirect permanent / https://www.digitera.com/
            </VirtualHost>
            
            <VirtualHost *:443>
            ServerName www.digitera.com
            SSLEngine on
                    SSLCertificateFile /etc/ssl/digitera_com.crt
                    SSLCertificateKeyFile /etc/ssl/digitera.com.key
                    SSLCertificateChainFile /etc/ssl/digitera_com.ca-bundle
            
            ServerAdmin webmaster@localhost
                    DocumentRoot /var/www/html
            ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
            </VirtualHost>
            

            I added the Listen command after seeing it on an Ubuntu forum.

            I get the following error in Firefox when I try to connect via https://www.digitera.com

            An error occurred during a connection to www.digitera.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) 
            

            In the comments section, Mitchell mentioned the default-ssl.conf file, but that is not part of the core tutorial.

            Which instructions should I be following? The instructions from Comodo, or the ones here? Should I be modifying just the 000-default.conf file or the default-ssl.conf one as well? Should I be leaving the .bundle file name alone or should I rename it to match the convention that is indicated in the base tutorial?

            Help !!!

            Ken

            Mitchell Anicas
            DigitalOcean Employee
            March 23, 2015

            Which version of Apache are you using? If it’s a 2.4.x, try replacing SSLCertificateChainFile with:

            SSLCACertificateFile /etc/ssl/digitera_com.ca-bundle
            

            Just a note about doing this if you have a one-click Drupal install:

            The file to edit won’t be

            sudo vi default
            

            But rather

            sudo vi drupal
            

            Then what you edit is not just one line but rather you need to edit this:

              listen 80 default_server;
              listen [::]:80 default_server ipv6only=on;
            

            into this:

              listen 443 ssl;
              listen [::]:443 ssl ipv6only=on;
            

            Finally, you won’t find the ‘server_name’ line. So right below the above lines, insert it like so:

            server_name example.com;
            

            The rest works as described in the tutorial.

            alexdo
            Site Moderator
            October 30, 2024

            Thanks for sharing this! We’ll look into updating the article with the latest revision if necessary!

            Regards

            I was trying to generate a CSR and private key…

            Got to this point in the tutorial:

            "This will generate a .key and .csr file. The .key file is your private key, and should be kept secure. The .csr file is what you will send to the CA to request your SSL certificate.

            You will need to copy and paste your CSR when submitting your certificate request to your CA. To print the contents of your CSR, use this command (replace the filename with your own):

            cat example.com.csr"

            I was able to get the CSR, but where did the KEY go? Newbie here, any help appreciated. Thanks.

            Mitchell Anicas
            DigitalOcean Employee
            April 2, 2015

            The KEY should be in a file in the same directory as the CSR, with a name like example.com.key.


              Thank you for the quick reply. Couldn’t find it, I probably deleted/misplaced it somehow. So decided to generate a new CSR & Key and request a re-issue of a new SSL certificate instead. Got a new cert emailed from Comodo minutes later.

              Thanks for the tutorial. Any help is always appreciated.

              I will say though that I had to spend quite a while figuring out why I was getting the following browser errors.

              Google Chrome:

              SSL connection error
              
              Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
              

              Error code: ERR_SSL_PROTOCOL_ERROR

              Firefox:

              An error occurred during a connection to mymurdermystery.party. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
              
              The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
              Please contact the web site owners to inform them of this problem.
              

              In the end I had to enable the configuration using:

              sudo a2ensite 000-default.conf

              alexdo
              Site Moderator
              October 30, 2024

              Thank you for sharing your solution, and I’m glad you figured it out! The ERR_SSL_PROTOCOL_ERROR and ssl_error_rx_record_too_long errors often indicate that Apache is listening for HTTPS traffic on a port where SSL isn’t configured correctly, or that the configuration itself isn’t fully enabled.

              Enabling your configuration with sudo a2ensite 000-default.conf was crucial because Apache requires the site configuration to be both enabled and active for SSL settings to take effect. Without that step, Apache can’t apply any SSL directives defined in the configuration file, which leads to SSL-related browser errors like the ones you experienced.

              Thanks again for the feedback! This will be helpful for anyone else troubleshooting similar issues!

              Regards

              Thanks Mitch

              Worked perfectly for me. I had absolutely no problems installing a wildcard SSL certificate from NameCheap on my Ubuntu 13.10 Apache 2.4.6 droplet.

              Hi there,

              I was trying to install an SSL certificate on Apache 2.4.7 on Ubuntu 14.04 x64 following the above instructions. I have purchased a certificate from GoDaddy. After finishing all the steps of the installation, when I try to restart the Apache server, I get an error message saying ‘Apache start failed’ and my site becomes inaccessible. I have got the following message in my server error log file:

              [Tue Apr 14 07:31:14.140280 2015] [ssl:emerg] [pid 1192] AH02238: Unable to configure RSA server private key
              [Tue Apr 14 07:31:14.140478 2015] [ssl:emerg] [pid 1192] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
              [Tue Apr 14 07:31:14.140496 2015] [ssl:emerg] [pid 1192] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information

              My server configuration file (000-default.conf) contains following lines:

              <VirtualHost *:80>
                 ServerName foodoli.com
                 Redirect permanent / https://mysite.com/
              </VirtualHost>
              
              <VirtualHost *:443>
                  ServerName foodoli.com
                  SSLEngine on
                  SSLCertificateFile /etc/ssl/mysite.com.crt
                  SSLCertificateKeyFile /etc/ssl/mysite.com.key
                  SSLCertificateChainFile /etc/ssl/intermediate.crt
              
                   ServerAdmin webmaster@localhost
                   DocumentRoot /var/www/html
              
                   <Directory /var/www/html/ >
                         Options Indexes FollowSymLinks MultiViews
                         AllowOverride All
                         Order allow,deny
                          allow from all
                    </Directory>
              </VirtualHost>
              
              

              I am kind of lost and can’t figure out where the actual problem is. Can you please help me here and let me know what the problem is? Thanks in advance.

              Mitchell Anicas
              DigitalOcean Employee
              April 14, 2015

              That means that your cert and key aren’t matching.

              To verify this, run the following commands:

              cd /etc/ssl
              openssl x509 -noout -modulus -in mysite.com.crt | openssl md5
              openssl rsa -noout -modulus -in mysite.com.key | openssl md5
              

              If the output doesn’t match exactly, you probably aren’t using the proper key file. You can either find the proper key file, or just create a new key and CSR and reissue the cert.

              Mitchell, this article was extremely helpful.

              However I have one question, in the section about “Install Certificate On Web Server,” you state that "the private key, SSL certificate, and, if applicable, the CA’s intermediate certificates are located in a home directory at /home/sammy"

              Is the “sammy” folder necessary for the process or is that an example name?

              Thank you for your clarification. This is my first time setting up an SSL.

              Mitchell Anicas
              DigitalOcean Employee
              April 16, 2015

              It’s an example username. The username that you should use is the one that you logged into the server as (and has sudo access).

              What if we don’t want to redirect all pages to https? If we are running a store and only want https on the checkout page would we set up the virtualhost *:80 and then copy everything from there into virtualhost *:443 to enable both without the redirect?

              Mitchell Anicas
              DigitalOcean Employee
              April 30, 2015

              There are a lot of different ways to do what you want.

              The problem with doing it the way you described is that your store will be accessible via HTTP. If you do it that way, you should at least redirect the directory of the store to the 443 VirtualHost.

              I should probably give more detail. I’m using Wordpress/WooCommerce which has a checkbox to “force SSL on checkout” and “force http upon leaving checkout”. So the checkout page will be safe (assuming the SSL certificate gets installed correctly of course).

              What are the ramifications of having the shop pages accessible via HTTP? Since it’s WordPress I don’t think I can redirect certain directories, although I could do a PHP redirect on all store pages, I guess.

              Thanks for this great article and all the comments!

              I wanted to share some tips and trouble shooting techniques:

              1. Check that the SSL.crt and mydomain.key are owned by root. Make sure to protect your private key chmod 600 mydomain.key

              2. Contact Support

              3. Is the SSL certificate installed? openssl s_client -CApath /etc/ssl/ -showcerts -connect mydomain.com:443 -servername mydomain.com

              4. What webserver am I running? wget --save-headers mydomain.com

              5. What port is nginx listening on? netstat -tulpn | grep "nginx"

              6. Open up the 443 port: iptables -I INPUT -p tcp --dport 443 -j ACCEPT

              alexdo
              Site Moderator
              September 28, 2024

              Thanks for sharing this. Also if you’re using UFW you can use sudo ufw allow 443

              Regards

              So, weirdly enough, I got a Comodo cert, loaded it up on a default Apache droplet (Ubuntu 14.04), and am getting the following when I hit the site with SSL enabled…

              Secure Connection Failed

              An error occurred during a connection to www.mycibt.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

              The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
              Please contact the website owners to inform them of this problem.
              

              Here is my config file:

              <VirtualHost www.mysite.com:80>
                  ServerAdmin webmaster@localhost
                  DocumentRoot /var/www/html
                  ErrorLog ${APACHE_LOG_DIR}/error.log
                  CustomLog ${APACHE_LOG_DIR}/access.log combined
              </VirtualHost>

              <VirtualHost www.mysite.com:443>
                  ServerAdmin webmaster@localhost
                  DocumentRoot /var/www/html
                  ErrorLog ${APACHE_LOG_DIR}/error.log
                  CustomLog ${APACHE_LOG_DIR}/access.log combined
                  SSLEngine on
                  SSLCertificateFile /etc/apache2/ssl/certs/mysite.com.crt
                  SSLCACertificateFile /etc/apache2/ssl/certs/intermediate.crt
                  SSLCertificateKeyFile /etc/apache2/ssl/certs/mysite.com.key
              </VirtualHost>

              Any ideas on this?

              Mitchell Anicas
              DigitalOcean Employee
              May 13, 2015

              That error can be caused by a variety of things (usually misconfigured Apache). Check the Apache error log for more hints: sudo tail -f /var/log/apache2/error_log, then open the site in a browser.

              The tutorial is missing a command that needs to be sent before restarting the apache server: a2ensite default-ssl

              I have installed the Rapid ssl in my Ubuntu 14.04.2 LTS. But the website is not loading after that. I am getting following message in browser “The page isn’t redirecting properly”

              my apache version is apache 2.4.7

              The conf file is available in /etc/apache2/sites-available/magento.conf is as follows

              <VirtualHost *:80>
                  ServerName mysite.co.uk
                  Redirect permanent / https://mysite.co.uk/
              </VirtualHost>

              <VirtualHost *:443>
                  ServerName www.mysite.co.uk
                  SSLEngine on
                  SSLProtocol all
                  SSLCertificateFile /etc/apache2/ssl/rapidssl_publickey_2015.crt
                  SSLCertificateKeyFile /etc/apache2/ssl/private.key
                  SSLCertificateChainFile /etc/apache2/ssl/rapidssl_intermediateca_2015.crt
                  ErrorLog ${APACHE_LOG_DIR}/error.log
                  CustomLog ${APACHE_LOG_DIR}/access.log combined
                  <Directory /var/www/html/magento>
                      AllowOverride All
                      Require all granted
                  </Directory>
              </VirtualHost>

              # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

              The ports.conf available in /etc/apache2/ports.conf as follows

              Listen 80

              <IfModule ssl_module>
                  Listen 443
              </IfModule>

              <IfModule mod_gnutls.c>
                  Listen 443
              </IfModule>

              # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

              The Apache error log I could see is as follows:

              [Fri May 29 23:42:51.054552 2015] [ssl:warn] [pid 2048] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
              [Fri May 29 23:42:51.054975 2015] [ssl:warn] [pid 2048] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
              [Fri May 29 23:42:51.055076 2015] [ssl:warn] [pid 2048] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
              [Fri May 29 23:42:51.222699 2015] [ssl:warn] [pid 2053] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
              [Fri May 29 23:42:51.223298 2015] [ssl:warn] [pid 2053] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
              [Fri May 29 23:42:51.223512 2015] [ssl:warn] [pid 2053] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
              [Fri May 29 23:42:51.227454 2015] [mpm_prefork:notice] [pid 2053] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.6 OpenSSL/1.0.1f configured – resuming normal operations
              [Fri May 29 23:42:51.227484 2015] [core:notice] [pid 2053] AH00094: Command line: ‘/usr/sbin/apache2’

              Can you please guide me on how we can resolve this? I have hosted the website on DigitalOcean. Also, every time I restart Apache I see the following message and have to enter the passphrase every time. Does that have any impact on the process?

              Apache needs to decrypt your SSL Keys for www.funnfrolic.co.uk:443 (RSA) Please enter passphrase:

              Mitchell Anicas
              DigitalOcean Employee
              June 1, 2015

              @rickthomas:

              1. “The page isn’t redirecting properly” is usually caused by a misconfigured application. Review your application’s settings that have to do with the URL or clear its cache.

              2. The ServerName directive in the :443 VirtualHost must match the CN (Common Name) that you set when you generated your key and CSR. This is probably causing the error in the Apache log.

              3. The passphrase prompt occurs because you encrypted your key with one when you created it. This can cause an issue if the process restarts automatically (e.g. after boot) and you aren’t there to enter the passphrase—Apache won’t start. You can create a key without a passphrase by using the -nodes option. There are other ways around this, but this is the simplest. You will have to regenerate the key/CSR and get RapidSSL to issue a new certificate.
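The three failure modes discussed in this thread (Mitchell's April 14, 2015 modulus comparison for the "key values mismatch" error, the ServerName/CN requirement in point 2 above, and the passphrase prompt in point 3) can be checked before the web server is ever restarted. The script below is an added example and is not part of the tutorial or of any commenter's setup. It assumes OpenSSL 1.1.1 or newer on PATH, builds throwaway test keys and a self-signed certificate for the constructed name www.example.test in a temporary directory, and goes slightly beyond Mitchell's command by comparing the full public key rather than the RSA modulus, so the same check also works for EC keys.

```shell
#!/bin/sh
# Added example, not from the tutorial or its comments: pre-flight checks to
# run on a key/certificate pair before pointing Apache or Nginx at it.
# Assumes OpenSSL 1.1.1 or newer on PATH; all file names below are constructed.
set -u

# Does the private key belong to the certificate?  Mitchell's check compares
# RSA moduli; comparing the full SubjectPublicKeyInfo works for RSA and EC keys.
# Prints "match" or "mismatch"; a mismatch is what Apache reports as
# "X509_check_private_key:key values mismatch" (AH02238).
key_matches_cert() {
    key=$1; crt=$2
    cert_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) \
        || { echo unreadable-cert; return 2; }
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) \
        || { echo unreadable-key; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# Does the certificate cover the name the ServerName / server_name directive
# will answer to?  A mismatch shows up in the Apache log as AH01909
# ("does NOT include an ID which matches the server name").
cert_matches_hostname() {
    crt=$1; host=$2
    if openssl x509 -noout -checkhost "$host" -in "$crt" 2>/dev/null \
        | grep -q 'does NOT match'; then
        echo mismatch; return 1
    fi
    echo match; return 0
}

# Is the key protected by a passphrase?  If so, Apache prompts for it on every
# (re)start and cannot come up unattended; keys made with -nodes are "plain".
key_is_encrypted() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; return 0; fi
    echo plain; return 1
}

# Constructed fixtures: a matching key/cert pair for www.example.test (the
# cert is self-signed only so the example runs offline) and an unrelated
# second key of the kind that causes the mismatch error.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj /CN=www.example.test \
        -addext subjectAltName=DNS:www.example.test \
        -keyout "$dir/good.key" -out "$dir/site.crt" >/dev/null 2>&1 \
    || openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj /CN=www.example.test \
        -keyout "$dir/good.key" -out "$dir/site.crt" >/dev/null 2>&1   # pre-1.1.1: no -addext
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh tls_preflight.sh
# (or source it and call key_matches_cert /etc/ssl/site.key /etc/ssl/site.crt)
demo() {
    d=$(make_fixtures)
    printf 'good key vs cert:   %s\n' "$(key_matches_cert "$d/good.key" "$d/site.crt")"
    printf 'wrong key vs cert:  %s\n' "$(key_matches_cert "$d/other.key" "$d/site.crt")"
    printf 'www.example.test:   %s\n' "$(cert_matches_hostname "$d/site.crt" www.example.test)"
    printf 'shop.example.test:  %s\n' "$(cert_matches_hostname "$d/site.crt" shop.example.test)"
    printf 'key passphrase:     %s\n' "$(key_is_encrypted "$d/good.key")"
    rm -rf "$d"
}
demo
```

Each function prints a one-word verdict and uses its exit status the same way, so the checks can be chained in a deployment script (for example, refuse to run `a2ensite` or reload Nginx unless `key_matches_cert` and `cert_matches_hostname` both succeed). For a certificate from a commercial CA, run the hostname check against every name you put in the CSR, including the www and bare variants.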

              Great Tutorial Thanks

              Help!

              I’m trying to get SSL to work on a client’s website (http://crsupplements.com/) and it doesn’t seem to be working. I am using DO’s one click Wordpress with Ubuntu 14.04 image, using Apache 2.4.7

              Here is my Apache Host configuration file. (/etc/apache2/sites-available/000-default.conf)

              <VirtualHost *:80>
                 ServerName crsupplements.com
                 Redirect permanent / https://crsupplements.com/
              </VirtualHost>
              <VirtualHost *:443>
               	ServerName crsupplements.com
              	SSLEngine on
              	SSLCertificateFile /home/elijah/CRSUPPLEMENTS.COM.crt
              	SSLCertificateKeyFile /home/elijah/crsupplements.com.key
              	SSLCertificateChainFile	/home/elijah/intermediate.crt
              
              	ServerAdmin admin@crsupplements.com
              	DocumentRoot /var/www/html
              
              	ErrorLog ${APACHE_LOG_DIR}/error.log
              	CustomLog ${APACHE_LOG_DIR}/access.log combined
              </VirtualHost>
              
              # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
              

              Going to https://crsupplements.com/ just says that the connection is untrusted and is a self-signed certificate. I can add an exception but it then says 403 Forbidden, you can’t access / on this server. I bought the domain and cert from register.com and they told me in what order to put the intermediate certs in, so I am pretty sure that is correct. What am I missing? Do I need to do something to WordPress? Thanks!

              Mitchell Anicas
              DigitalOcean Employee
              June 15, 2015

              Is 000-default.conf the only file that is linked in /etc/apache2/sites-enabled ?

              Did you get this fixed? I’m having the same problem now.

              my default-ssl.conf is the only linked file in /sites-enabled

              Is this where the problem is?

              Hello. I am having the same problem as well. How did you manage to fix your error? Thank you.

              A couple of good resources to test that the certificate is all ‘clean & green’:

              https://www.sslshopper.com/ssl-checker.html
              https://www.whynopadlock.com

              These will spot any problems with your SSL chain, and the last link will also identify non secure content.

              alexdo
              Site Moderator
              September 28, 2024

              I’ve used both sites in the past for test purposes and they work just fine. Another option will be to run a curl from the command line as well.

              Regards

              Hello, what application should I choose when I am using Nginx as a reverse proxy for Apache, which I set up following this tutorial: How To Configure Nginx as a Reverse Proxy for Apache.

              Thank you

              This was super, super helpful. Thank you!

              Awesome tutorial, Mitchell! But I have a problem. I am running a WordPress multisite, currently with 4 blogs. Two of them need SSL certificates. I successfully ran the tutorial to install the certificate for the main blog. Great. But then, all the blogs are pointing to the main URL. Well, that was obvious, since the tutorial redirects *:80 to a single URL. (Important to say that I am using domain mapping, and before the SSL config, the redirection was working properly.)

              I tried some configurations in the 000-default.conf, but none of them worked. Let me try some logic… yeah, I believe I’m wrong, but… Let’s say I have mainurl.ssl.com, that should have some subdomains, like store.mainurl.ssl.com. Also I have secondary.ssl.com, and thirdurl.nossl.com

              And here is the 000-default.conf I came up with:

              <VirtualHost *.mainurl.ssl.com:80>
                      ServerName mainurl.ssl.com
                      Redirect permanent / https://mainurl.ssl.com
              </VirtualHost>
              
              <VirtualHost secondaryurl.ssl.com:80>
                      #ServerName secondaryurl.ssl.com
                      Redirect 11.22.219.234 #my server ip
              </VirtualHost>
              
              <VirtualHost thirdurl.nossl.com:80>
                      ServerName thirdurl.nossl.com
                      Redirect 11.22.219.234
              </VirtualHost>
              
              
              <VirtualHost *.mainurl.ssl.com:443>
                      ServerName mainurl.ssl.com
                      SSLEngine on
                      SSLCertificateFile /home/paulo/mainurl.ssl.com.crt
                      SSLCertificateKeyFile /home/paulo/mainurl.ssl.com.key
                      SSLCACertificateFile /home/paulo/mainurl.ssl.com.ca-bundle
              
                      ServerAdmin webmaster@localhost
                      DocumentRoot /var/www/html
              
                      ErrorLog ${APACHE_LOG_DIR}/error.log
                      CustomLog ${APACHE_LOG_DIR}/access.log combined
              </VirtualHost>
              
              <VirtualHost secondaryurl.ssl.com:443>
                      ServerName secondaryurl.ssl.com
                      SSLEngine on
                      SSLCertificateFile /home/paulo/secondaryurl.ssl.com.crt
                      SSLCertificateKeyFile /home/paulo/secondaryurl.ssl.com.key
                      SSLCACertificateFile /home/paulo/secondaryurl.ssl.com.ca-bundle
              
                      ServerAdmin webmaster@localhost
                      DocumentRoot /var/www/html
              
                      ErrorLog ${APACHE_LOG_DIR}/error.log
                      CustomLog ${APACHE_LOG_DIR}/access.log combined
              </VirtualHost>
              
              <VirtualHost thirdurl.nossl.com:443>
                      #ServerName secondaryurl.ssl.com
                      
                      ServerAdmin webmaster@localhost
                      DocumentRoot /var/www/html
              
                      ErrorLog ${APACHE_LOG_DIR}/error.log
                      CustomLog ${APACHE_LOG_DIR}/access.log combined
              </VirtualHost>
              
              # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
              
              

              I used the ‘*’ in <VirtualHost *.mainurl.ssl.com:80>, thinking it stands for the subdomains. I tried that, and other configurations, but none of them worked.

              Is there a way to setup SSL certificates for blogs in wordpress multisites? I would love some help on this.

              Thanks a lot!

              I Tried this tutorial too: https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04

              But in the end it resulted in an error; Apache said that the site did not exist. =P

              And I realized another problem, a very serious one btw… Using a permalink like url.com/category/my-post, the browser did not load the page at all, saying that it was not possible to establish a secure connection. :(

              Mitchell,

              Excellent write-up! The TLS/SSL configuration instructions for Nginx were great; I wanted to share the config for Apache 2.4.x too, for those of you who are concerned about SSLv3 and the POODLE vulnerability.

              Edit: /etc/apache2/mods-available/ssl.conf

              SSLProtocol all
              

              –to something like–

              SSLProtocol TLSv1 TLSv1.1 TLSv1.2
              

              sudo service apache2 reload

              alexdo
              Site Moderator
              October 30, 2024

              Thanks for sharing this!

              As for the latest version, 1.3, you can also add:

              SSLProtocol TLSv1.3
              

              Regards

              Hi Guys! I need a help:

              I already have an SSL certificate from GoDaddy installed on my domain >> mydomain.com.br. That’s OK, working fine.

              But, now I need to setup another single cert in a subdomain (for my mobile version) >> m.mydomain.com.br

              How can I do this configuration in my droplet? I have a Ubuntu 12.10 x64 Server with Nginx

              The certificate is already in the right folder. I just need to set up the Nginx configuration.

              Thanks!!!

              Mitchell Anicas
              DigitalOcean Employee
              July 23, 2015

              You can add a new server block in the /etc/nginx/sites-enabled directory.

              For example, open a new file called mobile:

              sudo vi /etc/nginx/sites-enabled/mobile
              

              Then add a new server block. It might look something like this:

              server {
                  listen 443 ssl;
                  server_name m.mydomain.com.br;
                  ssl_certificate /cert/path/m.mydomain.com.br.chained.crt;
                  ssl_certificate_key /cert/path/m.mydomain.com.br.key;
              ...
              }
              

              Then be sure to add the rest of your configuration in that server block.

              I followed the Apache instructions. Managed to break the site.

              Mitchell Anicas
              DigitalOcean Employee
              July 30, 2015

              Do you see anything in the error logs?

              I abandoned this approach and modified the default-ssl.conf file, which is really where this configuration should be done.

              I have followed these instructions and am now just timing out. If I point directly to the HTTPS version of the IP address it resolves, but obviously the cert shows a mismatched domain error.

              Any idea why the live site would be a white - timedout page?

              Mitchell Anicas
              DigitalOcean Employee
              July 31, 2015

              Which web server are you using? If the HTTP to HTTPS redirect isn’t working, try focusing on the port 80 VirtualHost or server block.

              I was able to fix the timeout, but now have redirect loop errors. I am using the WordPress droplet, so Apache. This is my 000-default.conf file: http://pastebin.com/PyxvBZDL

              I used a2dissite on all other confs, if that makes sense.

              Mitchell Anicas
              DigitalOcean Employee
              July 31, 2015

              Make sure you don’t have a stray redirect somewhere else, like an .htaccess file, and check your Wordpress permalink settings.

              After creating mydomain.ssl.conf, do I need to keep mydomain.conf too, or may I delete it?

              Mitchell Anicas
              DigitalOcean Employee
              August 7, 2015

              I’m not sure what you mean. Could you clarify your question?

              sorry, I mixed your text with another I was reading about that. Let me clarify for you. Maybe you can help.

              My Nginx was installed with the default package from serverpilot.io. They install Nginx-sp, then my server block stays under this folder:

              /etc/nginx-sp/vhosts.d/mydomain/

              When I first went into this folder, there was a file called “mydomain.conf”. Then, I created another called “mydomain.ssl.conf” with all the instructions you wrote in this article: listen 443 ssl; server_name example.com; ssl_certificate /home/sammy/example.com.chained.crt; ssl_certificate_key /home/sammy/example.com.key; AND ALL YOU MENTIONED…

              My question is: do I have to keep both files, the original /etc/nginx-sp/vhosts.d/mydomain/mydomain.conf and the new /etc/nginx-sp/vhosts.d/mydomain/mydomain.ssl.conf?

              In the original file original : mydomain.conf there is the defaul configuration from Nginx-sp such as:

              server { listen 80; liste [::]80; server_name mydomain www.mydomain; root xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/public/; access_log xxxxxxxxxxx error_log xxxxxxxxx … }

              Thank you very much!

              Mitchell Anicas
              DigitalOcean Employee
              August 7, 2015

              It looks like your mydomain.conf file is configured to allow HTTP connections. If you want your users to be able to access your site through HTTP (in addition to HTTPS), you should keep the file. If you want HTTPS-only, you should probably redirect the HTTP traffic to HTTPS.

              I followed the tutorial exactly and I get “Secure Connection Failed” when trying the URL in Firefox. I purchased a PositiveSSL from namecheap.com and this is my config file:

              <VirtualHost *:443>
              	# The ServerName directive sets the request scheme, hostname and port that
              	# the server uses to identify itself. This is used when creating
              	# redirection URLs. In the context of virtual hosts, the ServerName
              	# specifies what hostname must appear in the request's Host: header to
              	# match this virtual host. For the default virtual host (this file) this
              	# value is not decisive as it is used as a last resort host regardless.
              	# However, you must set it for any further virtual host explicitly.
              	ServerName gifthero.co.uk
              
              	# SSL setting
              	SSLEngine on
              	SSLCertificateFile /etc/apache2/ssl/gifthero_co_uk.crt
              	SSLCertificateKeyFile /etc/apache2/ssl/gifthero.co.uk.key
              	SSLCACertificateFile /etc/apache2/ssl/COMODORSAAddTrustCA.crt	
              
              	ServerAdmin i@gifthero.co.uk
              	DocumentRoot /var/www/html
              
              	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
              	# error, crit, alert, emerg.
              	# It is also possible to configure the loglevel for particular
              	# modules, e.g.
              	#LogLevel info ssl:warn
              
              	ErrorLog ${APACHE_LOG_DIR}/error.log
              	CustomLog ${APACHE_LOG_DIR}/access.log combined
              
              	# For most configuration files from conf-available/, which are
              	# enabled or disabled at a global level, it is possible to
              	# include a line for only one particular virtual host. For example the
              	# following line enables the CGI configuration for this host only
              	# after it has been globally disabled with "a2disconf".
              	#Include conf-available/serve-cgi-bin.conf
              </VirtualHost>
              # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
              
              Mitchell Anicas
              DigitalOcean Employee
              August 13, 2015

              Is there a more specific error code after the “Secure Connection Failed” line? That will usually help you pinpoint the issue. If not, you can check the Apache error log (sudo tail /var/log/apache2/error.log). Please post the error code.

              If I have more than one CA certificate, how would I need to name them? I have 3.

              Mitchell Anicas
              DigitalOcean Employee
              August 13, 2015

              The names are arbitrary. If you have three intermediate certificates from different providers, you should probably name them based on the CAs that they belong to.

              If you have three different sites with separate SSL certificates, you will probably want to name them after the domains that they cover.

              After configuring Apache for my SSL certificate (all certificates created and uploaded successfully) I’m still finding that HTTPS web requests are completely ignoring the certificates or are unable to find them. What do I need to do with my .conf files or my virtual hosts in order to use the settings in “/000-default.conf”?

              I’ve already disabled the default “self-signed” ssl by changing the virtualhost in “default-ssl.conf” to:

              <VirtualHost 127.0.0.1:443>

              (before ssl labs site test was showing the default self-signed ssl)

              It looks like this has to do with the default settings that the wordpress ubuntu package comes with, so any help or direction would be great, thanks so much.

              Graham

              alexdo
              Site Moderator
              October 30, 2024

              To ensure Apache is using your new SSL certificate and not falling back to the self-signed one, here are some adjustments you can make:

              1. Specify the SSL certificate in the virtual host: open your SSL virtual host file (e.g., /etc/apache2/sites-available/000-default.conf, or create a new SSL virtual host file if needed) and add the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives to specify your certificate paths:
              <VirtualHost *:443>
                  ServerName yourdomain.com
                  DocumentRoot /path/to/your/site
              
                  SSLEngine on
                  SSLCertificateFile /path/to/your/certificate.crt
                  SSLCertificateKeyFile /path/to/your/private.key
                  # Optional, if needed (Apache does not accept a comment after a directive on the same line)
                  SSLCertificateChainFile /path/to/your/chainfile.pem
              
                  # Additional configuration (e.g., for WordPress)
                  <Directory /path/to/your/site>
                      AllowOverride All
                  </Directory>
              </VirtualHost>
              
              2. Disable the default SSL configuration: since you modified default-ssl.conf, ensure it’s disabled to avoid conflicts:
              sudo a2dissite default-ssl
              
              3. Enable your custom SSL configuration: if 000-default.conf is your custom SSL virtual host file, enable it to make sure Apache reads it:
              sudo a2ensite 000-default.conf
              
              4. Verify modules and reload: make sure the ssl and rewrite modules are enabled, then restart Apache:
              sudo a2enmod ssl rewrite
              sudo systemctl restart apache2
              
              5. Check Apache’s default SSL host: Apache may need a specific default SSL host for HTTPS requests. If you want 000-default.conf to be the default, ensure no other configurations are intercepting HTTPS traffic.

              After these changes, try running an SSL test again. Let me know if this resolves it or if more details are needed on the WordPress package configuration!

              Regards

              Don’t forget you may have previously used iptables to lock down your server. If, after setting up SSL, you get a timeout with no errors in the logs, on Ubuntu run:

              sudo ufw allow 443

              alexdo
              Site Moderator
              September 28, 2024

              This is a valid point. You should make sure that port 443 is open and allowed in your Firewall configuration.

              Regards


                This is an excellent guide!! Thank you for explaining not just the technical details, but also some of the background regarding different SSL products and certificate types. This has really been enlightening.

                Thanks for the great tutorial. I just set this up on my server using Namecheap’s SSL certificate but there was a major disconnect in the article for me. I wasn’t able to complete the installation without referring to other sources. Hopefully this comment will help others with the same issue and get the author to modify the original article.

                With Namecheap, I received two files/keys, but it was unclear to me which file is the ‘site certificate’ and which is the one to be renamed to ‘intermediate.crt’. In hindsight it seems obvious but when going through the tutorial I got stuck.

                In the downloaded package from Namecheap, one file is in the form *.crt and the other *.ca-bundle. The .crt file is the ‘site certificate’, and the .ca-bundle file is the ‘CA intermediate certificate’, which should be renamed to ‘intermediate.crt’.

                When you combine the site certificate (.crt file) and the intermediate certificate (.ca-bundle file), in that order, you create the chained certificate (.chained.crt file), which can be used in conjunction with the private key (created in the beginning) to serve the site with Nginx.

                I received three files: example_com.crt, example_com.p7b and example_com.ca-bundle.

                I am running wordpress on Ubuntu 14.0 with nginx. How do I proceed with regards to intermediate.crt?

                Rename example_com.ca-bundle to intermediate.crt and follow the instructions above. You do not need the .p7b file. The example_com.crt is your site certificate.

                Thanks. It worked. I found that I actually did not need to rename the files I got from my CA. I have a PositiveSSL from comodo via namecheap. I did the following command, if you have a .crt and .ca-bundle:

                cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle > example.com.chained.crt

                After the sudo service apache2 restart command, I get the following message.

                AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:5
                AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
                

                and I can still access the site over HTTP but not HTTPS, with the error “SSL connection error ERR_SSL_PROTOCOL_ERROR”.

                Any suggestions?

                Well, I figured it out by myself.

                Helpful link: “apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName … waiting apache2:”

                So I checked /etc/hosts file where it said

                127.0.0.1 localhost
                127.0.1.1 Robobu Robobu
                
                # The following lines are desirable for IPv6 capable hosts
                ::1 ip6-localhost ip6-loopback
                fe00::0 ip6-localnet
                ff00::0 ip6-mcastprefix
                ff02::1 ip6-allnodes
                ff02::2 ip6-allrouters
                

                and I changed “127.0.1.1 Robobu Robobu” to “127.0.1.1 robobu.io robobu”; no more error after the sudo service apache2 restart command!

                Though I still couldn’t get HTTPS working…

                to be continued… Receiving FATAL ERROR for mod_ssl

                I have the same error message, the only difference is that I’m using Nginx

                alexdo
                Site Moderator
                October 4, 2024

                First, ensure mod_ssl is enabled. You can do this by running sudo a2enmod ssl and then restarting Apache with sudo service apache2 restart to make sure mod_ssl is active.

                Next, check your SSL configuration file. If there’s an error in your SSL configuration, that could trigger the issue. Review your SSL virtual host file, typically located at /etc/apache2/sites-available/default-ssl.conf, for any mistakes in the paths to your SSL certificate files.

                It’s important to verify that the paths for SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile in your configuration point to the correct and valid certificates.

                Sometimes, other Apache modules, such as old mod_ssl versions or incorrect mod_rewrite rules, can conflict with your SSL setup. Check for duplicate configurations in your Apache virtual hosts or conflicting modules.

                Lastly, examine the Apache logs. Apache logs often provide detailed clues. You can check the logs for any FATAL errors in /var/log/apache2/error.log or similar log files.

                If mod_ssl is properly configured and active, these steps should help resolve the FATAL error you’re seeing.

                Excellent work, thanks so much!!

                Please, I need some help.

                I’m trying to install my SSL certificate and to use Nginx as the frontend of my Tomcat application. I got my SSL certificate from GoDaddy; I struggled a lot but I managed to generate it. After I installed Nginx and set everything up, I noticed that I had a key values mismatch. I spent a lot of time but I managed to get their moduli to match, and then I finally got Nginx to start. Now I just can’t reach my domain with HTTPS as desired; I receive on Chrome the message:

                SSL connection error

                ERR_SSL_PROTOCOL_ERROR Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.

                The log files (access and error) at /var/log/nginx are completely empty, and here is my nginx.conf file, which I got as a sample from here: https://github.com/loftuxab/alfresco-ubuntu-install/blob/master/nginx/nginx.conf

                user www-data;
                worker_processes 2;
                pid /run/nginx.pid;
                
                events {
                	worker_connections 1024;
                	# multi_accept on;
                }
                
                http {
                
                	##
                	# Basic Settings
                	##
                
                	sendfile on;
                	tcp_nopush on;
                	tcp_nodelay on;
                	keepalive_timeout 65;
                	types_hash_max_size 2048;
                	server_tokens off;
                
                	server_names_hash_bucket_size 64;
                
                	include /etc/nginx/mime.types;
                	default_type application/octet-stream;
                
                	##
                	# Logging Settings
                	##
                
                	access_log on;
                	access_log /var/log/nginx/access.log;
                	error_log /var/log/nginx/error.log;
                
                	##
                	# Gzip Settings
                	##
                
                	gzip                on;
                	gzip_disable        "msie6";
                	gzip_http_version   1.1;
                	gzip_comp_level     6;
                	#gzip_min_length    256;
                	gzip_buffers        16 8k;
                	gzip_proxied		any;
                	gzip_types          text/xml text/plain application/json text/javascript application/javascript application/x-javascript text/css text/csv text/x-markdown text/x-web-markdown application/atom+xml application/rss+xml application/atomsvc+xml;
                	#gzip_vary           on;
                
                	# Set proxy cache path
                	proxy_cache_path /var/cache/nginx/alfresco levels=1 keys_zone=alfrescocache:256m max_size=512m inactive=1440m;
                
                	# Main website Tomcat instance
                	upstream alfresco {
                		server localhost:8080;
                	}
                
                	# Uncomment if you want redirect to https
                	server {
                		listen        80 default_server ;
                		listen   [::]:80 default_server ipv6only=on;
                		server_name mydomain.com  www.mydomain.com;
                		server_name_in_redirect off;
                		rewrite ^ https://mydomain.com permanent;
                	}
                
                	# Default server config. Update servername.
                	server {
                		#listen        80 default_server ;
                		#listen   [::]:80 default_server ipv6only=on;
                		listen        443 default_server ssl;
                		#listen        443 ssl spdy default_server;
                		server_name www.mydomain.com;
                
                		root /opt/alfresco/www;
                		index index.html index.htm;
                
                		# Redirecto root requests to Share
                		rewrite ^/$	/share;
                
                		ssl		    on;
                		ssl_certificate       /etc/nginx/ssl/a.crt;
                		ssl_certificate_key   /etc/nginx/ssl/a.key;
                
                		ssl_session_timeout  15m;
                
                		ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                		ssl_prefer_server_ciphers on;
                		ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
                
                		# spdy Support, use add_header if you do not use redirection from http to https
                		#add_header        Alternate-Protocol  443:npn-spdy/2;
                		#spdy_headers_comp 4;
                
                		location / {
                			# First attempt to serve request as file, then
                			# as directory, then fall back to displaying a 404.
                			try_files $uri $uri/ /index.html;
                			# Uncomment to enable naxsi on this location
                			# include /etc/nginx/naxsi.rules
                		}
                
                		# redirect server error pages to the static page /50x.html
                		#
                		error_page 502 503 504 /maintenance.html;
                		location = /maintenance.html {
                			root   /opt/alfresco/www;
                		}
                
                		# Access to old Alfresco web client. Remove this location if not needed.
                		location /alfresco {
                
                			# Allow for large file uploads
                			client_max_body_size 0;
                
                			# Proxy all the requests to Tomcat
                			proxy_http_version 1.1;
                			#proxy_buffering off;
                			proxy_pass http://alfresco;
                			proxy_set_header Host $http_host;
                			proxy_set_header X-Real-IP $remote_addr;
                			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                			proxy_set_header X-Forwarded-Host $http_host;
                			proxy_set_header X-Forwarded-Server $host;
                		}
                
                		location /share {
                
                			# Allow for large file uploads
                			client_max_body_size 0;
                
                			# Proxy all the requests to Tomcat
                			proxy_http_version 1.1;
                			#proxy_buffering off;
                			proxy_pass http://alfresco;
                			proxy_set_header Host $http_host;
                			proxy_set_header X-Real-IP $remote_addr;
                			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                			proxy_set_header X-Forwarded-Host $http_host;
                			proxy_set_header X-Forwarded-Server $host;
                		}
                
                		location /share/proxy/alfresco {
                			# This section is for allowing to rewrite 50x response to 401 on Ajax req.
                			# This forces Share to reload page, and thus display maintenance page
                
                			# Allow for large file uploads
                			client_max_body_size 0;
                
                			# Proxy all the requests to Tomcat
                			proxy_http_version 1.1;
                			#proxy_buffering off;
                			proxy_pass http://alfresco;
                			proxy_set_header Host $http_host;
                			proxy_set_header X-Real-IP $remote_addr;
                			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                			proxy_set_header X-Forwarded-Host $http_host;
                			proxy_set_header X-Forwarded-Server $host;
                			proxy_intercept_errors on;
                			error_page 502 503 504 =401 /maintenance.html;
                		}
                
                		location /share/res/ {
                
                			# Proxy all the requests to Tomcat
                			proxy_http_version 1.1;
                			proxy_pass http://alfresco;
                			proxy_set_header  Host $http_host;
                
                			proxy_cache alfrescocache;
                			proxy_cache_min_uses 1;
                			proxy_cache_valid  200 302 1440m;
                			proxy_cache_valid  404 1m;
                			proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
                		}
                	}
                }
                

                As nobody knows and/or doesn’t seem to want to help, there’s nothing to do other than return the SSL to the CA.

                alexdo
                Site Moderator
                October 4, 2024

                I know it’s been a while since the question was asked, however I still want to address the issue.

                The error you’re encountering often stems from issues with the SSL handshake between the client and server, which could be caused by misconfigurations in Nginx. First, make sure that the paths to your SSL certificate and key in your Nginx configuration are correct. Verify that the files exist at those paths and have the right permissions.

                Additionally, ensure you’ve properly combined your certificate chain. Browsers need a complete chain of trust, so concatenate your domain certificate, intermediate certificate, and root certificate in the correct order, then update your Nginx config to point to this full certificate chain.

                It’s also important to use compatible and secure SSL protocols and ciphers. Update your Nginx configuration with widely accepted protocols like TLSv1.2 and modern ciphers. If you’ve been making several changes to the configuration, clearing your browser cache or testing the site in incognito mode might help resolve any issues with cached SSL settings.

                Check your Nginx log files after restarting the service to see if any additional errors are being recorded. Finally, testing the SSL connection using openssl can help you see the certificate chain and identify handshake issues. Disabling any client certificate requirements in the Nginx configuration might also resolve the issue if the server is unexpectedly asking for one.

                “Set up a web server of your choice. For example, a LEMP (Nginx) or LAMP (Apache) server–be sure to configure the web server software to use the name of your registered domain”

                Thanks for the guide, it will be very useful I’m sure. Am I right in assuming therefore that it’s not possible to fully test SSL operation on a test site (e.g. a clone of the original) that is accessed only by IP address before applying SSL to the live site?

                alexdo
                Site Moderator
                October 4, 2024

                Yes, you’re correct in assuming that SSL certificates are typically bound to domain names, not IP addresses. SSL certificates validate the ownership of a specific domain, so you can’t fully test SSL on a site that is accessed solely by its IP address. When accessing via an IP address, the browser won’t find a domain name match for the SSL certificate, leading to errors or warnings.

                However, there are a few workarounds to test SSL on a staging or clone environment before applying it to the live site:

                1. Set up a subdomain for testing: You can create a subdomain (like test.yourdomain.com) and apply an SSL certificate to it. Many SSL certificate providers allow adding subdomains at no extra cost. This lets you test everything with a real domain while keeping your main site untouched.

                2. Use a self-signed certificate: For internal testing, you can generate a self-signed SSL certificate. While this will show warnings in browsers because it’s not trusted by a Certificate Authority (CA), it allows you to test the SSL setup and ensure everything works technically before moving to production.

                3. Hosts file modification: If you want to test using the same domain as the live site but without making DNS changes, you can edit the hosts file on your local machine. This allows you to map the domain name to the IP address of your test server locally, and the browser will load the test site when you enter the domain name. You can install the SSL certificate and check if everything is working before applying it to your live environment. However, this only works on your local machine.

                4. Use a test CA: Some certificate authorities offer test certificates that you can use in development environments. These are not trusted by browsers, but they allow you to configure SSL and test everything thoroughly without using the actual live certificate.

                While you can’t test the exact certificate on an IP address alone, these methods let you get close to a full SSL simulation without applying changes to the live site.

                Regards

                Hi,

                I am trying to install SSL on the sub-domain app.topnotepad.com.

                It’s a Comodo PositiveSSL.

                I created the intermediate.crt file by manually appending (in the Notepad editor), in the following order: COMODORSADomainValidationSecureServerCA + COMODORSAAddTrustCA + AddTrustExternalCARoot, and placed it in /etc/ssl/.

                Here is what my 000-default.conf file looks like:

                <VirtualHost *:80>
                    ServerName app.topnotepad.com
                    Redirect permanent / https://app.topnotepad.com/
                </VirtualHost>

                <VirtualHost *:443>
                    ServerName app.topnotepad.com
                    SSLEngine on
                    SSLCertificateFile /etc/ssl/app.topnotepad.com.crt
                    SSLCertificateKeyFile /etc/ssl/app.topnotepad.com.key
                    SSLCertificateFile /etc/ssl/intermediate.crt
                    ServerAdmin webmaster@localhost
                    DocumentRoot /var/www/html
                
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
                </VirtualHost>

                When I try to connect to https://app.topnotepad.com, none of the browsers connect, PLEASE HELP!

                Note, without HTTPS it takes me to the site; not sure what I am missing…

                alexdo
                Site Moderator
                October 4, 2024

                The SSLCertificateChainFile should be used for the intermediate certificates, not the SSLCertificateFile. You need to ensure that the entire certificate chain is correctly referenced.

                Here’s the corrected version of your 000-default.conf:

                <VirtualHost *:80>
                    ServerName app.topnotepad.com
                    Redirect permanent / https://app.topnotepad.com/
                </VirtualHost>
                
                <VirtualHost *:443>
                    ServerName app.topnotepad.com
                    SSLEngine on
                    SSLCertificateFile /etc/ssl/app.topnotepad.com.crt
                    SSLCertificateKeyFile /etc/ssl/app.topnotepad.com.key
                    SSLCertificateChainFile /etc/ssl/intermediate.crt
                
                    ServerAdmin webmaster@localhost
                    DocumentRoot /var/www/html
                
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
                </VirtualHost>
                

                Ensure the SSLCertificateFile points to your domain’s certificate (the one issued to app.topnotepad.com), the SSLCertificateKeyFile points to the private key file that matches your certificate, and the SSLCertificateChainFile points to the intermediate certificate (the one you manually created).

                After making these changes, restart Apache with the command sudo service apache2 restart. Once restarted, check again if the site loads with HTTPS.

                If you still face issues, check the Apache error logs located at /var/log/apache2/error.log for specific errors that can help identify the problem.
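The three things the replies in this thread keep circling back to (does the private key belong to the certificate, is the site certificate first in the chained file, and does the chain reach a trusted root) can all be checked locally before the server config is touched. The script below is an added example, not code from the tutorial or from anyone in this thread; it uses only the openssl CLI, builds a throwaway demo PKI for example.com with constructed names (Demo Root CA, Demo Intermediate CA), and the same checks apply to Nginx's chained ssl_certificate file or to Apache's SSLCertificateFile plus SSLCertificateChainFile.

```shell
#!/bin/sh
# Added example (not from the tutorial or its comments): local sanity checks
# for a certificate, its key and its chain file, using only the openssl CLI.
# The PKI built by make_demo_pki is constructed on the fly for the demo.
set -eu

# Build a throwaway root -> intermediate -> leaf chain in directory $1 for
# hostname $2, plus an unrelated key that stands in for a "key mismatch".
make_demo_pki() {
  d=$1; cn=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/$cn.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/$cn.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/wrong.key" 2>/dev/null
}

# Does the private key belong to this certificate? Both sides are reduced to
# the public key and compared; a difference is the "key values mismatch"
# error Nginx and Apache refuse to start with.
key_matches_cert() {   # $1 = certificate PEM, $2 = private key PEM
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the chained file in the order the server will send it: the site
# certificate first, then each issuer in turn? Lists subject/issuer pairs in
# file order and requires that certificate k+1 is the issuer of certificate k.
chain_order_ok() {   # $1 = chained PEM file, $2 = hostname expected in the first cert
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
  awk -v cn="$2" '
    /^subject=/ { subj[++n] = substr($0, 9) }
    /^issuer=/  { iss[n]    = substr($0, 8) }
    END {
      if (n < 2 || index(subj[1], cn) == 0) exit 1
      for (k = 1; k < n; k++) if (subj[k + 1] != iss[k]) exit 1
      exit 0
    }'
}

# Does the site certificate chain up to the trusted root through the
# intermediates in the chained file? This is what a browser does on connect.
chain_verifies() {   # $1 = trusted root PEM, $2 = chained PEM, $3 = site cert PEM
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

main() {
  d=$(mktemp -d)
  make_demo_pki "$d" example.com
  # Correct order, as in the tutorial: site certificate, then the intermediate.
  cat "$d/example.com.crt" "$d/int.crt" > "$d/example.com.chained.crt"
  # The common mistake: intermediate first.
  cat "$d/int.crt" "$d/example.com.crt" > "$d/reversed.crt"

  key_matches_cert "$d/example.com.crt" "$d/example.com.key" && echo "example.com.key matches the certificate"
  key_matches_cert "$d/example.com.crt" "$d/wrong.key" || echo "wrong.key does not match (key values mismatch)"
  chain_order_ok "$d/example.com.chained.crt" example.com && echo "example.com.chained.crt: order ok"
  chain_order_ok "$d/reversed.crt" example.com || echo "reversed.crt: site certificate is not first"
  chain_verifies "$d/root.crt" "$d/example.com.chained.crt" "$d/example.com.crt" && echo "chain verifies up to the root"
  chain_verifies "$d/root.crt" "$d/example.com.crt" "$d/example.com.crt" || echo "site certificate alone: incomplete chain"
  rm -rf "$d"
}
main
```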

                awesome tutorial. thanks :)

                Upon completion of this tutorial I was left with a redirect loop (partially my own fault but I discovered a needed improvement) and most importantly this leaves known insecure ssl_ciphers in use. :|

                So the redirect loop was caused by two errors. One placing the redirect in the existing server { } block and not a separate one (my fault, derp). :/ Also the use of a taxing rewrite, see this link for details.

                But basically instead of rewrite ^/(.*)$ http://example.com/$1 permanent; do this return 301 http://example.com$request_uri; you can also use $server_name with this in place of example.com or even $host$ if you need multi-domain redirects. I’m using nginx so if you are using apache you’ll want to do your own research.

                Now the ssl_ciphers issue I discovered using the SSL test at SSL Labs, here, instead of the very narrow instruction set used above. To ensure maximum security use the monstrosity of an ssl cipher rule below. I don’t understand the full implications of this rule as written but the link below it explains things a little more clearly and the results are plain to see with the test suite.

                ssl_ciphers
                'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256
                :ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256
                :DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:
                !EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
                

                For more information about the ssl ciphers check out this link they’ve got instructions for just about every web server. :)

                alexdo
                Site Moderator
                October 3, 2024

                The redirect loop you encountered likely stemmed from having an improperly placed or overly taxing redirect rule. To fix this in Nginx, a simpler and more efficient approach can be used for redirection:

                Instead of using:

                rewrite ^/(.*)$ http://example.com/$1 permanent;
                

                You can optimize it with:

                return 301 http://example.com$request_uri;
                

                This method is lighter and reduces unnecessary overhead. Additionally, $server_name or $host$ can be used for multi-domain setups. For Apache users, a similar approach can be applied, but with their syntax.

                Regarding SSL security, the narrow set of SSL ciphers in your original configuration may expose your site to security vulnerabilities. To improve this, use a stronger SSL cipher suite.

                For more detailed explanations of SSL cipher configurations for various web servers, you can refer to resources like the SSL Labs Test Suite. This tool can give you a clearer insight into how secure your SSL implementation is and what changes may be needed.

                Regards
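To see what either cipher string quoted in this thread actually enables, here is an added example (not from the original post or the tutorial) that asks the local OpenSSL, through Python's ssl module, to expand an OpenSSL cipher string and then flags the suites a reviewer would question: those without forward secrecy (Kx=RSA, such as AES128-GCM-SHA256 from the long list), those with Au=None (the anonymous ADH/AECDH suites, which AES256+EECDH and AES256+EDH also select on a stock OpenSSL build because nothing in that short string excludes aNULL), those with a SHA1 MAC, and legacy encryption such as 3DES or CAMELLIA. The two strings audited are the ones posted above and in the nginx configuration quoted further down; the exact output depends on the OpenSSL build it runs against.

```python
import re
import ssl

# Cipher strings quoted in this comment thread (the long one from the post above,
# the short one from the nginx configuration quoted later in the thread).
POSTED_LONG_SPEC = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)
POSTED_NARROW_SPEC = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Layout of SSL_CIPHER_description(), the same text `openssl ciphers -v` prints.
DESC_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)
FORWARD_SECRET_KX = ("ECDH", "DH")          # ephemeral (EC)DH key exchange
LEGACY_ENC_MARKERS = ("3DES", "DES(", "RC4", "CAMELLIA", "SEED", "IDEA")


def expand_cipher_string(spec):
    """Return the TLS <= 1.2 suites the local OpenSSL selects for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)                   # raises ssl.SSLError if the string selects nothing
    suites = []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":  # TLS 1.3 suites are fixed and always listed; not governed by spec
            continue
        match = DESC_RE.match(cipher["description"])
        if match:
            suites.append(match.groupdict())
    return suites


def audit_cipher_string(spec):
    """Expand a cipher string and list the enabled suites a security review would question."""
    suites = expand_cipher_string(spec)
    return {
        "enabled": [s["name"] for s in suites],
        "no_forward_secrecy": [s["name"] for s in suites if s["kx"] not in FORWARD_SECRET_KX],
        "no_authentication": [s["name"] for s in suites if s["au"] == "None"],
        "sha1_mac": [s["name"] for s in suites if s["mac"] == "SHA1"],
        "legacy_encryption": [s["name"] for s in suites
                              if any(marker in s["enc"] for marker in LEGACY_ENC_MARKERS)],
    }


if __name__ == "__main__":
    for label, spec in (("long list", POSTED_LONG_SPEC), ("narrow list", POSTED_NARROW_SPEC)):
        report = audit_cipher_string(spec)
        print(f"{label}: {len(report['enabled'])} TLS<=1.2 suites enabled")
        for key in ("no_forward_secrecy", "no_authentication", "sha1_mac", "legacy_encryption"):
            print(f"  {key}: {', '.join(report[key]) or 'none'}")
```

Run it on the server that will use the string, because the result is a property of that OpenSSL build and its configured security level, not of the string alone. Suites listed under no_authentication are the ones to remove first; a client that offers them can be downgraded to an unauthenticated connection.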

                Hi, thanks for the tutorial. I wanted to add my 2 cents in case someone might find it useful. I’m running apache2 using Comodo PositiveSSL.

                1. My 000-default.conf was not where the tutorial said it was, so I ran this command to find it: find ./ -name "000-default*"
                2. I did not have an intermediate.crt, but I did have two other .crt files, PositiveSSLCA2.crt and AddTrustExternalCARoot.crt, so I just chose PositiveSSLCA2.crt as my intermediate and left out the other one.
                3. I also ran apache2 -v to find my exact version of Apache.
                alexdo
                Site Moderator
                October 3, 2024

                Using the find command is a practical way to locate your configuration files when they aren’t where you expect. As for the PositiveSSLCA2.crt and AddTrustExternalCARoot.crt, using the former as the intermediate is typically fine, especially if your setup works without the root certificate. In some cases, including both certificates in the chain can help ensure broader compatibility across different browsers and systems, but it’s good to know you had success without it.

                The command apache2 -v to check your Apache version is useful for ensuring you follow the correct version-specific instructions. Thanks again for sharing your tips—they’re sure to help others navigating similar setups!

                Regards

                I cannot install SSL for my domain https://www.vietnamtourbooking.com/en/ with the tutorial: http://blog.cs-cart.com/2015/11/27/pay-5-for-hosting-on-digitalocean-and-get-92-google-pagespeed-points-for-your-cs-cart-store-out-of-the-box/

                I really want to install SSL for that site, using cscart, for some of our websites!

                Please help me!

                I recommend using a Let’s Encrypt SSL certificate. I have set it up on my website redbox tv.

                Thanks & Regards, James

                alexdo
                Site Moderator
                October 3, 2024

                You can either purchase one or use Let’s Encrypt, which is free.

                Next, SSH into your droplet and update your package lists using sudo apt update.

                If you’re using Apache, install Certbot with sudo apt install certbot python3-certbot-apache. If you’re using Nginx, install the Nginx plugin by running sudo apt install certbot python3-certbot-nginx.

                To request the SSL certificate for Apache, run sudo certbot --apache. For Nginx, run sudo certbot --nginx. Certbot will guide you through the process, prompting you to select your domain.

                Once the certificate is installed, redirect all HTTP traffic to HTTPS. For Apache, Certbot will give you the option to do this automatically. For Nginx, you can add a manual redirect by creating a server block for port 80 and redirecting traffic to HTTPS.

                Finally, restart your web server. For Apache, use sudo systemctl restart apache2. For Nginx, use sudo systemctl restart nginx.

                Ensure that the automatic renewal is set up since Let’s Encrypt certificates last for 90 days.

                Regards

                If you use example.com as the common name, does this add SSL to both example.com(https://example.com) and www.example.com(https://www.example.com)? If not, how do you add SSL to both example.com and www.example.com?

                I use www.example.com for SSL :(

                Dear TerryR,

                Can you tell me why I cannot use the cscart install and SSL?

                Mitchell Anicas
                DigitalOcean Employee
                January 7, 2016

                It depends on the specific CA that you use. Some of them automatically give you both (www and non-www), while others require both to be added in the CSR.

                Hi manicas,

                I buy SSL from ssls.com: RapidSSL or GeoTrust.

                https://www.example.com and https://example.com are working fine with cPanel and Plesk 12. But when I want to transfer the website to DigitalOcean (reissue SSL), the SSL is not working. I tried a new SSL but your host is still not working :(

                Please tell me how to do it?

                Mitchell Anicas
                DigitalOcean Employee
                January 8, 2016

                Hi @haongz,

                You don’t need to reissue the SSL certificate if you’re moving to a different server and IP address. You simply need to copy the certificate, chain, and key files to your new server, then configure it.

                Hi @manicas,

                OK, but how do I configure it? I tried with your tutorial but it’s not OK :(

                Hmm… please check after installing cartomatic…

                Hi @manicas,

                can you tell me where to put the certificate, chain, and key files and how to configure them?

                Many thanks!

                Instructions for using RapidSSL via Namecheap should probably change as the intermediate certs are bundled into 1 file, e.g., this command: cat yourdomainname.crt yourdomainname.ca-bundle >> cert_chain.crt

                alexdo
                Site Moderator
                October 3, 2024

                Thanks for sharing this.

                You can also check their docs as they’ve covered pretty much every possible server setup scenario for installing the SSL:

                https://www.rapidsslonline.com/ssl-questions/install-ssl.aspx

                Regards

                Very good post.

                Thanks

                Hi Mitchell. Great tutorial, thank you so much. I have a quick question: what about moving an existing certificate? Should I just copy the .key and .crt files from the /etc/ssl folder on Ubuntu with Nginx and paste them to the new Ubuntu with Nginx? Or is there more to it?

                alexdo
                Site Moderator
                October 2, 2024

                Yes, you can move an existing SSL certificate to a new server by copying the .key and .crt files, but there are a few more things to consider for the process to be smooth. Here’s what you should do:

                1. Copy the .key, .crt, and any intermediary certificate files (such as .ca-bundle or intermediate.crt) from the existing server to the new server. You can use scp or another file transfer tool like SFTP.

                2. On the new server, ensure that the directory structure is similar to the old server, typically /etc/ssl/certs/ for certificates and /etc/ssl/private/ for the key file. Update the file paths in the Nginx configuration accordingly.

                3. If the certificate was issued based on a specific private key, ensure the .key file you transfer matches the certificate. Otherwise, the certificate won’t work.

                4. Update the Nginx configuration on the new server. Ensure that the SSL-related directives, such as ssl_certificate and ssl_certificate_key, point to the correct file paths of the moved certificate and key.

                5. If you’re using any intermediate certificate files, update those paths in the configuration as well.

                6. After updating the configuration, restart Nginx with sudo systemctl restart nginx to apply the changes.

                Once done, test the site to ensure the SSL certificate works correctly on the new server. This process should replicate the SSL configuration successfully as long as the paths are correctly set.

                I am migrating a website from another host to DigitalOcean. The older host, which I only have FTP access to, has an SSL certificate. In the hosting control panel, all it lets me do is download the certificate .pem file. Does it have both the .key and .csr parts in it? How can I convert it to a proper .key and .csr?

                Mitchell Anicas
                DigitalOcean Employee
                January 25, 2016

                You can open the .pem file in a text editor and see if it also contains the private key. Look for lines that look like this:

                -----BEGIN PRIVATE KEY-----
                MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCs5IIUqBUr7wJR
                ...
                G5ov0UrXWlu4N8QWruynbBxSkRsXQ1eSdTNjF4IjOhIWBLAHlYK0hDGHqOfOod6U
                -----END PRIVATE KEY-----
                

                You can also use this command to see information about the cert and its issuer:

                openssl x509 -text -noout -in your_cert.pem

                You don’t really need a CSR once you have the signed certificate. But you can create a new CSR if you have the private key. You may also want to check out this tutorial: OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs

                Thanks for the awesome blog. Very helpful.

                If I destroy my droplet with all my SSL certificates, will I be able to reissue it to a new droplet (using the same domain)?

                Mitchell Anicas
                DigitalOcean Employee
                February 1, 2016

                Yes, as long as you haven’t reached the rate limit set by Let’s Encrypt CA. You also need to make sure all of your DNS records are updated, and omit the renew option when you run the command.

                Umm… I actually have a Comodo RSA certificate. Is it the same? Basically just validate that you own the domain again and go through the same process?

                Mitchell Anicas
                DigitalOcean Employee
                February 2, 2016

                Whoops. Sorry, I thought I was commenting on a different tutorial. You already validated that you own the domain so you should just be able to send a new CSR with the same CN to get the reissue.

                alexdo
                Site Moderator
                October 2, 2024

                Heya,

                You can re-install the SSL on a new droplet later on; there are no issues with that.

                Regards

                I am using Comodo Positive SSL +Wildcard +Multi-Domain, but it looks like it’s not working. Also, they have two intermediate certs. Which one do I use on Apache 2.4.7?

                Connecting to …:443… Status: Connection established, waiting for welcome message… Error: Connection timed out after 20 seconds of inactivity Error: Could not connect to server

                Using FileZilla, I tried all available protocols and encryptions. It worked fine before SSL… Any ideas? Thank you.

                Mitchell Anicas
                DigitalOcean Employee
                February 25, 2016

                Perhaps you should be trying to connect to port 22 (SSH/SFTP)?

                I installed the Comodo SSL and realised that my whole website is now being forced to load over the HTTPS protocol. As I would only like the checkout page to be SSL secured, not the whole website, I was wondering if you can help in fixing this problem, as redirecting every HTTP page to HTTPS on my website is creating page load issues and I don’t really want SSL on every page of the website.

                I spent numerous hours to rectify this issue but I cannot seem to find a solution to it.

                URL: missbettina.com.au

                Followed these forums: https://www.digitalocean.com/community/tutorials/how-to-create-temporary-and-permanent-redirects-with-apache-and-nginx

                http://stackoverflow.com/questions/7133599/redirect-http-to-https-for-one-page

                Regards

                Running: Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-71-generic x86_64)

                alexdo
                Site Moderator
                October 2, 2024

                You’ll need to make adjustments to your Apache configuration. Start by removing any global redirects from HTTP to HTTPS that apply to the whole site. Check your Apache configuration or .htaccess file for any Redirect or RewriteRule related to HTTPS and comment them out or remove them.

                Next, you’ll need to configure Apache to only apply HTTPS to the checkout page. In your virtual host configuration for port 80, ensure that no global HTTPS redirects are present. If you’d like to specifically redirect only the checkout page to HTTPS, you can use the RewriteCond directive to check for the /checkout URI and redirect just that path to HTTPS.

                Then, create a separate virtual host for port 443 with SSL enabled, ensuring that the SSL certificates are correctly configured. Within this virtual host, you can specify the <Location /checkout> directive to force SSL only for the checkout page, leaving other pages to load over HTTP.

                Make sure that both mod_ssl and mod_rewrite are enabled in your Apache setup. After making these changes, restart Apache and test the site to verify that only the checkout page is redirected to HTTPS. If further issues persist, review your .htaccess file for any conflicting rewrite rules.

                I have tried starting Apache after setting up the virtual host but got this error:

                • Restarting web server apache2
                  Action ‘start’ failed. The Apache error log may have more information.

                here is my virtual host

                <VirtualHost *:80>
                   ServerName bnistore.in
                   Redirect permanent / https://sample.com/
                </VirtualHost>
                
                <VirtualHost *:443>
                    ServerName bnistore.in
                    SSLEngine on
                    SSLCertificateFile /etc/ssl/certs/sample.com.crt
                    SSLCertificateKeyFile /etc/ssl/private/sample.com.key
                    SSLCertificateChainFile /etc/ssl/intermediate.crt
                
                     ServerAdmin webmaster@localhost
                     DocumentRoot /var/www/html
                     .......
                </VirtualHost>
                
                
                alexdo
                Site Moderator
                October 2, 2024

                Ensure that the files are located in the specified directories and that there are no typographical errors in your configuration.

                Next, check the Apache error log for details about the failure. You can do this by running the command tail -f /var/log/apache2/error.log, which will display any errors that might provide more context on why the service isn’t starting.

                It’s also a good idea to run a configuration syntax check before attempting to restart Apache. You can do this by running apachectl configtest. If there are any syntax issues, this command will highlight them, allowing you to make necessary corrections.

                Additionally, verify that the Redirect rule pointing from bnistore.in to sample.com is properly set up, as incorrect configuration could lead to redirection problems or errors.

                Once you’ve addressed any issues, restart Apache with sudo systemctl restart apache2. If problems persist, the error log will guide you further.

                Hi Manicas, your guide is very helpful.

                I have the certificate from GoDaddy and the server is Apache. They have provided example.crt and intermediate.crt. How do I generate the private key with this? I am using Windows. Pl

                alexdo
                Site Moderator
                September 30, 2024

                To generate a private key along with the CSR using OpenSSL on Windows, you need to follow these steps:

                Open the command prompt or PowerShell on your Windows machine.

                Navigate to the directory where you want to generate the private key and CSR.

                Run the following command to generate a new private key and a CSR at the same time:

                openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr
                

                Replace “example” with your desired filename. This command will create a new private key file named “example.key” and a CSR file named “example.csr”.

                You will be prompted to enter information about your organization. This information will be included in your certificate.

                After generating the private key and CSR, you will need to provide the CSR to GoDaddy for your SSL certificate issuance.

                Once your SSL certificate is issued, you can install it on your Apache server by placing the provided certificate files (example.crt and intermediate.crt) along with the private key file you generated.

                In your Apache configuration file, you will need to set the following directives in the VirtualHost section for port 443:

                SSLCertificateFile /path/to/example.crt
                SSLCertificateKeyFile /path/to/example.key
                SSLCertificateChainFile /path/to/intermediate.crt
                

                Make sure to replace /path/to/ with the actual path where you saved your certificate and key files.

                Finally, restart Apache to apply the changes:

                apachectl restart
                

                Regards

                Hi, after following this tutorial I would like some help. I did all of this except one thing: my intermediate is a .pem, not a .crt…

                When I want to restart Apache (LAMP config on DigitalOcean), it gives me:

                AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
                
                

                On the frontend, I’ve got an error 500… thanks

                Navigate to /etc/apache2/apache2.conf (using nano, vi or whatever text editor you use).

                At the very top or bottom, paste this: ServerName localhost

                Make sure there is no # in front of it either.

                Save the file, restart Apache, and you are good to go.

                Hello! After this installation, I am getting the following error:

                “ERR_TOO_MANY_REDIRECTS” on chrome, I read that there is something generating a ‘loop’ to my address.

                What do you think I have to see to solve this?

                Thanks! (And sorry about my english)

                alexdo
                Site Moderator
                September 30, 2024

                Ensure that your Nginx or Apache configuration doesn’t create a redirect loop. Look for conflicting rules in your configuration files, especially in the server blocks handling HTTP and HTTPS traffic.

                If you’re using both HTTP and HTTPS, make sure the HTTP server block is set to redirect properly to the HTTPS version without causing a conflict. For instance, if your HTTP block redirects to HTTPS, the HTTPS block should serve the content without attempting to redirect back to HTTP.

                Check your application’s settings as well. Some applications have their own redirect rules that may conflict with server configurations.

                To troubleshoot, you can temporarily comment out the redirect rules in your configuration and check if the site loads correctly. This will help identify if the redirect rules are causing the issue.

                BITSFIRE PERU HOSTING SERVICES: http://www.bitsfire.com/: web hosting services; web development Peru, graphic design Peru, domain registration Peru, domains Peru, web hosting, SEO positioning Peru.

                Hi, I just configured GoDaddy’s EV certificate. I am now unable to access my domain with http, and example.com is simply taking me to the Apache home page. My config is like this:

                <VirtualHost *:80>
                    ServerName example.com
                    Redirect permanent / https://example.com/
                </VirtualHost>

                <VirtualHost *:443>
                    ServerName example.com
                    SSLEngine on
                    SSLCertificateFile /home/developer/example.com.crt
                    SSLCertificateKeyFile /home/developer/example.com.key
                    SSLCertificateChainFile /home/developer/intermediate.crt
                    # Reverse proxy only: "ProxyRequests On" would also make Apache an open forward proxy
                    ProxyRequests Off
                    ProxyPass / http://localhost:8080/example.com/
                    ProxyPassReverse / http://localhost:8080/example.com/
                </VirtualHost>

                alexdo
                Site Moderator
                September 30, 2024

                Make sure your Apache configuration for the VirtualHost on port 80 is correctly set up to redirect traffic to HTTPS. Your current configuration looks correct, but you might want to ensure there are no conflicting configurations that could be affecting it. Check if the 000-default.conf file or other VirtualHost configurations are overriding your settings.

                In the VirtualHost for port 443, ensure that the document root is properly set. The ProxyPass and ProxyPassReverse directives are meant to forward requests to another server running on localhost. Make sure that the server is up and running on the specified port (8080) and that the application is correctly configured to respond to requests.

                If you’re still having issues, you can check the Apache error logs for any errors that could provide more insight. The logs are usually located at /var/log/apache2/error.log.

                After making any changes to your configuration files, remember to restart Apache to apply the changes using sudo systemctl restart apache2 or sudo service apache2 restart.

                If you continue to experience issues, please provide the content of your Apache error logs to help diagnose the problem further.

                Hello! My SSL works fine, but when I enabled the http -> https redirect, Google Chrome shows me the ERR_TOO_MANY_REDIRECTS error message. This is my /etc/nginx/sites-enabled/default file:

                
                server {
                    listen 80 default_server;
                    listen [::]:80 default_server ipv6only=on;
                
                    listen 443 ssl;
                
                    root /var/www/laravel/public;
                    index index.php index.html index.htm;
                    #server_name 123.456.789;
                
                    server_name example.com;
                    rewrite ^/(.*) https://example.com/$1 permanent;
                
                    ssl_certificate /etc/nginx/ssl/example.com.chained.crt;
                    ssl_certificate_key /etc/nginx/ssl/example.key;
                
                    location / {
                        try_files $uri $uri/ /index.php?$query_string;
                    }
                    error_page 404 /404.html;
                    error_page 500 502 503 504 /50x.html;
                    location = /50x.html {
                        root /usr/share/nginx/html;
                    }
                    location ~ \.php$ {
                        try_files $uri /index.php =404;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_pass unix:/var/run/php5-fpm.sock;
                        fastcgi_index index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        include fastcgi_params;
                    }
                }
                
                
                
                alexdo
                Site Moderator
                September 30, 2024

                The ERR_TOO_MANY_REDIRECTS error typically occurs when there’s a misconfiguration in your redirect rules, causing a loop between HTTP and HTTPS requests. In your Nginx configuration, it seems that the problem may stem from the fact that you have both the listen 80 and listen 443 directives in the same server block, which can lead to confusion about how requests are being handled.

                To resolve the issue, you should separate the HTTP and HTTPS server configurations into distinct blocks. Here’s how you can modify your /etc/nginx/sites-enabled/default file:

                # HTTP server block
                server {
                    listen 80 default_server;
                    listen [::]:80 default_server ipv6only=on;
                
                    server_name example.com;
                    return 301 https://$host$request_uri;  # Redirect all HTTP requests to HTTPS
                }
                
                # HTTPS server block
                server {
                    listen 443 ssl;
                    listen [::]:443 ssl;
                
                    root /var/www/laravel/public;
                    index index.php index.html index.htm;
                
                    server_name example.com;
                
                    ssl_certificate /etc/nginx/ssl/example.com.chained.crt;
                    ssl_certificate_key /etc/nginx/ssl/example.key;
                
                    location / {
                        try_files $uri $uri/ /index.php?$query_string;
                    }
                
                    error_page 404 /404.html;
                    error_page 500 502 503 504 /50x.html;
                
                    location = /50x.html {
                        root /usr/share/nginx/html;
                    }
                
                    location ~ \.php$ {
                        try_files $uri /index.php =404;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_pass unix:/var/run/php5-fpm.sock;
                        fastcgi_index index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        include fastcgi_params;
                    }
                }
                
                1. Separate Server Blocks: Created one server block for HTTP (port 80) and another for HTTPS (port 443). This helps to avoid confusion and keeps your configuration cleaner.

                2. Redirect with return: Used return 301 https://$host$request_uri; in the HTTP server block. This is a more straightforward way to handle redirections compared to using the rewrite directive.

                After making these changes, save the file and test your Nginx configuration using the command nginx -t to check for any syntax errors. If everything is fine, reload Nginx with sudo systemctl reload nginx to apply the changes. This should resolve the redirection issue you’re experiencing.
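The loop in the configuration above can be seen without a browser. The following added example (not from this post or the tutorial) traces redirects one hop at a time, the way a manual `curl -I` chain would, and stops as soon as a URL repeats, which is the condition Chrome reports as ERR_TOO_MANY_REDIRECTS. `http_fetch` does the real request; the two responders at the bottom are constructed stand-ins that model the single-block configuration posted above and the split configuration, using the thread's `example.com` placeholder, so the trace runs offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _StopRedirects(urllib.request.HTTPRedirectHandler):
    """Make urlopen surface a 3xx as HTTPError instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5.0):
    """One HEAD request without following redirects; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_StopRedirects)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status, response.headers.get("Location")
    except urllib.error.HTTPError as err:       # 3xx and 4xx/5xx both arrive here
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Follow redirects hop by hop.

    Returns (chain, verdict): chain is every URL visited in order; verdict is
    "ok" (a non-redirect answer was reached), "loop" (a URL repeated) or
    "too-many" (max_hops exceeded without repeating, e.g. an ever-growing path).
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "ok"
        url = urljoin(url, location)          # Location may be relative
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too-many"


# Constructed responders (no network) modelling the two nginx configurations above.

def single_block_server(url):
    """One server {} listening on 80 and 443 with a blanket `rewrite ^/(.*) https://example.com/$1 permanent;`.
    The rewrite also fires for requests that already arrived over HTTPS, so https redirects to itself."""
    return 301, "https://example.com" + urlsplit(url).path


def split_block_server(url):
    """Corrected layout: only the port-80 block redirects; the 443 block serves the content."""
    if urlsplit(url).scheme == "http":
        return 301, "https://example.com" + urlsplit(url).path
    return 200, None


if __name__ == "__main__":
    for name, responder in (("single block", single_block_server), ("split blocks", split_block_server)):
        chain, verdict = trace_redirects("http://example.com/login", fetch=responder)
        print(f"{name}: {verdict}: " + " -> ".join(chain))
```

Against a live site, call `trace_redirects("http://your-domain/")` with the default fetcher; if the chain shows the same https URL twice, the redirect is firing inside the HTTPS server block (or inside the application behind it, which sees plain HTTP from the proxy and redirects again).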

                This works perfectly fine for my front end upstream, but when my front end makes a request to my backend server, I get an error. The nginx error logs show: *1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol). The backend server is just an upstream Unicorn process on the same server as the front end (and as the nginx server).

                Here is my nginx configuration:

                upstream app_server {
                    server unix:/var/run/unicorn.sock fail_timeout=0;
                }

                upstream frontend_server {
                    server 198.211.116.68:8080;
                }

                server {
                    listen 80;
                    server_name dailydownbeat.com;
                    rewrite ^/(.*) https://dailydownbeat.com/$1 permanent;
                }

                server {
                    listen 443 ssl;
                    root /home/rails/dailydownbeat;
                    server_name dailydownbeat.com;
                    ssl_certificate /home/rails/dailydownbeat/config/ssl/dailydownbeat.com.chained.crt;
                    ssl_certificate_key /home/rails/dailydownbeat/config/ssl/dailydownbeat.com.key;
                    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                    ssl_prefer_server_ciphers on;
                    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

                    location / {
                        proxy_pass http://frontend_server/;
                        proxy_http_version 1.1;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection 'upgrade';
                        proxy_set_header Host $host;
                        proxy_redirect off;
                        proxy_set_header X-NginX-Proxy true;
                        proxy_cache_bypass $http_upgrade;
                        proxy_max_temp_file_size 0;
                        proxy_read_timeout 240s;
                    }

                    location ^~ /api/ {
                        proxy_pass http://app_server/api/;
                    }
                }
                

                What do I have to do to resolve this?

                alexdo
                Site Moderator
                September 30, 2024

                The error message you’re encountering, suggests that there might be a mismatch between the protocols being used for SSL connections. Since your backend server is an upstream Unicorn process and not configured for SSL, you should ensure that the proxy_pass directive for the backend points to the correct protocol.

                In your Nginx configuration, you should change the proxy_pass directive for your backend server to use HTTP instead of HTTPS. Here’s the adjustment you need to make in the location ^~ /api/ block:

                location ^~ /api/ {
                    proxy_pass http://app_server/api/; # Ensure this uses HTTP
                }
                

                Additionally, confirm that your Unicorn server is indeed listening for HTTP connections, and check that it’s configured correctly to accept requests on the specified socket. If it’s set to run on a specific port, update the upstream app_server block accordingly.

                After making these changes, test your configuration with nginx -t to ensure there are no syntax errors, and then reload Nginx with sudo systemctl reload nginx to apply the updates. This should resolve the handshake error you’re experiencing.
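Before changing proxy_pass, it helps to know whether the upstream speaks TLS at all. This added example (not from this post or the tutorial) sends a hand-built TLS ClientHello to a host and port and classifies the first bytes of the reply: a TLS server answers with a handshake or alert record (first byte 0x16 or 0x15), while a plaintext HTTP server answers with text. That is the mismatch behind `SSL23_GET_SERVER_HELLO:unknown protocol`: nginx sent a ClientHello to something that was not speaking TLS. The plain-HTTP listener on 127.0.0.1 is a constructed fixture standing in for the upstream; the host, port and cipher-suite list are assumptions for the demonstration.

```python
import http.server
import socket
import struct
import threading


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record, the first message a TLS client (nginx included) sends."""
    client_random = bytes(range(0x41, 0x61))        # 32 fixed bytes for a probe; a real client uses os.urandom(32)
    cipher_suites = bytes.fromhex("c02fc030c02bc02c009c002f")  # ECDHE-RSA/ECDSA AES-GCM, AES128-GCM, AES128-SHA
    body = (b"\x03\x03" + client_random                         # client_version: TLS 1.2
            + b"\x00"                                           # empty session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                                      # compression_methods: null only
    if server_name:                                             # server_name (SNI) extension, type 0
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0), length, name
        sni = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def classify_response(data):
    """Decide from the first bytes of the reply whether the peer spoke TLS at all."""
    if not data:
        return "no-response"
    if data[0] in (0x15, 0x16):        # TLS alert or handshake record: the peer speaks TLS
        return "tls"
    if data.startswith(b"HTTP/"):      # a plaintext HTTP server answered the ClientHello with a status line
        return "plaintext-http"
    return "plaintext"                 # something else, but certainly not TLS


def _recv_some(sock, n=16):
    try:
        return sock.recv(n)
    except (socket.timeout, OSError):
        return b""


def probe_tls(host, port, timeout=3.0, server_name=None):
    """Connect, send a ClientHello and report tls / plaintext-http / plaintext / no-response / unreachable."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        sock.sendall(build_client_hello(server_name))
        data = _recv_some(sock)
        if not data:
            # A line-oriented plaintext server may still be waiting for a newline; send EOF so it answers.
            try:
                sock.shutdown(socket.SHUT_WR)
            except OSError:
                pass
            data = _recv_some(sock)
    return classify_response(data)


def start_plaintext_http_server():
    """Constructed fixture: a plain-HTTP listener on an ephemeral 127.0.0.1 port, standing in for the upstream."""
    class Quiet(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the 400 "Bad request" lines off stderr
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Quiet)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    server = start_plaintext_http_server()
    print("plain-HTTP upstream:", probe_tls("127.0.0.1", server.server_address[1], timeout=1.0))
    server.shutdown()
```

Point `probe_tls` at the upstream's host and port (for a Unix socket upstream, at whatever TCP port the application also listens on). "plaintext" or "plaintext-http" means `proxy_pass` must use `http://`; "tls" means the upstream expects `https://` and nginx then also needs `proxy_ssl_*` settings to verify it.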

                I have Ubuntu servers running Apache with GoDaddy “Standard SSL”. I followed these steps and I got these errors from the Apache error logs:

                [Wed Oct 05 03:42:08.986881 2016] [mpm_prefork:notice] [pid 1060] AH00169: caught SIGTERM, shutting down
                [Wed Oct 05 03:42:10.011970 2016] [ssl:warn] [pid 6821] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
                [Wed Oct 05 03:42:10.013567 2016] [ssl:emerg] [pid 6821] AH02561: Failed to configure certificate dott.com:443:0, check /etc/ssl/gdssl/dott_com.crt
                [Wed Oct 05 03:42:10.013618 2016] [ssl:emerg] [pid 6821] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
                [Wed Oct 05 03:42:10.013661 2016] [ssl:emerg] [pid 6821] SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
                AH00016: Configuration Failed
                
                alexdo
                Site Moderator
                September 30, 2024

                The error messages you’re seeing suggest a few potential problems.

                The warning about the server certificate not matching the server name indicates that the common name (CN) or subject alternative names (SAN) in your SSL certificate do not match the domain name you’re using (e.g., dott.com). Make sure the certificate you obtained from GoDaddy is specifically for dott.com or includes it in its SAN.

                The error indicating “no start line” suggests that Apache is unable to read your certificate file properly. This usually happens if the file is either empty or not formatted correctly. Check the contents of /etc/ssl/gdssl/dott_com.crt to ensure it begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

                Verify that the path to your SSL certificate and key file in the Apache configuration is correct. You might also need to check if the private key file (SSLCertificateKeyFile) is specified correctly and corresponds to the public certificate.

                If you haven’t done so already, restart Apache after making these changes using sudo systemctl restart apache2. If the problem persists, ensure that the certificate files are readable by the Apache user (usually www-data).

                Additionally, check the permissions on your SSL certificate and key files. They should be set so that the Apache user can read them, while ensuring that they are not overly permissive. A common approach is to set the certificate files to 644 and the private key to 600.
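An added check (not from the thread) for the “no start line (Expecting: CERTIFICATE)” error in the log above: it reproduces what OpenSSL’s PEM reader needs before it can find a certificate (a `-----BEGIN CERTIFICATE-----` line with no BOM in front of it, a valid base64 body, a CERTIFICATE block rather than a key or CSR). The sample inputs are constructed, not real certificates; run it with a file path to check a real one.

```python
import base64
import re
import sys

# One PEM block: "-----BEGIN label-----", base64 body, "-----END label-----".
PEM_BLOCK_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def diagnose_pem(data: bytes) -> list:
    """Explain why OpenSSL might say 'no start line (Expecting: CERTIFICATE)'.
    Returns a list of findings; an empty list means the file is structurally
    a PEM certificate (it says nothing about validity, chain order or expiry)."""
    findings = []
    if not data.strip():
        return ["file is empty"]
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the first line: OpenSSL will not see '-----BEGIN'")
        data = data[3:]
    if b"\r\n" in data:
        findings.append("CRLF line endings (usually tolerated, but worth normalizing)")
    blocks = PEM_BLOCK_RE.findall(data)
    if not blocks:
        if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER, not PEM
            findings.append("binary DER, not PEM: convert with 'openssl x509 -inform der'")
        else:
            findings.append("no '-----BEGIN ...-----' / '-----END ...-----' pair found")
        return findings
    labels = [label.decode() for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        # e.g. SSLCertificateFile pointed at the key or the CSR by mistake
        findings.append(f"no CERTIFICATE block; file contains: {', '.join(labels)}")
    for label, body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"{label.decode()} body is not valid base64 (stray characters or truncated paste)")
            continue
        if label == b"CERTIFICATE" and der[:1] != b"\x30":
            findings.append("CERTIFICATE body does not decode to an ASN.1 SEQUENCE")
    return findings


def count_certificates(data: bytes) -> int:
    """How many CERTIFICATE blocks a file holds (1 for a leaf, more for a chained file)."""
    return sum(1 for label, _ in PEM_BLOCK_RE.findall(data) if label == b"CERTIFICATE")


# Constructed samples, not real certificates: any ASN.1 SEQUENCE prefix is
# enough to exercise the structural checks above.
FAKE_DER = b"\x30\x82\x00\x10" + bytes(16)
FAKE_B64 = base64.encodebytes(FAKE_DER)  # line-wrapped, newline-terminated
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + b"-----END CERTIFICATE-----\n"
CHAINED_PEM = GOOD_PEM * 2
CSR_ONLY = b"-----BEGIN CERTIFICATE REQUEST-----\n" + FAKE_B64 + b"-----END CERTIFICATE REQUEST-----\n"
BOM_PEM = b"\xef\xbb\xbf" + GOOD_PEM

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 pemcheck.py /etc/ssl/gdssl/dott_com.crt
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(diagnose_pem(data) or ["looks like PEM"], count_certificates(data), "certificate(s)")
    else:
        samples = [("good", GOOD_PEM), ("chained", CHAINED_PEM), ("csr", CSR_ONLY),
                   ("bom", BOM_PEM), ("der", FAKE_DER)]
        for name, sample in samples:
            print(name, diagnose_pem(sample))
```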

                Any tutorial for Nginx on FreeBSD 10.1?

                alexdo
                Site Moderator
                September 30, 2024

                Heya,

                You can check this tutorial for more information:

                https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-letsencrypt-freebsd

                Regards

                Help! Hi, I want to set up SSL but I get the error “Forbidden, You don’t have permission to access / on this server.” My /etc/apache2/apache2.conf file:

                <Directory /var/www/artunkids.com>
                	Options Indexes FollowSymLinks MultiViews 
                	AllowOverride All
                	Order allow,deny
                	Allow from all
                	Require all granted
                </Directory>
                

                /etc/apache2/sites-available/artunkids.com.conf file:

                <VirtualHost *:80>
                    ServerName artunkids.com
                    DocumentRoot /var/www.artunkids.com/public_html
                    Redirect permanent / https://www.artunkids.com/

                    # For most configuration files from conf-available/, which are
                    # enabled or disabled at a global level, it is possible to
                    # include a line for only one particular virtual host. For example the
                    # following line enables the CGI configuration for this host only
                    # after it has been globally disabled with "a2disconf".
                    #Include conf-available/serve-cgi-bin.conf
                </VirtualHost>

                # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
                <VirtualHost *:443>
                    ServerAdmin tayfun.ylz@gmail.com
                    ServerName artunkids.com

                    DocumentRoot /var/www.artunkids.com/public_html
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
                    SSLEngine on
                    SSLCertificateFile /home/taifun/artunkids.com.crt
                    SSLCertificateKeyFile /home/taifun/artunkids.com.key
                    SSLCACertificateFile /home/taifun/intermediate.crt
                    SSLCertificateChainFile /home/taifun/intermediate.crt
                </VirtualHost>
                
                

                Where am I making the error? What must I fix for this error? I’m using CodeIgniter. CodeIgniter .htaccess file:

                <IfModule mod_rewrite.c>
                    RewriteEngine On
                    RewriteBase /
                    RewriteCond %{REQUEST_URI} ^system.*
                    RewriteRule ^(.*)$ /index.php?/$1 [L]
                    RewriteCond %{REQUEST_URI} ^application.*
                    RewriteRule ^(.*)$ /index.php?/$1 [L]
                    RewriteCond %{REQUEST_FILENAME} !-f
                    RewriteCond %{REQUEST_FILENAME} !-d
                    RewriteRule ^(.*)$ /index.php?/$1 [L]
                </IfModule>
                

                Thanks!

                alexdo
                Site Moderator
                September 30, 2024

                Make sure the /var/www/artunkids.com/public_html directory has the correct permissions. Run the following command to ensure that the Apache user can read the directory:

                sudo chown -R www-data:www-data /var/www/artunkids.com/public_html 
                sudo chmod -R 755 /var/www/artunkids.com/public_html
                

                Your Apache configuration for the /var/www/artunkids.com directory looks fine, but ensure that the following directive is included in your /etc/apache2/apache2.conf file to allow access:

                <Directory /var/www/artunkids.com/public_html>
                    AllowOverride All
                    Require all granted
                </Directory>
                

                In your artunkids.com.conf file, verify that the DocumentRoot directive matches the correct path to your CodeIgniter application’s public directory:

                <VirtualHost *:443>
                    ServerAdmin tayfun.ylz@gmail.com
                    ServerName artunkids.com
                    DocumentRoot /var/www/artunkids.com/public_html
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined    
                    SSLEngine on
                    SSLCertificateFile /home/taifun/artunkids.com.crt
                    SSLCertificateKeyFile /home/taifun/artunkids.com.key
                    SSLCACertificateFile /home/taifun/intermediate.crt
                </VirtualHost>
                

                After making these changes, restart Apache:

                sudo systemctl restart apache2
                

                Also, check the Apache error logs for more detailed error messages:

                tail -f /var/log/apache2/error.log
                

                This will help you identify any other potential issues. Make sure that the SSL certificate paths are also correct and accessible by the Apache user.
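As an added example (not from the thread), a small Python check that applies Apache’s <Directory> merge rule to each DocumentRoot: sections are merged shortest path first, so the longest section whose path contains the DocumentRoot decides, and a DocumentRoot that no granting section covers falls back to the global deny and produces exactly this 403. The config text is a constructed excerpt using the paths posted above, including the misspelled DocumentRoot; the `<Directory />` deny block is assumed from the Ubuntu default apache2.conf.

```python
import re
from pathlib import PurePosixPath

# Constructed excerpt (not the commenter's full files): the <Directory /> deny
# block is assumed from the Ubuntu default apache2.conf; the other paths are the
# ones posted in the comment above, including the misspelled DocumentRoot.
APACHE2_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/artunkids.com>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Require all granted
</Directory>
"""

VHOST_CONF = """
<VirtualHost *:443>
    ServerName artunkids.com
    DocumentRoot /var/www.artunkids.com/public_html
    SSLEngine on
</VirtualHost>
"""

# Plain-path <Directory> sections only; regex (~) sections are skipped.
DIRECTORY_RE = re.compile(r'<Directory\s+"?([^"\s>~]+)"?\s*>(.*?)</Directory>', re.I | re.S)
REQUIRE_RE = re.compile(r'^\s*Require\s+all\s+(granted|denied)\b', re.I | re.M)
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.I | re.M)


def directory_policies(conf: str) -> dict:
    """Map each <Directory PATH> that sets 'Require all ...' to 'granted'/'denied'."""
    policies = {}
    for path, body in DIRECTORY_RE.findall(conf):
        match = REQUIRE_RE.search(body)
        if match:
            policies[str(PurePosixPath(path))] = match.group(1).lower()
    return policies


def effective_policy(docroot: str, policies: dict):
    """Longest <Directory> path that contains docroot wins (Apache merges
    shortest path first). Returns (path, policy) or None if nothing applies."""
    root = PurePosixPath(docroot)
    best = None
    for path, policy in policies.items():
        section = PurePosixPath(path)
        if section == root or section in root.parents:
            if best is None or len(section.parts) > len(PurePosixPath(best[0]).parts):
                best = (path, policy)
    return best


def check_docroots(apache_conf: str, vhost_conf: str) -> list:
    """Return one finding per DocumentRoot that ends up denied (HTTP 403)."""
    policies = directory_policies(apache_conf + vhost_conf)
    findings = []
    for docroot in DOCROOT_RE.findall(vhost_conf):
        decided = effective_policy(docroot, policies)
        if decided is None:
            findings.append(f"{docroot}: no <Directory> section applies (server default denies)")
        elif decided[1] != "granted":
            findings.append(f"{docroot}: denied by <Directory {decided[0]}>")
    return findings


if __name__ == "__main__":
    for line in check_docroots(APACHE2_CONF, VHOST_CONF):
        print(line)
    fixed = VHOST_CONF.replace("/var/www.artunkids.com", "/var/www/artunkids.com")
    print("after fixing the DocumentRoot path:", check_docroots(APACHE2_CONF, fixed))
```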

                What does "Copy and save them to your server in the same location that you generated your private key and CSR." mean?

                Do I do it with sftp ?

                alexdo
                Site Moderator
                September 30, 2024

                The instruction “Copy and save them to your server in the same location that you generated your private key and CSR” means that after you generate your SSL certificate and related files, you should upload them to the same directory on your server where your private key and Certificate Signing Request (CSR) are stored. This is typically for organizational purposes and to ensure easy access.

                Using SFTP ensures that your certificate files are securely transferred to your server.

                This didn’t work for me UNTIL I put the key file in /etc/ssl/private/ and the crt files in /etc/ssl/certs/ and of course edited the 000-default.conf file with those paths. This and other tutorials I read seemed to indicate it’d be fine putting the key and crt files into /etc/ssl/ or even into /home/user/. Maybe the correct location to put those files is obvious to most people, but being brand new to Ubuntu and SSL it sure as hell wasn’t obvious to me. Would have been nice if this tutorial had specified those pathways, would have saved me some hours of frustration.

                alexdo
                Site Moderator
                September 30, 2024

                It’s common to experience confusion regarding where to place SSL certificate files on a Linux system like Ubuntu. The standard practice is to place private key files in /etc/ssl/private/ and certificate files in /etc/ssl/certs/. This separation helps maintain proper permissions and security.

                Move your certificate and key files to the appropriate directories. Place your .crt files in /etc/ssl/certs/ and your .key file in /etc/ssl/private/. For example, you can move the certificate with sudo mv /path/to/your.crt /etc/ssl/certs/ and the private key with sudo mv /path/to/your.key /etc/ssl/private/.

                Ensure the private key file has the correct permissions for security. The key file should only be readable by the root user, which you can set using sudo chmod 600 /etc/ssl/private/your.key.

                Update your Apache configuration file, like 000-default.conf, with the new paths. For example, you can use SSLEngine on, SSLCertificateFile /etc/ssl/certs/your.crt, and SSLCertificateKeyFile /etc/ssl/private/your.key.

                If you haven’t already, enable the SSL module by running sudo a2enmod ssl. After making changes, restart Apache to apply the new configuration with sudo systemctl restart apache2.

                You can also check for syntax errors in your configuration by running sudo apachectl configtest.

                I have installed the SSL certificate on my NGINX server and it is properly installed. However, the green bar is not showing on my website. My website URL is https://dailysoftwaregiveaway.com. How do I solve this issue?

                Great tutorial, easy to follow. One issue, my subdomains don’t work now, they all point to the same main domain page. What should I do to fix this? (I’m using a LAMP configuration on ubuntu)

                Thank you in advance,

                Robert

                alexdo
                Site Moderator
                September 30, 2024

                If your subdomains are pointing to the main domain page in a LAMP configuration on Ubuntu, it’s likely that Apache is defaulting to the wrong virtual host. This usually happens when a wildcard or default virtual host is being used.

                To fix this, ensure that each subdomain has its own virtual host configuration. First, check the virtual host files located in the /etc/apache2/sites-available/ directory. Make sure each subdomain has its own .conf file. For example, for sub1.example.com, you should have something like this:

                <VirtualHost *:80>
                    ServerName sub1.example.com
                    DocumentRoot /var/www/sub1
                    # Other directives for subdomain
                </VirtualHost>
                

                Next, make sure there is no default virtual host (like 000-default.conf) catching all subdomains. The default virtual host should be configured to handle only the main domain, not subdomains.

                After editing or creating the subdomain .conf files, enable them using the command sudo a2ensite sub1.example.com.conf for each subdomain. Then, restart Apache with sudo systemctl restart apache2.

                Lastly, ensure that each subdomain has the correct DNS configuration (A or CNAME records) pointing to your server’s IP.

                For those of you who are getting the Nginx welcome page (using Python/Flask), connection refused, or page not found when visiting either https://www.domain.com or http://domain.com:

                This is what is working for me…

                server {
                    listen 80;
                    server_name domain.co.uk www.domain.co.uk;
                    rewrite ^/(.*) https://domain.co.uk/$1 permanent;
                }

                server {
                    listen 443 ssl;
                    server_name domain.co.uk www.domain.co.uk;
                    ssl_certificate /home/sammy/dsp_ssl/domain.com.chained.crt;
                    ssl_certificate_key /home/sammy/dsp_ssl/domain.com.key;
                    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                    ssl_prefer_server_ciphers on;
                    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

                    location / {
                        include uwsgi_params;
                        uwsgi_pass unix:/home/sammy/domain/domain.sock;
                    }
                }
                
                alexdo
                Site Moderator
                September 30, 2024

                The Nginx configuration you’ve shared looks good overall, but ensure that the paths and details are correct for your setup.

                Your first server block redirects all HTTP traffic to HTTPS using the rewrite directive:

                server {
                    listen 80;
                    server_name domain.co.uk www.domain.co.uk;
                    rewrite ^/(.*) https://domain.co.uk/$1 permanent;
                }
                

                In your SSL configuration, ensure the certificate paths are correct:

                server {
                    listen 443 ssl;
                    server_name domain.co.uk www.domain.co.uk;
                
                    ssl_certificate /home/sammy/dsp_ssl/domain.com.chained.crt;
                    ssl_certificate_key /home/sammy/dsp_ssl/domain.com.key;
                
                    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                    ssl_prefer_server_ciphers on;
                    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
                }
                

                In your Flask application block, ensure that your app is running and the socket file /home/sammy/domain/domain.sock exists. It’s important that the socket has the correct permissions for Nginx to access it, and that the Flask app is properly configured to use uWSGI and bind to the socket:

                location / {
                    include uwsgi_params;
                    uwsgi_pass unix:/home/sammy/domain/domain.sock;
                }
                

                If you’re still facing errors, check Nginx error logs at /var/log/nginx/error.log for any specific issues. Also, ensure that uWSGI is properly configured and running by checking the uWSGI logs and making sure your domain resolves correctly to your server’s IP.

                Regards

                Hello, I completed it successfully. But I used to access phpMyAdmin via ip/phpMyAdmin. But now the IP redirects to the main site. Can you please tell me how I can access phpMyAdmin? I am using Apache2 and Ubuntu 16.04. Thanks

                alexdo
                Site Moderator
                September 30, 2024

                To access phpMyAdmin after your IP has been redirected to the main site, you need to modify the Apache configuration to exclude /phpMyAdmin from the redirection.

                First, open the Apache virtual host configuration file by running the command sudo nano /etc/apache2/sites-available/000-default.conf.

                Inside the <VirtualHost> block for your site, modify the redirect rule to exclude /phpMyAdmin by using the following rule:

                <VirtualHost *:80>
                   ServerName yourdomain.com
                   RedirectMatch 301 ^/(?!phpMyAdmin).* https://yourdomain.com$0
                </VirtualHost>
                

                After making this change, restart Apache to apply the changes using sudo service apache2 restart. Now, you should be able to access phpMyAdmin via http://your_ip/phpMyAdmin without being redirected to the main site.

                Regards

                If my wildcard cert is installed on one server, but one of my sub-domains is hosted on a different server, will I need to install it on both machines in order for it to work? Thanks!

                alexdo
                Site Moderator
                September 30, 2024

                Yes, you’ll need to install the wildcard certificate on both servers for it to work with the subdomain hosted on a different server.

                A wildcard SSL certificate allows you to secure multiple subdomains under the same domain, like *.example.com, with a single certificate. However, the certificate must be installed on each server that hosts a subdomain. If one server hosts sub1.example.com and another hosts sub2.example.com, both need the certificate.

                Each server handling HTTPS requests needs access to the SSL certificate and private key to encrypt and decrypt traffic. This means you must install the certificate on both machines.

                You can securely transfer the wildcard certificate and private key from the first server to the second. After copying, configure the web server (such as Apache or Nginx) on the second machine to use the wildcard certificate for the subdomain it hosts.

                So, to secure subdomains on multiple servers using a wildcard certificate, it must be installed on each server hosting a subdomain.

                This worked great for http to https redirection but the app is not running anymore, now I get an Index Of/ page in the browser. This is a Koha Integrated Library System website. It worked fine using http but it vanished when I did the change to https. I’m using Apache 2.4 and Linux Debian 3.16. Thanks for any help.

                alexdo
                Site Moderator
                September 30, 2024

                When Apache shows an “Index Of/” page, it’s typically because it can’t find the appropriate index.php, index.html, or similar file to serve, or the directory isn’t properly set up.

                Here’s how you can troubleshoot and fix the issue:

                First, check the DocumentRoot directive in your virtual host configuration for HTTPS to ensure that it points to the correct directory where your Koha ILS application files are stored. For example:

                <VirtualHost *:443>
                    ServerName your-koha-site.com
                    DocumentRoot /path/to/koha/root  # Update this to your Koha application path
                
                    SSLEngine on
                    SSLCertificateFile /path/to/your/certificate.crt
                    SSLCertificateKeyFile /path/to/your/private.key
                    SSLCertificateChainFile /path/to/your/chainfile.crt
                
                    <Directory /path/to/koha/root>  # Ensure this is correct
                        AllowOverride All
                        Options FollowSymLinks
                        Require all granted
                    </Directory>
                
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
                </VirtualHost>
                

                Next, ensure that Apache has permission to access the directory where your Koha application files are stored. You can set proper permissions by running:

                sudo chown -R www-data:www-data /path/to/koha/root 
                sudo chmod -R 755 /path/to/koha/root
                

                These commands ensure that the www-data user (or your web server user) can access and serve the files.

                Make sure Apache knows what the default file is for your site. In the virtual host file, ensure there’s a DirectoryIndex directive:

                <Directory /path/to/koha/root>
                    DirectoryIndex index.php index.html
                </Directory>
                

                If your Koha application uses a specific file as its entry point (e.g., main.php), make sure to add it here.

                If your Koha installation depends on an .htaccess file for URL rewriting or other directives, ensure that AllowOverride All is set in the <Directory> section of your virtual host configuration to allow .htaccess rules to function.

                If you don’t want Apache to list directory contents, you can turn off directory indexing with:

                <Directory /path/to/koha/root>
                    Options -Indexes 
                </Directory>
                

                This will prevent Apache from showing the “Index Of” page when the index.php or index.html file isn’t found.

                After making any changes, restart Apache for the changes to take effect:

                sudo systemctl restart apache2
                

                Finally, check Apache’s error log for more details on what might be going wrong:

                sudo tail -f /var/log/apache2/error.log
                

                Look for specific errors related to file access, permissions, or SSL setup that could give you more insights.

                If you are using WordPress like I am, and keep breaking your site after following these steps…

                Make sure to swap the URL in Settings > General as a prerequisite to performing the above.

                alexdo
                Site Moderator
                September 30, 2024

                Heya,

                You can also refer to this article if you’re using WordPress

                https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu

                Regards

                Hello

                thanks for the great article

                I am facing some issues for my website. the site works with https://example.com and with http://example.com

                But with www. it’s not loading. What can be the reason? I am on a LAMP server and I have created the CRT using *.example.com.

                thank you

                alexdo
                Site Moderator
                September 30, 2024

                Make sure you have a DNS record for www.example.com pointing to the same IP address as example.com. You can typically do this by creating a CNAME record for www that points to example.com.

                Check your Apache configuration files to ensure you have a virtual host set up for the www subdomain. You should have something like this in your configuration:

                <VirtualHost *:80>
                    ServerName www.example.com
                    Redirect permanent / https://www.example.com/
                </VirtualHost>
                
                <VirtualHost *:443>
                    ServerName www.example.com
                    DocumentRoot /var/www/html
                
                    SSLEngine on
                    SSLCertificateFile /path/to/your/certificate.crt
                    SSLCertificateKeyFile /path/to/your/private.key
                    SSLCertificateChainFile /path/to/your/chainfile.crt
                
                    <Directory /var/www/html>
                        AllowOverride All
                        Require all granted
                    </Directory>
                
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
                </VirtualHost>
                

                Make sure to replace the paths with the actual paths to your SSL certificate files.

                Ensure that your wildcard SSL certificate (*.example.com) also covers www.example.com. Wildcard certificates should cover all subdomains, including www.

                If you’re using an .htaccess file, ensure that there are no conflicting rules that might prevent the www version from resolving properly. You can add a redirect from www to non-www or vice versa, depending on your preference:

                RewriteEngine On 
                RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC] 
                RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
                

                Check if there are any firewall rules that might be blocking traffic to www. Make sure that ports 80 and 443 are open for both www and non-www traffic.

                Sometimes, browsers cache DNS settings. Try clearing your browser cache or testing in incognito mode to see if that resolves the issue.

                After making changes to your Apache configuration, make sure to restart the Apache service for the changes to take effect:

                sudo systemctl restart apache2
                

                Regards
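An added example (not from the thread) that answers both wildcard questions above in code: which hostnames a certificate whose DNS SANs are `*.example.com` actually covers, using the RFC 6125 rules browsers and mod_ssl apply (the AH01909 warning earlier in this thread is the same test failing). It goes one step beyond the replies by also showing the apex `example.com` and deeper names, which a bare wildcard does not cover unless they are listed as SANs. The SAN lists are constructed.

```python
def cert_covers(hostname: str, san_dns_names) -> bool:
    """Does a certificate with these DNS SANs cover hostname?
    Rules (RFC 6125 as browsers enforce them): exact case-insensitive match,
    or a wildcard that is the whole leftmost label, has at least two labels
    after it, and matches exactly one label (so never the apex domain)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        p_labels = name.rstrip(".").lower().split(".")
        if "*" not in name:
            if p_labels == host_labels:
                return True
            continue
        # Partial-label (f*.example.com), non-leftmost (www.*.com) and
        # TLD-level (*.com) wildcards are rejected, as modern clients do.
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
            continue
        if len(host_labels) == len(p_labels) and host_labels[1:] == p_labels[1:]:
            return True
    return False


def coverage_report(san_dns_names, hostnames) -> dict:
    """hostname -> covered?, e.g. for every ServerName/server_name you serve."""
    return {host: cert_covers(host, san_dns_names) for host in hostnames}


if __name__ == "__main__":
    # Constructed SAN lists: a bare wildcard certificate, and one that also lists the apex.
    wildcard_only = ["*.example.com"]
    wildcard_plus_apex = ["*.example.com", "example.com"]
    hosts = ["www.example.com", "shop.example.com", "example.com", "a.b.example.com", "localhost"]
    for label, sans in (("wildcard only", wildcard_only), ("wildcard + apex", wildcard_plus_apex)):
        print(label, coverage_report(sans, hosts))
```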

                Hello,
                One-click apps > WordPress

                I can’t get port 443 active.

                I tried everything I could find.

                alexdo
                Site Moderator
                September 30, 2024

                I know it’s been quite a while since this question was posted but I believe this should be addressed anyway.

                Ensure that Nginx is configured to listen on port 443. You can check this by looking for the relevant server block in your Nginx configuration files. Run the following command to check the active ports:

                sudo netstat -tuln | grep ':443'
                

                If you don’t see anything listening on port 443, you’ll need to ensure that your server block for HTTPS is configured correctly.

                Make sure you have installed your SSL certificate correctly. You should have directives like the following in your Nginx server block:

                server {
                    listen 443 ssl;
                    server_name yourdomain.com www.yourdomain.com;
                
                    ssl_certificate /path/to/your/certificate.crt;
                    ssl_certificate_key /path/to/your/private.key;
                    ssl_protocols TLSv1.2 TLSv1.3;
                    ssl_ciphers 'HIGH:!aNULL:!MD5';
                }
                

                Replace /path/to/your/certificate.crt and /path/to/your/private.key with the actual paths to your SSL certificate and private key.

                Check Firewall Settings

                Ensure that your firewall is allowing traffic on port 443. If you’re using UFW, run:

                sudo ufw status
                

                You should see that port 443 is allowed. If it’s not, you can allow it with:

                sudo ufw allow 443
                

                Verify Nginx Configuration

                Check the Nginx configuration for any syntax errors by running:

                sudo nginx -t
                

                If everything is okay, you should see a message indicating that the configuration file is valid.

                Restart Nginx

                After making any changes to the Nginx configuration, restart the Nginx service:

                sudo systemctl restart nginx
                

                Check Logs for Errors

                Check the Nginx error logs to see if there are any messages related to SSL or port 443. The log file is typically located at /var/log/nginx/error.log. You can view it with:

                sudo tail -f /var/log/nginx/error.log
                

                Verify Domain DNS Settings

                Ensure that your domain’s DNS settings are correctly pointing to your server’s IP address. You can use tools like dig or nslookup to check:

                dig yourdomain.com
                

                Make sure the returned IP address matches your server’s IP.

                Test with OpenSSL

                You can test the SSL connection using OpenSSL:

                openssl s_client -connect yourdomain.com:443
                

                This will provide information about the SSL handshake and any errors that may occur.

                If you’re using a self-signed certificate, browsers may reject the connection unless you add an exception. Ensure that you are using a certificate from a recognized Certificate Authority (CA).

                Clear your browser cache or try accessing the site in an incognito window to rule out caching issues.

                Using WordPress on Nginx, Ubuntu 14.04. I’ve uploaded and concatenated the certificates from NameCheap but now my site hangs, getting a “takes too long to respond” error. There are no syntax errors as far as nginx can tell me.

                I can still access my domain via http with no issues. Port 443 open.

                Is there anything I need to change since this is not the default server block? I don’t know how to debug this…

                Here is the server block:

                server {
                    listen         80;
                    server_name    mydomain.com www.mydomain.com;
                    return         301 https://$server_name$request_uri;
                }

                server {
                    listen 443 ssl;
                    listen [::]:443 ssl;
                    server_name mydomain.com www.mydomain.com;
                    ssl on;
                    ssl_certificate /etc/nginx/ssl/mydomain_com/ssl-bundle.crt;
                    ssl_certificate_key /etc/nginx/ssl/mydomain_com/mydomain.com.key;
                    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                    ssl_prefer_server_ciphers on;
                    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

                    # listen [::]:80;
                    error_log    /var/log/nginx/mydomain.com.error.log debug;

                    root /var/www/mydomain.com/html;
                    index index.php;

                    set $cache_uri $request_uri;

                    # POST requests and urls with a query string should always go to PHP
                    if ($request_method = POST) {
                        set $cache_uri 'null cache';
                    }
                    if ($query_string != "") {
                        set $cache_uri 'null cache';
                    }

                    # Use cached or actual file if they exists, otherwise pass request to WordPress
                    location / {
                        try_files /wp-content/cache/page_enhanced/${host}${cache_uri}_index.html $uri $uri/ /index.php?$args ;
                    }

                    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
                        expires max; log_not_found off; access_log off;
                        add_header Pragma public;
                        add_header Cache-Control "public";
                    }

                    error_page 404 /404.html;

                    error_page 500 502 503 504 /50x.html;
                    location = /50x.html {
                        root /usr/share/nginx/html;
                    }

                    location ~ \.php$ {
                        try_files $uri =404;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_pass unix:/var/run/php5-fpm.sock;
                        fastcgi_index index.php;
                        include fastcgi_params;
                        fastcgi_buffer_size 128k;
                        fastcgi_buffers 4 256k;
                        fastcgi_busy_buffers_size 256k;
                    }
                }
                
                
                
                alexdo
                Site Moderator
                September 30, 2024

                I know it’s been quite a while since this question was posted but I believe this should be addressed anyway.

                Make sure that your Nginx configuration file is syntactically correct and has no errors. You can do this with the following command:

                sudo nginx -t
                

                If there are no errors, you should see a message indicating that the configuration file is valid.

                Check that the SSL certificates are properly concatenated and valid. You can verify the certificates with:

                openssl x509 -in /etc/nginx/ssl/mydomain_com/ssl-bundle.crt -text -noout
                openssl rsa -in /etc/nginx/ssl/mydomain_com/mydomain.com.key -check
                

                Make sure the certificate is not expired and corresponds to your domain.

                Consider the following adjustments to your server block:

                Remove ssl on;: This directive is not necessary in recent versions of Nginx. You can just specify listen 443 ssl;.

                Update SSL Protocols and Ciphers: Ensure you’re using up-to-date protocols and ciphers. The following configuration is more secure:

                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!3DES';
                

                Remove Comments: Clean up any commented-out lines that are unnecessary for clarity.

                Here’s a refined version of your server block:

                server {
                    listen 80;
                    server_name mydomain.com www.mydomain.com;
                    return 301 https://$server_name$request_uri;
                }
                
                server {
                    listen 443 ssl;
                    listen [::]:443 ssl;
                    server_name mydomain.com www.mydomain.com;
                    
                    ssl_certificate /etc/nginx/ssl/mydomain_com/ssl-bundle.crt;
                    ssl_certificate_key /etc/nginx/ssl/mydomain_com/mydomain.com.key;
                    ssl_protocols TLSv1.2 TLSv1.3;
                    ssl_prefer_server_ciphers on;
                    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!3DES';
                
                    error_log /var/log/nginx/mydomain.com.error.log debug;
                
                    root /var/www/mydomain.com/html;
                    index index.php;
                
                    set $cache_uri $request_uri;
                
                    if ($request_method = POST) {
                        set $cache_uri 'null cache';
                    }   
                    if ($query_string != "") {
                        set $cache_uri 'null cache';
                    } 
                
                    location / {
                        try_files /wp-content/cache/page_enhanced/${host}${cache_uri}_index.html $uri $uri/ /index.php?$args;
                    }
                
                    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
                        expires max; log_not_found off; access_log off;
                        add_header Pragma public;
                        add_header Cache-Control "public";
                    }
                
                    error_page 404 /404.html;
                    error_page 500 502 503 504 /50x.html;
                    location = /50x.html {
                        root /usr/share/nginx/html;
                    }
                
                    location ~ \.php$ {
                        try_files $uri =404;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_pass unix:/var/run/php5-fpm.sock;
                        fastcgi_index index.php;
                        include fastcgi_params;
                        fastcgi_buffer_size 128k;
                        fastcgi_buffers 4 256k;
                        fastcgi_busy_buffers_size 256k;
                    }
                }
                

                After making changes, restart Nginx:

                sudo systemctl restart nginx
                

                If your site is still not reachable via HTTPS, you can enable debugging for Nginx by adding the following line to your configuration:

                error_log /var/log/nginx/mydomain.com.error.log debug;
                

                This will generate detailed logs that might help identify the issue.

                Since you mentioned that port 443 is open, double-check your firewall rules to ensure nothing is blocking HTTPS traffic. If you’re using UFW, check the status with:

                sudo ufw status
                

                Clear your browser cache and try accessing the site in an incognito window to rule out caching issues. Additionally, check your DNS settings to ensure they are pointing to the correct IP address.

                Sometimes server performance issues or other misconfigurations could cause timeouts. Monitor your server’s resource usage (CPU, memory) and check for any other services that might be impacting performance.

                If none of these steps resolve the issue, consider checking with your hosting provider or support resources for more in-depth troubleshooting tailored to your server environment. Let me know if you need further assistance!

                Is there any video tutorial for adding an SSL certificate to my site on DigitalOcean? http://www.rrbrecruitmentresult.com/

                I’ve been fighting this battle for a day now without success – my site hdpowerequipment.com is not reachable via https.

                I generated my CSR and private key without issue. I downloaded the certificate info from Godaddy and placed it on my server (via ftp):

                root@server:~# cd /home
                root@server:~# ls
                hdpowerequipment.com.crt  hdpowerequipment.com.key
                hdpowerequipment.com.csr  intermediate.crt
                
                root@server:~# apache2 -v
                Server version: Apache/2.4.18 (Ubuntu)
                Server built:   2017-09-18T15:09:02
                
                root@server:~# ufw status
                Status: active
                
                To                         Action      From
                --                         ------      ----
                22                         ALLOW       Anywhere                  
                443                        ALLOW       Anywhere                  
                80                         ALLOW       Anywhere                  
                22 (v6)                    ALLOW       Anywhere (v6)             
                443 (v6)                   ALLOW       Anywhere (v6)             
                80 (v6)                    ALLOW       Anywhere (v6)   
                
                root@server:/etc/apache2/sites-available# ls
                000-default.conf            000-default.conf.orig
                000-default.conf.dpkg-dist  default-ssl.conf
                
                root@server:~# nano 000-default.conf
                
                <VirtualHost *:80>
                   ServerName hdpowerequipment.com
                   Redirect permanent / https://www.hdpowerequipment.com/
                </VirtualHost>
                <VirtualHost *:443>
                        ServerAdmin webmaster@localhost
                        DocumentRoot /var/www/html
                        ServerName hdpowerequipment.com
                        SSLEngine on
                        SSLCertificateFile /home/hdpowerequipment.com.crt
                        SSLCertificateKeyFile /home/hdpowerequipment.com.key
                        SSLCertificateChainFile /home/intermediate.crt
                        <Directory /var/www/html/>
                            Options Indexes FollowSymLinks
                            AllowOverride All
                            Require all granted
                        </Directory>
                
                        ErrorLog ${APACHE_LOG_DIR}/error.log
                        CustomLog ${APACHE_LOG_DIR}/access.log combined
                </VirtualHost>
                

                I have restarted Apache multiple times. I rebooted the server. I disabled ufw. I tried SSLCACertificateFile (instead of using SSLCertificateChainFile)

                Am I supposed to edit default-ssl.conf?

                I’m at the end of my rope here. At this point I have no choice but to cancel my Godaddy SSL certificate and lose $100 (too late for a refund).

                I am desperate for help.

                alexdo
                Site Moderator
                September 30, 2024

                I know it’s been quite a while since this question was posted but I believe this should be addressed anyway.

                First, make sure that the certificate files are not corrupted. You can verify their contents by running:

                openssl x509 -in /home/hdpowerequipment.com.crt -text -noout 
                openssl rsa -in /home/hdpowerequipment.com.key -check 
                openssl x509 -in /home/intermediate.crt -text -noout
                

                Your Apache configuration looks mostly correct, but ensure that you are using the correct file paths. Also, check for any typos in your virtual host configuration:

                <VirtualHost *:80>
                   ServerName hdpowerequipment.com
                   Redirect permanent / https://www.hdpowerequipment.com/
                </VirtualHost>
                
                <VirtualHost *:443>
                    ServerAdmin webmaster@localhost
                    DocumentRoot /var/www/html
                    ServerName hdpowerequipment.com
                    SSLEngine on
                    SSLCertificateFile /home/hdpowerequipment.com.crt
                    SSLCertificateKeyFile /home/hdpowerequipment.com.key
                    SSLCertificateChainFile /home/intermediate.crt
                
                    <Directory /var/www/html/>
                        Options Indexes FollowSymLinks
                        AllowOverride All
                        Require all granted
                    </Directory>
                
                    ErrorLog ${APACHE_LOG_DIR}/error.log
                    CustomLog ${APACHE_LOG_DIR}/access.log combined
                </VirtualHost>
                

                The default-ssl.conf is typically used for SSL configurations. If you are not using it, ensure that it does not conflict with your main configuration. You can either comment it out or ensure that it does not define another VirtualHost for port 443 that conflicts with yours.

                Make sure that the SSL module is enabled in Apache. Run the following command:

                sudo a2enmod ssl
                

                Then restart Apache:

                sudo systemctl restart apache2
                

                Check if Apache is running correctly. Look for any errors in the logs that might give you more insight into what’s going wrong:

                sudo systemctl status apache2
                tail -f /var/log/apache2/error.log
                

                You mentioned disabling UFW. If you have other firewall rules in place, ensure that they are not blocking port 443.

                Ensure that your DNS settings are correct and that www.hdpowerequipment.com is pointing to the correct IP address.

                After making changes, clear your browser’s cache or try accessing the site in an incognito window to rule out cached issues.

                You can use online tools like SSL Labs to analyze your SSL setup and get detailed feedback about potential issues.

                You can also test the SSL connection with:

                openssl s_client -connect hdpowerequipment.com:443
                

                This will give you detailed information about the SSL handshake and any errors that might be occurring.

                Conclusion

                If you’ve gone through all of these steps and still can’t get your SSL working, consider reaching out to GoDaddy’s support team for assistance, as they may be able to provide additional insights based on their records and your account.
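                The checks suggested in the two answers above (openssl x509 -text and openssl rsa -check on the Nginx ssl-bundle.crt, and the same on the separate Apache certificate and intermediate.crt files) only eyeball each file on its own. The script below, an added example that is not part of this thread or of the tutorial itself, ties them together into one pre-flight check that fails on the mistakes this thread keeps running into: a private key that does not belong to the certificate, a bundle with the intermediate placed before the leaf, a certificate issued for a different hostname, an expired certificate, and a missing intermediate. The file names, the example.com hostname and the optional trusted-root argument are assumptions; for the Apache layout with a separate SSLCertificateChainFile, build the bundle first with cat site.crt intermediate.crt > bundle.crt (Apache 2.4.8 and later also accept that combined file directly in SSLCertificateFile).

```shell
#!/bin/sh
# check_tls_files: pre-flight checks for a certificate bundle and private key
# before pointing Nginx (ssl_certificate / ssl_certificate_key) or Apache
# (SSLCertificateFile / SSLCertificateKeyFile) at them.
#
# Arguments: <bundle.crt> <private.key> <hostname> [trusted-root.crt]
#   bundle.crt must hold the server (leaf) certificate FIRST, followed by the
#   CA's intermediate certificate(s), which is the order Nginx and Apache expect.
#   The optional fourth argument is only needed when the issuing root is not in
#   the system trust store (a private CA, or the throwaway root used in tests).
# Returns 0 when every check passes, 1 on the first failure (reason on stderr).
check_tls_files() {
    bundle="$1"; key="$2"; host="$3"; root="$4"

    # 1. The first PEM block must parse as an X.509 certificate. openssl x509
    #    reads only the first block, which is also how the web server picks
    #    the leaf; an intermediate placed first is caught by checks 2 and 4.
    if ! openssl x509 -in "$bundle" -noout 2>/dev/null; then
        echo "FAIL: $bundle does not start with a readable PEM certificate" >&2
        return 1
    fi
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key is not a readable (unencrypted) private key" >&2
        return 1
    fi

    # 2. The private key must belong to that leaf. Comparing SHA-256 digests
    #    of the DER-encoded public keys works for RSA and ECDSA keys alike.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for the first certificate in $bundle" >&2
        return 1
    fi

    # 3. Validity window: -checkend 0 exits non-zero once the leaf has expired.
    if ! openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: the certificate in $bundle has expired" >&2
        return 1
    fi

    # 4. The leaf must cover the hostname this vhost serves. -checkhost applies
    #    the same subjectAltName matching rules a browser uses.
    if ! openssl x509 -in "$bundle" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match"; then
        echo "FAIL: the certificate in $bundle does not cover $host" >&2
        return 1
    fi

    # 5. The intermediates after the leaf must chain it up to a trusted root.
    #    -untrusted offers the whole bundle as candidate intermediates; the
    #    bare file argument is the leaf being verified.
    if [ -n "$root" ]; then
        result=$(openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" 2>&1)
    else
        result=$(openssl verify -untrusted "$bundle" "$bundle" 2>&1)
    fi
    case "$result" in
        *": OK") ;;
        *) echo "FAIL: chain does not verify: $result" >&2; return 1 ;;
    esac

    echo "OK: $bundle and $key are consistent and cover $host"
    return 0
}

# Run directly: sh check_tls_files.sh bundle.crt private.key example.com [root.crt]
if [ "$#" -ge 3 ]; then
    check_tls_files "$@"
fi
```

Run it against the exact paths you put in the server block before restarting the web server; a failure here explains most "site not reachable via HTTPS" reports far faster than reading a debug-level error log. The key check assumes an unencrypted key file, which is what the tutorial's openssl req -nodes produces; a passphrase-protected key needs a -passin option added to the two openssl pkey calls.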

                Guys, what is wrong here? Not showing as a secure site. Default config file for Nginx:

                server {
                    listen [::]:80;
                    listen 80;

                    server_name mthingsonline.com www.mthingsonline.com;

                    # redirect http to https www
                    return 301 https://www.mthingsonline.com$request_uri;
                }

                server {
                    listen [::]:443 ssl http2;
                    listen 443 ssl http2;

                    server_name mthingsonline.com;

                    # SSL code
                    ssl_certificate /etc/nginx/ssl/api.mcarefit.com/api_mcarefit.com.chained.crt;
                    ssl_certificate_key /etc/nginx/ssl/mcarefit.com/mcarefit.key;

                    # redirect https non-www to https www
                    return 301 https://www.mthingsonline.com$request_uri;
                }

                server {
                    listen [::]:443 ssl http2;
                    listen 443 ssl http2;

                    server_name www.mthingsonline.com;

                    # SSL code
                    ssl_certificate /etc/nginx/ssl/api.mcarefit.com/api_mcarefit.com.chained.crt;
                    ssl_certificate_key /etc/nginx/ssl/newMthingsonline/www.mthingsonline.com.key;

                    # other code
                    root  /home/ec2-user/Bitbucket/mthingsangularweb/src;

                    #charset koi8-r;
                    #access_log  /var/log/nginx/host.access.log  main;
                    index  index.html index.htm;

                    location / {
                        proxy_pass http://localhost:8081;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection 'upgrade';
                        proxy_set_header Host $host;
                        proxy_cache_bypass $http_upgrade;
                    }
                }

                alexdo
                Site Moderator
                September 30, 2024

                It looks like you might have a few configuration issues in your Nginx setup. Here’s a revised version of your configuration and some points to consider:

                1. Server Block for HTTP: Your current HTTP server block does not correctly redirect traffic to HTTPS. It should include the return directive correctly.
                2. SSL Configuration: Make sure the SSL certificate paths are correct for both server blocks, especially since you have two different certificates for www and non-www domains.
                3. Redirection: The redirection logic should ideally be in the non-SSL block.

                Here’s a cleaned-up version of your Nginx configuration:

                server {
                    listen 80;
                    listen [::]:80;
                    server_name mthingsonline.com www.mthingsonline.com;
                
                    # Redirect all HTTP traffic to HTTPS
                    return 301 https://www.mthingsonline.com$request_uri;
                }
                
                server {
                    listen 443 ssl http2;
                    listen [::]:443 ssl http2;
                
                    server_name www.mthingsonline.com;
                
                    # SSL certificate files
                    ssl_certificate /etc/nginx/ssl/api.mcarefit.com/api_mcarefit.com.chained.crt;
                    ssl_certificate_key /etc/nginx/ssl/newMthingsonline/www.mthingsonline.com.key;
                
                    # Root directory
                    root /home/ec2-user/Bitbucket/mthingsangularweb/src;
                    index index.html index.htm;
                
                    location / {
                        proxy_pass http://localhost:8081;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection 'upgrade';
                        proxy_set_header Host $host;
                        proxy_cache_bypass $http_upgrade;
                    }
                }
                
                server {
                    listen 443 ssl http2;
                    listen [::]:443 ssl http2;
                
                    server_name mthingsonline.com;
                
                    # SSL certificate files
                    ssl_certificate /etc/nginx/ssl/api.mcarefit.com/api_mcarefit.com.chained.crt;
                    ssl_certificate_key /etc/nginx/ssl/mcarefit.com/mcarefit.key;
                
                    # Redirect from non-www to www
                    return 301 https://www.mthingsonline.com$request_uri;
                }
                

                Key Points to Check:

                • SSL Certificate Paths: Ensure that the paths to your SSL certificate and key files are correct and that the files are accessible by the Nginx process.
                • Firewall Configuration: Ensure that your firewall allows traffic on ports 80 and 443.
                • Test Configuration: Run nginx -t to test your configuration for any syntax errors.
                • Reload Nginx: After making changes, make sure to reload Nginx using sudo systemctl reload nginx.
                • Check Logs: Look at the error logs (/var/log/nginx/error.log) for any issues that may be preventing the site from loading securely.

                Regards


                    I have downloaded the .crt files to my local Mac desktop, and I want to copy these two files to the Nginx server through the terminal. What’s the command to do that? Thanks.

                    I followed the instructions above with a GoDaddy SSL for a single site and installed on Apache. It worked perfectly. Now when I followed the instructions to do it again for another site on the same server, everything on SSL went down. When I removed the new lines from the second .conf file. Everything came back. What am I missing? Certs for both are in two separate folders.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    It sounds like you might be facing a configuration issue when setting up the second SSL site on Apache. Here are a few things to check to help resolve the problem:

                    Ensure that each site has its own <VirtualHost> block in separate configuration files, typically found in /etc/apache2/sites-available/. Each configuration should listen on port 443 for SSL. Double-check that the paths to the SSL certificate and key files in the second site’s configuration file are correct and point to the right certificates. Run apachectl configtest to check for any syntax errors in your configuration files, as this command will provide details about any issues. Make sure the SSL module is enabled in Apache by running sudo a2enmod ssl.

                    Look into Apache’s error logs (typically found in /var/log/apache2/error.log) for any specific messages that could indicate what went wrong when you attempted to restart the service. After making any changes, be sure to restart Apache to apply them with sudo service apache2 restart. Ensure that your server’s firewall allows traffic on port 443 by checking with sudo ufw status.

                    If you’ve checked all these points and it’s still not working, you can share the relevant configuration snippets for both sites, and I can help you troubleshoot further.

                    I want to install an SSL certificate with HTTPS v2. So how can I proceed with it?

                    And also tell me how I can upgrade from HTTPS 1.1 to HTTPS 2 without deleting my droplet.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    To install an SSL certificate with HTTP/2 and upgrade from HTTP/1.1 to HTTP/2, follow these steps:

                    1. Install the SSL Certificate:
                    • If you haven’t already obtained an SSL certificate, get one from a trusted provider (like Let’s Encrypt, GoDaddy, etc.).
                    • After obtaining the certificate files (.crt and .key), place them in a secure directory on your server, such as /etc/ssl/certs/ for the certificate and /etc/ssl/private/ for the private key.
                    2. Configure Apache for SSL:
                    • Edit your Apache configuration file for your site, often found at /etc/apache2/sites-available/000-default.conf or a similar path.
                    • Add or modify the following lines in your <VirtualHost *:443> block to include the SSL certificate details:
                    SSLEngine on
                    SSLCertificateFile /etc/ssl/certs/your_certificate.crt
                    SSLCertificateKeyFile /etc/ssl/private/your_private.key
                    SSLCertificateChainFile /etc/ssl/certs/your_chain.crt

                    • Ensure that your DocumentRoot points to the correct directory.
                    3. Enable HTTP/2:
                    • In your Apache configuration, add the following directive to enable HTTP/2:
                    Protocols h2 http/1.1

                    • Ensure that you have the mod_http2 module enabled. You can enable it by running:
                    sudo a2enmod http2

                    4. Restart Apache:
                    • After making these changes, restart Apache to apply the configuration:
                    sudo service apache2 restart

                    5. Upgrade from HTTP/1.1 to HTTP/2:
                    • Ensure that your Apache version is up-to-date, as HTTP/2 support is only available in Apache 2.4.17 and later.
                    • If your current version is outdated, you can upgrade Apache without deleting your droplet by following these steps:
                    • Update your package list:
                    sudo apt update

                    • Upgrade Apache:
                    sudo apt upgrade apache2


                    You can use online tools like SSL Labs’ SSL Test to verify your SSL installation and HTTP/2 support.

                    Regards

                    I found this blog, very helpful thank you so much for adding this in your website.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    We’re glad that the article has helped you! Always feel free to reach out in our community as well:

                    https://www.digitalocean.com/community/questions

                    Can I ask you something? I tried to run “sudo service apache2 restart” in the terminal and it returns “Job for apache2.service failed…”. How can I fix this error? Thanks.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    If you’re getting the error “Job for apache2.service failed” when trying to restart Apache, it usually indicates a configuration issue or another problem preventing the service from starting. Start by checking the Apache error logs for more details using sudo tail -n 50 /var/log/apache2/error.log. Look for any specific error messages indicating what’s wrong.

                    Before restarting Apache, it’s a good idea to test the configuration files for syntax errors by running sudo apachectl configtest. If there are any syntax errors, the command will output them, and you’ll need to fix the reported issues before trying to restart Apache again.

                    Ensure that no other service is using port 80 or 443 by running sudo netstat -tuln | grep ':80\|:443'. If you find another service using these ports, you may need to stop it or change its configuration.

                    Verify that the SSL certificate files specified in your Apache configuration exist and have the correct permissions. If the paths to your SSL files are incorrect, Apache will fail to start.

                    Make sure the ssl module is enabled. You can enable it with sudo a2enmod ssl. After addressing any issues identified in the previous steps, try restarting Apache again with sudo service apache2 restart.

                    If it still fails, you can check the system status for Apache for more insights using sudo systemctl status apache2. If you follow these steps and are still having trouble, please share any specific error messages or details from the logs, and I’ll help you troubleshoot further.

                    I followed this instruction (Ubuntu 16.04, Apache, GoDaddy), but the website is unreachable. I don’t understand what my problem is. Can anyone help me?

                    alexdo
                    Site Moderator
                    September 30, 2024

                    First, check your Apache configuration files to ensure they are set up correctly. Verify that your 000-default.conf (or the specific virtual host file for your site) includes the necessary SSL directives and points to the correct certificate files. Confirm that the paths to your SSL certificate, private key, and intermediate certificate in your Apache configuration are correct, which should look something like this:

                    SSLEngine on 
                    SSLCertificateFile /path/to/your/certificate.crt 
                    SSLCertificateKeyFile /path/to/your/private.key 
                    SSLCertificateChainFile /path/to/your/intermediate.crt
                    

                    Next, check your server’s firewall settings to ensure that port 443 (HTTPS) is open. You can check the status of your firewall with sudo ufw status. If it’s not open, you can allow it with sudo ufw allow 443/tcp. After making any changes to the configuration files, restart Apache to apply the changes using sudo systemctl restart apache2.

                    Review the Apache error logs for any messages that might indicate what’s going wrong. The logs are usually located at /var/log/apache2/error.log. Also, ensure that your domain’s DNS settings are correctly pointing to your server’s IP address. You can use tools like dig or nslookup to verify this.

                    To validate your SSL certificate installation, use an SSL checker (like SSL Labs). Finally, try accessing your site directly using https://yourdomain.com. If it doesn’t work, check if you can reach it via HTTP (http://yourdomain.com) and whether it redirects correctly.

                    If you continue to experience issues, providing more details about your Apache configuration and any error messages you’re encountering can help further diagnose the problem

                    I tried to install an SSL certificate from GoDaddy. I have many websites on the server and all of them stopped working. How do I handle this? I want to keep multiple websites on the same server, but only one with an SSL certificate.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    To handle multiple websites on a server while keeping only one with an SSL certificate, first identify which website you want to secure with the SSL certificate. Next, configure your web server. If you are using Apache, create a new VirtualHost entry for the website with SSL, ensuring you have a separate VirtualHost for port 80 (HTTP) and another for port 443 (HTTPS). For Nginx, set up a server block for the website, ensuring it listens on both ports.

                    Then, install the SSL certificate from GoDaddy for the specific website you want to secure, making sure the paths to the certificate and key files in your configuration files are correct. Disable SSL for the other sites on the server by keeping their configurations active for port 80 and omitting any SSL configuration.

                    After making these changes, restart your web server to apply the new settings and test your websites to ensure the SSL-secured site is accessible via HTTPS, while the other websites function correctly without SSL. Lastly, monitor your server’s error logs if you encounter any issues during this process to identify misconfigurations or other problems.

                    If you need more specific help, please provide details about the web server software you’re using.

                    I use a Mac mini with OS X Server as a web server. I recently purchased an SSL certificate and installed it on my web server, jmzcons.com, using Mac OS X Server as the platform. I see it there in the certificates and it’s active on the server, but I cannot access the webpage. I still get the “not safe site” message. Would appreciate some help, please.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    First check that the SSL certificate is correctly installed in the OS X Server app and associated with your web service. Ensure that HTTPS is enabled for your website in the server settings and that port 443 (the default for HTTPS) is open in your firewall settings.

                    Next, verify your domain’s DNS settings to confirm they point to the correct IP address of your server. You can use tools like nslookup or dig for this purpose. Clear your browser cache or try accessing your site from a different browser or device to rule out caching issues.

                    Make sure you provide the full certificate chain, as sometimes intermediate certificates are needed for browsers to trust your certificate fully. You can test your SSL configuration with tools like SSL Labs to get insights into any potential issues. Finally, review the web server logs for errors or warnings related to SSL connections, which can usually be found in /var/log/apache2/error_log or a similar path based on your configuration.

                    If you still encounter issues after following these steps, feel free to share more details about any error messages or behaviors you’re observing, and I can help further!

I need the support of a technician to configure SSL on my DigitalOcean server. Here is my email: medbi2011@gmail.com

                    alexdo
                    Site Moderator
                    September 30, 2024

                    Heya,

You can always reach out in our community, whether you have a question, need information, or require any assistance. We’ll be happy to help!

                    https://www.digitalocean.com/community/questions

                    Regards

                    Fantastic tutorial

                    alexdo
                    Site Moderator
                    September 30, 2024

We’re glad that the article has helped you! Always feel free to reach out in our community as well:

                    https://www.digitalocean.com/community/questions

                    I’m no expert, and this took me a while to figure out. Broke my site several times before I cracked it. For anyone struggling, here is my setup. Hopefully it helps. Great tutorial btw! Blows the doors down on one of your main rival’s outdated and poorly written tutorials.

Ubuntu 18.04, Apache 2.4.29, Wildcard SSL from Ionos (via GeoTrust)

Config files edited:

                    /usr/lib/ssl/openssl.cnf    
                    /etc/apache2/sites-available/000-default.conf
                    

I followed the tutorial exactly, with the exception of one thing. When I set up my SSL on Ionos, it never asked me for input from the .csr file generated in the tutorial using the following line.

                    openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
                    

This really confused me for a bit, as every tutorial online states you must input .crt information when generating the SSL files. But each time, at the end of the tutorial, my site was broken. To revert things back to normal, I went into FileZilla, connected to the server via FTP, manually deleted the three SSL files I got from Ionos, and then reverted the 000-default.conf back to its original file. Easy fix.

Part of the problem was that Ionos issues .cer files instead of the .crt files referenced in the tutorial. I was converting these .cer files to .crt. Finally, I decided to just leave them as .cer files. However, I did rename the three SSL-related files I got from Ionos to something simpler. Here is where I placed the three files from Ionos on my server. FYI, I had to create the /ca/ and /private/ folders inside /root/ since they did not exist, but that’s where I wanted to store my SSL files.

                    /root/ca/example.com.cer
                    /root/ca/intermediate.cer
                    /root/ca/private/example.com.key
                    

At this point, it still wasn’t working, and then I found the following file:

                    /usr/lib/ssl/openssl.cnf

                    I edited three lines in this file to match the directories and file names I was using on my server to store the SSL files and boom! https is served. :D

dir         = /root/ca/                       # Where everything is kept
private_key = $dir/private/example.com.key    # The private key
certificate = $dir/example.com.cer            # The CA certificate
                    

                    Here is what my edited 000-default.conf file looks like, without the comment lines.

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://www.example.com
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /root/ca/example.com.crt
    SSLCertificateKeyFile /root/ca/private/example.com.key
    SSLCertificateChainFile /root/ca/intermediate.crt

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/>
        AllowOverride All
    </Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
                    
                    alexdo
                    Site Moderator
                    September 30, 2024

                    Heya,

Thanks for sharing this! I also see that you’ve done this on Ubuntu 18.04, confirming it works for this version as well.

Sidenote: it seems like it would be a lot better if the comment section were in reverse order, so the most recent comments came first. Looking for help in 5-year-old comments is not encouraging. Nor is having to press that Load button 6x to get to the bottom and the most recent comments, which are much more likely to apply to current setups. :)

                    Exactly my thinking, Hightide. Not the most intuitive comment system ever devised, is it? At the very least there should be a function available to sort by newest first.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    Yes, sorting by the most recent comments first could save time and help users find relevant information more quickly.

                    You can always post suggestions in our Product Ideas Dashboard here:

                    https://ideas.digitalocean.com/

                    Regards

                    alexdo
                    Site Moderator
                    September 30, 2024

                    I completely understand that! Having the most recent comments at the top would make it much easier to find relevant and up-to-date information, especially in long threads. The “Load more” button can be quite tedious, too. I’ll pass your feedback internally to our team so we can check this.

Also, you can always post suggestions in our Product Ideas Dashboard here:

                    https://ideas.digitalocean.com/

                    Regards

Great post! I am actually getting ready to go across this information; it is very helpful, my friend. Also a great blog here, with all of the valuable information you have. Keep up the good work you are doing here.

                    alexdo
                    Site Moderator
                    September 30, 2024

We’re glad that the article has helped you! Always feel free to reach out in our community as well:

                    https://www.digitalocean.com/community/questions

                    Thank you. Perfect.

                    alexdo
                    Site Moderator
                    September 30, 2024

We’re glad that the article has helped you! Always feel free to reach out in our community as well:

                    https://www.digitalocean.com/community/questions

This is the most comprehensive article I have come across, and I was able to follow along without any issues… Thank you!

                    alexdo
                    Site Moderator
                    September 30, 2024

We’re glad that the article has helped you! Always feel free to reach out in our community as well:

                    https://www.digitalocean.com/community/questions

                    how to install ssl on plex & Cpanel http://bit.do/msssl

                    alexdo
                    Site Moderator
                    September 30, 2024

                    Heya,

You can check the following link for installing an SSL certificate on a cPanel server:

                    https://docs.cpanel.net/whm/ssl-tls/install-an-ssl-certificate-on-a-domain/

                    Plex requires certificates in PEM format, so you may need to convert your .crt and .key files. You can do this with the command cat your_certificate.crt your_private.key > plex_cert.pem.

                    Next, locate the Plex Media Server’s configuration file, typically found at /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Preferences.xml. Edit this file to include <setting name="customCertificate" value="path/to/plex_cert.pem"/>, replacing path/to/plex_cert.pem with the actual path to your PEM file.

                    Finally, restart the Plex Media Server using sudo systemctl restart plexmediaserver to apply the changes.

                    Regards


                    To get free $100 credit on digitalocean, Please signup using this link https://m.do.co/c/cec3e77bb2b2

                    alexdo
                    Site Moderator
                    September 30, 2024

Here’s an updated link with $200 credit for your 60-day trial:

                    https://try.digitalocean.com/freetrialoffer/

Hi, can someone guide me through setting up SSL on a Tomcat 9 server? The above document explains Nginx and Apache2, not Tomcat 9.

The certificate was downloaded from GoDaddy for the Tomcat web server.

Regards, Ram

                    alexdo
                    Site Moderator
                    September 30, 2024

                    First, prepare your SSL certificate files from GoDaddy, which typically include a primary certificate (e.g., your_domain.crt) and an intermediate certificate (e.g., gd_bundle.crt). You may need to convert these certificate files to PKCS12 format since Tomcat uses the Java KeyStore format. Use the command openssl pkcs12 -export -in your_domain.crt -inkey your_private_key.key -out your_domain.p12 -name tomcat -CAfile gd_bundle.crt -caname root, replacing your_private_key.key with the path to your private key file; you’ll be prompted for an export password.

                    Next, import the PKCS12 file into a Java Keystore using the command keytool -importkeystore -srckeystore your_domain.p12 -srcstoretype PKCS12 -destkeystore your_keystore.jks -deststoretype JKS, setting a password for the Keystore and providing it when prompted.

                    Then, configure Tomcat’s server.xml file located in the conf directory of your Tomcat installation. Add the following connector configuration:

                    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                               clientAuth="false" sslProtocol="TLS"
                               keystoreFile="path/to/your_keystore.jks" keystorePass="your_keystore_password" />
                    

Ensure you replace path/to/your_keystore.jks with the actual path to your Keystore file and your_keystore_password with the password you set earlier.

                    Make sure your firewall allows traffic on port 443 by using sudo ufw allow 443. After that, restart the Tomcat server to apply the changes with sudo systemctl restart tomcat.

                    Finally, verify your SSL installation by visiting your website using https://your_domain.com to check if SSL is functioning correctly. If you encounter issues, check the Tomcat logs located in the logs directory for any errors related to SSL configuration.

I followed the steps for a certificate from GoDaddy and installation on an Apache server, but I am not able to access the site on the HTTPS port; HTTP is working.

Please help. I am new to Ubuntu. My domain is registered with GoDaddy and the VM is hosted on a DigitalOcean Droplet.

Does it take time for the changes to be realized? I did everything that’s mentioned here, but my website still doesn’t load as HTTPS.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    Yes, changes to your Apache configuration should take effect immediately after restarting the service. However, several factors might prevent your website from loading over HTTPS. First, browser cache can cause issues, so try clearing it or using incognito mode. If you recently changed DNS settings, it might take time for those changes to propagate. Also, ensure your firewall allows traffic on port 443 by checking with sudo ufw status.

                    It’s essential to double-check your default-ssl.conf file for syntax errors, which you can verify using sudo apachectl configtest. Ensure your SSL certificate files are correctly referenced and that the certificate is valid and not expired. Lastly, check for any network issues affecting your server’s ability to serve HTTPS requests. If problems persist, look at the Apache error logs with sudo tail -f /var/log/apache2/error.log for specific error messages that could provide further clues.

Hi, thanks for writing this how-to. As a rookie I always need to follow such tutorials. Quick info: I am using Raspbian OS and all is working for HTTP requests. So I was following this how-to to get my GoDaddy cert installed and used for HTTPS requests. Unfortunately I can’t access my sites (HTTP and HTTPS) if I edit the 000-default.conf file. After changing the 000-default.conf file back to what it was and editing the default-ssl.conf file, HTTP access was working again, but I still can’t get access to my site via HTTPS: ERR_CONNECTION_REFUSED. I have also checked with the “apachectl -S” command and can see this output:

VirtualHost configuration:
*:80                   www.emilymeier.ch (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

                    Should there not be an entry for :443?

Any help is very welcome, as I am really a rookie. Sorry. Regards, mame

                    alexdo
                    Site Moderator
                    September 30, 2024

                    First, check your default-ssl.conf file to ensure it has the right configuration for port 443, including the correct paths for your SSL certificate files:

<VirtualHost *:443>
    ServerName www.emilymeier.ch
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /path/to/your/certificate.crt
    SSLCertificateKeyFile /path/to/your/private.key
    SSLCACertificateFile /path/to/your/ca-bundle.crt
    # Other settings
</VirtualHost>
                    

                    Make sure the SSL module is enabled by running sudo a2enmod ssl. Then, check if the default-ssl.conf file is symlinked in the sites-enabled directory with ls /etc/apache2/sites-enabled/. If it’s missing, create it using sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/. After making these changes, restart Apache with sudo systemctl restart apache2.

                    Also, verify that port 443 is allowed in your firewall settings using sudo ufw status. If it’s not allowed, use sudo ufw allow 'Apache Full' to enable HTTPS traffic. Lastly, check Apache’s error log with sudo tail -f /var/log/apache2/error.log for any additional clues.

                    Ensure that there is a VirtualHost entry for port 443. If you still have issues, share any error messages or configurations for more assistance.

Works on Nginx on Ubuntu 18.04, July 2020

                    alexdo
                    Site Moderator
                    September 30, 2024

You’re welcome! I’m glad to hear it works on Nginx with Ubuntu 18.04. If you need more help or have any other questions, don’t hesitate to let me know. Good luck with your project!

Works on Nginx with Ubuntu 18.04 as of today. Thanks, maestro!

                    alexdo
                    Site Moderator
                    September 30, 2024

You’re welcome! I’m glad to hear it works on Nginx with Ubuntu 18.04. If you need more help or have any other questions, don’t hesitate to let me know. Good luck with your project!

                    This is the only guide on DigitalOcean for installing SSL certificates from a commercial certificate authority, but it’s from 2014 using Ubuntu 14.04. It’s now 2020, most of us are using a much newer version of Ubuntu (20.04), and the options from both Namecheap and GoDaddy may have changed.

                    Isn’t it time someone updated this guide? Is it even applicable to Ubuntu 20.04?

Furthermore, I’m with commenter “Hightide” in finding this comment section to be a bit poorly implemented without a “sort by newest first” function.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    You’re right that a guide from 2014 is outdated. While the basic principles of SSL installation remain the same, several steps, package versions, and best practices have evolved. Configuration paths are the same, but modern best practices should include more secure SSL protocols and updated cipher suites.

                    As for the comments section on that guide, having a “sort by newest” feature would be a practical improvement. It would make finding the most relevant and up-to-date user contributions easier, especially with the constantly evolving tech landscape. I’ll pass this recommendation internally.

What happens if the format is different? Do we need to change it? I.e. it’s not example.com.key but example.com.p7b.

The files from Namecheap are: example.com.ca-bundle, example.com.crt, example.com.p7b

                    alexdo
                    Site Moderator
                    September 30, 2024

                    If the SSL certificate files you received are in a different format, such as .p7b instead of .crt or .key, you will need to convert them to the appropriate format for Apache.

                    A .p7b (or PKCS#7) file does not contain the private key and is usually used to bundle multiple certificates together. Apache typically requires .crt files for the certificate and .key files for the private key.

                    Here’s how to handle this:

1. Convert .p7b to .crt: You can use OpenSSL to convert the .p7b file into .crt format. Run this command:

openssl pkcs7 -print_certs -in example.com.p7b -out example.com.crt

2. Get the private key: If you don’t have a .key file, you need to obtain the private key from the original server or the CSR (Certificate Signing Request) generation process. You can’t extract the private key from the .p7b file.

3. Configure Apache: Once you have the .crt and .key files, configure Apache to use them in the SSLCertificateFile and SSLCertificateKeyFile directives.

                    If the conversion works, there’s no need to change the filenames, but the format needs to be correct for Apache to use it.

                    Regards

                    I’m trying to install ZeroSSL certificate on Ubuntu 20.

I have downloaded ca bundle.crt and private.key and moved them to /etc/ssl/ and /etc/ssl/private.

                    When I restart Apache I get the message:

                    Job for apache2.service failed because the control process exited with error code. See “systemctl status apache2.service” and “journalctl -xe” for details.

What is the error or message? What can I do? Or what am I doing wrong?

                    alexdo
                    Site Moderator
                    September 30, 2024

                    First, check the error logs by running sudo journalctl -xe and sudo systemctl status apache2.service. This will provide more information about why Apache is failing to start.

                    Next, ensure that the certificate and key files in /etc/ssl/ and /etc/ssl/private/ have the correct ownership and permissions. The certificate should have chmod 644, and the private key should have chmod 600. Verify that your Apache SSL configuration is correct by editing /etc/apache2/sites-available/default-ssl.conf and ensuring the paths to the certificate and key are correctly specified with SSLCertificateFile and SSLCertificateKeyFile. Make sure SSLEngine on is present.

                    Afterward, ensure the ssl module is enabled by running sudo a2enmod ssl, and also enable the default-ssl site if needed. Test the configuration using sudo apachectl configtest to check for syntax errors, and finally restart Apache with sudo systemctl restart apache2. If there are still issues, check the status again and troubleshoot from the error messages provided.
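The .p7b conversion, the Plex recipe of concatenating certificate and key into one file, and the ownership and permission advice in the answer above all come down to which PEM blocks a file actually contains, not what its extension says. The audit script below is an added example, not part of the tutorial or of any comment; it uses only the Python standard library, and the SAMPLE_* values are constructed stand-ins rather than real certificates or keys.

```python
"""Audit a PEM bundle before a web server is pointed at it.

Added example (not from the tutorial or the comment thread).  Comments
above stumble over .cer vs .crt names, .p7b files that hold no private
key, a key concatenated into the certificate file, and key permissions.
A server only cares about the PEM blocks inside the file, so inspect those.
"""
import base64
import binascii
import os
import re
import stat
import sys

# One PEM block: -----BEGIN <LABEL>-----, base64 lines, -----END <LABEL>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
PKCS7_LABELS = {"PKCS7", "CMS"}


def pem_blocks(text):
    """Return [(label, base64_body), ...] in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def audit_pem_bundle(text, mode=None):
    """Return (code, message) findings for a PEM file's content.

    `mode` is the file's st_mode when known (os.stat(path).st_mode); it is
    passed in so this check never touches the filesystem.  [] means sane.
    """
    blocks = pem_blocks(text)
    if not blocks:
        return [("no-pem", "no PEM blocks found: probably binary DER (convert "
                 "with 'openssl x509 -inform der -in f -out f.pem') or not a "
                 "certificate at all")]
    findings = []
    for i, (label, body) in enumerate(blocks, 1):
        try:  # a block that is not valid base64 is usually copy/paste damage
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            findings.append(("bad-base64", f"block {i} ({label}) is not valid "
                             "base64; re-download the file from the CA"))
    labels = [label for label, _ in blocks]
    n_certs = labels.count("CERTIFICATE")
    n_keys = sum(1 for lbl in labels if lbl in KEY_LABELS)
    n_p7 = sum(1 for lbl in labels if lbl in PKCS7_LABELS)
    if n_p7:
        findings.append(("pkcs7", "PKCS#7 block: it bundles certificates only, "
                         "never the private key; extract them with 'openssl "
                         "pkcs7 -print_certs -in f.p7b -out f.crt'"))
    if n_keys and not n_certs and not n_p7:
        findings.append(("key-only", "private key only: this belongs in "
                         "SSLCertificateKeyFile / ssl_certificate_key, not in "
                         "the certificate directive"))
    if n_certs == 1:
        findings.append(("no-chain", "one certificate and no intermediates: "
                         "clients may not trust it unless the CA bundle is also "
                         "served (SSLCertificateChainFile, or a full-chain file "
                         "for ssl_certificate)"))
    if n_keys > 1:
        findings.append(("multi-key", f"{n_keys} private keys in one file"))
    if n_keys and mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("key-world-readable", "file holds a private key but "
                         "is readable by group/others: chmod 600 it"))
    return findings


def audit_pem_file(path):
    """Read a file from disk and audit it together with its permission bits."""
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    return audit_pem_bundle(text, os.stat(path).st_mode)


# Constructed stand-ins: valid PEM framing around meaningless base64 ("ABCD").
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQUJDRA==\n-----END PRIVATE KEY-----\n"
SAMPLE_P7 = "-----BEGIN PKCS7-----\nQUJDRA==\n-----END PKCS7-----\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for code, msg in audit_pem_file(path) or [("ok", "no problems found")]:
            print(f"{path}: [{code}] {msg}")
```

Run it as `python3 pem_audit.py /etc/ssl/certs/example.com.crt /etc/ssl/private/example.com.key` before restarting the web server; a certificate file with exactly one block is the usual cause of the "chain incomplete" warnings from SSL Labs mentioned earlier in the thread.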

What are the steps to renew a commercial certificate on an Apache server?

                    alexdo
                    Site Moderator
                    September 30, 2024

                    Heya,

You need to replace/upload the new certificate files on the server and then make sure the paths are correct in the Apache virtual hosts. A restart of the Apache service will be required too.

                    Regards

Can I run the above lines of code in the DigitalOcean Console? Because each time I try “sudo nano /etc/nginx/sites-enabled/default” it gets me nowhere, and if I try connecting using Git Bash, I get access denied (public key). Is there a way I could do it over the console? My SSL has expired after 1 year and I have been trying for a week now to reinstall it to make my website safe again.

                    alexdo
                    Site Moderator
                    September 30, 2024

                    Yes, you can run those commands in the DigitalOcean Console, but the console is typically intended for recovery purposes rather than everyday use. For routine server management, it’s best to stick with an SSH client like Git Bash or another terminal-based SSH tool. The console should be used as a backup if you’re unable to access your droplet via SSH.
