This tutorial will show you how to acquire and install an SSL certificate from a trusted, commercial Certificate Authority (CA). SSL certificates (strictly, X.509 certificates used with TLS) allow web servers to encrypt their traffic and also offer a mechanism to prove the server's identity to its visitors. Websites using SSL are accessed via the https:// protocol.
Before the mid-2010s, many smaller websites did not always use SSL or HTTPS. Since then, expectations of security have increased, and the Let’s Encrypt project was created to provide free, trusted SSL certificates at scale, allowing almost everyone to use HTTPS as needed.
However, there are some limitations to Let’s Encrypt’s certificates. They expire after 90 days, so you normally need a working auto-renewal job in place, and they can be awkward to use in environments where that is not possible. Let’s Encrypt also does not provide Organization Validation or Extended Validation certificates, which attest to the legal identity of the organization behind a website. It does issue wildcard certificates, which match every single-level subdomain of your domain (such as shop.example.com) without registering each one, but only through its DNS-based validation method, which requires automating changes to your DNS records.
For most users, these will not be significant limitations. Let’s Encrypt is a popular option for many personal and commercial websites. However, if you have particular enterprise software requirements, or a very large commercial operation, you should consider purchasing a certificate from a commercial CA.
This tutorial covers how to select and deploy an SSL certificate from a trusted certificate authority. After you have acquired your SSL certificate, this tutorial will cover installing it on the Nginx and Apache web servers.
There are several prerequisites for obtaining an SSL certificate from a commercial CA:
A registered domain name. This tutorial will use example.com throughout. You can purchase a domain name from Namecheap, get one for free with Freenom, or use the domain registrar of your choice.
Access to one of the email addresses on your domain’s WHOIS record, to an “admin type” email address at the domain itself (admin@, administrator@, webmaster@, hostmaster@ or postmaster@example.com), or the ability to add DNS records or files on the web server for the domain. Certificate authorities must prove domain control before issuing. The classic method is a validation email sent to an address on the domain’s WHOIS record or to one of the generic administrative addresses at the domain; because many registrars now redact WHOIS contact data, CAs also offer validation via a DNS TXT record or a file served over HTTP from the domain. To be issued an Extended Validation certificate, you will also be required to provide the CA with paperwork establishing the legal identity of the website’s owner, among other things.
DNS records set up for your server. If you are using DigitalOcean, please see our DNS documentation for details on how to add them.
This tutorial will provide configuration instructions for an Ubuntu 22.04 server set up by following this initial server setup for Ubuntu 22.04 tutorial, including a sudo-enabled non-root user and a firewall. Most modern Linux flavors will work similarly.
You should also have a web server like Nginx or Apache installed, following How To Install Nginx on Ubuntu 22.04 or How To Install the Apache Web Server on Ubuntu 22.04. Be sure that you have a server block (or Apache virtual host) for your domain.
If you are not sure which Certificate Authority to use, there are a few factors to consider.
The most crucial point is that the CA that you choose is a member of the root certificate programs of the most commonly used operating systems and web browsers, i.e. it is a “trusted” CA, and its root certificate is trusted by common browsers and other software. If your website’s SSL certificate is signed by a trusted CA, its identity is considered to be valid by software that trusts the CA.
Most commercial CAs that you will encounter will be members of the common root CA programs, but it does not hurt to check before making your certificate purchase. For example, Apple publishes its list of trusted SSL root certificates.
Ensure that you choose a CA that offers the certificate type that you require. Many CAs offer variations of these certificate types under a variety of names and pricing structures. Here is a short description of each type:
- Single Domain: issued for one hostname, e.g. example.com. Note that additional subdomains, such as www.example.com, are not included unless the CA adds them as an extra name.
- Wildcard: issued for a domain and its single-level subdomains, e.g. *.example.com can also be used for www.example.com and store.example.com, but not for deeper names such as a.b.example.com, and not for the bare example.com unless that is listed separately.
- Multiple Domain (SAN): issued for several hostnames listed in the certificate’s Subject Alternative Name extension, e.g. example.com, www.example.com, and example.net.
In addition to the aforementioned certificate types, there are different levels of validation that CAs offer. All of them provide the same TLS encryption; they differ only in what the CA checks before issuing:
- Domain Validation (DV): the CA verifies only that you control the domain, by email, DNS record or HTTP file. These are issued within minutes and are the only kind Let’s Encrypt offers.
- Organization Validation (OV): the CA additionally verifies that the organization named in the certificate exists and is the one applying.
- Extended Validation (EV): the most rigorous vetting of the legal entity, requiring the paperwork mentioned above. Current browsers no longer display EV status prominently in the address bar, so weigh its cost against the benefit you actually get.
Many CAs offer a large variety of “bonus” features to differentiate themselves from the rest of the SSL certificate-issuing vendors. Some of these features can end up saving you money, so it is important that you weigh your needs against the offerings before making a purchase. Examples of features to look out for include free certificate reissues or a single domain-priced certificate that works for www. and the domain basename, e.g. www.example.com with a SAN of example.com.
After you have your prerequisites sorted, and you know the type of certificate you need, it’s time to generate a certificate signing request (CSR) and private key.
If you are planning on using Apache HTTP or Nginx as your web server, you can use the openssl command to generate your private key and CSR on your web server. In this tutorial, you can keep all of the relevant files in your home directory, but feel free to store them in any secure location on your server. Generate the private key on the machine that will use it and never send it anywhere; only the CSR goes to the CA.
To generate a private key, called example.com.key, and a CSR, called example.com.csr, run the openssl req command, asking for a new 2048-bit (or larger) RSA key written unencrypted to the key file (replace example.com with the name of your domain):
At this point, you will be prompted for several lines of information that will be included in your certificate request. The most important part is the Common Name field, which should match the name that you want to use your certificate with, for example example.com, www.example.com, or (for a wildcard certificate request) *.example.com. Be aware that browsers no longer match a hostname against the Common Name; they only look at the Subject Alternative Name (SAN) extension. Most CAs copy the Common Name into the SAN list automatically and let you add further names (such as www.example.com) during ordering, but verify the SANs in the issued certificate before deploying it. If you are planning on getting an OV or EV certificate, ensure that all of the other fields accurately reflect your organization or business details. Providing a “challenge password” is not necessary.
For example:
Output
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:sammy@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
This will generate a .key and .csr file. The .key file is your private key and should be kept secure: readable only by you here, and later only by root on the web server. It never needs to leave this machine. The .csr file is what you will send to the CA to request your SSL certificate. Listing your working directory shows both files:
Output
example.com.csr example.com.key
You will need to copy and paste your CSR when submitting your certificate request to your CA. To print the contents of your CSR, use cat:
cat example.com.csr
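As an added example (not code from the original tutorial), the following shell script performs the key and CSR generation described above non-interactively and then runs the checks worth doing before you paste the CSR into a CA’s order form: that the CSR’s self-signature verifies, that the CSR was produced with the key you intend to install, that the hostnames you need are present as Subject Alternative Names (since browsers ignore the Common Name), and that the key file is not world-readable. The domain names, organization details and output directory are placeholders; the SAN line uses the -addext option, which requires OpenSSL 1.1.1 or later (Ubuntu 22.04 ships OpenSSL 3).

```shell
#!/bin/sh
# Added example, not code from the original tutorial: generate the private key
# and CSR non-interactively, then check the CSR before it goes to the CA.
# Domain names, organization details and the output directory are placeholders.
set -eu

# gen_csr DOMAIN OUTDIR [EXTRA_HOSTNAME...]
# Writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr. The key is unencrypted
# (-nodes) so the web server can start unattended, which is why the file mode
# matters: umask 077 makes the key readable only by its owner.
gen_csr() {
    domain=$1; outdir=$2; shift 2
    san="DNS:$domain"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$domain.key" \
        -out "$outdir/$domain.csr" \
        -subj "/C=US/ST=New York/L=New York/O=My Company/CN=$domain" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# verify_csr CSR: the CSR is self-signed with the new key; a failed
# verification means the file is corrupt or was edited after generation.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: compares the public key embedded in the CSR with
# the one derived from KEY. The CA certifies the CSR's key, so a mismatch here
# becomes the "key values mismatch" error when the web server starts.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_sans CSR: prints the requested Subject Alternative Names as one
# comma-separated line, e.g. DNS:example.com,DNS:www.example.com
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# key_mode FILE: octal permission bits of the key file (expect 600).
# GNU stat first, BSD/macOS stat as a fallback.
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Run gen_csr with your domain, an output directory and any extra hostnames, then check the CSR with verify_csr, csr_matches_key and csr_sans before submitting it; the CA will only ever see the .csr file.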
Now you are ready to buy a certificate from a CA.
There are many commercial CA providers, and you can compare and contrast the most appropriate options for your own setup. For example, Namecheap acts as an SSL certificate reseller, and has changed upstream CA providers in the past to provide the best value. As of December 2022, they offered certificates from Comodo CA (the CA that rebranded as Sectigo in 2018).
After making a selection, you will need to upload the CSR that you generated in the previous step. Your CA provider will also likely have an “Approver” step, which will send a validation request email to an address in your domain’s WHOIS record or to an administrator type address of the domain that you are getting a certificate for; most providers also let you choose DNS- or HTTP-based validation instead.
After approving the request, the CA will email the certificate to the named administrator, usually together with one or more intermediate certificates (sometimes packaged as a “CA bundle”). Copy and save them to your server in the same location that you generated your private key and CSR. Name the certificate with the domain name and a .crt extension, e.g. example.com.crt, and name the intermediate certificate intermediate.crt.
The certificate is now ready to be installed on your web server, but first, you may have to make some changes to your firewall.
If you have the ufw firewall enabled as recommended by our Ubuntu 22.04 setup guide, you’ll need to adjust the settings to allow for HTTPS traffic. Nginx and Apache both register a few application profiles with ufw upon installation.
You can see the current settings by listing the ufw status. If you receive output containing just Nginx HTTP or Apache, only HTTP traffic (port 80) is allowed to the web server:
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
To additionally let in HTTPS traffic (port 443), allow the Nginx Full or Apache Full profile and delete the now-redundant HTTP profile allowance. That should produce a result like this:
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
In the final step, you’ll install the certificate.
After acquiring your certificate from the CA of your choice, you need to install it on your web server. This involves adding a few SSL-related lines to your web server software configuration.
This tutorial will cover configuring Nginx and Apache on Ubuntu 22.04, but most modern Linux flavors will work similarly. This tutorial also makes these assumptions:
- The private key, SSL certificate, and, if applicable, the CA’s intermediate certificates are located in a home directory at /home/sammy
- The private key is called example.com.key
- The SSL certificate is called example.com.crt
- The CA intermediate certificate(s) are in a file called intermediate.crt
Note: In a production environment, these files should be stored somewhere that only the web server process can read. Both Nginx and Apache read the certificate and private key as root when they start, before dropping privileges to their unprivileged worker user, so the private key can be owned by root with mode 0600 (for example under /etc/ssl/private) and the worker user needs no access to it at all. For comparison, Let’s Encrypt stores the certificates it generates in /etc/letsencrypt. Production examples will vary due to the complexity of multi-server configurations.
These are the steps to manually deploy an SSL certificate on Nginx.
If your CA also sent you one or more intermediate certificates, you must create a single “chained” certificate file that contains your certificate followed by the CA’s intermediate certificates, in that order: your own certificate first, then the intermediate that signed it, then any further intermediates. Nginx has no separate directive for the chain; ssl_certificate must point at the combined file. The CA’s root certificate does not need to be included, because clients already hold it in their trust store.
Assuming your certificate file is called example.com.crt, you can use the cat command to append the files together, in that order, into a combined file called example.com.chained.crt:
Using nano or your favorite text editor, open your default Nginx server block file (on Ubuntu, /etc/nginx/sites-available/default) for editing.
Find the listen directive, and modify it to listen 443 ssl:
…
server {
listen 443 ssl;
…
Next, find the server_name directive within that same server block, and make sure that its value matches the common name of your certificate. Also, add the ssl_certificate and ssl_certificate_key directives to specify the paths of your certificate and private key files:
…
server_name example.com;
ssl_certificate /home/sammy/example.com.chained.crt;
ssl_certificate_key /home/sammy/example.com.key;
…
To allow only current TLS protocol versions and forward-secret ciphers, add the following lines to the file. TLS 1.0 and 1.1 are deprecated (RFC 8996) and disabled by default in current browsers, so they should not be enabled; note that ssl_ciphers governs only the TLS 1.2 suites, since TLS 1.3 has its own fixed set:
…
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
…
Finally, to redirect HTTP requests to HTTPS by default, you can add an additional server block at the top of the file:
server {
listen 80;
server_name example.com;
rewrite ^/(.*) https://example.com/$1 permanent;
}
…
Save and close the file. If you are using nano, press Ctrl+X, then when prompted, Y and then Enter.
Before restarting Nginx, validate your configuration by running nginx -t with sudo (it has to be able to read the private key, which only root should be able to do):
If there aren’t any problems, restart Nginx to enable SSL over HTTPS:
Test it out by accessing your site via HTTPS, e.g. https://example.com. You will also want to try connecting via HTTP, e.g. http://example.com, to ensure that the redirect is working properly. An external checker such as the Qualys SSL Labs test will additionally tell you whether the full certificate chain is being served.
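The following shell script is an added example, not code from the original tutorial. It builds the chained file exactly as the Nginx section describes (your certificate first, then the intermediate) and then runs the checks a practitioner wants before restarting either Nginx or Apache: that each certificate in the file is followed by its issuer, that the leaf chains up to a trusted root, and that the certificate’s public key matches the private key the server will load (the “key values mismatch” error several commenters below ran into). Because a commercial CA’s files cannot be fetched offline, make_test_pki constructs a throwaway root, intermediate and leaf from a minimal OpenSSL config to stand in for them; everything in it is made up for the demonstration, and in real use example.com.crt and intermediate.crt are simply the files your CA sent.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. Builds the "chained"
# certificate file the Nginx section describes and checks it before deployment.
# make_test_pki is a constructed stand-in for the files a CA would send, so the
# script runs offline; the names in it are invented.
# set -u only: the check functions return a status on purpose.
set -u

# make_test_pki DIR DOMAIN: self-signed root -> intermediate -> leaf for DOMAIN.
make_test_pki() {
    d=$1; domain=$2
    cat > "$d/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
    # root: the trust anchor a browser would already have
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/pki.cnf" \
        -subj "/CN=Constructed Test Root" -extensions ca_ext \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # intermediate signed by the root (what the CA ships as intermediate.crt)
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=Constructed Test Intermediate" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/pki.cnf" -extensions ca_ext \
        -out "$d/intermediate.crt" 2>/dev/null
    # leaf for DOMAIN signed by the intermediate (your example.com.crt)
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=$domain" -keyout "$d/$domain.key" -out "$d/$domain.csr" 2>/dev/null
    openssl x509 -req -in "$d/$domain.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/pki.cnf" -extensions leaf_ext \
        -out "$d/$domain.crt" 2>/dev/null
}

# make_chain OUT LEAF INTERMEDIATE...: your certificate first, then the
# intermediate(s) that signed it. This is the file ssl_certificate points at.
make_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# split_chain CHAIN DIR: writes DIR/c1.pem, DIR/c2.pem, ...; prints the count.
split_chain() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")} END{print n+0}' "$1"
}

# first_cert CHAIN: prints only the first PEM certificate (the leaf).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1"
}

# chain_is_ordered CHAIN: every certificate's issuer must be the subject of
# the certificate that follows it; a reversed bundle fails here.
chain_is_ordered() {
    d=$(mktemp -d)
    n=$(split_chain "$1" "$d")
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$d/c$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$d/c$j.pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then rm -rf "$d"; return 1; fi
        i=$j
    done
    rm -rf "$d"
    [ "$n" -ge 1 ]
}

# verify_chain CHAIN ROOT: the leaf must chain to ROOT using only the
# intermediates present in CHAIN, which is all a client will ever be sent.
verify_chain() {
    d=$(mktemp -d)
    first_cert "$1" > "$d/leaf.pem"
    if openssl verify -CAfile "$2" -untrusted "$1" "$d/leaf.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# cert_matches_key CERT KEY: the public key in CERT must equal the one
# derived from KEY, or the server fails with "key values mismatch".
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Once the files are deployed, repeat the chain check against the live server with openssl s_client, passing -connect example.com:443, -servername example.com and -showcerts: it prints the chain the server actually sends, and if only the leaf appears, the intermediate did not make it into the chained file (Nginx) or the directive points at the wrong file (Apache).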
These are the steps to manually deploy an SSL certificate on Apache.
Using nano or your favorite text editor, open your default Apache virtual host file for editing.
Find the <VirtualHost *:80> entry and modify it so your web server will listen on port 443:
…
<VirtualHost *:443>
…
Next, add the ServerName directive, if it doesn’t already exist:
…
ServerName example.com
…
Then add the following lines to enable TLS and specify your certificate and key paths:
…
SSLEngine on
SSLCertificateFile /home/sammy/example.com.crt
SSLCertificateKeyFile /home/sammy/example.com.key
SSLCACertificateFile /home/sammy/intermediate.crt
…
On Apache 2.4.8 and later, the documented way to serve intermediates is to append them to the file named by SSLCertificateFile, i.e. the same chained file described in the Nginx section; SSLCertificateChainFile does the same job but is deprecated in those versions. SSLCACertificateFile is intended for verifying client certificates. In practice it usually works for intermediates too, because mod_ssl and OpenSSL build the server’s chain from that store, but it is not the documented place for them. Whichever directive you use, confirm afterwards with a TLS client that the full chain is actually sent.
At this point, your server is configured to listen on HTTPS only (port 443), so requests to HTTP (port 80) will not be served. To redirect HTTP requests to HTTPS, add the following to the top of the file (substitute the name in both places):
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
…
Save and close the file. If you are using nano, press Ctrl+X, then when prompted, Y and then Enter.
Enable the Apache SSL module (mod_ssl) with a2enmod; on Ubuntu this also activates the Listen 443 directive in ports.conf, so you do not need to add one yourself. Check the result with apachectl configtest.
Now, restart Apache to load the new configuration and enable TLS/SSL over HTTPS.
Test it out by accessing your site via HTTPS, e.g. https://example.com. You will also want to try connecting via HTTP, e.g. http://example.com, to ensure that the redirect is working properly.
In this tutorial, you learned how to determine when you might need to purchase an SSL certificate from a commercial CA, and how to compare and contrast the available options. You also learned how to configure Nginx or Apache for HTTPS support, and how to adapt their configurations for production.
Next, you may want to read about other SSL use cases, such as when working with load balancers.
Hi, when I try and run:
$ openssl req -newkey rsa:2048 -nodes -keyout mydomain.com.key -out mydomain.com.csr
I get:
WARNING: can’t open config file: /usr/lib/ssl/openssl.cnf Unable to load config info from /usr/lib/ssl/openssl.cnf
Please help!
The error indicates that OpenSSL can’t find its configuration file (openssl.cnf). Here’s how to fix this:
1. Locate openssl.cnf: On some systems, openssl.cnf might be located elsewhere, like /etc/ssl/openssl.cnf. Run a search to locate it. If it exists in a different location, use that path with OpenSSL.
2. If openssl.cnf exists in another location, you can create a symlink to where OpenSSL expects it, or specify openssl.cnf in the command itself.
3. If openssl.cnf is missing altogether, reinstalling OpenSSL should replace it.
These steps should resolve the issue with the missing configuration file.
Regards
I am now unable to access the domain without HTTPS, is there a way to fix this?
Great guide btw.
Thanks
What Web Server are you using?
This comment has been deleted
nginx, I solved it by adding an additional server directive.
Here’s the link to the stack page: http://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom
I’d recommend adding this to the guide as it it’s a PITA if it only accepts https and does not force a re-direct.
That’s already in the guide, by the way.
In my opinion the tutorial should include compatibility with a non-SSL version of the web.
When I run the following setup
I receive the following response
Any ideas? I’m trying to chain a GoDaddy EV SSL, which I downloaded as Apache server type.
Removed the <^> from the command, and it appears to have worked correctly now.
Looks like that was actually just a typo in the article. I’ve fixed it above. Thanks!
This comment has been deleted
My site is coming up as internal server error (https://rynopower.com/) Even though the SSL appears to be working. (Green lock is showing) Using PositiveSSL from Namecheap. SSL checking: https://www.sslchecker.com/sslchecker
Running off of the Wordpress Ubuntu 14.04 Image.
Created the ca-bundle with the four files provided by Namecheap:
cat rynopower_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > rynopower.ca-bundle
All files are currently in /etc/ssl/
CSR and Key that was generated are in the same folder currently.
Relevant lines for default-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost default:443>
ServerAdmin webmaster@localhost
ServerName rynopower.com:443
SSLEngine on
SSLCertificateFile /etc/ssl/rynopower_com.crt
SSLCertificateKeyFile /etc/ssl/rynopower.key
SSLCertificateChainFile /etc/ssl/rynopower.ca-bundle
Any idea why my site wouldn’t work on https? It still works fine on http, and the lock comes up for https, just no content
Is the rest of your default-ssl.conf correct?
I don’t see anything in particularly wrong. But maybe you might.
Here is the full file.
http://pastebin.com/ERz5ppr7
When trying to restart I get this:
Output of config test was: AH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateFile: file ‘/etc/apache2/ssl/certs/teampunt.co.uk.crt’ does not exist or is empty Action ‘configtest’ failed. The Apache error log may have more information.
does anyone know why? I bought the cert from godaddy
The error message indicates that Apache is unable to find or access the SSL certificate file specified in your configuration. Here’s how to troubleshoot:
1. Check the File Path: Confirm that the certificate exists at the configured path (/etc/apache2/ssl/certs/teampunt.co.uk.crt). If the file is not there or the path is incorrect, update the path in your configuration file (default-ssl.conf).
2. Re-download or Reinstall the Certificate: Sometimes, certificate files are empty if there was an issue with the download. You can re-download the certificate from your GoDaddy account and replace the existing one.
3. Update Apache Configuration: Confirm that the certificate path in your default-ssl.conf file matches the location of the actual certificate.
Regards
Hi there, thank you for this great article… when my SSL provider issued my SSL certificate I got two more files with it, first: COMODORSAAddTrustCA, second: COMODORSADomainValidationSecureServerCA
but in your article you didn’t mention anything about those extra certificates, so can you give me some explanation about them? Where would I use them?
Best regards
Are you using Nginx? If so, you will want to combine the files into the “chained” certificate file in a particular order:
example.com.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt
Or you can run this command to do the same thing (substitute the name of your certificate):
This was the correct order for me for cert from COMODO, though the exact file names vary slightly.
This comment has been deleted
What about apache ?
Did you figure this out for apache?
Any help would be appreciated.
Place the intermediate certificates into intermediate.crt, then follow the instructions in the Apache section of this tutorial.
Hmm, do you have any evidence of that? I’m getting an A+ rating from the Qualys test with a free StartSSL certificate, and I’ve never heard of any current browser rejecting a StartSSL certificate.
Might also be worth mentioning Cloudflare’s free Universal SSL offering, which “hides” a free server-signed key behind a “valid” key for “end to end” SSL, or even offers to make ANY website SSL, without a server-side certificate needed. https://blog.cloudflare.com/introducing-universal-ssl/
There is some evidence. Have you ever heard of CAcert? They offer free SSL certificates under their own root; not all major browsers support it though (it is not in their trust store).
Thanks for help
gdd
Thank you for your guide, I managed to make it work, but I changed the directory of the SSL files and now I cannot make it work. I have 2 domains, tilabmx.com (default) and dianamejia.tk, on LEMP with Ubuntu 14.04. When I go to tilabmx.com the server shows me dianamejia.tk (before setting up SSL everything was working fine). My conf file is:
server {
listen 443 ssl default_server;
listen [::]:443 default_server ipv6only=on;
}
any idea? Thank you in advance!
Check the Nginx error log (/var/log/nginx/error.log). It probably has to do with permissions of the files and their containing directories.
Thank you very much for your answer! What are the appropriate permissions? When I run “sudo cat /var/log/nginx/error.log” nothing opens, as if there is no file.
Regarding the permissions, the SSL certs and keys need to be readable by the user that is starting the Nginx master process. It sounds like Nginx isn’t reporting any errors, so that is probably not the issue.
Are you accessing your site with https instead of http?
You should probably delete
rewrite ^/(.*) https://tilabmx.com/$1 permanent;
Then add this to the top of your config file (if you want http to redirect to https):
Again thank you manicas! And sorry for all the questions. I really appreciate your help. Finally it’s working! My conf file is as follows:
after that I added
I don’t know why if I put everything in the same server block it doesn’t work.
Regarding your setup, it’s typical to use separate server blocks for HTTP (port 80) and HTTPS (port 443) because they handle traffic differently. The HTTP block uses the rewrite directive to redirect traffic to HTTPS, while the HTTPS block manages secure connections. Combining them into one block often doesn’t work due to these differences.
As for your SSL cipher configuration, you’re using AES256+EECDH:AES256+EDH:!aNULL, which is strong and modern, focusing on forward secrecy. The default setting (HIGH:!aNULL:!MD5:!3DES) is broader and includes more ciphers for compatibility but disables weak ones. Your setup prioritizes stronger encryption, though it might limit compatibility with older clients.
The separation of blocks is necessary because NGINX processes HTTP and HTTPS differently, and keeping them apart ensures smooth handling of both protocols.
You can also test your SSL configuration for security and compatibility using tools like SSL Labs.
I think you forgot to mention that we have to put the SSLEngine on statement inside the Apache config file. It didn’t work for me unless I added that on Apache v2.4.7.
+1 for this.
Need SSLEngine on for Apache v2.4.7
Thanks! Updated.
Yes, adding SSLEngine on in the Apache configuration is crucial for enabling SSL. Without this directive, Apache won’t handle SSL connections even if you have everything else configured properly. It’s easy to overlook, but it’s a vital part of enabling HTTPS on your server. Glad you caught that!
Very comprehensive guide, thanks.
One command that helped me debug was:
That tests your config to make sure it is valid and will report any errors.
This is a valid point. You can always check the syntax of your Apache or Nginx config using the same command; the difference will be the service name: nginx -t or apachectl -t / apachectl configtest
Regards
I am at the end of it but cannot run SSLCACertificateFile /home/abc/intermediate.crt and SSLCertificateChainFile /home/abc/intermediate.crt. both returns command not found error on Ubuntu 14.04 with apache 2.4.7.
Those aren’t commands that you should run. Add those to Apache configuration file.
This comment has been deleted
Hello , am not able to redirect http to https . Am using apache2 . Could you please verify .
To redirect HTTP to HTTPS in Apache, you can follow two methods:
Edit the HTTP Virtual Host: Open your site’s HTTP virtual host configuration file, usually located in
/etc/apache2/sites-available/
Using .htaccess for HTTP to HTTPS redirects is also effective, especially if you prefer to manage redirects at a directory level rather than in the main Apache configuration. I’ll usually recommend this way; you can edit the site’s .htaccess file and use the following snippet:
Regards
Hi I’m trying to setup a SSL cert and getting this error:
SSL_CTX_use_PrivateKey_file(“/home///example.com.key”) failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
I am having the same issue were you able to solve this?
This comment has been deleted
Did you ever figure this out? I’m having the same issue
Not sure where to begin to be honest. I am using a WordPress droplet with Apache and Ubuntu 14.04. I have a Comodo SSL certificate with a .crt file and .bundle file. I followed the instructions, making adjustments to the naming. I tried the instructions here regarding the default conf file and I tried the instructions from Comodo at https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/ for Apache & mod_ssl.
I have keys and crt and bundle files in both /home/myusername/ and in the /etc/ssl/ directory
My modified 000-default.conf features the following:
I added the Listen command after seeing it on a Ubuntu forum.
I get the following error in Firefox when I try to connect via https://www.digitera.com
In the comments section, Mitchell mentioned the default-ssl.conf file, but that is not part of the core tutorial.
Which instructions should I be following? The instructions from Comodo, or the ones here? Should I be modifying just the 000-default.conf file or the default-ssl.conf one as well? Should I be leaving the .bundle file name alone or should I rename it to match the convention that is indicated in the base tutorial?
Help !!!
Ken
Which version of Apache are you using? If it’s a 2.4.x, try replacing SSLCertificateChainFile with:
Just a note about doing this if you have a one-click Drupal install:
The file to edit won’t be
But rather
Then what you edit is not just one line but rather you need to edit this:
into this:
Finally, you won’t find the ‘server_name’ line. So right below the above lines, insert it like so:
The rest works as described in the tutorial.
Thanks for sharing this! We’ll look into updating the article with the latest revision if necessary!
Regards
I was trying to generate a CSR and private key…
Got to this point in the tutorial:
“This will generate a .key and .csr file. The .key file is your private key, and should be kept secure. The .csr file is what you will send to the CA to request your SSL certificate.
You will need to copy and paste your CSR when submitting your certificate request to your CA. To print the contents of your CSR, use this command (replace the filename with your own):
cat example.com.csr”
I was able to get the CSR, but where did the KEY go? Newbie here, any help appreciated. Thanks.
The KEY should be in a file in the same directory as the CSR, with a name like example.com.key.
Thank you for the quick reply. Couldn’t find it, I probably deleted/misplaced it somehow. So decided to generate a new CSR & Key and request a re-issue of a new SSL certificate instead. Got a new cert emailed from Comodo minutes later.
Thanks for the tutorial. Any help is always appreciated.
I will say though that I had to spend quite a while figuring out why I was getting the following browser errors.
Google Chrome:
Error code: ERR_SSL_PROTOCOL_ERROR
Firefox:
In the end I had to enable the configuration using:
sudo a2ensite 000-default.conf
Thank you for sharing your solution, and I’m glad you figured it out! The ERR_SSL_PROTOCOL_ERROR and ssl_error_rx_record_too_long errors often indicate that Apache is listening for HTTPS traffic on a port where SSL isn’t configured correctly, or that the configuration itself isn’t fully enabled.

Enabling your configuration with sudo a2ensite 000-default.conf was crucial because Apache requires the site configuration to be both enabled and active for SSL settings to take effect. Without that step, Apache can’t apply any SSL directives defined in the configuration file, which leads to SSL-related browser errors like the ones you experienced.

Thanks again for the feedback! This will be helpful for anyone else troubleshooting similar issues!

Regards
Thanks Mitch
Worked perfectly for me. I had absolutely no problems installing a wildcard SSL certificate from NameCheap on my Ubuntu 13.10 Apache 2.4.6 droplet.
Hi there,
I was trying to install SSL certificate on Apache 2.4.7 on Ubuntu 14.04 x64 following above instructions. I have purchased certificate from GoDaddy. After finishing all the steps of installation when I try to restart Apache server, I get error message saying ‘Apache start failed’ and my site becomes inaccessible. I have got the following message on my server error log file:
[Tue Apr 14 07:31:14.140280 2015] [ssl:emerg] [pid 1192] AH02238: Unable to configure RSA server private key
[Tue Apr 14 07:31:14.140478 2015] [ssl:emerg] [pid 1192] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Tue Apr 14 07:31:14.140496 2015] [ssl:emerg] [pid 1192] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
My server configuration file (000-default.conf) contains following lines:
I am kind of lost and can’t figure out where the actual problem is. Can you please help me here and let me know what the problem is? Thanks in advance.
That means that your cert and key aren’t matching.
To verify this, run the following commands:
If the output doesn’t match exactly, you probably aren’t using the proper key file. You can either find the proper key file, or just create a new key and CSR and reissue the cert.
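The commands the reply refers to are not reproduced on the page. The script below is an added example (not from the tutorial or from the comment author) that does the same check in one place: it fingerprints the RSA modulus of a key, a CSR and a certificate and reports whether they belong together. The file names, the throw-away key pair and the self-signed certificate (standing in for the CA-issued one) are all constructed here so the script runs offline; the mod_ssl message it explains is the AH02238 "key values mismatch" quoted above.

```shell
#!/bin/sh
# Added example: does this private key belong to this certificate (and CSR)?
# mod_ssl's "X509_check_private_key:key values mismatch" means the file named in
# SSLCertificateKeyFile is not the key the CSR was generated from.
# Everything under $WORK is constructed for the demonstration.
set -e
WORK=$(mktemp -d)

# Print a short SHA-256 fingerprint of the RSA modulus found in a key, CSR or cert.
# Two files that share a fingerprint share the public key, so they belong together.
modulus_fp() {            # usage: modulus_fp key|csr|cert FILE
  case $1 in
    key)  openssl rsa  -noout -modulus -in "$2" ;;
    csr)  openssl req  -noout -modulus -in "$2" ;;
    cert) openssl x509 -noout -modulus -in "$2" ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# Exit status 0 when KEY and CERT carry the same modulus.
key_matches_cert() {      # usage: key_matches_cert KEY CERT
  [ "$(modulus_fp key "$1")" = "$(modulus_fp cert "$2")" ]
}

# Demo material: key A with its CSR, a self-signed cert made from that CSR, and an
# unrelated key B (the classic "I still have three .key files, which one is it?" case).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/a.key" -out "$WORK/a.csr" \
  -subj /CN=example.com 2>/dev/null
openssl x509 -req -in "$WORK/a.csr" -signkey "$WORK/a.key" -days 1 \
  -out "$WORK/a.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/b.key" 2>/dev/null

if key_matches_cert "$WORK/a.key" "$WORK/a.crt"; then
  echo "a.key matches a.crt"
fi
if key_matches_cert "$WORK/b.key" "$WORK/a.crt"; then
  echo "b.key matches a.crt"
else
  echo "b.key does NOT match a.crt (this is the AH02238 situation)"
fi
```

Run it against your real files with `modulus_fp key /etc/ssl/mydomain.key` and `modulus_fp cert /etc/ssl/mydomain.crt`; if the CSR is still around, `modulus_fp csr` tells you which key it was generated from even before the CA has answered.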
Mitchell, this article was extremely helpful.
However I have one question, in the section about “Install Certificate On Web Server,” you state that "the private key, SSL certificate, and, if applicable, the CA’s intermediate certificates are located in a home directory at /home/sammy"
Is the “sammy” folder necessary for the process or is that an example name?
Thank you for your clarification. This is my first time setting up an SSL.
It’s an example username. The username that you should use is the one that you logged into the server as (and has sudo access).

What if we don’t want to redirect all pages to https? If we are running a store and only want https on the checkout page would we set up the virtualhost *:80 and then copy everything from there into virtualhost *:443 to enable both without the redirect?
There are a lot of different ways to do what you want.
The problem with doing it the way you described is that your store will be accessible via HTTP. If you do it that way, you should at least redirect the directory of the store to the 443 VirtualHost.
I should probably give more detail. I’m using Wordpress/WooCommerce which has a checkbox to “force SSL on checkout” and “force http upon leaving checkout”. So the checkout page will be safe (assuming the SSL certificate gets installed correctly of course).
What are the ramifications of having the shop pages accessible via http? Since it’s Wordpress I don’t think I can redirect certain directories although I could do a php redirect on all store pages I guess.
Thanks for this great article and all the comments!
I wanted to share some tips and troubleshooting techniques:
Check that the SSL.crt and mydomain.key are owned by root. Make sure to protect your private key
chmod 600 mydomain.key
Is the SSL certificate installed?
openssl s_client -CApath /etc/ssl/ -showcerts -connect mydomain.com:443 -servername mydomain.com
What webserver am I running?
wget --save-headers mydomain.com
What port is nginx listening on?
netstat -tulpn | grep "nginx"
Open up the 443 port:
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Thanks for sharing this. Also if you’re using UFW you can use
sudo ufw allow 443
Regards
So weird enough I got a comodo cert loaded it up on a default apache droplet ubuntu 14.04, getting the following when i hit the site with ssl enabled…
Secure Connection Failed
An error occurred during a connection to www.mycibt.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
Here is my config file:
<VirtualHost www.mysite.com:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost www.mysite.com:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/certs/mysite.com.crt
    SSLCACertificateFile /etc/apache2/ssl/certs/intermediate.crt
    SSLCertificateKeyFile /etc/apache2/ssl/certs/mysite.com.key
</VirtualHost>
Any ideas on this?
That error can be caused by a variety of things (usually misconfigured Apache). Check the Apache error log for more hints:
sudo tail -f /var/log/apache2/error_log
then open the site in a browser.

The tutorial is missing a command that needs to be sent before restarting the apache server: a2ensite default-ssl
I have installed the Rapid ssl in my Ubuntu 14.04.2 LTS. But the website is not loading after that. I am getting following message in browser “The page isn’t redirecting properly”
my apache version is apache 2.4.7
The conf file is available in /etc/apache2/sites-available/magento.conf is as follows
<VirtualHost *:80>
    ServerName mysite.co.uk
    Redirect permanent / https://mysite.co.uk/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mysite.co.uk
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile /etc/apache2/ssl/rapidssl_publickey_2015.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/rapidssl_intermediateca_2015.crt
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/html/magento>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
The ports.conf available in /etc/apache2/ports.conf is as follows:

Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
The apache error log I could see is as follows:

[Fri May 29 23:42:51.054552 2015] [ssl:warn] [pid 2048] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
[Fri May 29 23:42:51.054975 2015] [ssl:warn] [pid 2048] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
[Fri May 29 23:42:51.055076 2015] [ssl:warn] [pid 2048] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri May 29 23:42:51.222699 2015] [ssl:warn] [pid 2053] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
[Fri May 29 23:42:51.223298 2015] [ssl:warn] [pid 2053] AH01909: RSA certificate configured for www.funnfrolic.co.uk:443 does NOT include an ID which matches the server name
[Fri May 29 23:42:51.223512 2015] [ssl:warn] [pid 2053] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri May 29 23:42:51.227454 2015] [mpm_prefork:notice] [pid 2053] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.6 OpenSSL/1.0.1f configured – resuming normal operations
[Fri May 29 23:42:51.227484 2015] [core:notice] [pid 2053] AH00094: Command line: ‘/usr/sbin/apache2’
Can you please guide me how we can resolve this? I have hosted the website in Digital Ocean. Also- everytime when I restart the apache- I could see following message and I am giving passphrase everytime. Is that something have any impact in the process?
Apache needs to decrypt your SSL Keys for www.funnfrolic.co.uk:443 (RSA) Please enter passphrase:
@rickthomas:
“The page isn’t redirecting properly” is usually caused by a misconfigured application. Review your application’s settings that have to do with the URL or clear its cache.
The ServerName directive in the :443 VirtualHost must match the CN (Common Name) that you set when you generated your key and CSR. This is probably causing the error in the Apache log.

The passphrase prompt occurs because you encrypted your key with one when you created it. This can cause an issue if the process restarts automatically (e.g. after boot) and you aren’t there to enter the passphrase—Apache won’t start. You can create a key without a passphrase by using the -nodes option. There are other ways around this, but this is the simplest. You will have to regenerate the key/CSR and get RapidSSL to issue a new certificate.

Great Tutorial Thanks
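One of the "other ways around this" mentioned in the reply, shown as an added example (not from the tutorial or the reply's author): detect whether a PEM key is passphrase-protected and strip the passphrase from a copy. Because this rewrites only the container and not the RSA key material, the certificate the CA already issued keeps matching it, so no re-issue is needed. The key, the passphrase and the file names below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: spot a passphrase-protected key (the cause of Apache's
# "Please enter passphrase:" prompt at every restart) and strip the passphrase
# without changing the key itself. Files, names and passphrase are constructed.
set -e
WORK=$(mktemp -d)
PASS=hunter2               # constructed demo passphrase

# Both PEM encodings OpenSSL uses for encrypted keys carry the word ENCRYPTED:
# "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) or "Proc-Type: 4,ENCRYPTED" (traditional).
key_is_encrypted() {       # usage: key_is_encrypted FILE
  grep -q ENCRYPTED "$1"
}

# Write an unencrypted copy of IN to OUT. The plaintext key is now the only
# secret, so restrict it before anything else can read it.
strip_passphrase() {       # usage: strip_passphrase IN OUT PASSPHRASE
  umask 077
  openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
  chmod 600 "$2"
}

# Fingerprint of the modulus; an optional PASSPHRASE is only needed for encrypted keys.
modulus_fp() {             # usage: modulus_fp KEY [PASSPHRASE]
  openssl rsa -noout -modulus -in "$1" -passin "pass:${2:-}" \
    | openssl sha256 | awk '{print $NF}'
}

# Demo: generate a key with a passphrase, as "openssl req" does without -nodes,
# then produce the passphrase-free copy Apache can load unattended.
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/enc.key" 2048 2>/dev/null
strip_passphrase "$WORK/enc.key" "$WORK/plain.key" "$PASS"

if key_is_encrypted "$WORK/enc.key";   then echo "enc.key: passphrase-protected"; fi
if key_is_encrypted "$WORK/plain.key"; then :; else echo "plain.key: no passphrase"; fi
if [ "$(modulus_fp "$WORK/enc.key" "$PASS")" = "$(modulus_fp "$WORK/plain.key")" ]; then
  echo "same key material: the existing certificate still matches plain.key"
fi
```

Point SSLCertificateKeyFile at the stripped copy and keep it root-owned and mode 600. If you would rather keep the key encrypted on disk, Apache's SSLPassPhraseDialog directive can run a program that supplies the passphrase at startup instead of prompting.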
Help!
I’m trying to get SSL to work on a client’s website (http://crsupplements.com/) and it doesn’t seem to be working. I am using DO’s one click Wordpress with Ubuntu 14.04 image, using Apache 2.4.7
Here is my Apache Host configuration file. (/etc/apache2/sites-available/000-default.conf)
Going to https://crsupplements.com/ just says that the connection is untrusted and is a self-signed certificate. I can add an exception but it then says 403 Forbidden, you can’t access / on this server. I bought the domain and cert from register.com and they told me in what order to put the intermediate certs in, so I am pretty sure that is correct. What am I missing? Do I need to do something to WordPress? Thanks!
Is 000-default.conf the only file that is linked in /etc/apache2/sites-enabled?

Did you get this fixed? I’m having the same problem now.
my default-ssl.conf is the only linked file in /sites-enabled
Is this where the problem is?
Hello. I am having the same problem as well. How did you manage to fix your error? Thank you.
A couple of good resources to test the certificate is all ‘clean & green’ :
https://www.sslshopper.com/ssl-checker.html
https://www.whynopadlock.com
These will spot any problems with your SSL chain, and the last link will also identify non secure content.
I’ve used both sites in the past for test purposes and they work just fine. Another option will be to run a curl from the command line as well.

Regards
Hello, what application should I choose when I am using Nginx as a Reverse Proxy for Apache, which I set up following the tutorial How To Configure Nginx as a Reverse Proxy for Apache?
Thank you
This was super, super helpful. Thank you!
Awesome tutorial, Mitchell! But I have a problem. I am running a wordpress multisite, currently with 4 blogs. Two of them need SSL Certification. I successfully ran the tutorial to install the certificate for the main blog. Great. But than, all the blogs are pointing to the main url. Well, that was obvious, since the tutorial are redirecting *:80 to a single url. ( Important to say that I am using domain mapping, and before ssl config, the redirection was working properly. )
I tried some configurations in the 000-default.conf, but none of them worked. Let me try some logic… yeah, I believe I’m wrong, but… Let’s say I have mainurl.ssl.com, that should have some subdomains, like store.mainurl.ssl.com. Also I have secondary.ssl.com, and thirdurl.nossl.com
And here is the 000-default.conf I came up with:
I use the ’ * ’ in <VirtualHost *.mainurl.ssl.com:80>, thinking in it’s the subdomains. I tried that, and other configurations, but none of them worked.
Is there a way to setup SSL certificates for blogs in wordpress multisites? I would love some help on this.
Thanks a lot!
I Tried this tutorial too: https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04
But at the end, it result in error, apache said that de site did not exist. =P
And I realized another problem, a very serious one btw… Using a permalink like url.com/category/my-post the browser did not load the page at all, saying that it was not possible to establish a secure connection. :(
Mitchell,
Excellent write up! TLS/SSL configuration instructions for Nginx was great, wanted to share config for Apache 2.4.x too for those of you who are concerned about SSLv3 and the poodle vulnerability.
Edit: /etc/apache2/mods-available/ssl.conf
–to something like–
sudo service apache2 reload
Thanks for sharing this!
As with the latest 1.3 version you can also add:
Regards
Hi Guys! I need a help:
I have already a ssl certificate from godaddy installed in my domain >> mydomain.com.br Thats ok! working fine.
But, now I need to setup another single cert in a subdomain (for my mobile version) >> m.mydomain.com.br
How can I do this configuration in my droplet? I have a Ubuntu 12.10 x64 Server with Nginx
The certificate is already in the right folder. I just need do setup the nginx configuration.
Thanks!!!
You can add a new server block in the /etc/nginx/sites-enabled directory. For example, open a new file called mobile:

Then add a new server block. It might look something like this:

Then be sure to add the rest of your configuration in that server block.
I followed the Apache instructions. Managed to break the site.
Do you see anything in the error logs?
I abandoned this approach and modified the default-ssl.conf file, which is really where this configuration should be done.
I have followed these instructions and am now just timing out. If I point directly to the HTTPS version of the IP address it resolves, but obviously the cert shows an unmatching domain error.
Any idea why the live site would be a white - timedout page?
Which web server are you using? If the HTTP to HTTPS redirect isn’t working, try focusing on the port 80 VirtualHost or server block.
I was able to fix the time out, but now have redirect loop errors. I’m using the wordpress droplet, so apache. This is my 000-default.conf file: http://pastebin.com/PyxvBZDL
I used a2dissite on all other confs, if that makes sense.
Make sure you don’t have a stray redirect somewhere else, like an .htaccess file, and check your Wordpress permalink settings.

After creating mydomain.ssl.conf do I need to keep mydomain.conf too, or may I delete it?
I’m not sure what you mean. Could you clarify your question?
sorry, I mixed your text with another I was reading about that. Let me clarify for you. Maybe you can help.
My Nginx was installed with the default package from serverpilot.io. They install Nginx-sp, then my server block stays under this folder:
/etc/nginx-sp/vhosts.d/mydomain/
When I first went in this folder, there was a file called “mydomain.conf”. Then, I created another called “mydomain.ssl.conf” with all the instructions you wrote in this article: listen 443 ssl; server_name example.com; ssl_certificate /home/sammy/example.com.chained.crt; ssl_certificate_key /home/sammy/example.com.key; AND ALL YOU MENTIONED…
My question is if do I have to keep both files: original : /etc/nginx-sp/vhosts.d/mydomain/mydomain.conf and new : /etc/nginx-sp/vhosts.d/mydomain/mydomain.ssl.conf ???
In the original file original : mydomain.conf there is the defaul configuration from Nginx-sp such as:
server {
    listen 80;
    listen [::]:80;
    server_name mydomain www.mydomain;
    root xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/public/;
    access_log xxxxxxxxxxx
    error_log xxxxxxxxx
    …
}
Thank you very much!
It looks like your mydomain.conf file is configured to allow HTTP connections. If you want your users to be able to access your site through HTTP (in addition to HTTPS), you should keep the file. If you want HTTPS-only, you should probably redirect the HTTP traffic to HTTPS.

I followed the tut exactly and I get secure connection failed when trying the URL via FF. I purchased a PositiveSSL from namecheap.com and this is my config file:
Is there a more specific error code after the “Secure Connection Failed” line? That will usually help you pinpoint the issue. If not, you can check the Apache error log (sudo tail /var/log/apache2/error.log). Please post the error code.

If I have more than 1 CA certificates how would I need to name them? I have 3
The names are arbitrary. If you have three intermediate certificates from different providers, you should probably name them based on the CAs that they belong to.
If you have three different sites with separate SSL certificates, you will probably want to name them after the domains that they cover.
After configuring apache for my SSL certificate (all certificates created and uploaded successfully) I’m still finding that https web requests are completely ignoring the certificates or are unable to find it. What do I need to do with my .conf files or my virtual hosts in order to use the settings in “/000-default.conf” ???
I’ve already disabled the default “self-signed” ssl by changing the virtualhost in “default-ssl.conf” to:
<VirtualHost 127.0.0.1:443>
(before ssl labs site test was showing the default self-signed ssl)
It looks like this has to do with the default settings that the wordpress ubuntu package comes with, so any help or direction would be great, thanks so much.
Graham
To ensure Apache is using your new SSL certificate and not falling back to the self-signed one, here are some adjustments you can make:

Edit your SSL virtual host file (/etc/apache2/sites-available/000-default.conf, or create a new SSL virtual host file if needed), and add the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile directives to specify your certificate paths.

If you are still using default-ssl.conf, ensure it’s disabled to avoid conflicts.

If 000-default.conf is your custom SSL virtual host file, enable it to make sure Apache reads it.

Make sure the ssl and rewrite modules are enabled, then restart Apache.

If you want 000-default.conf to be the default, ensure no other configurations are intercepting HTTPS traffic.

After these changes, try running an SSL test again. Let me know if this resolves it or if more details are needed on the WordPress package configuration!

Regards
Don’t forget you may have previously used iptables to lock down your server. After setting up the SSL and then getting a timeout with no errors in the logs:
In Ubuntu: sudo ufw allow 443
This is a valid point. You should make sure that port 443 is open and allowed in your Firewall configuration.
Regards
This is an excellent guide!! Thank you for explaining not just the technical details, but also some of the background regarding different SSL products and certificate types. This has really been enlightening.
Thanks for the great tutorial. I just set this up on my server using Namecheap’s SSL certificate but there was a major disconnect in the article for me. I wasn’t able to complete the installation without referring to other sources. Hopefully this comment will help others with the same issue and get the author to modify the original article.
With Namecheap, I received two files/keys, but it was unclear to me which file is the ‘site certificate’ and which is the one to be renamed to ‘intermediate.crt’. In hindsight it seems obvious but when going through the tutorial I got stuck.
In the downloaded package from Namecheap, one file is in the form of *.crt and the other *.ca-bundle. The .crt file is the ‘site certificate’, and the .ca-bundle file is the ‘CA intermediate certificate’, which should be renamed to ‘intermediate.crt’.
When you combine the site certificate (.crt file) and the intermediate certificate (.ca-bundle file), in that order, you create the chained certificate (.chained.crt file), which can be used in conjunction with the private key (created in the beginning) to serve the site with Nginx.
I received three files: example_com.crt example_com.p7b example_com.ca-bundle
I am running wordpress on Ubuntu 14.0 with nginx. How do I proceed with regards to intermediate.crt?
Rename example_com.ca-bundle to intermediate.crt and follow the instructions above. You do not need the p7b file. The example_com.crt is your site certificate.
Thanks. It worked. I found that I actually did not need to rename the files I got from my CA. I have a PositiveSSL from comodo via namecheap. I did the following command, if you have a .crt and .ca-bundle:
cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle > example.com.chained.crt
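The two comments above describe the same step: site certificate first, then the CA bundle, concatenated into the chained file. The script below is an added example (not from the tutorial or from either commenter) that builds the file that way and then checks it in two ways: that each certificate in the file is issued by the one after it, and that the leaf verifies up to the root through the certificates in the file. It also shows why the first check matters: openssl verify treats the file as an unordered pool and passes a wrongly ordered chain, while nginx (ssl_certificate) and Apache read the file in order and send it as-is. A throw-away root CA, intermediate CA and leaf are generated so it runs offline; in real use leaf.crt and ca-bundle are the files the CA sent, and every name here is constructed.

```shell
#!/bin/sh
# Added example: build example.com.chained.crt (leaf first, then the CA bundle)
# and check the order and the trust path. The CA hierarchy is generated here so
# the script runs offline; all file names are constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# issue NAME SUBJECT TRUE|FALSE [ISSUER]: RSA key + cert; self-signed when ISSUER is omitted.
issue() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
  if [ -z "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}

# Print the Nth PEM certificate of FILE.
nth_cert() {              # usage: nth_cert FILE N
  awk -v n="$2" '/BEGIN CERTIFICATE/{c++} c==n' "$1"
}

# Exit 0 when every certificate in FILE is issued by the certificate that follows it,
# i.e. the file is ordered leaf -> intermediate(s) the way nginx and Apache expect.
chain_order_ok() {        # usage: chain_order_ok FILE
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    sub=$(nth_cert "$1" $((i+1)) | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || return 1
    i=$((i+1))
  done
}

# Exit 0 when the first certificate in CHAIN verifies up to ROOT using only the
# other certificates in CHAIN as untrusted intermediates (order is NOT checked here).
chain_verifies() {        # usage: chain_verifies CHAIN ROOT
  nth_cert "$1" 1 > leaf-only.pem
  openssl verify -CAfile "$2" -untrusted "$1" leaf-only.pem >/dev/null 2>&1
}

# Demo hierarchy: root -> intermediate -> leaf. ca-bundle plays the CA's *.ca-bundle.
issue root         "/CN=Demo Root CA"         TRUE
issue intermediate "/CN=Demo Intermediate CA" TRUE  root
issue leaf         "/CN=example.com"          FALSE intermediate
cp intermediate.crt ca-bundle

cat leaf.crt ca-bundle > example.com.chained.crt   # the order the comments describe
cat ca-bundle leaf.crt > wrong-order.crt            # the common mistake

for f in example.com.chained.crt wrong-order.crt; do
  if chain_order_ok "$f"; then o=ordered; else o=MISORDERED; fi
  if chain_verifies "$f" root.crt; then v=verifies; else v="does not verify"; fi
  echo "$f: $o, $v"
done
```

Both files "verify", only the first is "ordered"; that is exactly the case a browser rejects while a quick openssl verify looks fine, so check order before pointing ssl_certificate or SSLCertificateFile at the chained file.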
After the sudo service apache2 restart command, I get the following message.

and I still can access http but not https, with an error saying “SSL connection error ERR_SSL_PROTOCOL_ERROR”
any suggestion?
well, I figure it out by myself.
helpful link: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName … waiting apache2:

So I checked the /etc/hosts file where it said

and I changed
127.0.1.1 Robobu Robobu
to
127.0.1.1 robobu.io robobu

no more error after the sudo service apache2 restart command! tho I still couldn’t get https working…

to be continued… Receiving FATAL ERROR for mod_ssl
I have the same error message, the only difference is that I’m using Nginx
First, ensure mod_ssl is enabled. You can do this by running sudo a2enmod ssl and then restarting Apache with sudo service apache2 restart to make sure mod_ssl is active.

Next, check your SSL configuration file. If there’s an error in your SSL configuration, that could trigger the issue. Review your SSL virtual host file, typically located at /etc/apache2/sites-available/default-ssl.conf, for any mistakes in the paths to your SSL certificate files. It’s important to verify that the paths for SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile in your configuration point to the correct and valid certificates.

Sometimes, other Apache modules, such as old mod_ssl versions or incorrect mod_rewrite rules, can conflict with your SSL setup. Check for duplicate configurations in your Apache virtual hosts or conflicting modules.

Lastly, examine the Apache logs. Apache logs often provide detailed clues. You can check the logs for any FATAL errors in /var/log/apache2/error.log or similar log files.

If mod_ssl is properly configured and active, these steps should help resolve the FATAL error you’re seeing.
Excellent work, thanks so much!!
Please, I need some help.
I’m trying to install my SSL and to use Nginx as frontend of my Tomcat application I got my SSL certificate from GoDaddy, I struggled a lot but I managed to generate it. After I installed Nginx and set everything up I noticed that I had a key values mismatch. I spent a lot of time but I managed to get their modules to match and then I finally got Nginx to start. Now I just can’t reach my domain with HTTPS as desired, I receive on Chrome the message
SSL connection error
ERR_SSL_PROTOCOL_ERROR
Hide details
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.
The log files (access and error) at /var/log/nginx are completely empty and here is my nginx.conf file which I got as sample from here https://github.com/loftuxab/alfresco-ubuntu-install/blob/master/nginx/nginx.conf
As nobody knows and/or doesn’t seem to want to help, there’s nothing to do other than return the SSL to the CA.
I know it’s been a while since the question was asked, however I still want to address the issue.
The error you’re encountering often stems from issues with the SSL handshake between the client and server, which could be caused by misconfigurations in Nginx. First, make sure that the paths to your SSL certificate and key in your Nginx configuration are correct. Verify that the files exist at those paths and have the right permissions.
Additionally, ensure you’ve properly combined your certificate chain. Browsers need a complete chain of trust, so concatenate your domain certificate, intermediate certificate, and root certificate in the correct order, then update your Nginx config to point to this full certificate chain.
It’s also important to use compatible and secure SSL protocols and ciphers. Update your Nginx configuration with widely accepted protocols like TLSv1.2 and modern ciphers. If you’ve been making several changes to the configuration, clearing your browser cache or testing the site in incognito mode might help resolve any issues with cached SSL settings.
Check your Nginx log files after restarting the service to see if any additional errors are being recorded. Finally, testing the SSL connection using openssl can help you see the certificate chain and identify handshake issues. Disabling any client certificate requirements in the Nginx configuration might also resolve the issue if the server is unexpectedly asking for one.

“Set up a web server of your choice. For example, a LEMP (Nginx) or LAMP (Apache) server–be sure to configure the web server software to use the name of your registered domain”

Thanks for the guide, it will be very useful I’m sure. Am I right in assuming therefore that it’s not possible to fully test SSL operation on a test site (e.g. a clone of the original) that is accessed only by IP address before applying SSL to the live site?
Yes, you’re correct in assuming that SSL certificates are typically bound to domain names, not IP addresses. SSL certificates validate the ownership of a specific domain, so you can’t fully test SSL on a site that is accessed solely by its IP address. When accessing via an IP address, the browser won’t find a domain name match for the SSL certificate, leading to errors or warnings.
However, there are a few workarounds to test SSL on a staging or clone environment before applying it to the live site:
Set up a subdomain for testing: You can create a subdomain (like test.yourdomain.com) and apply an SSL certificate to it. Many SSL certificate providers allow adding subdomains at no extra cost. This lets you test everything with a real domain while keeping your main site untouched.

Use a self-signed certificate: For internal testing, you can generate a self-signed SSL certificate. While this will show warnings in browsers because it’s not trusted by a Certificate Authority (CA), it allows you to test the SSL setup and ensure everything works technically before moving to production.

Hosts file modification: If you want to test using the same domain as the live site but without making DNS changes, you can edit the hosts file on your local machine. This allows you to map the domain name to the IP address of your test server locally, and the browser will load the test site when you enter the domain name. You can install the SSL certificate and check if everything is working before applying it to your live environment. However, this only works on your local machine.

Use a test CA: Some certificate authorities offer test certificates that you can use in development environments. These are not trusted by browsers, but they allow you to configure SSL and test everything thoroughly without using the actual live certificate.
While you can’t test the exact certificate on an IP address alone, these methods let you get close to a full SSL simulation without applying changes to the live site
Regards
Hi,
Am trying to install SSL on sub-domain app.topnotepad.com.
It’s a Comodo PositveSSL.
I created the intermediate.crt file by manually appending (in notepad editor), in the following order COMODORSADomainValidationSecureServerCA+COMODORSAAddTrustCA+AddTrustExternalCARoot and placed it in /etc/ssl/
Here is how 000-default.conf file looks like:
<VirtualHost *:80>
    ServerName app.topnotepad.com
    Redirect permanent / https://app.topnotepad.com/
</VirtualHost>

<VirtualHost *:443>
</VirtualHost>
When I try to connect to https://app.topnotepad.com, none of the browsers connect, PLEASE HELP!
Note, without HTTPS it takes me to the site, not sure what am I missing…
The SSLCertificateChainFile should be used for the intermediate certificates, not the SSLCertificateFile. You need to ensure that the entire certificate chain is correctly referenced.

Here’s the corrected version of your 000-default.conf:

Ensure the SSLCertificateFile points to your domain’s certificate (the one issued to app.topnotepad.com), the SSLCertificateKeyFile points to the private key file that matches your certificate, and the SSLCertificateChainFile points to the intermediate certificate (the one you manually created).

After making these changes, restart Apache with the command sudo service apache2 restart. Once restarted, check again if the site loads with HTTPS.

If you still face issues, check the Apache error logs located at /var/log/apache2/error.log for specific errors that can help identify the problem.

awesome tutorial. thanks :)
Upon completion of this tutorial I was left with a redirect loop (partially my own fault but I discovered a needed improvement) and most importantly this leaves known insecure ssl_ciphers in use. :|
So the redirect loop was caused by two errors. One placing the redirect in the existing server { } block and not a separate one (my fault, derp). :/ Also the use of a taxing rewrite, see this link for details.
But basically instead of
rewrite ^/(.*)$ http://example.com/$1 permanent;
do this
return 301 http://example.com$request_uri;
you can also use $server_name with this in place of example.com, or even $host$ if you need multi-domain redirects. I’m using nginx so if you are using apache you’ll want to do your own research.

Now the ssl_ciphers issue I discovered using the ssl test at SSL Labs, here, instead of the very narrow instruction set used above. To ensure maximum security use the monstrosity of an ssl cipher rule below. I don’t understand the full implications of this rule as written but the link below it explains things a little more clearly and the results are plain to see with the test suite.
For more information about the ssl ciphers check out this link they’ve got instructions for just about every web server. :)
The redirect loop you encountered likely stemmed from having an improperly placed or overly taxing redirect rule. To fix this in Nginx, a simpler and more efficient approach can be used for redirection:
Instead of using:
You can optimize it with:
This method is lighter and reduces unnecessary overhead. Additionally, $server_name or $host$ can be used for multi-domain setups. For Apache users, a similar approach can be applied, but with their syntax.

Regarding SSL security, the narrow set of SSL ciphers in your original configuration may expose your site to security vulnerabilities. To improve this, use a stronger SSL cipher suite.
For more detailed explanations of SSL cipher configurations for various web servers, you can refer to resources like the SSL Labs Test Suite. This tool can give you a clearer insight into how secure your SSL implementation is and what changes may be needed.
Regards
Hi thanks for the tutorial: I wanted to add my 2 cents in case someone might find it useful. I’m running apache2 using Comodo PositiveSSL.
Using the find command is a practical way to locate your configuration files when they aren’t where you expect. As for the PositiveSSLCA2.crt and AddTrustExternalCARoot.crt, using the former as the intermediate is typically fine, especially if your setup works without the root certificate. In some cases, including both certificates in the chain can help ensure broader compatibility across different browsers and systems, but it’s good to know you had success without it.

The command apache2 -v to check your Apache version is useful for ensuring you follow the correct version-specific instructions. Thanks again for sharing your tips; they’re sure to help others navigating similar setups!

Regards
I can not install SSL for my domain https://www.vietnamtourbooking.com/en/ with the tutorial: http://blog.cs-cart.com/2015/11/27/pay-5-for-hosting-on-digitalocean-and-get-92-google-pagespeed-points-for-your-cs-cart-store-out-of-the-box/
I really want to install SSL for that site, using cscart, for some websites of ours!
please help me!
Recommended to use a Let’s Encrypt SSL certificate. I have set it up on my website redbox tv
Thanks & Regards, James
You can either purchase one or use Let’s Encrypt, which is free.

Next, SSH into your droplet and update your package lists using sudo apt update.

If you’re using Apache, install Certbot with sudo apt install certbot python3-certbot-apache. If you’re using Nginx, install the Nginx plugin by running sudo apt install certbot python3-certbot-nginx.

To request the SSL certificate for Apache, run sudo certbot --apache. For Nginx, run sudo certbot --nginx. Certbot will guide you through the process, prompting you to select your domain.

Once the certificate is installed, redirect all HTTP traffic to HTTPS. For Apache, Certbot will give you the option to do this automatically. For Nginx, you can add a manual redirect by creating a server block for port 80 and redirecting traffic to HTTPS.

Finally, restart your web server. For Apache, use sudo systemctl restart apache2. For Nginx, use sudo systemctl restart nginx.

Ensure that the automatic renewal is set up since Let’s Encrypt certificates last for 90 days.

Regards
If you use example.com as the common name, does this add SSL to both example.com(https://example.com) and www.example.com(https://www.example.com)? If not, how do you add SSL to both example.com and www.example.com?
I use www.example.com for SSL :(
Dear TerryR,
Can you tell me why I cannot use the cscart install and SSL?
It depends on the specific CA that you use. Some of them automatically give you both (www and non-www), while others require both to be added in the CSR.
Hi manicas,
I buy ssl from ssls.com: rapidssl or geotrust.
https://www.example.com and https://example.com are working fine with cPanel and Plesk 12. But when I want to transfer the website to Digital Ocean (reissue SSL), the SSL is not working. I tried a new SSL but your host is still not working :(
Please tell me how to?
Hi @haongz,
You don’t need to reissue the SSL certificate if you’re moving to a different server and IP address. You simply need to copy the certificate, chain, and key files to your new server, then configure it.
Hi @manicas,
OK, but how do I configure it? I tried with your tutorial but it’s not OK :(
hmm… please check after installing cartomatic…
Hi @manicas,
can you tell me where to put the certificate, chain, and key files and how to configure them?
Many thanks!
Instructions for using RapidSSL via Namecheap should probably change as the intermediate certs are bundled into 1 file, e.g., this command: cat yourdomainname.crt yourdomainname.ca-bundle >> cert_chain.crt
Thanks for sharing this.
You can also check their docs as they’ve covered pretty much every possible server setup scenario for installing the SSL:
https://www.rapidsslonline.com/ssl-questions/install-ssl.aspx
Regards
Very good post.
Thanks
Hi Mitchell. Great tutorial, thank you so much. I have a quick question: what about moving an existing certificate? Should I just copy the .key and .crt files from the /etc/ssl folder on Ubuntu with nginx and paste them onto the new Ubuntu with nginx? Or is there more to it?
Yes, you can move an existing SSL certificate to a new server by copying the .key and .crt files, but there are a few more things to consider for the process to be smooth. Here’s what you should do:

Copy the .key, .crt, and any intermediary certificate files (such as .ca-bundle or intermediate.crt) from the existing server to the new server. You can use scp or another file transfer tool like SFTP.

On the new server, ensure that the directory structure is similar to the old server, typically /etc/ssl/certs/ for certificates and /etc/ssl/private/ for the key file. Update the file paths in the Nginx configuration accordingly.

If the certificate was issued based on a specific private key, ensure the .key file you transfer matches the certificate. Otherwise, the certificate won’t work.

Update the Nginx configuration on the new server. Ensure that the SSL-related directives, such as ssl_certificate and ssl_certificate_key, point to the correct file paths of the moved certificate and key. If you’re using any intermediate certificate files, update those paths in the configuration as well.

After updating the configuration, restart Nginx with sudo systemctl restart nginx to apply the changes.

Once done, test the site to ensure the SSL certificate works correctly on the new server. This process should replicate the SSL configuration successfully as long as the paths are correctly set.
I am migrating a website from another host to Digital Ocean. The older host, which I only have FTP access to, has an SSL certificate. In the hosting control panel, all it lets me do is download the certificate .pem file. Does it have both the .key and .csr parts in it? How can I convert it to a proper .key and .csr?
You can open the .pem file in a text editor and see if it also contains the private key. Look for lines that look like this:

You can also use this command to see information about the cert and its issuer:

You don’t really need a CSR once you have the signed certificate. But you can create a new CSR if you have the private key. You may also want to check out this tutorial: OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs
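An added shell example, not code from the tutorial or from either reply above, that serves both the "move an existing certificate" question and this .pem question: it lists the block types in a PEM file, splits a combined control-panel export into its key and certificate parts, checks that a private key really belongs to a certificate by comparing public keys (that check needs the openssl CLI), and copies a matching pair into certs/ and private/ with the usual modes. The export bundle it inspects is constructed, with dummy base64 bodies; the install root, file names and paths are assumptions.

```shell
#!/bin/sh
# Added example (not the tutorial's or a commenter's code): inventory, split,
# verify and install PEM material. The sample bundle is constructed.

# Print the block labels in a PEM file in order (CERTIFICATE, PRIVATE KEY, ...).
pem_inventory() {                            # $1 = pem file
    awk '/^-----BEGIN / { sub(/^-----BEGIN /, ""); sub(/-----[ \t\r]*$/, ""); print }' "$1"
}

# True if the file carries a private key of any common PEM label
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
pem_has_private_key() {                      # $1 = pem file
    pem_inventory "$1" | grep -q 'PRIVATE KEY'
}

# Write each BEGIN/END block to $2/block-NN.pem (text outside blocks, such as
# "Bag Attributes", is dropped) and print the number of blocks found.
pem_split() {                                # $1 = pem file, $2 = output dir
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN / { n++; out = sprintf("%s/block-%02d.pem", dir, n); inblock = 1 }
        inblock        { print > out }
        /^-----END /   { inblock = 0; close(out) }
        END            { print n + 0 }
    ' "$1"
}

# Compare the public key embedded in the certificate with the public key
# derived from the private key. Works for RSA and EC. Returns 2 if openssl is
# missing or an input cannot be parsed, 1 on mismatch, 0 on match.
key_matches_cert() {                         # $1 = key file, $2 = cert file
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)        || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy cert (0644) and key (0600) under $3 (default /etc/ssl, i.e. the
# certs/ and private/ layout the reply describes). Refuses a mismatched pair.
install_cert_pair() {                        # $1 = key, $2 = cert, $3 = root dir
    root=${3:-/etc/ssl}
    key_matches_cert "$1" "$2"; rc=$?
    case $rc in
        0) ;;
        2) echo "openssl unavailable or unreadable input; not installing" >&2; return 2 ;;
        *) echo "key and certificate do not match; not installing" >&2; return 1 ;;
    esac
    mkdir -p "$root/certs" "$root/private"
    chmod 700 "$root/private"
    cp "$2" "$root/certs/$(basename "$2")"   && chmod 644 "$root/certs/$(basename "$2")"
    cp "$1" "$root/private/$(basename "$1")" && chmod 600 "$root/private/$(basename "$1")"
}

# Constructed sample: a control-panel export holding key, leaf and intermediate.
# The base64 bodies are dummies; only the block layout is meaningful.
make_sample_bundle() {                       # $1 = output file
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: example.com
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEZ2tpCTANBgkqhkiG9w0BAQsFADBoMQsw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEZ2tpCjANBgkqhkiG9w0BAQsFADBoMQsw
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/export.pem"
echo "blocks in export.pem:"; pem_inventory "$tmp/export.pem"
pem_has_private_key "$tmp/export.pem" && echo "export.pem contains the private key"
echo "split into $(pem_split "$tmp/export.pem" "$tmp/parts") files under $tmp/parts"
```

Once the export is split, block-01.pem is the key to keep private and the remaining CERTIFICATE blocks are the leaf and its intermediates; for Nginx they are concatenated leaf-first into the single file named by ssl_certificate. The key-to-certificate comparison is the check to run before blaming the web server configuration when a moved certificate "does not work".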
Thanks for the awesome blog. Very helpful.
If I destroy my droplet with all my SSL certificates, will I be able to reissue it to a new droplet (using the same domain)?
Yes, as long as you haven’t reached the rate limit set by Let’s Encrypt CA. You also need to make sure all of your DNS records are updated, and omit the renew option when you run the command.
Umm… I actually have Comodo RSA certificate. Is it the same? Basically just validate that you own the domain again and go through the same process?
Whoops. Sorry, I thought I was commenting on a different tutorial. You already validated that you own the domain, so you should just be able to send a new CSR with the same CN to get the reissue.

Heya,
You can re-install the SSL on a new droplet later on; there are no issues with that.
Regards
I am using Comodo Positive SSL +Wildcard +Multi-Domain but looks like its not working. Also they have two intermediate certs. Which one do I use on Apache 2.4.7
Connecting to …:443… Status: Connection established, waiting for welcome message… Error: Connection timed out after 20 seconds of inactivity Error: Could not connect to server
Using FileZilla I tried all available protocols and encryptions. It worked fine before SSL… Any ideas? Thank you
Perhaps you should be trying to connect to port 22 (SSH/SFTP)?
I installed the Comodo SSL and realised that my whole website is now being forced to load with the HTTPS protocol. As I would only like the checkout page to be SSL secured, not the whole website, I was just wondering if you can help in fixing this problem, as redirecting every HTTP page to HTTPS on my website is creating page load issues and I don’t really want SSL on every page of the website.
I spent numerous hours to rectify this issue but I cannot seem to find a solution to it.
URL: missbettina.com.au
Followed these forums: https://www.digitalocean.com/community/tutorials/how-to-create-temporary-and-permanent-redirects-with-apache-and-nginx
http://stackoverflow.com/questions/7133599/redirect-http-to-https-for-one-page
Regards
Running: Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-71-generic x86_64)
You’ll need to make adjustments to your Apache configuration. Start by removing any global redirects from HTTP to HTTPS that apply to the whole site. Check your Apache configuration or .htaccess file for any Redirect or RewriteRule related to HTTPS and comment them out or remove them.

Next, you’ll need to configure Apache to only apply HTTPS to the checkout page. In your virtual host configuration for port 80, ensure that no global HTTPS redirects are present. If you’d like to specifically redirect only the checkout page to HTTPS, you can use the RewriteCond directive to check for the /checkout URI and redirect just that path to HTTPS.

Then, create a separate virtual host for port 443 with SSL enabled, ensuring that the SSL certificates are correctly configured. Within this virtual host, you can specify the <Location /checkout> directive to force SSL only for the checkout page, leaving other pages to load over HTTP.

Make sure that both mod_ssl and mod_rewrite are enabled in your Apache setup. After making these changes, restart Apache and test the site to verify that only the checkout page is redirected to HTTPS. If further issues persist, review your .htaccess file for any conflicting rewrite rules.

I have tried starting apache after setting virtual host but got error
Action ‘start’ failed. The Apache error log may have more information.
here is my virtual host
Ensure that the files are located in the specified directories and that there are no typographical errors in your configuration.

Next, check the Apache error log for details about the failure. You can do this by running the command tail -f /var/log/apache2/error.log, which will display any errors that might provide more context on why the service isn’t starting.

It’s also a good idea to run a configuration syntax check before attempting to restart Apache. You can do this by running apachectl configtest. If there are any syntax issues, this command will highlight them, allowing you to make necessary corrections.

Additionally, verify that the Redirect rule pointing from bnistore.in to sample.com is properly set up, as incorrect configuration could lead to redirection problems or errors.

Once you’ve addressed any issues, restart Apache with sudo systemctl restart apache2. If problems persist, the error log will guide you further.

Hi Manicas, your guide is very helpful.
I have a certificate from GoDaddy and the server is Apache. They have provided example.crt and intermediate.crt. How do I generate the private key with this? I am using Windows. Pl
To generate a private key along with the CSR using OpenSSL on Windows, you need to follow these steps:
Open the command prompt or PowerShell on your Windows machine.
Navigate to the directory where you want to generate the private key and CSR.
Run the following command to generate a new private key and a CSR at the same time:
Replace “example” with your desired filename. This command will create a new private key file named “example.key” and a CSR file named “example.csr”.
You will be prompted to enter information about your organization. This information will be included in your certificate.
After generating the private key and CSR, you will need to provide the CSR to GoDaddy for your SSL certificate issuance.
Once your SSL certificate is issued, you can install it on your Apache server by placing the provided certificate files (example.crt and intermediate.crt) along with the private key file you generated.
In your Apache configuration file, you will need to set the following directives in the VirtualHost section for port 443:
Make sure to replace /path/to/ with the actual path where you saved your certificate and key files.

Finally, restart Apache to apply the changes:

Regards
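Added example, not from the tutorial, GoDaddy or the reply above: the key-and-CSR step as a POSIX shell script that puts both the bare domain and www.example.com into the subjectAltName (the earlier question about covering www and non-www asked for exactly this), then reads the CSR back to confirm what will be sent to the CA. It needs the openssl CLI (-addext requires OpenSSL 1.1.1 or later; on Windows the same command line runs in PowerShell or cmd with openssl on the PATH). Domain, organisation fields and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not the tutorial's, GoDaddy's or a commenter's code): create a
# fresh private key and a CSR with SAN entries for the domain and its www name.
# Needs openssl >= 1.1.1 for -addext. All names and fields are placeholders.

# Generate $2/<domain>.key and $2/<domain>.csr. The key is created 0600 and
# never leaves this machine; only the .csr is uploaded to the CA.
make_key_and_csr() {                         # $1 = domain, $2 = output dir
    domain=$1; dir=$2
    mkdir -p "$dir"
    ( umask 077                              # subshell so the umask does not leak
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
          -subj "/C=US/ST=New York/L=New York/O=Example Org/CN=$domain" \
          -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null ) || return 1
    chmod 644 "$dir/$domain.csr"             # the CSR is public; the key stays 0600
}

# Print the DNS names the CSR asks for, one per line. Browsers match the SAN
# list, not the CN, so this is the list that has to be right.
csr_dns_names() {                            # $1 = csr file
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# True if the CSR was made with the given private key (same public key inside).
csr_matches_key() {                          # $1 = key file, $2 = csr file
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

if [ "${1:-}" ]; then                        # usage: sh make_csr.sh example.com
    make_key_and_csr "$1" ./csr-out
    echo "names requested:"; csr_dns_names "./csr-out/$1.csr"
    csr_matches_key "./csr-out/$1.key" "./csr-out/$1.csr" && echo "key and CSR match"
fi
```

Because the certificate the CA returns is bound to the public key in this CSR, a certificate issued earlier against a different CSR cannot be used with a newly generated key; the CA has to reissue against the new CSR, which is what the reply describes.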
Hi, after following this tutorial, I would like some help. I did all of this, except one thing: my intermediate is a .pem, not a .crt …
When I want to restart Apache (LAMP config on DigitalOcean), it gives me:
In the frontend, I’ve got an error 500… thanks
Navigate to /etc/apache2/apache2.conf (using nano, vi or whatever text editor you use).
At the very top or bottom paste this: ServerName localhost
Make sure there is no # in front of it either.
Save the file and restart Apache and you are good to go.
Hello! After this installation, I am getting the following error:
“ERR_TOO_MANY_REDIRECTS” on chrome, I read that there is something generating a ‘loop’ to my address.
What do you think I have to see to solve this?
Thanks! (And sorry about my english)
Ensure that your Nginx or Apache configuration doesn’t create a redirect loop. Look for conflicting rules in your configuration files, especially in the server blocks handling HTTP and HTTPS traffic.
If you’re using both HTTP and HTTPS, make sure the HTTP server block is set to redirect properly to the HTTPS version without causing a conflict. For instance, if your HTTP block redirects to HTTPS, the HTTPS block should serve the content without attempting to redirect back to HTTP.
Check your application’s settings as well. Some applications have their own redirect rules that may conflict with server configurations.
To troubleshoot, you can temporarily comment out the redirect rules in your configuration and check if the site loads correctly. This will help identify if the redirect rules are causing the issue.
Hi, I just configured GoDaddy’s EV certificate. I am now unable to access my domain with http, and example.com simply takes me to the Apache home page. My config is like this:

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /home/developer/example.com.crt
    SSLCertificateKeyFile /home/developer/example.com.key
    SSLCertificateChainFile /home/developer/intermediate.crt
    # ProxyPass is a reverse proxy and does not need forward proxying;
    # "ProxyRequests On" would turn this host into an open forward proxy.
    ProxyRequests Off
    ProxyPass / http://localhost:8080/example.com/
    ProxyPassReverse / http://localhost:8080/example.com/
</VirtualHost>
Make sure your Apache configuration for the VirtualHost on port 80 is correctly set up to redirect traffic to HTTPS. Your current configuration looks correct, but you might want to ensure there are no conflicting configurations that could be affecting it. Check if the 000-default.conf file or other VirtualHost configurations are overriding your settings.

In the VirtualHost for port 443, ensure that the document root is properly set. The ProxyPass and ProxyPassReverse directives are meant to forward requests to another server running on localhost. Make sure that the server is up and running on the specified port (8080) and that the application is correctly configured to respond to requests.

If you’re still having issues, you can check the Apache error logs for any errors that could provide more insight. The logs are usually located at /var/log/apache2/error.log.

After making any changes to your configuration files, remember to restart Apache to apply the changes using sudo systemctl restart apache2 or sudo service apache2 restart.

If you continue to experience issues, please provide the content of your Apache error logs to help diagnose the problem further.
Hello! My SSL works fine, but when i enabled the http -> https redirect Google Chrome show me the ERR_TOO_MANY_REDIRECTS error message. This is my /etc/nginx/sites-enabled/default file:
The ERR_TOO_MANY_REDIRECTS error typically occurs when there’s a misconfiguration in your redirect rules, causing a loop between HTTP and HTTPS requests. In your Nginx configuration, it seems that the problem may stem from the fact that you have both the listen 80 and listen 443 directives in the same server block, which can lead to confusion about how requests are being handled.

To resolve the issue, you should separate the HTTP and HTTPS server configurations into distinct blocks. Here’s how you can modify your /etc/nginx/sites-enabled/default file:

Separate Server Blocks: create one server block for HTTP (port 80) and another for HTTPS (port 443). This helps to avoid confusion and keeps your configuration cleaner.

Redirect with return: use return 301 https://$host$request_uri; in the HTTP server block. This is a more straightforward way to handle redirections compared to using the rewrite directive.

After making these changes, save the file and test your Nginx configuration using the command nginx -t to check for any syntax errors. If everything is fine, reload Nginx with sudo systemctl reload nginx to apply the changes. This should resolve the redirection issue you’re experiencing.

This works perfectly fine for my front end upstream, but when my front end makes a request to my backend server, I get an error. The nginx error logs show:

*1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)

The backend server is just an upstream Unicorn process on the same server as the front end (and as the nginx server). Here is my nginx configuration:

What do I have to do to resolve this?
The error message you’re encountering suggests that there might be a mismatch between the protocols being used for SSL connections. Since your backend server is an upstream Unicorn process and not configured for SSL, you should ensure that the proxy_pass directive for the backend points to the correct protocol.

In your Nginx configuration, you should change the proxy_pass directive for your backend server to use HTTP instead of HTTPS. Here’s the adjustment you need to make in the location ^~ /api/ block:

Additionally, confirm that your Unicorn server is indeed listening for HTTP connections, and check that it’s configured correctly to accept requests on the specified socket. If it’s set to run on a specific port, update the upstream app_server block accordingly.

After making these changes, test your configuration with nginx -t to ensure there are no syntax errors, and then reload Nginx with sudo systemctl reload nginx to apply the updates. This should resolve the handshake error you’re experiencing.

I have Ubuntu servers running Apache with GoDaddy “Standard SSL”. I followed these steps and I got these errors from the Apache error logs:
The error messages you’re seeing suggest a few potential problems.

The warning about the server certificate not matching the server name indicates that the common name (CN) or subject alternative names (SAN) in your SSL certificate do not match the domain name you’re using (e.g., dott.com). Make sure the certificate you obtained from GoDaddy is specifically for dott.com or includes it in its SAN.

The error indicating “no start line” suggests that Apache is unable to read your certificate file properly. This usually happens if the file is either empty or not formatted correctly. Check the contents of /etc/ssl/gdssl/dott_com.crt to ensure it begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

Verify that the path to your SSL certificate and key file in the Apache configuration is correct. You might also need to check if the private key file (SSLCertificateKeyFile) is specified correctly and corresponds to the public certificate.

If you haven’t done so already, restart Apache after making these changes using sudo systemctl restart apache2. If the problem persists, ensure that the certificate files are readable by the Apache user (usually www-data).

Additionally, check the permissions on your SSL certificate and key files. They should be set so that the Apache user can read them, while ensuring that they are not overly permissive. A common approach is to set the certificate files to 644 and the private key to 600.

Any tutorial for nginx on FreeBSD 10.1?
Heya,
You can check this tutorial for more information:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-letsencrypt-freebsd
Regards
Help! Hi, I want to set up SSL but I get the error “Forbidden, You don’t have permission to access / on this server.” /etc/apache2/apache2.conf file:
/etc/apache2/sites-available/artunkids.com.conf file:
Where did I make the error? What must I fix for this error? I’m using CodeIgniter. CodeIgniter .htaccess file:
Thanks!
Make sure the /var/www/artunkids.com/public_html directory has the correct permissions. Run the following command to ensure that the Apache user can read the directory:

Your Apache configuration for the /var/www/artunkids.com directory looks fine, but ensure that the following directive is included in your /etc/apache2/apache2.conf file to allow access:

In your artunkids.com.conf file, verify that the DocumentRoot directive matches the correct path to your CodeIgniter application’s public directory:

After making these changes, restart Apache:

Also, check the Apache error logs for more detailed error messages:

This will help you identify any other potential issues. Make sure that the SSL certificate paths are also correct and accessible by the Apache user.
What does it mean "Copy and save them to your server in the same location that you generated your private key and CSR. "
Do I do it with sftp ?
The instruction “Copy and save them to your server in the same location that you generated your private key and CSR” means that after you generate your SSL certificate and related files, you should upload them to the same directory on your server where your private key and Certificate Signing Request (CSR) are stored. This is typically for organizational purposes and to ensure easy access.
Using SFTP ensures that your certificate files are securely transferred to your server.
This didn’t work for me UNTIL I put the key file in /etc/ssl/private/ and the crt files in /etc/ssl/certs/ and of course edited the 000-default.conf file with those paths. This and other tutorials I read seemed to indicate it’d be fine putting the key and crt files into /etc/ssl/ or even into /home/user/. Maybe the correct location to put those files is obvious to most people, but being brand new to Ubuntu and SSL it sure as hell wasn’t obvious to me. Would have been nice if this tutorial had specified those pathways, would have saved me some hours of frustration.
It’s common to experience confusion regarding where to place SSL certificate files on a Linux system like Ubuntu. The standard practice is to place private key files in /etc/ssl/private/ and certificate files in /etc/ssl/certs/. This separation helps maintain proper permissions and security.

Move your certificate and key files to the appropriate directories. Place your .crt files in /etc/ssl/certs/ and your .key file in /etc/ssl/private/. For example, you can move the certificate with sudo mv /path/to/your.crt /etc/ssl/certs/ and the private key with sudo mv /path/to/your.key /etc/ssl/private/.

Ensure the private key file has the correct permissions for security. The key file should only be readable by the root user, which you can set using sudo chmod 600 /etc/ssl/private/your.key.

Update your Apache configuration file, like 000-default.conf, with the new paths. For example, you can use SSLEngine on, SSLCertificateFile /etc/ssl/certs/your.crt, and SSLCertificateKeyFile /etc/ssl/private/your.key.

If you haven’t already, enable the SSL module by running sudo a2enmod ssl. After making changes, restart Apache to apply the new configuration with sudo systemctl restart apache2.

You can also check for syntax errors in your configuration by running sudo apachectl configtest.

I have installed the SSL certificate on my NGINX server and it is properly installed. However, the green bar is not showing on my website. My website URL is https:// dailysoftwaregiveaway.com. How do I solve this issue?
Great tutorial, easy to follow. One issue, my subdomains don’t work now, they all point to the same main domain page. What should I do to fix this? (I’m using a LAMP configuration on ubuntu)
Thank you in advance,
Robert
If your subdomains are pointing to the main domain page in a LAMP configuration on Ubuntu, it’s likely that Apache is defaulting to the wrong virtual host. This usually happens when a wildcard or default virtual host is being used.

To fix this, ensure that each subdomain has its own virtual host configuration. First, check the virtual host files located in the /etc/apache2/sites-available/ directory. Make sure each subdomain has its own .conf file. For example, for sub1.example.com, you should have something like this:

Next, make sure there is no default virtual host (like 000-default.conf) catching all subdomains. The default virtual host should be configured to handle only the main domain, not subdomains.

After editing or creating the subdomain .conf files, enable them using the command sudo a2ensite sub1.example.com.conf for each subdomain. Then, restart Apache with sudo systemctl restart apache2.

Lastly, ensure that each subdomain has the correct DNS configuration (A or CNAME records) pointing to your server’s IP.
for those of you who are getting Nginx (using python/flask) welcome page or connection refused or page not found when visiting either https://www.domain.com or http://domain.com
This is what is working for me…
The Nginx configuration you’ve shared looks good overall, but ensure that the paths and details are correct for your setup.

Your first server block redirects all HTTP traffic to HTTPS using the rewrite directive:

In your SSL configuration, ensure the certificate paths are correct:

In your Flask application block, ensure that your app is running and the socket file /home/sammy/domain/domain.sock exists. It’s important that the socket has the correct permissions for Nginx to access it, and that the Flask app is properly configured to use uWSGI and bind to the socket:

If you’re still facing errors, check the Nginx error logs at /var/log/nginx/error.log for any specific issues. Also, ensure that uWSGI is properly configured and running by checking the uWSGI logs and making sure your domain resolves correctly to your server’s IP.

Regards
Hello, I completed it successfully. But I used to access phpMyAdmin via ip/phpMyAdmin, and now the IP redirects to the main site. Can you please tell me how I can access phpMyAdmin? I am using Apache2 and Ubuntu 16.04. Thanks
To access phpMyAdmin after your IP has been redirected to the main site, you need to modify the Apache configuration to exclude /phpMyAdmin from the redirection.

First, open the Apache virtual host configuration file by running the command sudo nano /etc/apache2/sites-available/000-default.conf.

Inside the <VirtualHost> block for your site, modify the redirect rule to exclude /phpMyAdmin by using the following rule:

After making this change, restart Apache to apply the changes using sudo service apache2 restart. Now, you should be able to access phpMyAdmin via http://your_ip/phpMyAdmin without being redirected to the main site.

Regards
If my wildcard cert is installed on one server, but one of my sub-domains is hosted on a different server, will I need to install it on both machines in order for it to work? Thanks!
Yes, you’ll need to install the wildcard certificate on both servers for it to work with the subdomain hosted on a different server.

A wildcard SSL certificate allows you to secure multiple subdomains under the same domain, like *.example.com, with a single certificate. However, the certificate must be installed on each server that hosts a subdomain. If one server hosts sub1.example.com and another hosts sub2.example.com, both need the certificate.

Each server handling HTTPS requests needs access to the SSL certificate and private key to encrypt and decrypt traffic. This means you must install the certificate on both machines.
You can securely transfer the wildcard certificate and private key from the first server to the second. After copying, configure the web server (such as Apache or Nginx) on the second machine to use the wildcard certificate for the subdomain it hosts.
So, to secure subdomains on multiple servers using a wildcard certificate, it must be installed on each server hosting a subdomain.
This worked great for http to https redirection but the app is not running anymore, now I get an Index Of/ page in the browser. This is a Koha Integrated Library System website. It worked fine using http but it vanished when I did the change to https. I’m using Apache 2.4 and Linux Debian 3.16. Thanks for any help.
When Apache shows an “Index Of/” page, it’s typically because it can’t find the appropriate index.php, index.html, or similar file to serve, or the directory isn’t properly set up.

Here’s how you can troubleshoot and fix the issue:

First, check the DocumentRoot directive in your virtual host configuration for HTTPS to ensure that it points to the correct directory where your Koha ILS application files are stored. For example:

Next, ensure that Apache has permission to access the directory where your Koha application files are stored. You can set proper permissions by running:

These commands ensure that the www-data user (or your web server user) can access and serve the files.

Make sure Apache knows what the default file is for your site. In the virtual host file, ensure there’s a DirectoryIndex directive:

If your Koha application uses a specific file as its entry point (e.g., main.php), make sure to add it here.

If your Koha installation depends on an .htaccess file for URL rewriting or other directives, ensure that AllowOverride All is set in the <Directory> section of your virtual host configuration to allow .htaccess rules to function.

If you don’t want Apache to list directory contents, you can turn off directory indexing with:

This will prevent Apache from showing the “Index Of” page when the index.php or index.html file isn’t found.

After making any changes, restart Apache for the changes to take effect:

Finally, check Apache’s error log for more details on what might be going wrong:

Look for specific errors related to file access, permissions, or SSL setup that could give you more insights.
If you are using Wordpress like I am, and keep breaking your site after following these steps…
Make sure to swap the URL in Settings > General as a prerequisite to performing the above.
Heya,
You can also refer to this article if you’re using WordPress
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu
Regards
Hello
thanks for the great article
I am facing some issues with my website. The site works with https://example.com and with http://example.com.
But with www. it’s not loading. What can be the reason? I am on a LAMP server and I have created the CRT using *.example.com
thank you
Make sure you have a DNS record for www.example.com pointing to the same IP address as example.com. You can typically do this by creating a CNAME record for www that points to example.com.
Check your Apache configuration files to ensure you have a virtual host set up for the www subdomain. You should have something like this in your configuration:
Make sure to replace the paths with the actual paths to your SSL certificate files.
Ensure that your wildcard SSL certificate (*.example.com) also covers www.example.com. Wildcard certificates should cover all subdomains, including www.
If you’re using an .htaccess file, ensure that there are no conflicting rules that might prevent the www version from resolving properly. You can add a redirect from www to non-www or vice versa, depending on your preference:
Check if there are any firewall rules that might be blocking traffic to www. Make sure that ports 80 and 443 are open for both www and non-www traffic.
Sometimes, browsers cache DNS settings. Try clearing your browser cache or testing in incognito mode to see if that resolves the issue.
After making changes to your Apache configuration, make sure to restart the Apache service for the changes to take effect:
Regards
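As an added example, not from the tutorial or the reply above: the wildcard point deserves a precise check, because a wildcard such as *.example.com covers www.example.com but not the bare example.com, and not deeper names such as a.b.example.com, so a certificate that lists only the wildcard leaves the apex uncovered. The POSIX sh helper below applies that rule to a certificate’s Subject Alternative Name list; san_covers, cert_sans, check_cert_host and resolve_a are hypothetical names, the certificate path in the usage line is a placeholder, and the SAN strings it is exercised with are constructed.

```shell
# san_covers SAN_LIST HOSTNAME
#   SAN_LIST is the text openssl prints under "Subject Alternative Name",
#   e.g. "DNS:*.example.com, DNS:example.com". Exit 0 if HOSTNAME is covered.
#   Wildcard rule (RFC 6125): "*" stands for exactly one label, so *.example.com
#   matches www.example.com but neither example.com nor a.b.example.com.
san_covers() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    old_ifs=$IFS
    IFS=','
    set -f             # keep the shell from globbing "*.example.com" while splitting
    set -- $1          # split the SAN list on commas into $1, $2, ...
    set +f
    IFS=$old_ifs
    for entry; do
        # trim whitespace, drop the "DNS:" prefix, lower-case the name
        name=$(printf '%s' "$entry" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^DNS://' | tr 'A-Z' 'a-z')
        case $name in
            '*.'*)
                suffix=${name#\*}            # ".example.com"
                prefix=${host%"$suffix"}     # unchanged when host does not end with the suffix
                # covered only if the suffix was stripped and what is left is one non-empty label
                if [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]; then
                    return 0
                fi
                ;;
            *)
                [ "$name" = "$host" ] && return 0
                ;;
        esac
    done
    return 1
}

# cert_sans CERT.pem: the SAN line of a PEM certificate (real openssl invocation).
cert_sans() {
    openssl x509 -noout -text -in "$1" | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# check_cert_host CERT.pem HOSTNAME: exit 0 when the certificate covers the host.
check_cert_host() {
    san_covers "$(cert_sans "$1")" "$2"
}

# resolve_a NAME: the A records a resolver returns for NAME (real dig invocation),
# so www.example.com can be compared against example.com as the reply suggests.
resolve_a() {
    dig +short A "$1"
}

# Usage (placeholder path): sh check_host.sh /etc/ssl/certs/example.com.crt www.example.com
if [ $# -eq 2 ]; then
    if check_cert_host "$1" "$2"; then
        echo "$2 is covered by $1"
    else
        echo "$2 is NOT covered by $1 (SANs: $(cert_sans "$1"))"
    fi
    echo "$2 resolves to: $(resolve_a "$2" | tr '\n' ' ')"
fi
```

Run it once for www.example.com and once for example.com; a wildcard-only certificate passes the first and fails the second, which is exactly the case where the apex keeps working over HTTPS while www does not, or the other way round.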
Hello,
One-click apps > wordpress
I can’t get port 443 active.
I tried everything I could find.
I know it’s been quite a while since this question was posted but I believe this should be addressed anyway.
Ensure that Nginx is configured to listen on port 443. You can check this by looking for the relevant server block in your Nginx configuration files. Run the following command to check the active ports:
If you don’t see anything listening on port 443, you’ll need to ensure that your server block for HTTPS is configured correctly.
Make sure you have installed your SSL certificate correctly. You should have directives like the following in your Nginx server block:
Replace /path/to/your/certificate.crt and /path/to/your/private.key with the actual paths to your SSL certificate and private key.
Check Firewall Settings: Ensure that your firewall is allowing traffic on port 443. If you’re using UFW, run:
You should see that port 443 is allowed. If it’s not, you can allow it with:
Verify Nginx Configuration: Check the Nginx configuration for any syntax errors by running:
If everything is okay, you should see a message indicating that the configuration file is valid.
Restart Nginx: After making any changes to the Nginx configuration, restart the Nginx service:
Check Logs for Errors: Check the Nginx error logs to see if there are any messages related to SSL or port 443. The log file is typically located at /var/log/nginx/error.log. You can view it with:
Verify Domain DNS Settings: Ensure that your domain’s DNS settings are correctly pointing to your server’s IP address. You can use tools like dig or nslookup to check:
Make sure the returned IP address matches your server’s IP.
Test with OpenSSL: You can test the SSL connection using OpenSSL:
This will provide information about the SSL handshake and any errors that may occur.
If you’re using a self-signed certificate, browsers may reject the connection unless you add an exception. Ensure that you are using a certificate from a recognized Certificate Authority (CA).
Clear your browser cache or try accessing the site in an incognito window to rule out caching issues.
Using WordPress on Nginx, Ubuntu 14.04. I’ve uploaded and concatenated the certificates from Namecheap but now my site hangs, getting a “takes too long to respond” error. There are no syntax errors as far as nginx can tell me.
I can still access my domain via http with no issues. Port 443 open.
Is there anything I need to change since this is not the default server block? I don’t know how to debug this…
Here is the server block:
I know it’s been quite a while since this question was posted but I believe this should be addressed anyway.
Make sure that your Nginx configuration file is syntactically correct and has no errors. You can do this with the following command:
If there are no errors, you should see a message indicating that the configuration file is valid.
Check that the SSL certificates are properly concatenated and valid. You can verify the certificates with:
Make sure the certificate is not expired and corresponds to your domain.
Consider the following adjustments to your server block:
Remove ssl on;: This directive is not necessary in recent versions of Nginx. You can just specify listen 443 ssl;.
Update SSL Protocols and Ciphers: Ensure you’re using up-to-date protocols and ciphers. The following configuration is more secure:
Remove Comments: Clean up any commented-out lines that are unnecessary for clarity.
Here’s a refined version of your server block:
After making changes, restart Nginx:
If your site is still not reachable via HTTPS, you can enable debugging for Nginx by adding the following line to your configuration:
This will generate detailed logs that might help identify the issue.
Since you mentioned that port 443 is open, double-check your firewall rules to ensure nothing is blocking HTTPS traffic. If you’re using UFW, check the status with:
Clear your browser cache and try accessing the site in an incognito window to rule out caching issues. Additionally, check your DNS settings to ensure they are pointing to the correct IP address.
Sometimes server performance issues or other misconfigurations could cause timeouts. Monitor your server’s resource usage (CPU, memory) and check for any other services that might be impacting performance.
If none of these steps resolve the issue, consider checking with your hosting provider or support resources for more in-depth troubleshooting tailored to your server environment. Let me know if you need further assistance!
Any video tutorial to add an SSL certificate to my site on DigitalOcean? http://www.rrbrecruitmentresult.com/
I’ve been fighting this battle for a day now without success – my site hdpowerequipment.com is not reachable via https.
I generated my CSR and private key without issue. I downloaded the certificate info from GoDaddy and placed it on my server (via FTP):
I have restarted Apache multiple times. I rebooted the server. I disabled ufw. I tried SSLCACertificateFile (instead of using SSLCertificateChainFile).
Am I supposed to edit default-ssl.conf?
I’m at the end of my rope here. At this point I have no choice but to cancel my GoDaddy SSL certificate and lose $100 (too late for a refund).
I am desperate for help.
I know it’s been quite a while since this question was posted but I believe this should be addressed anyway.
First, make sure that the certificate files are not corrupted. You can verify their contents by running:
Your Apache configuration looks mostly correct, but ensure that you are using the correct file paths. Also, check for any typos in your virtual host configuration:
The default-ssl.conf is typically used for SSL configurations. If you are not using it, ensure that it does not conflict with your main configuration. You can either comment it out or ensure that it does not define another VirtualHost for port 443 that conflicts with yours.
Make sure that the SSL module is enabled in Apache. Run the following command:
Then restart Apache:
Check if Apache is running correctly. Look for any errors in the logs that might give you more insight into what’s going wrong:
You mentioned disabling UFW. If you have other firewall rules in place, ensure that they are not blocking port 443.
Ensure that your DNS settings are correct and that www.hdpowerequipment.com is pointing to the correct IP address.
After making changes, clear your browser’s cache or try accessing the site in an incognito window to rule out cached issues.
You can use online tools like SSL Labs to analyze your SSL setup and get detailed feedback about potential issues.
You can also test the SSL connection with:
This will give you detailed information about the SSL handshake and any errors that might be occurring.
Conclusion
If you’ve gone through all of these steps and still can’t get your SSL working, consider reaching out to GoDaddy’s support team for assistance, as they may be able to provide additional insights based on their records and your account.
Guys, what is wrong here? Not showing a secure site. Default config file for nginx:
server {
    listen [::]:80;
    listen 80;
    server_name mthingsonline.com www.mthingsonline.com;
    # redirect http to https www
    return 301 https://www.mthingsonline.com$request_uri;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name mthingsonline.com;
    # SSL code
    ssl_certificate /etc/nginx/ssl/api.mcarefit.com/api_mcarefit.com.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/mcarefit.com/mcarefit.key;
    # redirect https non-www to https www
    return 301 https://www.mthingsonline.com$request_uri;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name www.mthingsonline.com;
    # SSL code
    ssl_certificate /etc/nginx/ssl/api.mcarefit.com/api_mcarefit.com.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/newMthingsonline/www.mthingsonline.com.key;
    # other code
}
It looks like you might have a few configuration issues in your Nginx setup. Here’s a revised version of your configuration and some points to consider:
return directive correctly.
www and non-www domains.
Here’s a cleaned-up version of your Nginx configuration:
Key Points to Check:
Use nginx -t to test your configuration for any syntax errors.
Reload Nginx with sudo systemctl reload nginx.
Check the Nginx error log (/var/log/nginx/error.log) for any issues that may be preventing the site from loading securely.
Regards
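Since the cleaned-up configuration itself did not survive in the reply above, here is an added example of a three-block layout for this kind of setup. It is not from the tutorial or the reply, and every path under /etc/nginx/ssl/ and the document root are assumed placeholders. Two things in the posted configuration are worth checking before touching the redirects: both HTTPS blocks load a certificate whose file name refers to api_mcarefit.com rather than mthingsonline.com, and the two blocks pair that one certificate with two different key files. A certificate that does not list the requested name produces the browser’s “not secure” warning, and a key that does not belong to the certificate makes nginx -t fail with a key values mismatch error, so the fix is usually one certificate covering both names, paired with its own key in both blocks.

```nginx
# Plain HTTP for both names: answer only with a redirect to the canonical www host.
server {
    listen 80;
    listen [::]:80;
    server_name mthingsonline.com www.mthingsonline.com;
    return 301 https://www.mthingsonline.com$request_uri;
}

# Bare domain over HTTPS: still needs a certificate valid for mthingsonline.com,
# because the TLS handshake completes before the redirect is sent.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mthingsonline.com;

    # Assumed paths: leaf plus intermediates for BOTH names, and the matching key.
    ssl_certificate     /etc/nginx/ssl/mthingsonline.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/mthingsonline.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    return 301 https://www.mthingsonline.com$request_uri;
}

# The site itself, served under the www name with the same certificate/key pair.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.mthingsonline.com;

    ssl_certificate     /etc/nginx/ssl/mthingsonline.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/mthingsonline.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/mthingsonline.com;   # assumed document root
    index index.html;
}
```

Run nginx -t after saving: it loads every certificate and key named in the configuration, so a wrong path or a key that does not match its certificate is reported there rather than at the first browser request.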
I have downloaded the .crt files on my local Mac desktop, and I want to copy these two files to the Nginx server through the terminal. What’s the command to do that? Thanks
I followed the instructions above with a GoDaddy SSL for a single site and installed on Apache. It worked perfectly. Now when I followed the instructions to do it again for another site on the same server, everything on SSL went down. When I removed the new lines from the second .conf file. Everything came back. What am I missing? Certs for both are in two separate folders.
It sounds like you might be facing a configuration issue when setting up the second SSL site on Apache. Here are a few things to check to help resolve the problem:
Ensure that each site has its own <VirtualHost> block in separate configuration files, typically found in /etc/apache2/sites-available/. Each configuration should listen on port 443 for SSL. Double-check that the paths to the SSL certificate and key files in the second site’s configuration file are correct and point to the right certificates. Run apachectl configtest to check for any syntax errors in your configuration files, as this command will provide details about any issues. Make sure the SSL module is enabled in Apache by running sudo a2enmod ssl.
Look into Apache’s error logs (typically found in /var/log/apache2/error.log) for any specific messages that could indicate what went wrong when you attempted to restart the service. After making any changes, be sure to restart Apache to apply them with sudo service apache2 restart. Ensure that your server’s firewall allows traffic on port 443 by checking with sudo ufw status.
If you’ve checked all these points and it’s still not working, you can share the relevant configuration snippets for both sites, and I can help you troubleshoot further.
I want to install SSL certificate with https v2. So how can I proceed with it?
And also tell how can I upgrade https 1.1 to https 2 without deleting my droplet.
To install an SSL certificate with HTTPS/2 and upgrade from HTTPS/1.1 to HTTPS/2, follow these steps:
Place your certificate files on the server, using /etc/ssl/certs/ for the certificate and /etc/ssl/private/ for the private key.
Open your Apache virtual host file, usually /etc/apache2/sites-available/000-default.conf or a similar path.
Edit the <VirtualHost *:443> block to include the SSL certificate details:
Make sure DocumentRoot points to the correct directory.
Make sure you have the mod_http2 module enabled. You can enable it by running:
You can use online tools like SSL Labs’ SSL Test to verify your SSL installation and HTTP/2 support.
Regards
I found this blog, very helpful thank you so much for adding this in your website.
We’re glad that the article has helped you! Always feel free to reach out in our community as well:
https://www.digitalocean.com/community/questions
Can I ask you? I tried to run “sudo service apache2 restart” in the terminal and it returns “job for apache2.service failed…”. How can I fix this error? Thanks
If you’re getting the error “Job for apache2.service failed” when trying to restart Apache, it usually indicates a configuration issue or another problem preventing the service from starting. Start by checking the Apache error logs for more details using sudo tail -n 50 /var/log/apache2/error.log. Look for any specific error messages indicating what’s wrong.
Before restarting Apache, it’s a good idea to test the configuration files for syntax errors by running sudo apachectl configtest. If there are any syntax errors, the command will output them, and you’ll need to fix the reported issues before trying to restart Apache again.
Ensure that no other service is using port 80 or 443 by running sudo netstat -tuln | grep ':80\|:443'. If you find another service using these ports, you may need to stop it or change its configuration.
Verify that the SSL certificate files specified in your Apache configuration exist and have the correct permissions. If the paths to your SSL files are incorrect, Apache will fail to start.
Make sure the ssl module is enabled. You can enable it with sudo a2enmod ssl. After addressing any issues identified in the previous steps, try restarting Apache again with sudo service apache2 restart.
If it still fails, you can check the system status for Apache for more insights using sudo systemctl status apache2. If you follow these steps and are still having trouble, please share any specific error messages or details from the logs, and I’ll help you troubleshoot further.
I followed this instruction - Ubuntu 16.04, Apache, GoDaddy - but the website is unreachable. I don’t understand what my problem is. Can anyone help me?
First, check your Apache configuration files to ensure they are set up correctly. Verify that your 000-default.conf (or the specific virtual host file for your site) includes the necessary SSL directives and points to the correct certificate files. Confirm that the paths to your SSL certificate, private key, and intermediate certificate in your Apache configuration are correct, which should look something like this:
Next, check your server’s firewall settings to ensure that port 443 (HTTPS) is open. You can check the status of your firewall with sudo ufw status. If it’s not open, you can allow it with sudo ufw allow 443/tcp. After making any changes to the configuration files, restart Apache to apply the changes using sudo systemctl restart apache2.
Review the Apache error logs for any messages that might indicate what’s going wrong. The logs are usually located at /var/log/apache2/error.log. Also, ensure that your domain’s DNS settings are correctly pointing to your server’s IP address. You can use tools like dig or nslookup to verify this.
To validate your SSL certificate installation, use an SSL checker (like SSL Labs). Finally, try accessing your site directly using https://yourdomain.com. If it doesn’t work, check if you can reach it via HTTP (http://yourdomain.com) and whether it redirects correctly.
If you continue to experience issues, providing more details about your Apache configuration and any error messages you’re encountering can help further diagnose the problem.
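As an added example that is not the tutorial’s or the replies’ own configuration, the Apache layout below ties together the points made in the HTTP/2 reply, the two-sites-on-one-server reply and this one: port 80 hosts that only redirect, and two name-based port 443 hosts that each load their own certificate, key and chain. Host names, document roots and certificate paths are placeholders.

```apache
# Plain HTTP for both sites: answer only with a redirect to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName example.net
    Redirect permanent / https://example.net/
</VirtualHost>

# First HTTPS site. Apache does not allow trailing comments, so notes sit on their own lines.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    # HTTP/2 needs mod_http2 and a threaded MPM (event or worker); it is disabled under prefork.
    Protocols h2 http/1.1
    SSLEngine on
    # Leaf certificate, its private key (mode 0600, owned by root) and the CA intermediates.
    # On Apache 2.4.8+ the intermediates may instead be appended to SSLCertificateFile.
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/example.com.ca-bundle
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Needs mod_headers; tells browsers to keep using HTTPS for a year.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# Second HTTPS site on the same address. Apache selects the block by the SNI name
# the browser sends, so each block must carry its own certificate and key.
<VirtualHost *:443>
    ServerName example.net
    DocumentRoot /var/www/example.net
    Protocols h2 http/1.1
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.net.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.net.key
    SSLCertificateChainFile /etc/ssl/certs/example.net.ca-bundle
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Enable the modules the blocks rely on with sudo a2enmod ssl http2 headers, run sudo apachectl configtest, and only then restart. A second *:443 host that lacks SSLEngine or points at the wrong key is the usual way “everything on SSL went down” after adding a site: configtest reports it before the restart takes the first site down with it.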
I tried to install an SSL certificate from GoDaddy. I have many websites on the server and all stopped working. How to handle this? I want to keep multiple websites on the same server but only one with an SSL certificate.
To handle multiple websites on a server while keeping only one with an SSL certificate, first identify which website you want to secure with the SSL certificate. Next, configure your web server. If you are using Apache, create a new VirtualHost entry for the website with SSL, ensuring you have a separate VirtualHost for port 80 (HTTP) and another for port 443 (HTTPS). For Nginx, set up a server block for the website, ensuring it listens on both ports.
Then, install the SSL certificate from GoDaddy for the specific website you want to secure, making sure the paths to the certificate and key files in your configuration files are correct. Disable SSL for the other sites on the server by keeping their configurations active for port 80 and omitting any SSL configuration.
After making these changes, restart your web server to apply the new settings and test your websites to ensure the SSL-secured site is accessible via HTTPS, while the other websites function correctly without SSL. Lastly, monitor your server’s error logs if you encounter any issues during this process to identify misconfigurations or other problems.
If you need more specific help, please provide details about the web server software you’re using.
I use a Mac mini with OS X Server as a webserver. I recently purchased an SSL certificate and installed it on my webserver jmzcons.com, using Mac OS X Server as the platform. I see it there in the certificates and it’s active on the server, but I cannot access the webpage. I still get the not-safe-site message. Would appreciate some help please.
First check that the SSL certificate is correctly installed in the OS X Server app and associated with your web service. Ensure that HTTPS is enabled for your website in the server settings and that port 443 (the default for HTTPS) is open in your firewall settings.
Next, verify your domain’s DNS settings to confirm they point to the correct IP address of your server. You can use tools like nslookup or dig for this purpose. Clear your browser cache or try accessing your site from a different browser or device to rule out caching issues.
Make sure you provide the full certificate chain, as sometimes intermediate certificates are needed for browsers to trust your certificate fully. You can test your SSL configuration with tools like SSL Labs to get insights into any potential issues. Finally, review the web server logs for errors or warnings related to SSL connections, which can usually be found in /var/log/apache2/error_log or a similar path based on your configuration.
If you still encounter issues after following these steps, feel free to share more details about any error messages or behaviors you’re observing, and I can help further!
I need the support of a technician to configure SSL on my DigitalOcean server. Here is my email: medbi2011@gmail.com
Heya,
You can always reach in our community whether you have question, information or require any assistance. We’ll be happy to help!
https://www.digitalocean.com/community/questions
Regards
Fantastic tutorial
We’re glad that the article has helped you! Always feel free to reach out in our community as well:
https://www.digitalocean.com/community/questions
I’m no expert, and this took me a while to figure out. Broke my site several times before I cracked it. For anyone struggling, here is my setup. Hopefully it helps. Great tutorial btw! Blows the doors down on one of your main rival’s outdated and poorly written tutorials.
Ubuntu 18.04 Apache 2.4.29 Wildcard SSL from Ionos (via Geotrust)
Config files edited
I followed the tutorial exactly, with exception of one thing. When I set up my SSL on Ionos, it never asked me for input from the .csr files generated in the tutorial using the following line.
This really confused me for a bit as every tutorial online states you must input .crt information when generating the SSL files. But each time at the end of the tutorial, my site was broken. To revert things back to normal, I went into FileZilla, connected to the server via FTP, manually deleted the three SSL files I got from Ionos, and then reverted the 000-default.conf back to its original file. Easy fix.
Part of the problem was the SSL from Ionos issues .cer files, instead of .crt files like those referenced in the tutorial. I was converting these .cer files to be .crt. Finally, I decided to just leave them as .cer files. However, I did rename the three SSL related files I got from Ionos to something more simple. Here is where I placed the three files from Ionos on my server. FYI, I had to create the /ca/ and /private/ folders inside of /root/ since they did not exist, but that’s where I wanted to store my SSL files.
At this point, it still wasn’t working, and then I found the following file
/usr/lib/ssl/openssl.cnf
I edited three lines in this file to match the directories and file names I was using on my server to store the SSL files and boom! https is served. :D
Here is what my edited 000-default.conf file looks like, without the comment lines.
Heya,
Thanks for sharing this! Also I see that you’ve done this on Ubuntu 18.04, confirming it works for this version as well.
Sidenote. Seems like it would be a lot better if comment section was reverse order, so the most recent comments were first? Looking for help in 5yr old comments is not encouraging. Nor is having to press that Load button 6x to get the bottom and most recent comments, which are much more likely to apply to more current setups. :)
Exactly my thinking, Hightide. Not the most intuitive comment system ever devised, is it? At the very least there should be a function available to sort by newest first.
Yes, sorting by the most recent comments first could save time and help users find relevant information more quickly.
You can always post suggestions in our Product Ideas Dashboard here:
https://ideas.digitalocean.com/
Regards
I completely understand that! Having the most recent comments at the top would make it much easier to find relevant and up-to-date information, especially in long threads. The “Load more” button can be quite tedious, too. I’ll pass your feedback internally to our team so we can check this.
Also you can always post suggestions in our Product Ideas Dashboard here:
https://ideas.digitalocean.com/
Regards
Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here.
We’re glad that the article has helped you! Always feel free to reach out in our community as well:
https://www.digitalocean.com/community/questions
Thank you. Perfect.
We’re glad that the article has helped you! Always feel free to reach out in our community as well:
https://www.digitalocean.com/community/questions
This is the most comprehensive article i have come across and was able to follow along without any issues… Thank you!
We’re glad that the article has helped you! Always feel free to reach out in our community as well:
https://www.digitalocean.com/community/questions
how to install ssl on plex & Cpanel http://bit.do/msssl
Heya,
You can check the following link for installing SSL Certificate on a cPanel server
https://docs.cpanel.net/whm/ssl-tls/install-an-ssl-certificate-on-a-domain/
Plex requires certificates in PEM format, so you may need to convert your .crt and .key files. You can do this with the command cat your_certificate.crt your_private.key > plex_cert.pem.
Next, locate the Plex Media Server’s configuration file, typically found at /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Preferences.xml. Edit this file to include <setting name="customCertificate" value="path/to/plex_cert.pem"/>, replacing path/to/plex_cert.pem with the actual path to your PEM file.
Finally, restart the Plex Media Server using sudo systemctl restart plexmediaserver to apply the changes.
Regards
To get free $100 credit on digitalocean, Please signup using this link https://m.do.co/c/cec3e77bb2b2
Here’s an updated link with $200 Credit for your 60 day trial
https://try.digitalocean.com/freetrialoffer/
Hi, Can someone guide setup SSL in tomcat 9 server, the above document explains about Nginx and Apache2 not the Tomcat9.
Certificate is downloaded from Godaddy for Tomcat webserver.
Regards Ram
First, prepare your SSL certificate files from GoDaddy, which typically include a primary certificate (e.g., your_domain.crt) and an intermediate certificate (e.g., gd_bundle.crt). You may need to convert these certificate files to PKCS12 format since Tomcat uses the Java KeyStore format. Use the command openssl pkcs12 -export -in your_domain.crt -inkey your_private_key.key -out your_domain.p12 -name tomcat -CAfile gd_bundle.crt -caname root, replacing your_private_key.key with the path to your private key file; you’ll be prompted for an export password.
Next, import the PKCS12 file into a Java Keystore using the command keytool -importkeystore -srckeystore your_domain.p12 -srcstoretype PKCS12 -destkeystore your_keystore.jks -deststoretype JKS, setting a password for the Keystore and providing it when prompted.
Then, configure Tomcat’s server.xml file located in the conf directory of your Tomcat installation. Add the following connector configuration:
Ensure to replace path/to/your_keystore.jks with the actual path to your Keystore file and your_keystore_password with the password you set earlier.
Make sure your firewall allows traffic on port 443 by using sudo ufw allow 443. After that, restart the Tomcat server to apply the changes with sudo systemctl restart tomcat.
Finally, verify your SSL installation by visiting your website using https://your_domain.com to check if SSL is functioning correctly. If you encounter issues, check the Tomcat logs located in the logs directory for any errors related to SSL configuration.
Followed the steps for a certificate from GoDaddy and installation on an Apache server, but not able to access with the https port; http is working.
Please help. I am new to ubuntu. My domain registered with godaddy & VM hosted on DigitalOcean droplet.
Does take time for the changes to be realized? Like i did everything thats mentioned here. But my website still doesn’t load as https
Yes, changes to your Apache configuration should take effect immediately after restarting the service. However, several factors might prevent your website from loading over HTTPS. First, browser cache can cause issues, so try clearing it or using incognito mode. If you recently changed DNS settings, it might take time for those changes to propagate. Also, ensure your firewall allows traffic on port 443 by checking with sudo ufw status.
It’s essential to double-check your default-ssl.conf file for syntax errors, which you can verify using sudo apachectl configtest. Ensure your SSL certificate files are correctly referenced and that the certificate is valid and not expired. Lastly, check for any network issues affecting your server’s ability to serve HTTPS requests. If problems persist, look at the Apache error logs with sudo tail -f /var/log/apache2/error.log for specific error messages that could provide further clues.
Hi, thanks for writing this how-to. As a rookie I always need to follow such tutorials. Quick info: I am using Raspbian OS and all is working on http requests. So I was following this how-to to get my GoDaddy cert installed and used for https requests. Unfortunately I can’t access my sites (http and https) if I edit the 000-default.conf file. After changing the 000-default.conf file back to as it was and editing the default-ssl.conf file, the http access was working again, but still I can’t get access to my site via https: ERR_CONNECTION_REFUSED. As well, I have checked with the “apachectl -s” command and can see this output:
VirtualHost configuration:
*:80 www.emilymeier.ch (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
Should there not be an entry for :443?
Any help is very welcome as I am really a rookie. sorry Regards mame
First, check your default-ssl.conf file to ensure it has the right configuration for port 443, including the correct paths for your SSL certificate files:
Make sure the SSL module is enabled by running sudo a2enmod ssl. Then, check if the default-ssl.conf file is symlinked in the sites-enabled directory with ls /etc/apache2/sites-enabled/. If it’s missing, create it using sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/. After making these changes, restart Apache with sudo systemctl restart apache2.
Also, verify that port 443 is allowed in your firewall settings using sudo ufw status. If it’s not allowed, use sudo ufw allow 'Apache Full' to enable HTTPS traffic. Lastly, check Apache’s error log with sudo tail -f /var/log/apache2/error.log for any additional clues.
Ensure that there is a VirtualHost entry for port 443. If you still have issues, share any error messages or configurations for more assistance.
Works on Nginx on Ubuntu 18.04, July 2020
You’re welcome! I’m glad to hear it works on Nginx with Ubuntu 18.04. If you need more help or have any other question, don’t hesitate to tell me. Good luck with your project!
Works on Nginx with Ubuntu 18.04 as of today. Thanks, maestro!
You’re welcome! I’m glad to hear it works on Nginx with Ubuntu 18.04. If you need more help or have any other question, don’t hesitate to tell me. Good luck with your project!
This is the only guide on DigitalOcean for installing SSL certificates from a commercial certificate authority, but it’s from 2014 using Ubuntu 14.04. It’s now 2020, most of us are using a much newer version of Ubuntu (20.04), and the options from both Namecheap and GoDaddy may have changed.
Isn’t it time someone updated this guide? Is it even applicable to Ubuntu 20.04?
Furthermore, I’m with commenter “Hightide” in finding this comment section to be a bit poorly implemented without a “sort by newest first” function.
You’re right that a guide from 2014 is outdated. While the basic principles of SSL installation remain the same, several steps, package versions, and best practices have evolved. Configuration paths are the same, but modern best practices should include more secure SSL protocols and updated cipher suites.
As for the comments section on that guide, having a “sort by newest” feature would be a practical improvement. It would make finding the most relevant and up-to-date user contributions easier, especially with the constantly evolving tech landscape. I’ll pass this recommendation internally.
what happens if the format is different, do we need to change it? I.e. it’s not example.com.key but example.com.p7b
the files from namecheap are: example.com.ca-bundle example.com.crt example.com.p7b
If the SSL certificate files you received are in a different format, such as .p7b instead of .crt or .key, you will need to convert them to the appropriate format for Apache.
A .p7b (or PKCS#7) file does not contain the private key and is usually used to bundle multiple certificates together. Apache typically requires .crt files for the certificate and .key files for the private key.
Here’s how to handle this:
Convert .p7b to .crt: You can use OpenSSL to convert the .p7b file into .crt format. Run this command:
Get the private key: If you don’t have a .key file, you need to obtain the private key from the original server or the CSR (Certificate Signing Request) generation process. You can’t extract the private key from the .p7b file.
Configure Apache: Once you have the .crt and .key files, configure Apache to use them in the SSLCertificateFile and SSLCertificateKeyFile directives.
If the conversion works, there’s no need to change the filenames, but the format needs to be correct for Apache to use it.
Regards
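An added example, not from the tutorial or the reply above, that carries the .p7b advice through with the checks a practitioner runs before restarting Apache: unpacking the PKCS#7 bundle to PEM, splitting the result into leaf and intermediates, and confirming that the private key actually belongs to the leaf (the most common cause of Apache refusing to start after a certificate install). Function names are hypothetical and paths are placeholders; the real commands used are openssl pkcs7 -print_certs, openssl x509 and openssl pkey, and the sample bundle the helper builds is constructed text, not a real certificate.

```shell
# p7b_to_pem BUNDLE.p7b OUT.pem: unpack a PKCS#7 bundle into PEM certificates.
# The output holds every certificate in the bundle and never a private key;
# openssl also prints each subject/issuer so the leaf can be told from the CAs.
p7b_to_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# count_certs FILE.pem: number of certificates in a PEM file (0 if none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_bundle FILE.pem OUTDIR: write each certificate to OUTDIR/cert-N.pem in file
# order, dropping the subject/issuer lines between them. Apache before 2.4.8 wants the
# leaf alone in SSLCertificateFile and the rest in SSLCertificateChainFile; 2.4.8+
# also accepts them all in SSLCertificateFile.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# cert_subject FILE.pem: subject of a PEM certificate, to label what split_bundle wrote.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# key_matches_cert KEY.pem CERT.pem: exit 0 when the key belongs to the certificate.
# Compares the public keys rather than RSA moduli, so it works for ECDSA keys too.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$2") || return 2
    key_pub=$(openssl pkey -pubout -in "$1") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_sample_bundle FILE: constructed sample (not real certificates) in the shape
# openssl pkcs7 -print_certs emits: subject line, certificate, subject line, certificate.
make_sample_bundle() {
    printf '%s\n' \
        'subject=CN = www.example.com' \
        '-----BEGIN CERTIFICATE-----' 'LEAFDATA' '-----END CERTIFICATE-----' \
        'subject=CN = Example Intermediate CA' \
        '-----BEGIN CERTIFICATE-----' 'INTERDATA' '-----END CERTIFICATE-----' > "$1"
}

# Usage (placeholder names): sh p7b_check.sh example.com.p7b example.com.key
if [ $# -eq 2 ]; then
    p7b_to_pem "$1" all.pem
    mkdir -p parts && split_bundle all.pem parts
    echo "$(count_certs all.pem) certificate(s); first is: $(cert_subject parts/cert-1.pem)"
    if key_matches_cert "$2" parts/cert-1.pem; then
        echo "key matches the leaf certificate"
    else
        echo "key does NOT match the leaf certificate: check which CSR this certificate was issued for"
    fi
fi
```

If the key check fails, the certificate was issued for a different CSR than the key on the server; re-issuing against the current key (or restoring the key that generated the CSR) is the fix, since no amount of Apache configuration makes a mismatched pair load.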
I’m trying to install ZeroSSL certificate on Ubuntu 20.
I have downloaded ca bundle.crt and private.key, moved to /etc/ssl/ and /etc/ssl/private.
When I restart Apache I get the message:
Job for apache2.service failed because the control process exited with error code. See “systemctl status apache2.service” and “journalctl -xe” for details.
What is the error or message? What can I do? Or what am I doing wrong?
First, check the error logs by running sudo journalctl -xe and sudo systemctl status apache2.service. This will provide more information about why Apache is failing to start.
Next, ensure that the certificate and key files in /etc/ssl/ and /etc/ssl/private/ have the correct ownership and permissions. The certificate should have chmod 644, and the private key should have chmod 600. Verify that your Apache SSL configuration is correct by editing /etc/apache2/sites-available/default-ssl.conf and ensuring the paths to the certificate and key are correctly specified with SSLCertificateFile and SSLCertificateKeyFile. Make sure SSLEngine on is present.
Afterward, ensure the ssl module is enabled by running sudo a2enmod ssl, and also enable the default-ssl site if needed. Test the configuration using sudo apachectl configtest to check for syntax errors, and finally restart Apache with sudo systemctl restart apache2. If there are still issues, check the status again and troubleshoot from the error messages provided.
What are the steps to renew a commercial certificate on an Apache server?
Heya,
You need to replace/upload the new certificate files on the server and then make sure the paths are correct in the Apache Virtual hosts. A restart of the Apache service will be required too.
Regards
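The two answers above (the Apache start failure after installing the ZeroSSL files, and the renewal steps) both come down to the same preflight: the key must be private, the certificate must belong to that key, the file must be the new one rather than the expired one, and it must chain to the CA bundle, all before restarting Apache. As an added example that is not part of the tutorial or of either answer, here is that preflight as a shell script. It assumes only the openssl CLI; apachectl is used when present. The file names follow the layout mentioned in the question but are constructed here, and a self-signed certificate stands in for the CA-issued one (so its "CA bundle" is the certificate itself).

```shell
#!/bin/sh
# Added example, not from the DigitalOcean tutorial or the commenters above.
# Preflight checks to run before restarting Apache after installing or renewing
# a commercial certificate: key permissions, certificate/key match, remaining
# validity, chain verification, then Apache's own syntax check. Assumes the
# openssl CLI; file names are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed sample input: a self-signed certificate stands in for the
# CA-issued one, so the "CA bundle" is simply the certificate itself.
setup_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example.com" \
        -keyout "$WORKDIR/private.key" -out "$WORKDIR/certificate.crt" \
        >/dev/null 2>&1
    cp "$WORKDIR/certificate.crt" "$WORKDIR/ca_bundle.crt"
    chmod 600 "$WORKDIR/private.key"
    chmod 644 "$WORKDIR/certificate.crt" "$WORKDIR/ca_bundle.crt"
}

# key_perms_ok <key>: the private key must not be readable by group or others.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "private key $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# cert_matches_key <crt> <key>: compare the public key embedded in the
# certificate with the one derived from the private key (RSA or EC). A
# mismatch is a classic cause of "Job for apache2.service failed".
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_valid_for_days <crt> <days>: fails if the certificate expires within
# that many days; catches an old file copied in place of the renewal.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# chain_verifies <crt> <bundle>: the leaf must chain to the CA bundle that the
# chain directive (or the concatenated SSLCertificateFile) will point at.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# apache_configtest: run Apache's syntax check where Apache is installed; on a
# workstation without it, report and continue.
apache_configtest() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest
    else
        echo "apachectl not found; skipping configtest" >&2
    fi
}

# preflight <crt> <key> <bundle>: run every check; non-zero on the first failure.
preflight() {
    key_perms_ok "$2" &&
    cert_matches_key "$1" "$2" &&
    cert_valid_for_days "$1" 14 &&
    chain_verifies "$1" "$3" &&
    apache_configtest &&
    echo "preflight OK: $(openssl x509 -in "$1" -noout -enddate)"
}

if [ "${1:-}" = "demo" ]; then
    setup_demo
    preflight "$WORKDIR/certificate.crt" "$WORKDIR/private.key" "$WORKDIR/ca_bundle.crt"
fi
```

On a real server, call `preflight` with the paths from your default-ssl.conf (the SSLCertificateFile, SSLCertificateKeyFile and chain file) and only restart Apache once it prints `preflight OK`; the `-enddate` line also confirms the renewed certificate, not the expired one, is the file in place.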
Can I run the above lines of code in the DigitalOcean Console? Because each time I try “sudo nano /etc/nginx/sites-enabled/default” it gets me nowhere, and if I try connecting using Git Bash, I get access denied (public key). Is there a way I could do it over the console? My SSL has expired after 1 year and I have been trying for a week now to reinstall it to make my website safe again.
Yes, you can run those commands in the DigitalOcean Console, but the console is typically intended for recovery purposes rather than everyday use. For routine server management, it’s best to stick with an SSH client like Git Bash or another terminal-based SSH tool. The console should be used as a backup if you’re unable to access your droplet via SSH.
