
CA-issued SSL certificate setup on Apache 2.4.29

Assumptions:
1. You’ve purchased and requested an SSL certificate from a known Certificate Authority (CA). You’ve gone through the entire process and now have a set of text files, either sent to you or downloaded, whichever the case.
2. OpenSSL has already been installed on the server.

Usually the files would be:
1. the main certificate, with extension .crt, .pem or .
2. the certificate chain (the intermediate certificates), with extension .ca-bundle or .key

The other file you would need is the private key that was used to make the Certificate Signing Request (CSR) sent to the CA. Its extension is also .key. On Ubuntu machines, this would usually be located in the current user’s home directory or in a subdirectory within home (e.g. ~/, ~/.ssl or ~/ssl).

Copy the files from the CA to where the private key is, as a matter of organization, so they’re all together and can easily be found and referenced.

Next, confirm the exact location of the configuration files.

sudo apachectl -S

The configuration files would normally be found in:

/etc/apache2/sites-available

There is another directory that may sometimes look identical but actually contains symlinks to the files in sites-available:

/etc/apache2/sites-enabled

Apache actually creates the symlinks when a site is enabled. DO NOT DIRECTLY CREATE OR EDIT CONFIG FILES HERE. Use the ones in sites-available.

If multiple sites are configured, locate the appropriate file for the domain the certificate has been issued for. If the domain is mycoolsite.com, the config file would normally be mycoolsite.com.conf. If there is only one site, then the config file would usually just be 000-default.conf.

Create another virtual host configuration file, marking it as an SSL counterpart. If the non-SSL config filename is mycoolsite.com.conf, make this one mycoolsite.com-ssl.conf. Doing so makes it easier to identify and to toggle SSL on and off down the line.

Open this new config file with your favorite editor. Key in the following, substituting your own values for the example ones shown, and save. Apache does not allow a comment on the same line as a directive, so the notes below sit on their own lines.

sudo nano mycoolsite.com-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # admin email, domain name, alias and main public directory
    ServerAdmin admin@mycoolsite.com
    ServerName mycoolsite.com
    ServerAlias www.mycoolsite.com
    DocumentRoot /var/www/mycoolsite.com/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    # certificate file and certificate chain file from the CA, plus your private key
    SSLCertificateFile /home/coolguy/ssl/mycoolsite_com.crt
    SSLCertificateKeyFile /home/coolguy/ssl/mycoolsite_com.key
    SSLCertificateChainFile /home/coolguy/ssl/mycoolsite_com.ca-bundle
</VirtualHost>
</IfModule>

Next enable SSL support:

sudo a2enmod ssl

Next enable the site:

sudo a2ensite mycoolsite.com-ssl.conf

Apache then needs to be restarted for the new config files to be read and implemented. Make sure there are no syntax errors before restarting Apache:

sudo apachectl -t

If the command returns “Syntax OK”, proceed to restart Apache. Otherwise, go back to the configuration files and make sure everything is in order.

sudo systemctl restart apache2

Test that it works by accessing the site over HTTPS:

https://mycoolsite.com

Next, redirect all plain-HTTP traffic to the SSL site by modifying the other configuration file:

sudo nano mycoolsite.com.conf
<VirtualHost *:80>
    ServerName mycoolsite.com
    Redirect permanent / https://mycoolsite.com/
</VirtualHost>

Restart Apache again.

sudo systemctl restart apache2

Check that this worked by accessing the site over regular HTTP in your browser:

http://mycoolsite.com

If it worked, the URL in the address bar will now start with https:

https://mycoolsite.com

Pitfalls:

Be meticulous about correct spellings, extra lines and extra spaces. Oftentimes they are the reason a configuration fails.
