
Apache SSL Configuration Error (SSL Connection Error)

I'm trying to configure Apache on my server to work with SSL, but every time I visit my site, I get the following message in my browser:

SSL connection error. Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

The error message above seems to be native to Google Chrome. However, even though the messages are different, SSL for the site is not working on any browser.

Just some background on the situation: I am using Ubuntu 10.04 desktop edition.

I installed Apache by installing Zend Server (it installed Apache automatically). I then installed OpenSSL. Non-HTTPS pages work fine on the site.
I tried getting trial certificates from multiple certificate sites but nothing is working (same error).
I was previously hosting my site on another server on which SSL worked just fine. I also tried using the key and cert file from that server, but I got the same error.

The domain name and IP are still the same though. My SSLCertificateFile and SSLCertificateKeyFile are pointing to the correct directory and files.

I also do not have SSLVerifyClient enabled.

If anyone has any suggestions, it would be most appreciated.

user396404 asked Jul 20 '10 03:07


1 Answer

I had the same problem as @user396404, and had to follow VARIOUS pieces of advice. Since he doesn't remember the precise path he followed, let me list my path:

  1. check if you have SSL YES using <?php phpinfo(); ?>

  2. if necessary

    A. enable SSL on Apache: sudo a2enmod ssl

    B. install OpenSSL: sudo apt-get install openssl

    C. check if port 443 is open: sudo netstat -lp

    D. if necessary, change /etc/apache2/ports.conf, this works

        NameVirtualHost *:80
        Listen 80

        <IfModule mod_ssl.c>
            # If you add NameVirtualHost *:443 here, you will also have to change
            # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
            # to <VirtualHost *:443>
            # Server Name Indication for SSL named virtual hosts is currently not
            # supported by MSIE on Windows XP.
            NameVirtualHost *:443
            Listen 443
        </IfModule>

        <IfModule mod_gnutls.c>
            Listen 443
        </IfModule>

  3. acquire a key and a certificate by

    A. paying a Certificate Authority (Comodo, GoDaddy, Verisign) for a pair

    B. generating your own* - see below (testing purposes ONLY)

  4. change your configuration (in ubuntu12 /etc/apache2/httpd.conf - default is an empty file) to include a proper <VirtualHost> (replace MYSITE.COM as well as key and cert path/name to point to your certificate and key):

    <VirtualHost _default_:443>
        ServerName MYSITE.COM:443
        SSLEngine on
        SSLCertificateKeyFile /etc/apache2/ssl/MYSITE.COM.key
        SSLCertificateFile /etc/apache2/ssl/MYSITE.COM.cert
        ServerAdmin MYWEBGUY@localhost
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/errorSSL.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/accessSSL.log combined
    </VirtualHost>

While many other virtualhost configs will be available in /etc/apache2/sites-enabled/ and in /etc/apache2/sites-available/, it was /etc/apache2/httpd.conf that was CRUCIAL to solving all problems.

For further info:

http://wiki.vpslink.com/Enable_SSL_on_Apache2

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert

*Generating your own certificate (self-signed) will result in a certificate whose authority the user's browser will not recognize. Therefore, the browser will scream bloody murder and the user will have to "understand the risks" a dozen times before the browser actually opens up the page. So, it only works for testing purposes. Having said that, this is the HOW-TO:

  1. go to the Apache folder (in ubuntu12 /etc/apache2/)
  2. create a folder like ssl (or anything that works for you, the name is not a system requirement)
  3. go to the chosen directory /etc/apache2/ssl
  4. run: sudo openssl req -new -x509 -nodes -out MYSITE.COM.crt -keyout MYSITE.COM.key
  5. use MYSITE.COM.crt and MYSITE.COM.key in your <VirtualHost> tag

The name format is NOT under a strict system requirement, but must be the same as the file :) - names like 212-MYSITE.COM.crt, june2014-Godaddy-MYSITE.COM.crt should work.

tony gil answered Sep 25 '22 21:09
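
A check for steps 2D and 4 of the answer above, as an added example that is not part of the original answer: it scans Apache configuration text for Listen 443 and for a :443 <VirtualHost> that has SSLEngine on plus both certificate directives. The function name audit_ssl_config and the sample strings are assumptions made for illustration.

```python
import re

REQUIRED = ("sslcertificatefile", "sslcertificatekeyfile")

def audit_ssl_config(text):
    """Return findings for Apache config text; an empty list means it looks sane."""
    findings, listens, vhosts, current = [], set(), [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"addr": opened.group(1).strip(), "d": {}}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif line.startswith("<"):
            continue  # <IfModule>, <Directory>: look through these containers
        else:
            parts = line.split(None, 1)
            name = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if name == "listen" and value:
                # Accepts "443", "0.0.0.0:443" and "443 https"
                listens.add(value.split()[0].rsplit(":", 1)[-1])
            elif current is not None:
                current["d"][name] = value
    if "443" not in listens:
        findings.append("no 'Listen 443' found")
    https = [v for v in vhosts if any(a.endswith(":443") for a in v["addr"].split())]
    if not https:
        findings.append("no <VirtualHost ...:443> block found")
    for v in https:
        if v["d"].get("sslengine", "").lower() != "on":
            findings.append(f"{v['addr']}: SSLEngine is not on, port 443 serves plain HTTP")
        findings += [f"{v['addr']}: missing {n}" for n in REQUIRED if not v["d"].get(n)]
    return findings

# Constructed sample: the answer's vhost with the SSLEngine line left out.
BROKEN = """
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
<VirtualHost _default_:443>
    ServerName MYSITE.COM:443
    SSLCertificateKeyFile /etc/apache2/ssl/MYSITE.COM.key
    SSLCertificateFile /etc/apache2/ssl/MYSITE.COM.cert
</VirtualHost>
"""
FIXED = BROKEN.replace("ServerName", "SSLEngine on\n    ServerName")
```

Feed it the concatenated contents of ports.conf, httpd.conf and the enabled site files; it does not follow Include directives.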