Sameer Siruguri

My Blog

More LAMP adventures: Setting up SSL on Apache/Ubuntu

Ready to run an SSL server on your Ubuntu install? Here's how you do it, in a few easy steps.

We will do this for an Apache2 server configuration on Ubuntu – if you’re using a different flavor of Linux (Debian, Fedora, etc.), many of these instructions are similar. I’ll try to keep track of where the major differences are.

Remember that SSL isn’t the default mode for an Apache server installation. So you have to enable the corresponding module, and also set up an SSL certificate for the server to present.

The first thing you have to do is enable the SSL module in Apache, along with the default SSL site (all of these commands must be run with root privileges):

a2enmod ssl
a2ensite default-ssl

Check that ssl is now available as a module: apachectl -t -D DUMP_MODULES should return a list of modules that contains ssl_module.

Next, you need to install a certificate that the server will return to identify itself. You can get a certificate signed by a certificate authority, or just use a self-signed certificate if you don’t mind your users seeing a scary-looking security exception in their browsers.

There are plenty of pages describing how to generate these files. Here’s a long-ish tutorial I just found today on a LAMP-related website that has a section on generating these files.

Don’t follow the rest of the instructions on the site – they don’t work. You need to put some of those directives outside the VirtualHost section, otherwise you get a syntax error when you restart your server: SSLRandomSeed cannot occur within <VirtualHost> section, and so on.

Instead, configure your main site’s .conf file as follows (this assumes you are running the same site under both HTTP and HTTPS):

<VirtualHost *:80>
Include /etc/apache2/domains/
</VirtualHost>

<VirtualHost *:443>
Include /etc/apache2/domains/

SSLEngine On
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

<IfModule mime.c>
AddType application/x-x509-ca-cert      .crt
AddType application/x-pkcs7-crl         .crl
</IfModule>

SetEnvIf User-Agent ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

# Server-wide SSL settings: these stay outside the <VirtualHost> sections
<IfModule mod_ssl.c>
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600

SSLVerifyClient none
SSLProxyEngine off
# SSLv3 and TLSv1 are obsolete; on a current server restrict this to TLSv1.2 or later
SSLProtocol -all +TLSv1 +SSLv3
</IfModule>
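
To catch the "cannot occur within <VirtualHost> section" error before restarting the server, here is a small checker, added as an example and not part of the original post. It flags mod_ssl directives that are only valid at server scope when they appear inside a VirtualHost, and SSLProtocol lines that enable obsolete versions; the function names, the treatment of "all", and the sample input are assumptions made for this sketch.

```python
import re

# Per the mod_ssl documentation these directives are valid only in the global
# server config; Apache refuses to start if one sits inside <VirtualHost>.
SERVER_ONLY = {"sslrandomseed", "sslsessioncache", "sslpassphrasedialog",
               "sslcryptodevice", "sslstaplingcache", "sslfips"}
OBSOLETE = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}  # versions not to offer
# Assumption: "all" is treated as every version a build might support.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}

def enabled_protocols(args):
    """Resolve SSLProtocol tokens left to right: +x adds, -x removes, x replaces."""
    enabled = set()
    for tok in args.lower().split():
        sign, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL if proto == "all" else {proto}
        if sign == "-":
            enabled -= group
        else:
            enabled = (enabled | group) if sign == "+" else set(group)
    return enabled

def lint_apache_ssl(text):
    """Return (line_number, message) findings for an Apache config string."""
    findings, in_vhost = [], 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost += 1
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            in_vhost -= 1
        elif not line.startswith("<"):  # skip other containers such as <IfModule>
            name, args = (line.split(None, 1) + [""])[:2]
            if in_vhost and name.lower() in SERVER_ONLY:
                findings.append((num, f"{name} cannot occur within <VirtualHost> section"))
            if name.lower() == "sslprotocol":
                weak = sorted(enabled_protocols(args) & OBSOLETE)
                if weak:
                    findings.append((num, "SSLProtocol enables " + ", ".join(weak)))
    return findings

# Constructed sample input, not the configuration from the post.
SAMPLE = ("<VirtualHost *:443>\nSSLEngine On\n"
          "SSLRandomSeed startup file:/dev/urandom 1024\n</VirtualHost>\n"
          "SSLProtocol -all +TLSv1 +SSLv3\n")
for num, msg in lint_apache_ssl(SAMPLE):
    print(f"line {num}: {msg}")
```

The checker does not follow Include directives or backslash line continuations, so run it on each included file as well.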

Want more? Check out this complete set of possible options you can add to your mod_ssl config.
