Hi,

I’m a Linux newbie and have been tasked with getting an SSL cert loaded and working for one of our existing apps. It appears to be Ubuntu and I have managed to generate & export the CSR off to our external CA. SSL appears to be up already on the site, it’s just showing the “site not trusted” message that you would expect it to. I’m just not sure what to do next. I’ve read about setting up a virtual host on 443 and creating a directory - would be grateful for some pointers please - thanks.

3 Spice ups

Ubuntu is a flavor of Linux. It is not a web server. Figure out what web server is installed.

2 Spice ups

You need to find out what webserver you’re using then follow the instructions for setting up a signed cert for that.

Will be either Apache or NGINX I would have thought.

1 Spice up

Hi,

If it’s an Apache running on your Ubuntu, you have to edit your actual running config under /etc/apache2/sites-enabled/ or create a new site config for your new virtual host under /etc/apache2/sites-available/. (If you’ve created a new config, you’ll have to activate it with a2ensite newconfigfilename.)

Example for a working Apache config:

```apache
# Virtual host for HTTPS connections
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerName www.yoursite.com
	ServerAlias www.yoursite.de
	ServerAdmin webmaster@yoursite.com
	# Path to your website
	DocumentRoot /var/www/yoursite

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	# Enable TLS for this virtual host
	SSLEngine on
	# Path to your certificate
	SSLCertificateFile /etc/letsencrypt/live/yoursite.com/cert.pem
	# Path to your private key file of the CSR
	SSLCertificateKeyFile /etc/letsencrypt/live/yoursite.com/privkey.pem
	# Path to chain if necessary
	SSLCertificateChainFile /etc/letsencrypt/live/yoursite.com/chain.pem
</VirtualHost>
```

2 Spice ups

OK, so I have worked out it is Apache2. So to amend an existing site config file, I can see that there is a 000-default.conf file and default-ssl.conf in the sites-enabled directory, so I would amend one of those files with a similar config to the one you have listed?

Does Apache need to be restarted after this? With the CSR I generated a .key file which I assume I now need to convert to a .pem? Thanks.

1 Spice up

No, the Apache config will use the .key and the signed .crt you get back from the CA.

The CSR is the Certificate Signing Key that you give to the CA.

Your CA should have a how-to for all this.

2 Spice ups
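A pre-install check for the key, CSR and signed certificate discussed above, as an added example that is not part of any poster's reply: it confirms the certificate returned by the CA and the submitted CSR both belong to the private key Apache will load, that the certificate has not expired, and that the key file is not readable by other users. The function names and the `site.key` / `site.csr` / `site.crt` file names are assumptions, and the sample files are constructed on the fly (a self-signed certificate stands in for the CA's reply).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-install checks for a CA-signed cert.

# 0 if certificate $1 carries the same public key as private key $2.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if CSR $1 was generated from private key $2.
csr_matches_key() {
    local csr_pub key_pub
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$csr_pub" = "$key_pub" ]
}

# 0 if key file $1 grants no permissions to "other" users (GNU find syntax).
key_not_world_accessible() {
    [ -f "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm /007)" ]
}

# Run all checks, print one line per check, return non-zero if any fails.
preflight() {   # usage: preflight CERT KEY CSR
    local rc=0
    cert_matches_key "$1" "$2" && echo "OK   cert matches key" || { echo "FAIL cert does not match key"; rc=1; }
    csr_matches_key "$3" "$2" && echo "OK   CSR matches key" || { echo "FAIL CSR does not match key"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 && echo "OK   cert not expired" || { echo "FAIL cert expired or unreadable"; rc=1; }
    key_not_world_accessible "$2" && echo "OK   key not world-accessible" || { echo "FAIL key is world-accessible"; rc=1; }
    return $rc
}

# Constructed sample input: throwaway key, CSR and a self-signed certificate
# standing in for the file the CA would return.
make_fixture() {   # usage: make_fixture DIR
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$1/site.key" \
          -out "$1/site.csr" -subj "/CN=www.yoursite.com" >/dev/null 2>&1
      openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" \
          -out "$1/site.crt" -days 1 >/dev/null 2>&1 )
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir" && preflight "$demo_dir/site.crt" "$demo_dir/site.key" "$demo_dir/site.csr"
rm -rf "$demo_dir"
```

Once every line reads OK for the real files, `apachectl configtest` validates the edited virtual host and `systemctl reload apache2` makes Apache pick up the new certificate.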

If you are a new Linux enthusiast I suggest rolling a “transition” suite such as Webmin. Webmin will expose you to many options to create and configure server elements, including the installation of SSLs. I believe the new version has a “Let’s Encrypt” module you can use to automate the certificate process.

Using Let’s Encrypt is a great suggestion, if you don’t need a paid certificate. The installation is very simple, also with only shell access.

Have a look at https://certbot.eff.org/ especially https://certbot.eff.org/lets-encrypt/ubuntubionic-apache

It creates all necessary keys, CSRs and certificates. It will also automatically generate and activate a new Apache config.

1 Spice up

Let’s Encrypt is the way to go here, unless you have a company policy that requires you to use your own CA server.

As Kevin7436 says, it’s really easy.