When does Ubuntu 16.04 use /etc/apache2/ssl/apache.crt?

Solution 1:

According to some manuals the SSL certificate files must be placed under /etc/apache2/ssl/, but they can be placed in a different folder, depending on your own configuration.

To have HTTPS access to your site, you must enable the SSLEngine and provide a valid SSL certificate.

For this purpose you should use the OpenSSL command line tool to generate your own certificate. Then you need to validate the certificate with a provider such as COMODO, StartSSL, your local DNS provider, etc. Usually they offer free certificates for a few months. Regarding this way of certificate generation you may look at these guides: for 14.04 and 16.04.

You can also use the software tool Let's Encrypt. From the Let's Encrypt Getting Started page:

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.


I would suggest you use Let's Encrypt at this stage. So let's begin.

1st - install Let's Encrypt:

sudo apt install python-letsencrypt-apache

2nd - generate the certificate. To generate an SSL certificate compatible with Apache just type: letsencrypt --apache. This command will start an interactive dialogue (where you must fill in your site's personal data) and will generate an HTTPS.conf file based on your existing HTTP.conf file.

You can also use some additional parameters, for example letsencrypt --apache certonly will do the same as above but will not generate the HTTPS.conf file.

You can also pass all necessary parameters to avoid the dialogue. According to the information provided in the question our command should look like:

sudo letsencrypt --apache certonly --rsa-key-size 4096 --email [email protected] -d my.domain.name.de

Let's assume you choose the last approach. The command will generate all necessary certificate files and they will be placed in the folder /etc/letsencrypt/archive/my.domain.name.de/. Also these files will be sym-linked into the folder /etc/letsencrypt/live/my.domain.name.de/. These symlinks will be updated automatically in the future, so we will use them.

3rd - configure (manually) your HTTPS VirtualHost. According to the above the configuration file should look like:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>

        ServerAdmin [email protected]
        ServerName my.domain.name.de
        DocumentRoot /var/www/mysslsite

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/my.domain.name.de/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.name.de/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/my.domain.name.de/chain.pem

        <Directory /var/www/mysslsite>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/mysite.ssl.error.log
        CustomLog ${APACHE_LOG_DIR}/mysite.ssl.access.log combined

    </VirtualHost>
</IfModule>

4th - a2ensite the new VirtualHost, a2enmod ssl just in case, and restart Apache. That's it. I hope now you will have HTTPS access to your site.

5th - renew your certificate in the future. For this purpose you can edit root's crontab and add a job which will try to letsencrypt renew the certificates, every Sunday at 3:00 AM for example. Type sudo crontab -e and add this line at the bottom:

0 3 * * 0 /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.log 2>&1



Notes:

  • letsencrypt / python-letsencrypt-apache is available for Ubuntu 16.04 and above; for previous versions there is certbot, which is almost the same - from Ubuntu Manuals.

  • If you have a few VirtualHosts you can use this syntax to generate their certificates (all together):

    sudo letsencrypt --apache certonly --rsa-key-size 4096 --email [email protected] -d my.domain.name-1.de -d my.domain.name-2.de -d my.domain.name-3.de
    
  • certbot.eff.org - Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.

  • The above answer is based on this one, where more details about the Apache's VH configuration are provided.


Read here how and why you should update your letsencrypt/certbot until February 13th, 2019: Failed to upgrade certbot on Ubuntu Bionic
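
As an added example (not part of the original answer): a POSIX shell check that reads the SSLCertificateFile and SSLCertificateKeyFile paths from a VirtualHost file like the one in the 3rd step, confirms the private key belongs to the certificate, and reports whether the certificate expires within a given number of days. The function names and return codes are this example's own; it assumes openssl is installed and that the script can read the key file (normally root only).

```shell
#!/bin/sh
# Added example, not from the original answer. Function names and
# return codes are this example's own choices.

# ssl_directive CONF NAME: print the first path given to directive NAME.
# Directive names are matched case-insensitively, as Apache does; lines
# whose first field starts with '#' never match, so comments are skipped.
ssl_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_vhost_cert CONF [DAYS]
# 0 = ok, 1 = file missing/unreadable, 2 = key does not match certificate,
# 3 = certificate expires within DAYS (default 30).
check_vhost_cert() {
    conf=$1
    days=${2:-30}
    cert=$(ssl_directive "$conf" SSLCertificateFile)
    key=$(ssl_directive "$conf" SSLCertificateKeyFile)
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "unreadable: cert='$cert' key='$key'"; return 1
    fi
    # Same key pair <=> the public key in the certificate equals the
    # public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "mismatch: $key is not the key for $cert"; return 2
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "expiring: $cert has less than $days days left"; return 3
    fi
    echo "ok: $cert ($(openssl x509 -in "$cert" -noout -enddate))"
}

# Stand-alone use: sh check.sh /etc/apache2/sites-available/<site>.conf [days]
if [ "$#" -gt 0 ]; then check_vhost_cert "$@"; fi
```

A non-zero result after a renewal run usually means the VirtualHost points at a copied file rather than the symlinks under /etc/letsencrypt/live/.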