Bug#267477: Apache2 and SSL Quick Hints
Here is a rough outline of how to get Apache2 SSL working. I agree that
the package could be more SSL friendly out of the box. I came here to file
a bug myself ;-).
1. Have Apache working without SSL!
2. Generate your SSLCertificateFile and SSLCertificateKeyFile files. I
used the newcert-ca.sh script at http://www.openssl.org/contrib/ . If you
go this route, be sure to read the script before you start running it so
that you understand what you are doing. You will run it one time to create
a CA and a second time calling that CA to create the files for your
3. Copy the .key and .cert over to the /etc/apache2/ssl/ directory so that
they are easy to get to (and keep the .key readable by root only).
4. Copy your sites-available/default file and call it default-ssl.
***Including this file already set up is something that the APACHE2 .deb
could be doing at install time.***
5. Edit your new default-ssl as follows. In the first two lines, just edit
what is already there (so they refer to *:443 instead of *:80). The stuff
between the # SSL STUFF bars gets inserted after the <VirtualHost *:443> line:
# SSL STUFF (START) ++++++++++++++++++++++++++++++++++++++++++++++++++++
# see http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html for the meaning
# The following enables only the seven strongest ciphers.
# SSL STUFF (END) +++++++++++++++++++++++++++++++++++++++++++++++++++++++
6. Run "a2enmod ssl" and make sure that the ssl module is enabled.
7. Make sure ports.conf contains both a "Listen 80" and a "Listen
8. Test your setup by running "apache2 -D SSL -S". The results should look
something like these below:
littleguy:/etc/apache2/sites-enabled# apache2 -D SSL -S
apache2: Could not determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server 127.0.0.1 (/etc/apache2/sites-enabled/default-ssl:2)
port 443 namevhost 127.0.0.1
*:80 is a NameVirtualHost
default server 127.0.0.1 (/etc/apache2/sites-enabled/default:2)
port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/default:2)
9. "/etc/init.d/apache2 restart" and then go test your SSL (and nonSSL)
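As an added example (this is not from the bug report or from the Debian
package), here is a small POSIX shell helper that does steps 4-7 in one go:
it writes a default-ssl vhost with the mod_ssl directives filled in and then
checks the things that usually go wrong (key permissions, "Listen 443",
mod_ssl and the vhost actually enabled) without starting Apache. The
/etc/apache2 root and the certificate paths are parameters, and the cipher
and protocol settings inside the SSL STUFF block are this example's own
choices, not the ones the report used. The write_ssl_vhost, check_ssl_setup
and make_selfsigned function names are made up here.

```shell
#!/bin/sh
# Added helper, not part of the bug report: writes the default-ssl vhost from
# steps 4-5 and checks the setup from steps 3, 6 and 7 without starting Apache.
# The config root is a parameter so the script can be exercised on a scratch
# directory; the cipher and protocol choices below are this example's own.

# write_ssl_vhost ROOT CERT KEY
# Creates ROOT/sites-available/default-ssl for the given certificate and key.
write_ssl_vhost() {
    root=$1 cert=$2 key=$3
    mkdir -p "$root/sites-available"
    cat > "$root/sites-available/default-ssl" <<EOF
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/

    # SSL STUFF (START) ++++++++++++++++++++++++++++++++++++++++++++++++++++
    SSLEngine on
    SSLCertificateFile    $cert
    SSLCertificateKeyFile $key
    # Refuse the broken SSLv2 and SSLv3 protocols outright.
    SSLProtocol all -SSLv2 -SSLv3
    # Only strong suites: no NULL, export, anonymous or MD5-based ciphers.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!MD5
    # Let the server, not the client, pick the suite (Apache 2.2 or later;
    # delete this line on 2.0, which does not know the directive).
    SSLHonorCipherOrder on
    # SSL STUFF (END) +++++++++++++++++++++++++++++++++++++++++++++++++++++++
</VirtualHost>
EOF
}

# check_ssl_setup ROOT CERT KEY
# Prints every problem it finds; returns 0 only when all checks pass.
check_ssl_setup() {
    root=$1 cert=$2 key=$3 rc=0
    [ -r "$cert" ] || { echo "missing certificate: $cert"; rc=1; }
    [ -r "$key" ]  || { echo "missing private key: $key"; rc=1; }
    # The key must be readable by its owner only: a group- or world-readable
    # key lets any local user impersonate the server.
    if [ -r "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "private key $key is group/world readable; chmod 600 it"; rc=1
    fi
    # Step 7: Apache will not answer on 443 unless ports.conf says Listen 443.
    grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' \
        "$root/ports.conf" 2>/dev/null \
        || { echo "no 'Listen 443' in $root/ports.conf"; rc=1; }
    # Step 6: "a2enmod ssl" creates this symlink.
    [ -e "$root/mods-enabled/ssl.load" ] \
        || { echo "mod_ssl not enabled (run a2enmod ssl)"; rc=1; }
    # The vhost has to be enabled as well, or the SSLEngine block never loads.
    [ -e "$root/sites-enabled/default-ssl" ] \
        || { echo "default-ssl not enabled (run a2ensite default-ssl)"; rc=1; }
    return $rc
}

# make_selfsigned CERT KEY CN
# Quick self-signed pair for testing (browsers will warn), as an alternative
# to the CA route in step 2 when openssl is installed on the box.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$3" -keyout "$2" -out "$1" 2>/dev/null && chmod 600 "$2"
}

# Usage: sh apache2-ssl-check.sh /etc/apache2 \
#            /etc/apache2/ssl/apache.pem /etc/apache2/ssl/apache.key
if [ "$#" -eq 3 ]; then
    write_ssl_vhost "$1" "$2" "$3"
    check_ssl_setup "$1" "$2" "$3"
fi
```

Run it once with the three paths, fix whatever check_ssl_setup prints, then
"a2ensite default-ssl" and restart as in step 9. The permission check is the
one most people skip: a 644 key in /etc/apache2/ssl/ is readable by every
local account, which defeats the point of the certificate.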
Debian Apache Maintainers -- Could y'all include at least a sample
default-ssl file and some terse documentation in the README?