I'm trying to enable SSL (TLS?). I ran into these errors and I have these questions.

  1. Why did apache not restart? And how do I get it to restart? Replacing restart with start does not work.
  2. Could skipping step three be causing the problem? If so how do I complete step three?
  3. I actually created a new .csr and .key file (I'm new to all of this) with different names. Could this be causing the problem? The .csr and .key files that are there are named something different than the new ones I created. Should I replace the old .csr and .key files with the new ones I created to get the .crt files? Should I replace the old .csr and .key files by renaming the new ones I created and adding the new files to the directory, overwriting the old files?

I followed these steps which can be found here

https://wiki.bitnami.com/Components/Apache#How_to_enable_HTTPS_support_with_SSL_certificates.

I got two certificates from my CA. One was named a random alphanumeric string such as 8d0g03k02K.crt; the other was named using common English and had the word bundle in it, dot crt. What I did was rename the random string to server.crt and the file with the word bundle in it to server-ca.crt. Both of these files end with .crt.

Next, with the help of FTP, I replaced the server.crt file that was in /opt/bitnami/apache2/conf/ with the .crt file that I renamed to server.crt from the random alphanumeric string. I also uploaded the file renamed to server-ca.crt from the file name that used the word bundle in it.

Now I try step three below, but when I open httpd.conf and search for SSLCertificateKeyFile to add /opt/bitnami/apache2/conf/server-ca.crt, there is no SSLCertificateKeyFile in httpd.conf.

I then proceed on to steps 4 and 5 because I don't know what to do with step 3.

When I type the command to restart, it starts to restart OK and then I get an error: httpd could not be restarted.

Here are the instructions I followed:

By default, your application is hosted at the root of your custom domain name, e.g. a WordPress blog hosted at https://my-domain.com/

Follow these steps to activate SSL support:

1. Use the table below to identify the correct locations for your certificate and configuration files.

   Current application URL: https://[custom-domain]/ (example: https://my-domain.com/)
   Apache configuration file: /opt/bitnami/apache2/conf/bitnami/bitnami.conf
   Certificate file: /opt/bitnami/apache2/conf/server.crt
   Certificate key file: /opt/bitnami/apache2/conf/server.key
   CA certificate bundle file (if present): /opt/bitnami/apache2/conf/server-ca.crt

2. Copy your SSL certificate and certificate key file to the specified locations. Find out more about uploading and editing files.

NOTE: If you use different names for your certificate and key files, you should reconfigure the SSLCertificateFile and SSLCertificateKeyFile directives in the corresponding Apache configuration file to reflect the correct file names.

3. If your certificate authority has also provided you with a PEM-encoded Certificate Authority (CA) bundle, you must copy it to the correct location in the previous table. Then, modify the Apache configuration file to include the following line below the SSLCertificateKeyFile directive. Choose the correct directive based on your scenario and Apache version:

   Apache configuration file: /opt/bitnami/apache2/conf/bitnami/bitnami.conf
   Directive to include (Apache v2.4.8+): SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"
   Directive to include (Apache < v2.4.8): SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"

4. Once you have copied all the server certificate files, you may make them readable by the root user only with the following commands:

sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*

5. Restart the Apache server.

sudo /opt/bitnami/ctlscript.sh restart apache

You should now be able to access your application using an HTTPS URL.

  • 1
    Could you include the specific error messages that apache is throwing and/or log file detailing the events?
    – mdpc
    Commented Dec 20, 2014 at 23:03
  • Syntax OK ...scripts/ctl.sh : httpd stopped Syntax OK ...2/scripts/ctl.sh : httpd could not be started. There are a lot of different log files; is there a specific one I should be looking for? And what should I be looking for in that log file that would help here?
    – Jason
    Commented Dec 20, 2014 at 23:37

2 Answers 2

1

SSLCertificateKeyFile is the most important part of SSL. SSLCertificateKeyFile is used to encrypt the data you send to Mr Smith's browser as he points it to your address. Mr Smith's browser uses SSLCertificateFile to decrypt the traffic, so it needs to exactly match SSLCertificateKeyFile (secondly, Smith uses it to prevent a man-in-the-middle attack, but that's another story).

Apache checks if .key matches .crt on startup, so no wonder it doesn't start if you have no key, or mismatched key.

Your instruction is only partial. It is missing the beginning: you generated your .key file as the very first step (even before you had any .crt), which you now want to place in /opt/bitnami/apache2/conf/server.key, making sure you have an SSLCertificateKeyFile /opt/bitnami/apache2/conf/server.key entry.

So fix this, and also add server-ca.crt as stated in the instruction.

The crucial thing about .key, which you could have missed, is that the server.crt you receive is only usable when you have exactly the same .key that was generated together with it in the same process.

The generation flows this way: together with .key file, you generated a .csr file. These two match each other. Next, the .csr file has been converted by some company into server.crt file, which still matches the same .key. And only this one. The .crt is the file which is actually useful for SSL.

The .csr file is only needed for your certification authority as an input file from which they generate a .crt file, you don't use it for the actual SSL connection.
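The matching the answer describes (key to CSR, key to certificate, certificate to CA bundle) can be verified with openssl before restarting Apache. This is an added example, not code from the answer or from the Bitnami documentation; it assumes openssl is on PATH, uses the Bitnami paths from the question's instructions (overridable through CONF_DIR), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the answer or the Bitnami docs. Checks that the
# private key, the CSR, the server certificate and the CA bundle belong
# together: the key/certificate match is the same check Apache performs at
# startup, and a mismatch is the usual cause of "httpd could not be started"
# after swapping certificate files. Assumes openssl is on PATH.
CONF_DIR="${CONF_DIR:-/opt/bitnami/apache2/conf}"

# Public key (PEM) extracted from a private key, a CSR or a certificate.
pub_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr() { openssl req -in "$1" -pubkey -noout 2>/dev/null; }
pub_of_crt() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# key_matches_cert KEY CRT: returns 0 if the certificate was issued for that key.
key_matches_cert() {
    k=$(pub_of_key "$1") && c=$(pub_of_crt "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_matches_key CSR KEY: returns 0 if the CSR was generated from that key,
# i.e. the .crt the CA returns for this CSR will match the key as well.
csr_matches_key() {
    r=$(pub_of_csr "$1") && k=$(pub_of_key "$2") && [ -n "$r" ] && [ "$r" = "$k" ]
}

# bundle_issued_cert CRT BUNDLE: returns 0 if the first certificate in the
# bundle is the issuer of the server certificate (the bundle belongs to it).
bundle_issued_cert() {
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^[^=]*=//')
    sub=$(openssl x509 -in "$2" -noout -subject 2>/dev/null | sed 's/^[^=]*=//')
    [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# check_bitnami_ssl: run the checks on the files under $CONF_DIR, report each
# result, and return 1 if the key/certificate pair (the mandatory part) is wrong.
check_bitnami_ssl() {
    key="$CONF_DIR/server.key"; crt="$CONF_DIR/server.crt"; ca="$CONF_DIR/server-ca.crt"
    rc=0
    if key_matches_cert "$key" "$crt"; then echo "OK:   $crt matches $key"
    else echo "FAIL: $crt does not match $key (missing, unreadable or wrong key)"; rc=1; fi
    if [ -f "$ca" ]; then
        if bundle_issued_cert "$crt" "$ca"; then echo "OK:   $ca issued $crt"
        else echo "WARN: first certificate in $ca is not the issuer of $crt"; fi
    fi
    return $rc
}
```

Run check_bitnami_ssl after copying the files and before the ctlscript restart; a FAIL line means the .crt came back for a different .key than the one in conf/, which is what the question's renamed files would produce.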

0

Step 1

Open an SSH terminal and go to the Apache configuration directory:

cd /opt/bitnami/apache2/conf/

Step 2

Delete or rename the existing server.crt and server.key files in this directory (I prefer to rename them to server.crt_legacy and server.key_legacy):

sudo mv server.crt server.crt_legacy

sudo mv server.key server.key_legacy

Step 3

Create two new files in their place:

sudo touch server.crt

sudo touch server.key
