7

I have just purchased an SSL certificate from Go Daddy. I set up the certificate to be:

www.mydomainname.com (I changed the domain as you can tell.)

I set up Apache and it is working. So when I type https://www.mydomainname.com it all works.

HOWEVER:

When I type http://www.mydomainname.com I get this error from Apache:

    Bad Request

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

I was hoping I could type

http://www.mydomainname.com for HTTP requests

and

https://www.mydomainname.com when I want secure requests.

What have I done wrong?

Here is my Apache configuration:

Under sites-enabled (I am using Ubuntu's Apache setup)

I have a file called ssl

    <IfModule mod_ssl.c>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/www.mydomainname.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.mydomainname.com.key
    </IfModule>

and another called webapp:

    <IfModule mod_proxy_ajp.c>
        ProxyRequests On
        ProxyVia On

        <Location />
            Order allow,deny
            Allow from all
            AuthType Basic
            AuthName "Restricted area"
            AuthUserFile /etc/apache2/passwd/access
            Require valid-user
            ProxyPass ajp://localhost:9999/
            ProxyPassReverse ajp://localhost:9999/
        </Location>

        <Location /uploader>
            Order allow,deny
            Satisfy Any
            Allow from all
            ProxyPass ajp://localhost:9999/uploader
            ProxyPassReverse ajp://localhost:9999/uploader
        </Location>
    </IfModule>
Peter Mortensen
  • 1
    Hi Peter. Your certificate is fine, so don't worry about having wasted money there. The problem is in your apache conf, and you'll have better luck with your question at serverfault. –  Jun 09 '09 at 19:37
  • Also, not sure why this is community wiki – Matt Simmons Jun 09 '09 at 19:51
  • Aye to both. Good with the SSL cert, and go ahead and uncheck community wiki! – squillman Jun 09 '09 at 19:55
  • 1
    This question was originally asked on Stack Overflow: http://stackoverflow.com/questions/972080/have-i-messed-up-buying-the-wrong-ssl-cert-for-my-domain-closed and automatically migrated here by voting. When questions are migrated, they are forced to "community wiki" mode, and not associated with the same user account so nobody can uncheck the wiki. – Greg Hewgill Jun 09 '09 at 20:09

4 Answers

10

Check your Apache configuration to make sure you're listening on port 80 for HTTP and port 443 for HTTPS.

In your /etc/httpd/conf/httpd.conf, you should have "Listen 80". You should also have an /etc/httpd/conf.d/ssl.conf file (probably) with "Listen 443" specified in it.

You need virtual hosts configured, one for *:80 and one for *:443. The *:443 needs to have the SSL specification in it, the *:80 should not have the SSL stuff in it.

You did not buy the wrong SSL certification.

Peter Mortensen
Matt Simmons
1

You actually need to configure 2 VHosts; the SSL VHost and the non-SSL VHost differ only by the SSL part you actually place in the VHost. Since you could have a multitude of SSL VHosts (listening on different ports), it doesn't actually make sense to provide this in a server-wide context, which I think is what you are doing.

serverhorror
1

OK, I fixed it. I got mixed up with not having VirtualHost earlier. This is the end configuration:

ssl configuration is:

    <VirtualHost *:443>
        DocumentRoot /var/www/

        <IfModule mod_proxy_ajp.c>
            ProxyRequests On
            ProxyVia On

            <Location />
                Order allow,deny
                Allow from all
                AuthType Basic
                AuthName "Restricted area"
                AuthUserFile /etc/apache2/passwd/site-access
                Require valid-user
                ProxyPass ajp://localhost:9999/
                ProxyPassReverse ajp://localhost:9999/
            </Location>

            <Location /uploader>
                Order allow,deny
                Satisfy Any
                Allow from all
                ProxyPass ajp://localhost:9999/uploader
                ProxyPassReverse ajp://localhost:9999/uploader
            </Location>
        </IfModule>

        <IfModule mod_ssl.c>
            SSLEngine On
            SSLCertificateFile /etc/apache2/ssl/www.mydomain.com.crt
            SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.key
        </IfModule>
    </VirtualHost>

Webapp configuration is:

    <VirtualHost *:80>
        DocumentRoot /var/www/

        <IfModule mod_proxy_ajp.c>
            ProxyRequests On
            ProxyVia On

            <Location />
                Order allow,deny
                Allow from all
                AuthType Basic
                AuthName "Restricted area"
                AuthUserFile /etc/apache2/passwd/site-access
                Require valid-user
                ProxyPass ajp://localhost:9999/
                ProxyPassReverse ajp://localhost:9999/
            </Location>

            <Location /uploader>
                Order allow,deny
                Satisfy Any
                Allow from all
                ProxyPass ajp://localhost:9999/uploader
                ProxyPassReverse ajp://localhost:9999/uploader
            </Location>
        </IfModule>
    </VirtualHost>
Peter Mortensen
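
A variant of the two-VirtualHost layout above, as an added example that is not part of the original answer or the poster's configuration: port 80 only redirects to HTTPS, so the Basic auth password is never sent over plain HTTP, and `ProxyRequests` is `Off` because `ProxyPass` (a reverse proxy) does not need forward proxying. The `ServerName` values and the redirect target use the question's placeholder domain and are assumptions; the syntax is Apache 2.2, as elsewhere on this page.

```apache
# Added example, not the poster's configuration. Apache 2.2 syntax.
# Assumption: ServerName is the placeholder domain from the question.

# Port 80: no proxying and no Basic auth here, so credentials are never
# sent in cleartext. Every request is redirected to the HTTPS site.
<VirtualHost *:80>
    ServerName www.mydomainname.com
    Redirect permanent / https://www.mydomainname.com/
</VirtualHost>

# Port 443: the only place the application and its login are served.
<VirtualHost *:443>
    ServerName www.mydomainname.com
    DocumentRoot /var/www/

    <IfModule mod_ssl.c>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/www.mydomainname.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.mydomainname.com.key
    </IfModule>

    <IfModule mod_proxy_ajp.c>
        # ProxyPass is a reverse proxy and works with ProxyRequests Off.
        # ProxyRequests On would additionally enable forward proxying.
        ProxyRequests Off
        ProxyVia On

        <Location />
            # Defense in depth: deny if this block is ever served without TLS.
            SSLRequireSSL
            Order allow,deny
            Allow from all
            AuthType Basic
            AuthName "Restricted area"
            AuthUserFile /etc/apache2/passwd/site-access
            Require valid-user
            ProxyPass ajp://localhost:9999/
            ProxyPassReverse ajp://localhost:9999/
        </Location>

        <Location /uploader>
            Order allow,deny
            Satisfy Any
            Allow from all
            ProxyPass ajp://localhost:9999/uploader
            ProxyPassReverse ajp://localhost:9999/uploader
        </Location>
    </IfModule>
</VirtualHost>
```

With this layout `/uploader` stays unauthenticated, as in the original, but is reached over HTTPS after the redirect.
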
0

If you TRULY bought the wrong cert and it's not just a configuration issue, then the best plan is usually to cancel/revoke your certificate and have it reissued.

Most CAs have a policy that they will do this for free for a certain period of time (i.e. 1 week).

Hope this helps.

KPWINC