3

I created a privatekey file using openssl command:

openssl genrsa -des3 -out private.key 2048

Entered my password, and followed by generating CSR:

openssl req -new -key privatekey.key -out csrkey.csr

I use this CSR key to create my SSL certificate through RapidSSL. They issued me 3 certificate ending in .cer namely:

  1. CACertificate-1.cer
  2. CACertificate-2.cer
  3. ServerCertificate-1.cer

I uploaded all of these certificates to the /etc/apache2/ folder

/etc/apache2/ contains:

I then had to add the code to /etc/apache2/apache2.conf:

<VirtualHost _default_:443>
SSLEngine on
DocumentRoot /var/www/html
ServerName example.co.uk
SSLEngine on
SSLCertificateFile /etc/apache2/CACertificate-1.cer
SSLCertificateKeyFile /etc/apache2/privatekey.key
SSLCertificateChainFile /etc/apache2/chain.ctr
</VirtualHost>

My /etc/apache2/apache2.conf file didn't have the <VirtualHost>, when I tried to restart apache it it said "SSLEngine command not deined in this module". So I have a look around and found /etc/apache2/sites-available/default-ssl.conf which did contain <VirtualHost>

I proceeded by adding the code above, but after restarting apache using

sudo apachectl restart

But the https://example.co.uk is giving me a grey screen: SSL connection error

ERR_SSL_PROTOCOL_ERROR Hide details Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

GRS
  • 2,807
  • 4
  • 34
  • 72
  • Slight update for 2018, you can use https://letsencrypt.org/ to automatically handle this process on your Apache server. – jonobr1 Mar 13 '18 at 02:12

1 Answers1

3

Here are the steps to enable HTTPS protocol of your Apache service on Google Compute Engine (You can safely skip those steps that you've already taken) :

  1. Create a secure directory to install and protect your keys

$ sudo mkdir /etc/apache2/ssl.crt
$ cd /etc/apache2/ssl.crt

  1. Generate a private key

$ sudo openssl genrsa -out example.key 2048

  1. Generate a certificate signing request (CSR)

$ sudo openssl req -new -key example.key -out example.csr

  1. You can use your new CSR to obtain a valid certificate from a certificate authority (CA). Alternatively, you can generate a self-signed certificate by running the following command

$ sudo openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt

Caution: Self-signed certificates are not suitable for public sites. While a self-signed certificate implements full encryption, it will cause most browsers to present a warning or error when visitors try to access your site. The above command is provided for testing purposes only.

  1. Open Apache’s SSL site configuration file for editing

$ sudo nano /etc/apache2/sites-available/default-ssl.conf

  1. Edit the following directives’ values

SSLCertificateFile /etc/apache2/ssl.crt/example.crt

SSLCertificateKeyFile /etc/apache2/ssl.crt/example.key

  1. Uncomment and edit SSLCertificateChainFile value, if you got a certificate chain file from your CA

SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

  1. Save the configuration file and close it.

  2. Now enable this site configuration file

$ sudo a2ensite default-ssl.conf

  1. You can use the command below to verify and see configuration errors

$ sudo apachectl configtest

  1. Restart the Apache service

$ sudo service apache2 restart

  1. Add/Enable GCE firewall rules for the following protocol:ports pairs for your VM instance

tcp:80 and tcp:443

Kamran
  • 3,397
  • 26
  • 40