In my case, I had not enabled the 'default-ssl' site. Only '000-default' was listed in the /etc/apache2/sites-enabled folder.
Enable the SSL site on Ubuntu 14 LTS, Apache 2.4.7:
a2ensite default-ssl
service apache2 reload
I bought a Comodo SSL certificate and submitted the CSR (Certificate Signing Request) generated by my server to the SSL management site.
With the 3 files it returned to me,
- AddTrustExternalCARoot.crt
- PositiveSSLCA2.crt
- www_example_com.crt
I uploaded them to my /etc/ssl/ssl-certs folder, updated my virtual host in my sites-available, and restarted accordingly.
# sample ip address
NameVirtualHost 107.167.120.195:80
NameVirtualHost 107.167.120.195:443
# ......... normal http virtual host (working well)
<VirtualHost 107.167.120.195:443>
ServerAdmin [email protected]
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example
SSLEngine on
SSLCertificateFile /etc/ssl/ssl-certs/www_example_com.crt
SSLCertificateKeyFile /etc/ssl/ssl-certs/server.key
SSLCertificateChainFile /etc/ssl/ssl-certs/PositiveSSLCA2.crt
</VirtualHost>
I also ran 'a2enmod ssl' and it is enabled.
This is the error I get when I access the https web page in Chrome:
SSL connection error
Error code: ERR_SSL_PROTOCOL_ERROR
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
I also checked my Apache log files and there seems to be an error saying that the Common Name (CN) is not the same as the server.
RSA server certificate CommonName (CN) 'www.example.com' does NOT match server name!?
and
Invalid method in request \x16\x03\x01
What should I do?
EDIT:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.key
Generating a 2048 bit RSA private key
..........................................+++
................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CompanyName
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Password123
An optional company name []:CompanyName
And it generated the CSR; in my SSL certificate management, the URL I provided was also www.example.com.
Edit
openssl s_client -connect 107.167.120.195:443  # sample ip address
and it returns the following
CONNECTED(00000003)
140401734006440:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
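The log entry `Invalid method in request \x16\x03\x01` quoted in the question is the start of a TLS record (a ClientHello) that reached a virtual host speaking plain HTTP, which is consistent with the `unknown protocol` result from `openssl s_client`. The following Python sketch is an added example, not part of the original question or answer; it decodes such escaped bytes from error-log lines. The function names and the sample log lines (timestamps, pid, client address) are constructed for illustration.

```python
import re

# Apache escapes non-printable request bytes as \xNN in its error log.
TLS_IN_LOG = re.compile(r"Invalid method in request ((?:\\x[0-9a-fA-F]{2})+)")

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
# Record-layer version bytes (major, minor); not the negotiated version.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
            (3, 3): "TLS 1.2"}


def decode_tls_prefix(raw: bytes):
    """Return (content_type, version) if raw starts like a TLS record, else None."""
    if len(raw) < 3 or raw[0] not in CONTENT_TYPES or raw[1] != 3:
        return None
    version = VERSIONS.get((raw[1], raw[2]), f"unknown 3.{raw[2]}")
    return CONTENT_TYPES[raw[0]], version


def find_tls_on_plain_http(log_lines):
    """Flag error-log lines where a TLS record was parsed as an HTTP request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = TLS_IN_LOG.search(line)
        if not match:
            continue
        raw = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", match.group(1)))
        decoded = decode_tls_prefix(raw)
        if decoded:
            hits.append((number, *decoded))
    return hits


# Constructed sample lines (timestamps, pid and client address are invented).
SAMPLE_LOG = [
    r"[Mon Jan 01 10:00:00 2024] [ssl:warn] [pid 1234] RSA server certificate "
    r"CommonName (CN) 'www.example.com' does NOT match server name!?",
    r"[Mon Jan 01 10:00:05 2024] [core:error] [pid 1234] [client 192.0.2.10:51000] "
    r"Invalid method in request \x16\x03\x01",
]

if __name__ == "__main__":
    for number, ctype, version in find_tls_on_plain_http(SAMPLE_LOG):
        print(f"line {number}: TLS {ctype} record ({version}) reached a plain-HTTP vhost")
```

A hit means the port the client connected to is being served without `SSLEngine on`, so the next check is which virtual hosts are actually enabled for that address and port.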