Configuring Apache to use your Gandi SSL Certificate

Installing Apache 2

First, install Apache on the server:

aptitude install apache2

Then, you need to activate the ssl module (we will reload Apache later):

a2enmod ssl

Next, make sure that Apache listens on the HTTPS port. In the file /etc/apache2/ports.conf, add the following if it is not already present:

<IfModule mod_ssl.c>
    Listen 443
    NameVirtualHost YOUR_IP_ADDRESS:443
</IfModule>

The NameVirtualHost line is only needed on Apache 2.2. On Apache 2.4 the directive has no effect and only produces a warning at startup, so you can leave it out there.

Obtaining the intermediate certificates

So that your certificate is recognized as having been issued by a trusted certification authority, you need to retrieve the intermediate certificates issued by Gandi: Retrieving the Gandi intermediate certificate

Activate a domain under Apache SSL

Install your private key, your certificate and the intermediate certificate(s) needed to form the chain in, for example, /etc/ssl:

cp cert-domain.tld.crt /etc/ssl/certs/domain.tld.crt
cp myserver.key /etc/ssl/private/domain.tld.key
cp GandiXXXSSLCA.pem /etc/ssl/certs/GandiXXXSSLCA.pem

Don't forget to replace every occurrence of domain.tld with your own domain. The exact filename GandiXXXSSLCA.pem varies depending on which type of certificate you got from Gandi. The private key must not be readable by other users: keep it under /etc/ssl/private, which on Debian is not world-accessible, and restrict the file itself to root.

To add a domain name to your secure Apache, create a dedicated website:

vi /etc/apache2/sites-available/000-domain.tld-ssl

On Apache 2.4 the site file name must end in ".conf" (only sites-enabled/*.conf is included), so name the file /etc/apache2/sites-available/000-domain.tld-ssl.conf there. If a2ensite later reports "site does not exist", the missing suffix is the cause.

…and add the virtualhost of your domain in the following manner:

  <VirtualHost YOUR_IP_ADDRESS:443>

        ServerName www.domain.tld
        ServerAlias domain.tld
        DocumentRoot /var/www/www.domain.tld/
        CustomLog /var/log/apache2/secure_access.log combined

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/domain.tld.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
        SSLCertificateChainFile /etc/ssl/certs/GandiXXXSSLCA.pem
        SSLVerifyClient None

  </VirtualHost>

Then enable the SSL site and reload Apache. Check the configuration syntax first (apache2ctl configtest), because a wrong certificate or key path makes the reload fail:

a2ensite 000-domain.tld-ssl
/etc/init.d/apache2 reload

If your server has a firewall, do not forget to open the HTTPS port 443.

For Apache versions >= 2.4.8

Starting with 2.4.8, Apache has deprecated the SSLCertificateChainFile directive, and you may see the following warning in the error log:

The SSLCertificateChainFile directive is deprecated, SSLCertificateFile should be used instead.

The new method is to keep the whole chain in the file named by SSLCertificateFile: concatenate domain.tld.crt followed by GandiXXXSSLCA.pem into a single PEM file (the server certificate must come first, then each intermediate in issuing order), point SSLCertificateFile at that combined file, and remove the SSLCertificateChainFile line. Apache then serves every certificate found in that file. Reload Apache and check the served chain as described below.

Check your completed SSL chain

Run the following openssl command against your server's IP address (or hostname) and the port of the service (443 for apache2/SSL). The -servername option sends the hostname via SNI so that the right virtual host answers, and -showcerts prints every certificate the server sends. At the end of the output, "Verify return code: 0 (ok)" means the chain was accepted; "Verify return code: 21 (unable to verify the first certificate)" usually means the intermediate certificate is not being served:

openssl s_client -connect ip.ip.ip.ip:port -servername www.domain.tld -showcerts

Or you can use http://www.digicert.com/help/ to visualize the chain in a more graphical way.
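The install step above, the single-file method for Apache >= 2.4.8 and the chain check, as an added shell example (not Gandi's code): it builds the combined certificate file, checks that the server certificate comes first, that the private key belongs to the certificate, that the chain verifies up to a trusted root, and that the key is not readable by other users. The root CA, the intermediate (named GandiTestSSLCA.pem here) and the server certificate are generated as constructed test data so that the script runs offline; on a real server you would point the same functions at /etc/ssl/certs/domain.tld.crt, /etc/ssl/certs/GandiXXXSSLCA.pem and /etc/ssl/private/domain.tld.key.

```shell
#!/bin/sh
# Added example (not Gandi's own code): build and check the certificate files
# before handing them to Apache. File names follow the article; the CA,
# intermediate and server certificate created by make_test_pki are constructed
# test data so that the script runs offline.
set -eu

# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# First certificate block of a PEM file (used to check ordering).
first_cert() {
    awk '/BEGIN CERTIFICATE/ {p = 1} p {print} /END CERTIFICATE/ {exit}' "$1"
}

# Apache >= 2.4.8: SSLCertificateFile may hold the whole chain, server
# certificate first, then each intermediate.  build_chain OUT leaf [intermediate...]
build_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # Make sure every file ends with a newline, or two blocks run together.
        if [ -n "$(tail -c1 "$f")" ]; then printf '\n' >> "$out"; fi
    done
}

# The server certificate must be the first block of the combined file.
chain_leaf_first() {
    [ "$(first_cert "$1")" = "$(first_cert "$2")" ]
}

# A key that Apache reads as root must carry no group/other permissions.
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# The private key belongs to the certificate iff their public keys match.
key_matches_cert() {
    c="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
    k="$(openssl pkey -in "$2" -pubout | openssl sha256)"
    [ "$c" = "$k" ]
}

# verify_chain ROOT INTERMEDIATES LEAF: the intermediates are untrusted links,
# only the root is trusted, which is what a browser does with the served chain.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" > /dev/null
}

# Constructed test PKI: root -> intermediate (GandiTestSSLCA.pem) -> www.domain.tld
make_test_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2> /dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2> /dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/GandiTestSSLCA.pem" 2> /dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.domain.tld' \
        -keyout "$d/domain.tld.key" -out "$d/leaf.csr" 2> /dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/GandiTestSSLCA.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/cert-domain.tld.crt" 2> /dev/null
    chmod 600 "$d/domain.tld.key"
}

DEMO_DIR="$(mktemp -d)"
if command -v openssl > /dev/null 2>&1; then
    make_test_pki "$DEMO_DIR"
    build_chain "$DEMO_DIR/domain.tld.chained.crt" \
        "$DEMO_DIR/cert-domain.tld.crt" "$DEMO_DIR/GandiTestSSLCA.pem"
    chain_leaf_first "$DEMO_DIR/domain.tld.chained.crt" "$DEMO_DIR/cert-domain.tld.crt"
    key_matches_cert "$DEMO_DIR/cert-domain.tld.crt" "$DEMO_DIR/domain.tld.key"
    verify_chain "$DEMO_DIR/root.pem" "$DEMO_DIR/GandiTestSSLCA.pem" "$DEMO_DIR/cert-domain.tld.crt"
    key_perms_ok "$DEMO_DIR/domain.tld.key"
    echo "all checks passed; point SSLCertificateFile at $DEMO_DIR/domain.tld.chained.crt"
fi
```

openssl verify with -untrusted reproduces what a client does with the certificates the server sends: the intermediate is only a link, and the chain is accepted only if it ends at a root the client already trusts. On Apache >= 2.4.8 the resulting domain.tld.chained.crt is the file SSLCertificateFile should point to; on older versions keep the two files separate as in the VirtualHost above.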