Installing a wildcard domain SSL certificate on Amazon AWS EC2 Ubuntu

I recently needed to add a wildcard SSL certificate, purchased from Network Solutions, to an AWS EC2 instance running Ubuntu 12.04. Here are the steps I followed:

First, unzip the archive that Network Solutions provides into your home directory. Mine is at /home/ubuntu/certificates and contains these files:

  • AddTrustExternalCARoot.crt
  • OV_NetworkSolutionsOVServerCA2.crt
  • OV_USERTrustRSACertificationAuthority.crt
  • STAR.MYWEBSITE.COM.crt

You will use all of the above files except AddTrustExternalCARoot.crt. That one is the legacy AddTrust root, needed only for very old clients (for example, on an intranet) that do not yet have the USERTrust RSA root in their trust store. Not my use case, so I will not go into it further.

Next, copy your private key (the one used to generate the certificate signing request you submitted to Network Solutions) and the signed wildcard certificate into the Apache SSL directory (create /etc/apache2/ssl first if it does not exist), and make sure the key is readable only by root:

sudo cp /home/ubuntu/certificates/server.key /home/ubuntu/certificates/STAR.MYWEBSITE.COM.crt /etc/apache2/ssl/
sudo chmod 600 /etc/apache2/ssl/server.key

Concatenate the two intermediate CRT files into a chain file in the Apache SSL directory. Order matters: Apache sends the chain in the order it appears in the file, and TLS clients expect the certificate that issued your server certificate first (OV_NetworkSolutionsOVServerCA2.crt), followed by the certificate that issued that one (OV_USERTrustRSACertificationAuthority.crt). A shell redirection with > runs as your own user, not as root, so write the file through sudo tee:

cat /home/ubuntu/certificates/OV_NetworkSolutionsOVServerCA2.crt /home/ubuntu/certificates/OV_USERTrustRSACertificationAuthority.crt | sudo tee /etc/apache2/ssl/NetworkSolutionsChain.crt > /dev/null

then

cd /etc/apache2/sites-enabled

For each of your enabled vhosts, add a new VirtualHost block for port 80 that redirects all plain-HTTP traffic to https, then change the original VirtualHost to respond on 443 and declare the paths to your SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. Give the 443 block its own ServerName so Apache can select the right vhost from the name the client sends (SNI). If mod_ssl is not yet enabled, run sudo a2enmod ssl first:

<VirtualHost *:80>
    ServerName example.mywebsite.com
    Redirect permanent / https://example.mywebsite.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.mywebsite.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/STAR.MYWEBSITE.COM.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCertificateChainFile /etc/apache2/ssl/NetworkSolutionsChain.crt
    # ... your other declarations ...
</VirtualHost>

If you are going to have multiple virtual hosts running on port 443, you’ll want to avoid triggering this error:

[warn] _default_ VirtualHost overlap on port 443, the first has precedence

To do so, edit the /etc/apache2/ports.conf:

sudo vi /etc/apache2/ports.conf

Then find the <IfModule mod_ssl.c> block and change it to match:

<IfModule mod_ssl.c> 
    # If you add NameVirtualHost *:443 here, you will also have to change 
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl 
    # to <VirtualHost *:443> 
    # Server Name Indication for SSL named virtual hosts is currently not 
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

Next edit /etc/apache2/sites-available/default-ssl and change the line:

<VirtualHost _default_:443>

to:

<VirtualHost *:443>

Test that your edits are syntactically correct and that the certificate files exist, then list the parsed virtual hosts to confirm that nothing overlaps on port 443:

sudo apache2ctl configtest
sudo apache2ctl -S

You should get a "Syntax OK" response, at which point you can reload your Apache configuration:

sudo service apache2 reload

Now, visit your website using https to confirm!
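A browser check confirms the handshake works for one client, but it will not tell you why it fails when it does. configtest only checks that the files exist and parse; it does not check that the key belongs to the certificate or that the chain file is in the order TLS clients expect. The script below is an added example and not part of the original post: it builds a throwaway root -> intermediate -> wildcard-leaf hierarchy with openssl (constructed test data standing in for the Network Solutions files; the CA names and *.mywebsite.com subject are assumptions) and runs three checks against it, including one that catches a chain file concatenated in the wrong order, which openssl verify alone does not. For the real deployment, point the same three functions at STAR.MYWEBSITE.COM.crt, server.key and NetworkSolutionsChain.crt under /etc/apache2/ssl, with the system bundle (/etc/ssl/certs/ca-certificates.crt on Ubuntu) as the root file.

```shell
#!/bin/sh
# Added example: check a server key, certificate and intermediate chain the way
# a TLS client will see them. Not from the original post; the CA names and the
# "*.mywebsite.com" subject below are constructed test data.
set -eu

# Does the private key belong to the certificate? Compare the encoded public
# keys rather than an RSA modulus so the check also works for EC keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

# Does the leaf chain up to a trusted root via the intermediates in $2?
# openssl verify builds the chain from the pool in any order, so this proves
# the chain is valid but says nothing about the order in the file.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# Is the chain file ordered the way SSLCertificateChainFile is sent, leaf
# issuer first? Entry 1 must be the issuer of the leaf, entry 2 the issuer of
# entry 1, and so on. Returns non-zero (and says where) on the first mismatch.
check_chain_order() {
    leaf=$1; chain=$2
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
                       n > 0 { print > f }' "$chain"
    [ -f "$tmp/cert-1.pem" ] || { rm -rf "$tmp"; return 1; }
    want=$(openssl x509 -noout -issuer -in "$leaf" | sed 's/^issuer=//')
    i=1; status=0
    while [ -f "$tmp/cert-$i.pem" ]; do
        have=$(openssl x509 -noout -subject -in "$tmp/cert-$i.pem" | sed 's/^subject=//')
        if [ "$have" != "$want" ]; then
            echo "chain entry $i is '$have', expected the issuer '$want'" >&2
            status=1
            break
        fi
        want=$(openssl x509 -noout -issuer -in "$tmp/cert-$i.pem" | sed 's/^issuer=//')
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $status
}

# Constructed test data: root -> intermediate -> wildcard leaf, plus one chain
# file in the correct order and one concatenated the wrong way round.
make_test_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.mywebsite.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/chain-good.crt"   # issuer of the leaf first
    cat "$dir/root.crt" "$dir/int.crt" > "$dir/chain-bad.crt"    # root first: wrong order
}

# Stand-alone run against the constructed PKI. For a real deployment, call the
# three check functions on the files under /etc/apache2/ssl instead.
work=$(mktemp -d)
make_test_pki "$work"
key_matches_cert "$work/server.crt" "$work/server.key" && echo "key matches certificate"
verify_chain "$work/root.crt" "$work/chain-good.crt" "$work/server.crt" && echo "chain verifies to root"
check_chain_order "$work/server.crt" "$work/chain-good.crt" && echo "chain order correct"
check_chain_order "$work/server.crt" "$work/chain-bad.crt" || echo "reversed chain rejected"
rm -rf "$work"
```

The reversed chain still passes verify_chain, because openssl verify (like most desktop browsers) reassembles the chain from whatever it is given; stricter clients, such as many mobile and embedded TLS stacks, take the order in the file literally, which is why check_chain_order is the test worth running before the reload.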
