Need help with my SSL config please

I followed the instructions here: https://library.linode.com/web-servers/apache/ssl-guides/ubuntu-12.04-precise-pangolin#sph_install-a-commercial-ssl-certificate

When I submitted the CSR to RapidSSL, it told me to go back and get a 2048 request. I figured out how to do that and resubmitted the request and got my private cert (I chose sha-2).

Here is my ports.conf:

```apache
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost 198.74.54.233:443
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
```

----------

My virtual host file

```apache
<VirtualHost *:80>
  # Admin email, Server Name (domain name), and any aliases
  ServerAdmin rick@flyingdingo.com
  ServerName  k9hq.org

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html index.php
  DocumentRoot /home/rick/public/k9hq.org/public

  # Log file locations
  LogLevel warn
  ErrorLog  /home/rick/public/k9hq.org/log/error.log
  CustomLog /home/rick/public/k9hq.org/log/access.log combined
</VirtualHost>

<VirtualHost 198.74.54.233:443>
    SSLEngine On
    # "all" enables every protocol mod_ssl supports, SSLv2 and SSLv3 included;
    # on Apache 2.2 "all -SSLv2 -SSLv3" serves TLS only.
    SSLProtocol all
    SSLCertificateFile /etc/apache2/ssl/k9hq.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/k9hq.org.key
    # The RapidSSL intermediate has to be sent to clients as part of the chain.
    # On Apache 2.2 that is SSLCertificateChainFile; SSLCACertificateFile would
    # instead configure the CAs used to verify client certificates.
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.cer

    ServerAdmin hello@k9hq.org
    ServerName k9hq.org
    DocumentRoot /home/rick/public/k9hq.org/public
    ErrorLog  /home/rick/public/k9hq.org/log/error.log
    CustomLog /home/rick/public/k9hq.org/log/access.log combined
</VirtualHost>
```

Apache does not throw errors when I reload the service, yet I am unable to make a secure connection with a browser. Do you think I need to add something to Apache because of the 2048 cert or the SHA-2 hash? I am at a dead end.

7 Replies

Working fine here. Perhaps you're using www.k9hq.org instead of k9hq.org? 2 different domains, and your SSL certificate is only valid for the non-www one.

That is so odd. I am entering https://k9hq.org in Safari, Chrome, and Firefox in incognito mode and without, and each time I get an SSL connection error. And it’s working for you? Even now?

https://www.ssllabs.com/ssltest/analyze.html?d=k9hq.org&hideResults=on

Gives a good idea of what your SSL and config look like.

Using an SSL without www is a bit confusing for some. Normally if you get the www with the domain you can use both with the same cert. You can then redirect access from https://k9hq.org to https://www.k9hq.org for more straightforward analytics.
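The checks behind the questions raised so far in this thread (does the re-issued 2048-bit key actually belong to the certificate, does the intermediate really sign it, is the signature SHA-2, and does the certificate cover www.k9hq.org as well as k9hq.org), as an added example that is not code from the original post or any reply. It assumes only an openssl CLI on PATH; make_fixtures builds a constructed root -> intermediate -> leaf chain that stands in for the posted k9hq.org.crt, k9hq.org.key and intermediate.cer, so everything runs offline.

```shell
#!/bin/sh
# Offline checks for an Apache mod_ssl certificate set. Added example, not code
# from the thread. Assumes only the openssl CLI on PATH; make_fixtures builds a
# constructed root -> intermediate -> leaf chain that stands in for the posted
# k9hq.org.crt, k9hq.org.key and intermediate.cer.
set -u

# 0 when the RSA private key belongs to the certificate (same modulus).
# A CSR regenerated at 2048 bits comes with a new key; the old key will not match.
cert_key_match() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 when LEAF verifies up to ROOT through INTERMEDIATE, i.e. the intermediate
# file really is the issuer of this certificate (the one to serve to clients).
chain_ok() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Prints the public key size in bits (2048 is what RapidSSL asked for).
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Prints the signature algorithm; a SHA-2 certificate shows sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# 0 when HOSTNAME is listed among the certificate's subjectAltName DNS entries.
# A certificate issued for k9hq.org alone does not cover www.k9hq.org.
cert_covers() {
    openssl x509 -in "$2" -noout -text | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$1"
}

# Constructed test chain (root -> intermediate -> leaf) plus an unrelated key,
# written into directory $1 so the checks can run without the real files.
make_fixtures() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:k9hq.org,DNS:www.k9hq.org\n' > "$d/leaf.ext"
    for n in root intermediate leaf other; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
    done
    openssl req -new -key "$d/root.key" -subj "/CN=Test Root" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -sha256 -days 1 -out "$d/root.crt" 2>/dev/null
    openssl req -new -key "$d/intermediate.key" -subj "/CN=Test Intermediate" \
        -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -sha256 -days 1 -out "$d/intermediate.crt" 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=k9hq.org" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -sha256 -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Summary for one certificate set; pass the real paths from the vhost to check a deployment.
report() {
    cert=$1; key=$2; inter=$3; root=$4
    echo "key bits:       $(key_bits "$cert")"
    echo "signature:      $(sig_alg "$cert")"
    echo "key matches:    $(cert_key_match "$cert" "$key" && echo yes || echo NO)"
    echo "chain verifies: $(chain_ok "$cert" "$inter" "$root" && echo yes || echo NO)"
    for h in k9hq.org www.k9hq.org; do
        echo "covers $h: $(cert_covers "$h" "$cert" && echo yes || echo NO)"
    done
}

# Demo run against the constructed chain.
tmp=$(mktemp -d)
make_fixtures "$tmp"
report "$tmp/leaf.crt" "$tmp/leaf.key" "$tmp/intermediate.crt" "$tmp/root.crt"
rm -rf "$tmp"
```

Against a live deployment, call report with the files under /etc/apache2/ssl plus the CA's root certificate; a "NO" on the chain line usually means the wrong intermediate was downloaded for the re-issued certificate, and a "NO" on the www line means the browser warning for https://www.k9hq.org is expected rather than a server fault.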

I'm not getting any errors in Firefox 24 ESR. It would help if you posted the precise error message you're getting from your browsers.

Using 2048 bit RSA is fine, but SHA-2 is a little unusual and may pose a problem with really old browsers. But that's probably not the issue here, if it's not even working for you in Chrome.

Thanks, AGWA. I have isolated it to a problem with my home net through Comcast. I can take my laptop and phone to other networks, and everything works as expected. Now I’m trying to figure out what change Comcast has made to their network that is causing me this trouble.

This just sounds like a DNS issue. Comcast has their own DNS that is used as default for all customers. You are essentially switching to a different DNS whenever you move to a new Wifi with your laptop, or access the site over your phone's network. Switching to Google's DNS or OpenDNS at home might also help avoid future issues like this. In my experience, a public DNS like Google's will always propagate changes across the web faster than an ISP's private one.
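A way to test the resolver diagnosis in the reply above, as an added example that is not code from the thread: ask the zone's own authoritative server for the record and compare what the system resolver, Google's and OpenDNS's resolvers return against it. The live part assumes the dig CLI and network access; the comparison logic runs on constructed answer lists (labelled as such in the code) and needs neither.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the A records several resolvers
# return for a name against the zone's authoritative answer, to tell a stale or
# divergent home resolver apart from a server-side problem. Live queries assume
# the dig CLI; same_answers itself needs no network.
set -u

# Normalise an answer list: one record per line, trailing space dropped, sorted, deduplicated.
normalize() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# 0 when two resolvers' answer sets are identical, 1 when they differ.
same_answers() {
    [ "$(normalize "$1")" = "$(normalize "$2")" ]
}

# Live lookup: A records for $1 from resolver $2 (empty string = system default).
lookup() {
    if [ -n "$2" ]; then dig +short "@$2" "$1" A; else dig +short "$1" A; fi
}

# Live comparison: the authoritative server's answer is the reference; each
# resolver is reported as agreeing with it or differing from it.
compare_resolvers() {
    name=$1
    auth_ns=$(dig +short "$name" NS | head -n 1)
    reference=$(dig +short "@$auth_ns" "$name" A)
    printf 'authoritative (%s): %s\n' "$auth_ns" "$(normalize "$reference" | tr '\n' ' ')"
    for r in "" 8.8.8.8 208.67.222.222; do
        got=$(lookup "$name" "$r")
        if same_answers "$reference" "$got"; then status=agrees; else status=DIFFERS; fi
        printf '%-16s %-8s %s\n' "${r:-system}" "$status" "$(normalize "$got" | tr '\n' ' ')"
    done
}

# Constructed sample (not real dig output): the server's current address as a
# public resolver would return it, and an assumed stale address from a resolver
# that has not picked up the change. Prints "differ" for this pair.
demo() {
    current='198.74.54.233'
    stale='203.0.113.10'
    if same_answers "$current" "$stale"; then echo agree; else echo differ; fi
}

# Usage: sh dns_compare.sh k9hq.org   (live, needs dig and network)
if [ $# -eq 1 ]; then compare_resolvers "$1"; else demo; fi
```

If only the system resolver line shows DIFFERS, the home network's DNS is the problem and pointing the router or laptop at one of the public resolvers is the fix; if every resolver agrees with the authoritative answer, the resolver theory is ruled out and the next suspect is the path to port 443 itself.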
