0

I just installed a new wildcard certificate on my Ubuntu server (there was a single certificate installed before). I modified /etc/apache2/sites-available/000-default.conf which is for one specific subdomain and updated the paths: 

<VirtualHost *:80>
        ServerName www.site.com
        ServerAlias site.com
        ServerAdmin admin@site.com
        DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
        ServerName subdomain.site.com
        Redirect permanent / https://subdomain.site.com/
</VirtualHost>

<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/ssl/site.com/ssl_certificate.crt
     SSLCertificateKeyFile /etc/ssl/site.com/ssl/*_site_com_DSA_private.key
     SSLCertificateChainFile /etc/ssl/site.com/IntermediateCA.crt

    ServerAdmin admin@site.com
    ServerName subdomain.ipdoc.com
    ProxyRequests Off
</VirtualHost>

After restarting apache2, it asks for the password for *_site_com_DSA_private.key, which I enter and apache2 starts normal [OK].

When opening the page on Chrome I get: 

subdomain.site.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

On Firefox:

no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The paths for the certificate files are double checked. The subdomain first was protected with a single certificate, only for the subdomain. Everything worked.

Ubuntu Version 14.04
Apache2 Version 2.4.7
OpenSSL Version: 1.0.1f-1ubuntu2.22
enigma969
  • 121
  • 4

1 Answers1

1

Looks like you are missing which SSL protocol and in which order to use, also you must specify on which IP should SSL be listening.

And eventually your virtual host with 443 should look like this:

<VirtualHost X.X.X.X:443>
SSLEngine on
SSLCertificateFile /home/user/ssl.cert
SSLCertificateKeyFile /home/user/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/user/ssl.ca

 #rest of directives...
</VirtualHost>

Above version will ensure compatibility with most SSL clients.

Make sure to replace X.X.X.X with your server's IP.

Line SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 tells apache which ssl protocols to use.

You can then use some online tool to test validity and quality of your server setup and SSL certificate, one good result for example could look like this:

enter image description here

Aleksandar Pavić
  • 272
  • 2
  • 11