How to install SSL on GCE [WordPress + Apache]

I created a private key file using the openssl command:

openssl genrsa -des3 -out private.key 2048

Entered my password, and followed by generating CSR:

openssl req -new -key privatekey.key -out csrkey.csr

I used this CSR key to create my SSL certificate through RapidSSL. They issued me 3 certificates ending in .cer, namely:

  1. CACertificate-1.cer
  2. CACertificate-2.cer
  3. ServerCertificate-1.cer

I uploaded all of these certificates to the /etc/apache2/ folder

/etc/apache2/ contains:

I then had to add the code to /etc/apache2/apache2.conf:

<VirtualHost _default_:443>
SSLEngine on
DocumentRoot /var/www/html
ServerName example.co.uk
SSLEngine on
SSLCertificateFile /etc/apache2/CACertificate-1.cer
SSLCertificateKeyFile /etc/apache2/privatekey.key
SSLCertificateChainFile /etc/apache2/chain.ctr
</VirtualHost>

My /etc/apache2/apache2.conf file didn’t have the <VirtualHost>, and when I tried to restart apache it said “SSLEngine command not defined in this module”. So I had a look around and found /etc/apache2/sites-available/default-ssl.conf, which did contain <VirtualHost>.

I proceeded by adding the code above, but after restarting apache using

sudo apachectl restart

https://example.co.uk is giving me a grey screen: SSL connection error

ERR_SSL_PROTOCOL_ERROR Hide details Unable to make a secure connection
to the server. This may be a problem with the server, or it may be
requiring a client authentication certificate that you don’t have.

1 comment

  1. Here are the steps to enable the HTTPS protocol for your Apache service on Google Compute Engine (you can safely skip the steps that you’ve already taken):

    1. Create a secure directory to install and protect your keys

    $ sudo mkdir /etc/apache2/ssl.crt
    $ cd /etc/apache2/ssl.crt

    2. Generate a private key

    $ sudo openssl genrsa -out example.key 2048

    3. Generate a certificate signing request (CSR)

    $ sudo openssl req -new -key example.key -out example.csr

    4. You can use your new CSR to obtain a valid certificate from a certificate authority (CA). Alternatively, you can generate a self-signed certificate by running the following command

    $ sudo openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt

    Caution: Self-signed certificates are not suitable for public sites.
    While a self-signed certificate implements full encryption, it will
    cause most browsers to present a warning or error when visitors try to
    access your site. The above command is provided for testing purposes
    only.

    5. Open Apache’s SSL site configuration file for editing

    $ sudo nano /etc/apache2/sites-available/default-ssl.conf

    6. Edit the following directives’ values

    SSLCertificateFile /etc/apache2/ssl.crt/example.crt

    SSLCertificateKeyFile /etc/apache2/ssl.crt/example.key

    7. Uncomment and edit SSLCertificateChainFile value, if you got a certificate chain file from your CA

    SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

    8. Save the configuration file and close it.

    9. Now enable this site configuration file

    $ sudo a2ensite default-ssl.conf

    10. You can use the command below to verify and see configuration errors

    $ sudo apachectl configtest

    11. Restart the Apache service

    $ sudo service apache2 restart

    12. Add/Enable GCE firewall rules for the following protocol:ports pairs for your VM instance

    tcp:80 and tcp:443
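
A check that can be run on the files from the steps above before restarting Apache, as an added example that is not part of the original answer: it confirms that the file given to SSLCertificateFile carries the same public key as the file given to SSLCertificateKeyFile, and that the private key is not accessible to group or others. The function names are this example's own, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-restart checks for the files named by SSLCertificateFile
# and SSLCertificateKeyFile. Function names are this example's own.

# Print the public key (PEM, SubjectPublicKeyInfo) held in a key, CSR or cert.
# An encrypted key (genrsa -des3) makes openssl prompt for its passphrase.
pubkey_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# same_pubkey KIND1 FILE1 KIND2 FILE2
# 0 = same key pair, 1 = different, 2 = a file could not be parsed.
same_pubkey() {
    pk_a=$(pubkey_pem "$1" "$2") || return 2
    pk_b=$(pubkey_pem "$3" "$4") || return 2
    [ -n "$pk_a" ] && [ "$pk_a" = "$pk_b" ]
}

# True when neither group nor others have any permission on the key file
# (characters 5-10 of the ls -l mode string are all '-').
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_vhost_files CERT KEY: report both checks, return non-zero on failure.
check_vhost_files() {
    rc=0
    if same_pubkey cert "$1" key "$2"; then
        echo "OK   $1 and $2 hold the same public key"
    else
        echo "FAIL $1 does not match $2 (wrong file, or unreadable)"; rc=1
    fi
    if key_is_private "$2"; then
        echo "OK   $2 is not accessible to group/others"
    else
        echo "FAIL $2 is accessible to group/others; chmod 600 it"; rc=1
    fi
    return $rc
}

# Usage (paths from the steps above):
# check_vhost_files /etc/apache2/ssl.crt/example.crt /etc/apache2/ssl.crt/example.key
```

`same_pubkey key example.key csr example.csr` applies the same comparison to the CSR before it is sent to the CA.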
