Linode Community Forums
Posted: Sun May 30, 2010 12:19 am
Junior Member
Joined: Wed Mar 17, 2010 3:24 pm
Posts: 26
Well, I must be missing something, because every time I try to restart Apache it returns [fail] but doesn't tell me what the error was. I've checked and rechecked my file paths to the various SSL files, but I'm stumped. I'm still very new to server administration and this is the first time I've tried getting a commercial SSL certificate to work. I have two other sites enabled using self-signed certificates and they seem to work just fine. Any idea where I've gone wrong with this commercial certificate? It's from Comodo, if that makes any difference.

My server
Ubuntu 10.04 with Apache 2

What seems like relevant info from my /var/log/apache2/error.log
Code:
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/apache2/sites-enabled/domain.com:60)

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)


My /etc/apache2/ports.conf
Code:
NameVirtualHost xxx.xxx.xxx.xxx:443
NameVirtualHost xxx.xxx.xxx.xxx:80
Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>


My /etc/apache2/sites-available/mydomain.com
Code:
<VirtualHost xxx.xxx.xxx.xxx:80>
   ServerAdmin webmaster@localhost
   ServerName www.domain.com
   ServerAlias domain.com
   DocumentRoot /var/www/domain.com/public
   <Directory />
      Options FollowSymLinks
      AllowOverride None
   </Directory>
   <Directory /var/www/domain.com/public>
      Options -Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order allow,deny
      Allow from All
   </Directory>

   <Directory /usr/share/phpmyadmin>
      Options -Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order deny,allow
      Deny from all
   </Directory>

   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   <Directory "/usr/lib/cgi-bin">
      AllowOverride None
      Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
      Order allow,deny
      Allow from all
   </Directory>

   ErrorLog /var/log/apache2/error.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel warn

   CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</IfModule>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
   ServerAdmin webmaster@localhost
   ServerName www.domain.com
   ServerAlias domain.com
   DocumentRoot /var/www/domain.com/public/ssl
   <Directory />
      Options FollowSymLinks
      AllowOverride None
   </Directory>

   <Directory /var/www/domain.com/public/ssl>
      Options -Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order deny,allow
      Deny from all
   </Directory>

   <Directory /usr/share/phpmyadmin>
      Options -Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order deny,allow
      Deny from all
      Allow from XXX.XXX.XXX.XXX
   </Directory>

   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   <Directory "/usr/lib/cgi-bin">
      AllowOverride None
      Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
      Order allow,deny
      Allow from all
   </Directory>

   ErrorLog /var/log/apache2/error.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel warn

   CustomLog /var/log/apache2/ssl_access.log combined

   Alias /doc/ "/usr/share/doc/"
   <Directory "/usr/share/doc/">
      Options Indexes MultiViews FollowSymLinks
      AllowOverride None
      Order deny,allow
      Deny from all
      Allow from 127.0.0.0/255.0.0.0 ::1/128
   </Directory>

   #   SSL Engine Switch:
   #   Enable/Disable SSL for this virtual host.
   SSLEngine on

   #   Server Certificate Chain:
   #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
   SSLCertificateChainFile /etc/ssl/localcerts/ssl.domain.com/www.domain.ca-bundle

   #   Certificate Authority (CA):
   #SSLCACertificatePath /etc/ssl/certs/
   SSLCACertificatePath /etc/ssl/localcerts/ssl.domain.com
   SSLCACertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.crt
   SSLCACertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.key

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
   </Directory>
   
   BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
   # MSIE 7 and newer should be able to use keepalive
   BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

_________________
I'm completely new to the LAMP stack.


Posted: Sun May 30, 2010 2:22 am
Senior Member
Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
Try this:

Code:
SSLCertificateFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.crt
SSLCertificateKeyFile /etc/ssl/localcerts/ssl.domain.com/www.domain.com.key


Posted: Sun May 30, 2010 1:10 pm
Junior Member
Joined: Wed Mar 17, 2010 3:24 pm
Posts: 26
The default spelling is "SSLCACertificate….." but changing it to "SSLCertificate….." totally worked! Strange. I guess I should have taken the error log's 'HINT' more literally. Thanks hybinet.

Another question along the lines of SSL. Maybe someone can help me better understand this. I have three enabled websites, two with self-signed certificates and one with the commercial certificate. I've noticed there seems to be an alphabetical precedence with the SSL certificates, meaning even though I go to the commercial certificate's SSL page it still comes up with the self-signed certificate. Does this have something to do with one IP address per certificate and my commercial cert not being a 'wildcard', or…..?



Posted: Sun May 30, 2010 1:35 pm
Senior Member
Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
"SSLCACertificateFile" is for verifying client certificates. It's rarely used in public websites. Your own certificates and keys should be specified using "SSLCertificateFile" and "SSLCertificateKeyFile". The "chain" certificate is only used if the certificate issuer says you should. If the issuer says it's "single root", then you don't need chain certificates. If it's a self-signed certificate, then you don't need chain certificates.

Yes, normally you need one IP address per certificate. You can add another IP address in the "Extras" menu. SSL counts as a valid justification for using more than 2 IP addresses, so if you need more than 2, you should open a support ticket and ask for another IP address. But if you're only using SSL for your own needs, you might want to get around this by having your SSL sites on different ports of the same IP address. (That's what "Listen 443" does.)

Wildcard certificates only work if all your sites are subdomains of the same domain, e.g. clients.domain.com, forum.domain.com, blog.domain.com. They also cost 10x more, so don't bother unless you need 10 SSL websites all belonging to the same domain.
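As an added illustration (not code from this thread or from Apache), here is a small Python lint over a constructed pair of site files with hypothetical names and paths. It flags the mistake discussed above (SSLCACertificateFile used where SSLCertificateFile and SSLCertificateKeyFile belong) and reports which :443 vhost is loaded first for each address, which is the one a client that does not send SNI is served, as the [warn] line in the original error log hints.

```python
import re
from collections import OrderedDict

# Constructed sample (hypothetical names/paths): two files in the order Apache 2.2
# loads them from sites-enabled (alphabetical). The second repeats the thread's mistake.
SAMPLE_SITES = OrderedDict([
    ("aaa.example", """
<VirtualHost 203.0.113.10:443>
    ServerName www.aaa.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/aaa.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/aaa.key
</VirtualHost>
"""),
    ("domain.com", """
<VirtualHost 203.0.113.10:443>
    ServerName www.domain.com
    SSLEngine on
    SSLCACertificateFile /etc/ssl/localcerts/www.domain.com.crt
    SSLCACertificateFile /etc/ssl/localcerts/www.domain.com.key
</VirtualHost>
"""),
])

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)


def lint_ssl_vhosts(sites):
    """Return (findings, defaults): a list of (file, ServerName, problem) tuples and,
    per address:port, the first vhost loaded, i.e. the one non-SNI clients get."""
    findings, defaults = [], {}
    for fname, text in sites.items():
        for addr, body in VHOST_RE.findall(text):
            # Directive names are case-insensitive in Apache; a later duplicate wins.
            d = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
            name = d.get("servername", "?")
            if addr.endswith(":443") and addr not in defaults:
                defaults[addr] = name
            if d.get("sslengine", "").lower() != "on":
                continue
            if "sslcertificatefile" not in d:
                findings.append((fname, name, "missing SSLCertificateFile"))
            if "sslcertificatekeyfile" not in d:
                findings.append((fname, name, "missing SSLCertificateKeyFile"))
            if "sslcacertificatefile" in d:
                findings.append((fname, name, "SSLCACertificateFile is for client-cert "
                                 "verification, not the server certificate"))
    return findings, defaults
```

Running it on the sample reports three problems for domain.com and www.aaa.example as the default vhost for 203.0.113.10:443.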


Posted: Sun May 30, 2010 1:46 pm
Junior Member
Joined: Wed Mar 17, 2010 3:24 pm
Posts: 26
And now I know. Thanks again! :D
