I have a Fedora server that I want to set up HTTPS on.
After pursuing what seemed like the appropriate install/test, I try to fire up my httpd and get the below failure.
In httpd/ssl.conf, I put:
    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    SSLCACertificateFile /etc/letsencrypt/live/linuxlighthouse.com/fullchain.pem
But on httpd start, I get, …
[Sat Dec 12 13:14:10.608136 2015] [ssl:info] [pid 11866] AH01914: Configuring server www.linuxlighthouse.com:443 for SSL protocol
[Sat Dec 12 13:14:10.608860 2015] [ssl:debug] [pid 11866] ssl_engine_init.c(1615): AH02209: CA certificate: CN=linuxlighthouse.com
[Sat Dec 12 13:14:10.608888 2015] [ssl:debug] [pid 11866] ssl_engine_init.c(1615): AH02209: CA certificate: CN=Let’s Encrypt Authority X1,O=Let’s Encrypt,C=US
[Sat Dec 12 13:14:10.609095 2015] [ssl:debug] [pid 11866] ssl_engine_init.c(392): AH01893: Configuring TLS extension handling
[Sat Dec 12 13:14:10.609160 2015] [ssl:emerg] [pid 11866] AH02572: Failed to configure at least one certificate and key for www.linuxlighthouse.com:443
[Sat Dec 12 13:14:10.609195 2015] [ssl:emerg] [pid 11866] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
It says: “to find CA certificates for client authentication”. You’ll probably just want normal HTTPS access for your normal browsing users from the WWW for your server, right? No fancy client certificate authentication?
But I recommend reading in the first place. But sometimes they teach you to do ten different steps you now don’t require to do, so I’ll just point you to the above directives, so you won’t make it harder on yourself. But… Still… Read
Oh, BTW… Which version of Apache does your server have? If it is below version 2.4.8, you still need SSLCertificateChainFile:
Notice the slight difference between the two sets of directives. I’ll leave it up to you on how and why.
The second set of directives would also work on Apache versions 2.4.8 and higher, but SSLCertificateChainFile is deprecated on those versions, so it’s wiser not to use it any longer… You’ll never know when they remove support for it (if ever).
The IP will give an invalid certificate, because the certificate is for the domain name - not the IP address, so using the IP address will not match with the certificate.
To expand on Osiris' comment, you wouldn't, couldn't (at least not with LE), and shouldn't. If you want the green lock, just use the FQDN when you're browsing to your server. Or ignore the warning, since you know perfectly well which host you're accessing.
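A configuration check for the mistake discussed in this thread, as an added example (not code from the thread, Apache, or Let's Encrypt): it flags a vhost that sets only SSLCACertificateFile, and applies the 2.4.8 rule for SSLCertificateChainFile mentioned above. The function names, the sample configs and the version tuples are constructed, and the file names cert.pem, chain.pem and privkey.pem assume the usual Let's Encrypt live/ layout.

```python
import re

# Constructed sample configs. The directory is the one quoted in the thread; the
# file names cert.pem, chain.pem and privkey.pem are the usual Let's Encrypt
# live/ layout and are an assumption here.
LIVE = "/etc/letsencrypt/live/linuxlighthouse.com"
BROKEN = f"SSLEngine on\nSSLCACertificateFile {LIVE}/fullchain.pem\n"
FIXED_NEW = ("SSLEngine on\n"
             f"SSLCertificateFile {LIVE}/fullchain.pem\n"
             f"SSLCertificateKeyFile {LIVE}/privkey.pem\n")
FIXED_OLD = ("SSLEngine on\n"
             f"SSLCertificateFile {LIVE}/cert.pem\n"
             f"SSLCertificateKeyFile {LIVE}/privkey.pem\n"
             f"SSLCertificateChainFile {LIVE}/chain.pem\n")

def directives(conf):
    """Map lower-cased directive name -> argument. Lines starting with '#'
    never match, because a directive name must start with a letter."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s+(\S.*?)\s*$", line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def audit(conf, version):
    """Return findings for one vhost; version is a tuple such as (2, 4, 6)."""
    d, out = directives(conf), []
    if "sslcertificatefile" not in d:
        out.append("no SSLCertificateFile: no server certificate is assigned")
    if "sslcertificatekeyfile" not in d:
        out.append("no SSLCertificateKeyFile: no separate private key is configured")
    if "sslcacertificatefile" in d and "sslverifyclient" not in d:
        out.append("SSLCACertificateFile without SSLVerifyClient: that directive "
                   "is for client-certificate authentication")
    if version < (2, 4, 8) and "sslcertificatechainfile" not in d:
        out.append("Apache < 2.4.8: the chain needs SSLCertificateChainFile")
    if version >= (2, 4, 8) and "sslcertificatechainfile" in d:
        out.append("SSLCertificateChainFile is deprecated from 2.4.8 on")
    return out

if __name__ == "__main__":
    for finding in audit(BROKEN, (2, 4, 18)):   # version is a constructed value
        print("FINDING:", finding)
```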