SSL Certificate Installation with Ubuntu & Apache & PositiveSSL

This is a quick and dirty “how to” that will get you running commercially verified, high-grade encrypted HTTPS connections on your Apache server.  The process should be roughly the same across all Linux distributions (the file paths will probably differ), but it was tested with Ubuntu 10.04.  The basic assumption here is that you have the mod_ssl module installed and enabled for Apache and a dedicated IP address for each domain you wish to provide encryption for (multiple SSL certs will each require their own IP, so you’ll have to go with a static IP configuration).  Okay?  Great, let’s get started.  One thing to note is that most of the time (if you buy a cheap certificate) you’ll only be able to verifiably encrypt either or, but not both, so choose one (or something like

  1. First thing you’ll want to do is create a private key and public certificate signing request (CSR) for the domain, using the following command (replace www_yourdomain_com with www_example_com or example_com or secure_example_com… see above) :
    openssl req -nodes -newkey rsa:2048 -keyout www_yourdomain_com.key -out www_yourdomain_com.csr
  2. You’ll be prompted to fill out org info.  Please do so, but (if you’re using Comodo’s cheap PositiveSSL from NameCheap) you’ll need to set the COMMON NAME parameter to the domain (i.e.  Skip the challenge password and optional company name.
  3. Open your newly created www_yourdomain_com.csr and copy & paste the entire certificate signing request into your registration of a new SSL cert (from PositiveSSL, for instance).
  4. Follow the SSL company’s instructions.
  5. You should receive from them something like the following:
    1. www_yourdomain_com.crt
  6. If you didn’t receive a bundle, you’ll need to create your own bundle from the files they do send over.
  7. You might have “ssl.key” and “ssl.crt” sub-directories located at /etc/ssl.  If you do not, I recommend creating them (N.B. /etc/ssl/ssl.key and its contents should be readable only by Apache!).
  8. Move the www_yourdomain_com.key file to /etc/ssl/ssl.key
  9. Move the CRT (www_yourdomain_com.crt) and the bundle ( to /etc/ssl/ssl.crt
  10. Now go wild in the /etc/apache2/sites-enabled/ directory: find the files for the domain for which you want to enable SSL and open them for editing.
  11. Copy the entire <VirtualHost XXX.XXX.XXX.XXX:PORT>blah blah blah </VirtualHost> and paste it into the same file, just immediately below its existing location.   Change the port number from :80 to :443 (SSL default).
  12. Add the following entries inside of your new <VirtualHost> configuration:
    • SSLEngine on
    • SSLCertificateKeyFile /etc/ssl/ssl.key/www_yourdomain_com.key
    • SSLCertificateFile /etc/ssl/ssl.crt/www_yourdomain_com.crt
    • SSLCertificateChainFile /etc/ssl/ssl.crt/
  13. Save the file and give Apache the old restart:  /etc/init.d/apache2 restart
  14. Go to bed.
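
A sanity check to run on the files from steps 8 and 9 before the restart in step 13, as an added example that is not part of the original post: it confirms that the certificate carries the same public key as the private key generated in step 1, and that the key file grants nothing to group or others. The function names and the self-signed sample certificate (a stand-in for the CA-issued .crt) are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run before restarting Apache with a new certificate.

# Succeeds only if certificate $1 and private key $2 hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if file $1 grants no permissions to group or others.
key_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample input: a throwaway key plus a self-signed certificate
# standing in for the CA-issued .crt (hypothetical helper, not from the page).
make_sample() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Reports on one certificate/key pair; returns non-zero if any check fails.
check_pair() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 matches $2 and the key is private"
    return "$rc"
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" www_yourdomain_com
chmod 600 "$demo_dir/www_yourdomain_com.key"
check_pair "$demo_dir/www_yourdomain_com.crt" "$demo_dir/www_yourdomain_com.key"
rm -rf "$demo_dir"
```

Point check_pair at the real .crt and .key under /etc/ssl once they are in place. A mismatch here usually means the CSR submitted to the CA was generated from a different key than the one on disk.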

Remove PHP Warning “Unable to load dynamic library” mhash after upgrading Ubuntu

After upgrading Ubuntu to 10.04 (give or take a version), you might notice the following warning (or variant) thrown by PHP5:

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626/' - /usr/lib/php5/20090626/ cannot open shared object file: No such file or directory in Unknown on line 0

This is the result of the latest version of PHP already having mhash included in the php5-common package.   Even though php5-mhash got removed in the upgrade, the mhash.ini file still references it (and the warning gets thrown).

To fix this, you’ll need to comment out the following line in /etc/php5/cli/conf.d/mhash.ini :

This is a hack, but it removes the tiresome warning.