Newer versions of apache2 require the certificate chain in one file, no longer in separate files:
cat /etc/apache2/ssl/cert.crt /etc/apache2/ssl/intermediate.crt > /etc/apache2/ssl/chain.crt
Common SSL-Cert config for all vhosts in 000-default:
# cert-file:
# SSLCertificateFile /etc/apache2/ssl/cert.crt
# replaced by chain-file:
SSLCertificateFile /etc/apache2/ssl/chain.crt
# the self-made private key file associated with the certificate
# generated via $ openssl genrsa -out domain.privatekey 2048
# CSR - Certificate Signing Request - for this private key was generated via
# $ openssl req -new -key domain.privatekey -out domain.csr
# uploaded to cert registry
SSLCertificateKeyFile /etc/apache2/ssl/domain.privatekey
# DEPRECATED:
# now SSLCertificateFile contains the chain of rapidssl-intermediate and domain crt - see above!
# SSLCertificateChainFile /etc/apache2/ssl/rapidssl_intermediate.crt
Check your certs:
Cert trusted by CA?
openssl verify -CAfile intermediate.crt cert.crt
Private key OK? Both commands should return the same value:
openssl x509 -noout -modulus -in certificate.crt
openssl rsa -noout -modulus -in private.key
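The checks above as an added script (not part of the original notes), extended to confirm that the bundle lists the domain certificate first, followed by its issuer, and that the key matches the first certificate in the bundle. File names follow the notes; ca.key, reversed.crt and the subject names are constructed for the demo, and the key check assumes an RSA key as in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes. File names follow the notes;
# ca.key, reversed.crt and the subject names are constructed for the demo.

# Build a throwaway CA ("intermediate"), a leaf cert and two bundle files in $1.
make_constructed_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
          -keyout ca.key -out intermediate.crt &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
          -keyout domain.privatekey -out domain.csr &&
      openssl x509 -req -in domain.csr -CA intermediate.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out cert.crt &&
      cat cert.crt intermediate.crt > chain.crt &&      # order used in the notes
      cat intermediate.crt cert.crt > reversed.crt      # wrong order, for contrast
    ) >/dev/null 2>&1
}

# True if $1 holds at least two certs and each one is issued by the next.
chain_order_ok() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9); if (n++ && s != prev) bad = 1 }
             /^issuer=/  { prev = substr($0, 8) }
             END { exit (n < 2 || bad) }'
}

# True if the FIRST cert in $1 matches RSA private key $2 (same modulus).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demo run on the constructed files; the directory is removed on exit.
demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_constructed_pki "$demo_dir" || { echo "could not build sample PKI" >&2; exit 1; }
for f in chain.crt reversed.crt; do
    chain_order_ok "$demo_dir/$f" && o=ok || o=WRONG
    key_matches_cert "$demo_dir/$f" "$demo_dir/domain.privatekey" && k=ok || k=MISMATCH
    echo "$f: order=$o key=$k"
done
```

Against a real deployment, call the two check functions on /etc/apache2/ssl/chain.crt and /etc/apache2/ssl/domain.privatekey before reloading Apache.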
This line in apache2.conf / httpd.conf flags the User-Agent EvilBotName for blocking (it sets the BlockedAgent environment variable, which an access rule must then deny):
SetEnvIfNoCase User-Agent "EvilBotName" BlockedAgent