0

I followed this tutorial: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04#step-3-%E2%80%93-configuring-apache-to-use-ssl

This is the content of my file: /etc/apache2/sites-available/nestledevelopment.conf :

<VirtualHost *:443>
   ServerName nestledevelopment.local
   DocumentRoot /var/www/html/nestledevelopment/

SSLEngine on
   SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
   SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>

The command of sudo apache2ctl configtest is shows me: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message Syntax OK

But when i access my virtual host nestledevelopment.local, it still shows the that the connection is not secure. And i need to accept the risk and continue.

Not sure what I did wrong, Would you please suggest where to look? what should i try ? Thank you

Attila Naghi
  • 171

1 Answers1

2

Self-signed certificates are considered not trustworthy by definition. Certificates work with what you may call a "chain of trust": I trust Alice, because I trust Bob and he says Alice is trustworthy. I trust Bob, because I trust Cleo and she says Bob is trustworthy. And so forth, until you arrive at the root certificates that come with your browser (or other client).

Let's say you point your browser at https://askubuntu.com. That server provides you with a certificate that says "I'm askubuntu.com, honest, cross my heart!". But why should your browser trust this certificate? Because the certificate has been signed by a certificate authority or CA. In AskUbuntu's case, that CA is Let's Encrypt. And by it signature, Let's Encrypt says, "Yes, the certificate the server at https://askubuntu.com showed you is valid, and you can trust it". So, the next question is, why should your browser trust Let's Encrypt? And here we are at the chain of trust we've seen above: After one or multiple intermediary certificates which each "deliver" trust to another, the chain arrives at one of the root certificates that came with your browser.

So, what does all that mean for your self-signed certificate? That certificate can't possibly be accepted by your browser, because (as the term already points out) you've signed it yourself. There's no chain of trust. It's a bit like you want to enter a company building, and issue yourself an key card for the door. That won't exactly fly ;)

So your configuration is probably completely fine, at least you didn't provide any indication of additional problems. You just have to add an exception in your browser.

Henning Kockerbeck
  • 8,057