Blog Tags: 

Self signed and trusted SSL certificates

Important note: Please note that current appliances include support for getting free Let's Encrypt SSL certificates. Please see the Let's Encrypt docs within the new Confconsole doc pages for full details.

Keeping it simple, HTTPS is a combination of the HTTP and SSL/TLS protocols, which provides encryption while authenticating the server. The main idea is to create a secure channel over an insecure network, ensuring "reasonable" protection from eavesdroppers and man-in-the-middle attacks.

HTTPS assumes that special CA (Certificate Authority) certificates are pre-installed in web browsers. If your SSL certificate is not signed by one of these CA's, the browser will display a warning:

TurnKey appliances generate self signed certificates on first boot to provide an encrypted traffic channel, but because the certificates are not signed by a trusted CA, the warning is displayed. In most cases, this is acceptable. If it's not, go get a signed certificate.

Authoritatively signed certificates


Authoritatively signed certificates can be costly, for example, Verisign (the most well known CA) charges $1,499 per year for their recommended certificate. There are cheap alternatives (I recently purchased a certificate from Go Daddy for $12.99) as well as a couple of free providers.

Generate key and CSR

First up is to create a certificate key and a certificate signing request (CSR). This can be done with OpenSSL.

apt-get update
apt-get install openssl

# replace bold type with your info
openssl req -new -newkey rsa:2048 -nodes -out www_example_com.csr -keyout www_example_com.key -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./"

Submit the CSR

The above will generate two files, www_example_com.key and

Once you have signed up for an authoritatively signed certificate, you will be requested to upload the CSR file or its contents.

Verify the request

The signing authority will need to verify the validity of the request and that it was submitted by the entity to which the domain in the request is registered, usually done by contacting the administrative contact for the domain.

Further steps may be required when requesting an Extended Validation (EV) certificate, which color the address bar green in recent browsers.

Download signed certificate

After validation, your signed certificate (crt) will be available for download. Most likely your signing authority will include an intermediate CA certificate bundle (trust chain).

Note: you should make a backup of all SSL related files.

Generate PEM and placement

Generate the pem from the key and crt

cat www_example_com.key > cert.pem

Place the generated pem and intermediate bundle (eg. bundle.crt) in /etc/ssl/certs/, and make them read-only to root.

chown root:root *.pem *.crt
chmod 400 *pem *.crt

Update configuration, enable SSL and reload webserver

Apache configuration

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    SSLCertificateChainFile /etc/ssl/certs/bundle.crt
a2enmod ssl
/etc/init.d/apache2 force-reload

Lighttpd configuration

$SERVER["socket"] == "" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/ssl/certs/cert.pem" = "/etc/ssl/certs/bundle.crt"
lighty-enable-mod ssl
/etc/init.d/lighttpd force-reload

Do you use an authoritatively signed certificate? Is self-signed sufficient? Leave a comment!


Neil Aggarwal's picture

If you are using an SSL certificate for testing, offers free certificates that are authorititavely signed.  You have to pay for certs that you use for e-commerce and secure transactions, but for testing, their free certs work very well.

Alon Swartz's picture

Thanks for the link Neil, I'm sure people will find it useful. I noticed that Go Daddy also offers a free one-year Standard SSL Certificate to open source projects. I wonder what happens when your year is up?
Neil Aggarwal's picture

I assume the GoDaddy cert will expire in 1 year and you have to pay for renewal or get a different cert.

I have used the StartSsl certs for non open-source projects so that is an advantage there.

Guest's picture

in case if i don't wanna pay to any thirdpary for CA what can i do then?

Jeremy Davis's picture

here but i haven't tested any of them. If you try some feedback may be useful for others.

Also Google turned up a old Slashdot story with a couple of ideas, although they may be out of date? (And aren't actually open source).

Peter N's picture

I'm not clear on how to update the apache configuration file.  Which file do I edit? and how do I edit it? I'm assuming that I would need to modify the:/etc/apache2/sites-available/default file is that right? If so, then how/what do I replace it in the file.


Ariel Di Girolamo's picture

Hello people,

Anyone can help configuring an ssl certificate for a virtual host? I made all the configuration folowing those instructions and my virtual host keeps me providing me the selfsigned certificate from turnkey, even if a configure a dedicate ip address for tha site. Any ideas?

I'll be very glad if someone can help me :)




Alon Swartz's picture

Try restarting the webserver so changes take effect.

dannymcc's picture

If I already have a site up and running using the Turnkey LAMP stack, which Apache config file should I be editing?

If I edit the default one won't those changes only show on new virtual hosts not existing ones?

L. Arnold's picture

To answer your question at the end:  Do you use an authoritatively signed certificate? Is self-signed sufficient?

I tend to use the SSL Generated Certs for Webmin, WebShell and PHPMyAdmin.  If I need SSL for a Public site I have been finding $10 certs recently on Comodo and getting irritated when they try to renew for $50..  I think I found a good alternative that seems more "ong term in it price offering just now at:

They have good pricing on Domain Registrations as well though I like Tucows for that.

1 and 2 year SSL certs for less than $10 a year (even 3  years if you want to avoid the hassle).

That was the Hard Work.  The next part was just refresh/repeat from previous cert installs.

Run the process outlined in the great blog post above to generate the CSR (Certificate Signing Request).. For me this is easiest in Webmin because I can Copy Paste then edit before submitting look in your root directory to find it, then move it with the the Certs you are Generating to etc/ssl/private (or a folder of your choice).

Generally you need to take 2 Certs (the primary cert and the intermediate cert and copy them into new files  --

In Apache - Go to Edit Directives under your 443 Port.  The following is my general format calling out .cert (or .crt) .key and intermediate.cert :

SSLEngine on
SSLCertificateFile /etc/ssl/private/www_myweb_net.cert
    ServerAdmin  webmaster@localhost
DocumentRoot /var/www/TURNKEYAPPFOLDER/
SSLCertificateKeyFile /etc/ssl/private/www_myweb_net.key
SSLCACertificateFile //etc/ssl/private/www_myweb_inter_ca.cert


In fact I am here posting because I needed to get the script again to generate a CSR and it was about as easy a SSL install as I have done...  Templates are the key...  and avoid Comodo's Bait and Switch.  GeoTrust seems, to me anyway, the more reputable SSL provider.

Bjørn's picture


Hello, I have been trying to get a free cert to work, but i am running into this error after trying to follow the steps outlined in the blog, and the comment by mr Arnold.
[Fri Jan 13 23:30:47 2012] [error] Init: Unable to read server certificate from file /etc/ssl/certs/certfile.pem
[Fri Jan 13 23:30:47 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Jan 13 23:30:47 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Any idea what could be causing this? I have tried loading the cert on my windows 7 machine, and it seems to be working nicely there.
Bjørn's picture

The problem in my above post was that the generated .pem file was not the correct one to use, rather one should use the .crt file itself.

Startcom had just the info needed on their site:

SSL directives:

   SSLEngine on
   SSLProtocol all -SSLv2

   SSLCertificateFile /usr/local/apache/conf/ssl.crt
   SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
   SSLCertificateChainFile /usr/local/apache/conf/
   SSLCACertificateFile /usr/local/apache/conf/ca.pem
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


I also found the next solution i needed on their blog: That there is no real use in having a passphrase on the key file, so it should be decrypted.

Now it works as it should, thanks!

Jeremy Davis's picture

I'm sure others will find your discovery useful.

Simona Angelo's picture

I think the cheapest out there is StartSSL which gives you the first year free and charges you A LOT in the 2nd year...

Godaddy is reasonable but has bad customer service and is a hassle to install.

I would recommend certificate because of their customer service and affordable rates.  Go for the FREE 90 days trial first and test them out.  Then, get their cheapest certificate (DV) every year.  Worth it, especially when you go through the process of actually installing the certificate.

Magson Fernandes's picture

Hi, Is not working for my website www. what to do?

Can anyone help me out how to configure.


Waiting for your reply???

Eline Joseph's picture

I got mine Free SSL certificate from and It was too easy to configure...!

Jiger's picture


Hi all,

Can any please help me with the configuration of an ssl certificate loaded on a virtual server.

I made the below configurations however  the virtual server keeps on providing the selfsigned certificate warning from turnkey.  


Would appreciate if some Linux expert(s) can help me with this on priority. Thanks in advance...



Lighttpd configuration

$SERVER["socket"] == "" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/ssl/certs/cert.pem" = "/etc/ssl/certs/bundle.crt"
	lighty-enable-mod ssl
	/etc/init.d/lighttpd force-reload





Lars's picture

After trying StartSSL and Comodo's Free SSL certificate for 3 months I finally bought a GeoTrust RapidSSL cert for my little mailserver ( got it for EUR 8.76 at ).

The only part I did forget was to install the intermediate certificate - and so got an error message in Thunderbird. After adding the follwoing line in Postfix the problem was solved and now the SSL certificate is working smoothly (even on my Samsung android mail app):

smtpd_tls_CAfile = /etc/ssl/certs/ca_rapidssl.crt

Bill Carney's picture

I purchased a UCC certificate and have it running on three domains on a LAMP server on port 443.  That part works fine.  One of the server names corresponds to the Webmin installation I have on the machine.  How do I configure port 12321 (or 8080 in my case, I changed it) to use the SSL certificate?  I tried adding:


<VirtualHost *:8080>
 DocumentRoot /var/www/
 SSLEngine on
        SSLCertificateFile /etc/ssl/certs/cert.pem
        SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt

to a site-available .conf file, but I still get the scary error message.  Any suggestions?

Sapna's picture

Dear Team,

Can i create self signed certificate without an3rd party CA. Bcoz i make self sign certificate but when open website it says croess https://

If yes plese suggest.


If No please the way farward.



Sapna Singh

T.J.'s picture

I am trying to install a Godaddy cert and I am having issues with mobile browsers reporting the certificate is not trusted. I believe this is due to the Intermediate certificate.  I make most of the changes through the webmin interface. For Virtual Host on port 443 I have SSL on with the cert and certificate authorities file fields filled in with paths to the files - cert.pem and bundle.crt. When I apply/stop/start apache these directives are updated in the global config.

<VirtualHost *:443>

SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateChainFile /etc/ssl/certs/bundle.crt
SSLCACertificateFile /etc/ssl/certs/bundle.crt



I am still receiving the error on some mobile browsers. What am I doing wrong?


Thank You

Eugene's picture

I am having the same issue with android users. Did you ever find a solution?

Mac's picture

GoDaddy is not trusted by all browsers - had many problems and their support was very unhelpful.

You should switch to a trusted CA like Comodo or GeoTrust RapidSSL - had no problems at all with my cert, even on older Android devices:

I used the following directives for my Apache:

  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3 +TLSv1
  SSLCertificateKeyFile /etc/apache2/ssl.key/
  SSLCertificateFile /etc/apache2/ssl.crt/
  SSLCACertificateFile /etc/apache2/ssl.crt/comodo-bundle.crt

Hope that helps !



daytonamustang's picture

I am getting the following messages after I paste my CRT and KEY in the Webmin > SSL Encrytion > Upload Certificate ... Questions: What can I do to revert back to the default? I dont want to reinstall all the time.

  • I have done this on 3 fresh installs and after a reboot Apachee will not restart
  • Is there a way to "reset" (aka back to normal) so that it can just use the default certificates
  • Is Webmin the problem? Do I have to use the command line to edit Apachee2 conf files?


[Fri May 16 13:19:33 2014] [error] Init: Unable to read server certificate from file /etc/ssl/certs/cert.pem
[Fri May 16 13:19:33 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 16 13:19:33 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri May 16 13:21:32 2014] [error] Init: Unable to read server certificate from file /etc/ssl/certs/cert.pem
[Fri May 16 13:21:32 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 16 13:21:32 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri May 16 13:22:20 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri May 16 13:24:28 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri May 16 13:25:13 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri May 16 13:55:19 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
L. Arnold's picture

I have never used Webmin to fill in cert and key, specifically, so I don't know the situation specifically you have,  but my feeling is that you don't need a customized cert for webmin or webshell.  You are the only one normally logging in and you can always accept the self-signed or built in cert.

Where you want a custom cert is on the outward pointing system/web site etc.  Above I noted how I normally install a cert in the post titled  "My 2 Step and 2 Bits on SSL Certs" .  Specifically there you need to get your key, cert, and trusted authority certs all be installed.  I do that through Webmin, but functionally as a series of "text edits" in the APACHE SERVER SETUP in Webmin - or directly in Webshell.

When you do this the cert will move forward with TKLBAM backups and restores and you will only have to update the setup when your certificate (or certificates) expire.

Hope this helps -  again, see the post above titled.  You are Setting these settings within APACHE in Webmin normally as opposed to the whole install.

My 2 Step and 2 Bits on SSL Certs

Fabrizio Bartolomucci's picture

As an iOS developer, I own a number of trusted certificates by Apple, including those conencted to remote notifications. Is it possibile to use them in the Apache https configuration to get rid of the warning on web sites, and how to do it?

Jeremy Davis's picture

But it's possible I guess. Have you tried following the tutorial to see if it works?

I guess another good option might be to ask Apple themselves (or on Apple support forums or something?) and if so how you might go about it...

Jim Armstrong's picture

Yes! Its possible to get ride of those security warning on web sites by making certain modification on Apache HTTPS Configuration, but in order to do that you must have SSL certificate from trusted CA!

I have drafted tutoril on this but its all about Apple Mac OS X Server! I wish, It could help you and guide you!

See more here;

Fabrizio Bartolomucci's picture

Thanks, yet  I would need to use it on a Centos linux server to certify it, not on a mac server. Can I use the same certificate even there?

Jeremy Davis's picture

Initially I thought your thread hijack was somewhat legitimate (I thought you were referring to using an Apple provided cert on a TurnKey appliance). But now we're totally off topic talking about OSX servers and CentOS. These are the TurnKey Linux (Debian based software appliances) forums. Please take your discussion somewhere more appropriate. At least have the courtesy to start your own thread rather than hijacking someone else's and taking it completely off topic...

Fabrizio Bartolomucci's picture

I did not note when I went off-topic. I still need a trusted certificate for my centOS Apache server to get rid of the warning, and I wondered whether I could use the ones I already use for my Apple remote notifications.

Inviato da iPad

> Il giorno 27/nov/2014, alle ore 21:31, TurnKey GNU/Linux <> ha scritto:

Jeremy Davis's picture

Perhaps ask on the CentOS forums...?
Terence Oort's picture

Hi All

Got my self assigned ssl certs on the go.

Now, maybe if anyone can explain the following I'm having.

Locally (at home) the https works like a charm, but when accessing my cloud from an external network on the web interface mainly. Upon first login through https works fine, logging out and login again. The page does not load, like it loses connection, but testing on different network it's works again, but does the exact same with login/logout, page not load

disabled enforce https, all is fine, logged in and logged out multiple times, no issue

Could it be the ssl cert not being a verified cert from a vendor?


Thank you in advance

L. Arnold's picture

I've got certs in all parts of Apache but I am not finding how Webmin and Webshell are controlled.

Thought it might be "lightly" below but nothing in the directory as described.

Please inform.


Praveen's picture

Can get namecheap certificate

<a href="">Ide Dr</a>

Rob S's picture

Excellent guide, however, a word of warning.

If you use cert.pem it will be overwritten when the ca-certificates package is updated.  Ectract from the update taking place on my Turnkey LAMP updating:

Processing triggers for ca-certificates (20141019+deb8u1) ...
Updating certificates in /etc/ssl/certs... 20 added, 18 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
[master f8f7e4b] committing changes in /etc after apt run
 126 files changed, 575 insertions(+), 554 deletions(-)
 rewrite ssl/certs/cert.pem (100%)
 mode change 100644 => 120000

Instead give the pem file a meaningful name to avoid the problem e.g. my_ssl_site.pem then it will not be overwritten.

Seth Berrier's picture

The steps above have worked great for me (I get the green lock in my browser when I visit standard HTTPS protocol pages from the server).  In the end I did not keep the name cert.pem (as the above poster suggested) and I think this is actually causing other issues.

When I go to the webmin interface at port 12321 (or shell-in-a-box at 12320) this does not get the right certificate.  Chrome reports that it is still receiving the old self-signed certificate.

I have dug as much as I can and I cannot figure out how webmin is even intercepting that port!  Apache does not appear to be listening on it or doing any sort of HTTP proxy and the /etc/webmin/miniserv.conf file is listening on port 10000 not 12321.  Shell-in-a-box is much the same (I just can't figure out where the server is that serves it and it doesn't seem to be apache).

Can anyone point me to where I can get webmin to use the proper certificate?  I know nothing about webmin really so I'm not even sure where I should look to configure it and what I thought was the obvious place (/etc/webmin/miniserv.conf) doesn't look right.

Jeremy Davis's picture

The theory to add CA certs to stunnel should be similar although the details will probably be specific (to stunnel).
Seth Berrier's picture

A short trip over to /etc/stunnel/stunnel.conf and there's a very obvious line that needs to be updated:

cert = /etc/ssl/private/cert.pem

Switch that to your properly signed cert and restart stunnel4 and bingo, it works!

TheShif's picture

Well - I hate to admit that I have spent way to many hours trying to understand some of the nuances of this SSL thread - and still can't be successfull getting my certs to install and function.

I have no issues conducting any of the steps - it's just that they universally leave me with an error 500 internal server error when I'm finished.

I'm not clear on if I should be using the .pem or the .crt, but both methods fail equally and identically.  Nothing I have done so far has any impact on the cert for webmin.

I like "secure out of the box" - but a self signed cert has limited play in the real world.  And I really want to use the turnkey appliance in the real world. 

Because I know there are LOTS of folks in this forum way smarter than me - maybe someone could rewrite this post with steps that are known to work - without any of the additional conversations and steps that dont really work.

I'm guessing that the very same directions would be appliable to all the turnkey distributions, which means writing this up will help folks use ALL the various appliances turnkey has built.  Seems like it would be a good investment of time;  I can't be  (I HOPE)  the only person whos been struggling and unseccessfull with certificates.

Come on guys - can anyone step up to this?  Heck - I'll even write it up for the forums here nice a pretty if I can just figure out how to make it work.  :)

Lost and forlorn in Turnkey certificate land -



Rob S's picture

Hi Tony

The steps do work as described and I have used them many times.  The key to finding why you are getting the 500 error is to review the Apache error logs - /var/log/apache2/error.log.  Assuming that you do not get an error when you restart Apache after installing the new certificate?

More help can be provided by posting the output you get when you restart Apache - service apache2 restart - and from the error.log covering the retstart and then the web request made to the site.



Elias Santiago's picture

I've tried many times to use the certificate installation method that uses, but Webmin or Apache do not seem to update the certificate. 


Has anyone tried it? 

Jeremy Davis's picture

Since v14.2 TurnKey's Confconsole (commandline UI configuration tool) supports getting Let's Encrypt certificates OOTB.

They are free and work well, so what's not to like! :)

PB's picture

I am using Let’s Encrypt trough Plesk add-on (extension) it works just fine

check this out

Jeremy Davis's picture

Since v14.2 TurnKey's Confconsole (commandline UI configuration tool) supports getting Let's Encrypt certificates OOTB.

venkat shanthi's picture

Very informative.Thank you for posting.


Dave Richards's picture

Is it possible to remove the self-signed certificate altogether?  I have an SSL cert installed on my DNS and believe that I need to get rid of the server-side SSL to make them place nice.

Dave Richards's picture

Ooops... I meant play nice, not "place nice"

kinjo's picture

Here’s the mail I got recently for my problem

Disable QUIC Protocol
in URL write "chrome://flags/#enable-quic Protocol" and hit Enter,
if will be selected as Default, now click on that drop-down and select Disabled, 
now click on Relaunch in bottom.

2) Update the system Time
3) Disable unknown or unused extensions
4) Check if there is restrictions on Firewall or not.

If you error is still not solved, or getting other SSL error please visit <ERR_SSL_PROTOCOL_ERROR – Fix by deskdecode>


Frank Baumgartner's picture

Besides Apache and Lighttpd, nginx has become very populer.  Nginx config would be looking like this: 
listen *:443 ssl; server_name; ssl_certificate /var/opt/gitlab/nginx/ssl/; ssl_certificate_key /var/opt/gitlab/nginx/ssl/; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5;
You may find further details here:


Add new comment