Luca favaro's picture

I've trying to setup turnkey mediawiki to use https and a wildcard certificate without any luck. I would also like to setup a redirect from the http site on port 80 to 443.

This is a fresh installation

I've read hundreds of forums and followed each and every suggestion but in the best case I would get something working but that would break something else.

I have my .pem, .crt and .key files loaded under /etc/ssl/certs

My configuration files /etc/mediawiki/apache.conf and /etc/mediawiki/localsettings.php are now back to their original 

I can see the main page when I go to and but in the case of https it showing a warning and I can see it is using the self-signed certificate. Evidently is not using my wildcard certificate.

Any help is appreciated


Luca favaro's picture

Anyone out there willing to help out?

Now I tried replacing the cert.pem files under /etc/ssl/certs with my own certificates

but on the webpage I still get the error and when I look at the certificate it tells me is still the self-signed one....

I believe the configuration file for apache is /etc/apache2/sites-available/default-ssl.conf

because when I change something there I can see it is actually changing on the page.

right now I have changed these lines in the file

        SSLCertificateFile    /etc/ssl/certs/cert.pem 

         SSLCACertificateFile /etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem

I don't where else to look...

Jeremy Davis's picture

Firstly you should be able to redirect http to https (port 80 to port 443) by replacing the existing lines within the Apache mediawiki conf file relatring to port 80 (/etc/mediawiki/apache.conf) with this instead:
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

Regarding the SSL cert location; in v14.0 we tightened the security screws a bit. Part of that was moving the default cert location from /etc/ssl/certs to /etc/ssl/private. Also the modification you put in /etc/apache2/mods-available/ssl.conf should work and is the sensible place to declare a server-wide wildcard cert IMO. However if a cert location is declared in any of the enabled Apache virtualhost conf files (any that are in /etc/apache2/sites-enabled) then that setting will override it.

Regarding the /etc/apache2/sites-available/default-ssl.conf file; that virtualhost conf file should actually be disabled or it will probably clash with the ssl settings in the mediawiki site file (which is actually /etc/mediawiki/apache.conf as noted above).

To see what sites are enabled have a peek in the aptly named /etc/apache2/sites-enabled directory. E.g.

ls -l /etc/apache2/sites-enabled

By default that should only include mediawiki.conf (which will be a symlink to /etc/apache2/sites-available/mediawiki.conf; which in turn will be a symlink to /etc/mediawiki/apache.conf). Check that to see if it declares certs anywhere; if it does (and you have certs declared how you want in /etc/apache2/mods-available/ssl.conf) then you can safely delete any lines relating to certs (from your /etc/mediawiki/apache.conf and/or of the sites listed in /etc/apache2/sites-enabled). Once you are done you need to restart Apache to apply your new config.

service apache2 restart
Also as a word of caution I would advise that you do these changes (redirect http to https & add CA cert) separately (both will require Apache restart). Then if something doesn't work as it should you have a good idea where to start looking...

Add new comment