I’ll assume you have a standard Debian system with the apache2 package installed and ready.

The first step is to generate a key. You must choose a passphrase here. We’ll remove that later on for easier Apache2 restarts

openssl genrsa -des3 -out server.key 4096

Next, you need to generate a Certificate Sign Request or CSR. Some things to consider:

• Enter the Fully Qualified Domain Name in the Common Name field. For this blog that’d be ‘blog.kabisa.nl’.
• There’s no need to set a challenge password.

openssl req -new -key server.key -out server.csr

Next, sign the request with your key.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Then, create an insecure version of your key. This will remove the pass phrase. If you don’t do this apache will ask for the pass phrase when it loads the key.

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

A good place to keep your key and certificate is /etc/apache2/ssl. Make sure you chmod 600 it for the root user.

Okay, setup your VirtualHosts. This example is for a Passenger-powered example app.

<VirtualHost *:80>
  ServerName example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin support@example.com
  ServerName example.com

  # SSL Engine Switch
  SSLEngine on

  # SSL Cipher Suite:
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  # Server Certificate
  SSLCertificateFile /etc/apache2/ssl/server.crt

  # Server Private Key
  SSLCertificateKeyFile /etc/apache2/ssl/server.key

  # Set header to indentify https requests for Mongrel
  RequestHeader set X-Forwarded-Proto "https"

  BrowserMatch ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

  DocumentRoot /var/rails/example/current/public
  <Directory "/var/rails/example/current/public">
    AllowOverride all
    Allow from all
    Options -MultiViews
  </Directory>
 </VirtualHost>

There is a file name /etc/apache2/ports.conf that configures which ports apache listen on. Make it look like this:

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

All set. Now restart apache2 and you should be good to go.

After configuring a new IP address for the clone, I booted up the system. Nice, but I ran into a problem:

Configuring network interfaces...SIOCSIFADDR: No such device
eth0: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: No such device
SIOCSIFBRDADDR: No such device
eth0: ERROR while getting interface flags: No such device
eth0: ERROR while getting interface flags: No such device
Failed to bring up eth0.

After some investigation I found that the MAC address for eth0 is stored on disk in /etc/udev/rules.d/z25_persistent-net.rules. That makes sense, because the whole file system was cloned. But, I swapped the virtual network card, and I’d expect is to work. It didn’t.

The solution is quite easy. Empty /etc/udev/rules.d/z25_persistent-net.rules. Then shutdown and start your VPS. You must do a full shutdown, a reboot won’t work.

For the lazy folk out there, here’s how to quickly empty the file:

echo "" > /etc/udev/rules.d/z25_persistent-net.rules

After you have started your VPS back up again, you should be able to ping out over the network. If you peek in /etc/udev/rules.d/z25_persistent-net.rules you should see a line that contains the MAC address for your virtual network device.