Hello,
as stated, our Rails app (Rails 4.0.13) stopped working with SSL after upgrading our system from Ubuntu 12.04 to the following software versions:
Ubuntu 16.04
Apache 2.4.18
Phusion Passenger Enterprise 5.1.1
Rails 4.0.13
Ruby 2.3.3 or 2.1.5 (with rvm)
It does work without SSL. However, with SSL enabled, the website can't be accessed ("Safari can't establish a secure connection"...).
NO errors in application log or Apache's error log.
---
SSLStrictSNIVHostCheck off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:80>
# Redirect all to https
</VirtualHost>
# Basic
DocumentRoot /srv/rails/myapp/current/public
# Passenger
PassengerEnabled on
PassengerUser myapp
PassengerGroup myapp
PassengerAppEnv production
PassengerRuby /usr/local/rvm/gems/ruby-2.3.3/wrappers/ruby
<Directory /srv/rails/myapp/current/public>
Options None
Require all granted
</Directory>
# SSL
SSLEngine on
SSLCertificateFile /srv/rails/myapp/current/lib/linux/ssl/myapp.de.crt
SSLCertificateKeyFile /srv/rails/myapp/current/lib/linux/ssl/myapp.de.key
SSLCACertificateFile /srv/rails/myapp/current/lib/linux/ssl/Comodo.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ServerSignature off
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</VirtualHost>
---
This is our old and working virtual host config under Ubuntu 12.04 (Apache 2.2):
---
<VirtualHost *:80>
# Redirect all to https
ServerName {{SERVERNAME}}
ServerAlias {{SERVERALIAS}}
Redirect / https://{{SERVERNAME}}/
</VirtualHost>
<VirtualHost {{IP_FOR_SSL}}:443>
# Basic
ServerName {{SERVERNAME}}
ServerAlias {{SERVERALIAS}}
DocumentRoot {{RAILS_ROOT}}/public
# Passenger
PassengerEnabled on
PassengerMinInstances 2
PassengerUser myapp
PassengerGroup myapp
<Directory {{RAILS_ROOT}}/public>
AllowOverride all
Options -MultiViews
</Directory>
# SSL
SSLEngine on
SSLCertificateFile {{RAILS_ROOT}}/lib/linux/ssl/{{SERVERNAME}}.crt
SSLCertificateKeyFile {{RAILS_ROOT}}/lib/linux/ssl/{{SERVERNAME}}.key
SSLCACertificateFile {{RAILS_ROOT}}/lib/linux/ssl/Comodo.pem
</VirtualHost>
---
Thanks, Nikolas
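
Added example, not part of the original post: with no log output to go on, one way to narrow down a handshake failure is to list the TLS directives that exist only in the new virtual host and then disable them one at a time. The sample strings are constructed from the two configurations above (SSL lines only, cipher list abbreviated), and the function names are hypothetical.

```python
# Sample configs constructed from the post: SSL lines only, cipher list abbreviated.
OLD_CONF = """
<VirtualHost {{IP_FOR_SSL}}:443>
# SSL
SSLEngine on
SSLCertificateFile {{RAILS_ROOT}}/lib/linux/ssl/{{SERVERNAME}}.crt
SSLCertificateKeyFile {{RAILS_ROOT}}/lib/linux/ssl/{{SERVERNAME}}.key
SSLCACertificateFile {{RAILS_ROOT}}/lib/linux/ssl/Comodo.pem
</VirtualHost>
"""

NEW_CONF = """
SSLStrictSNIVHostCheck off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# SSL
SSLEngine on
SSLCertificateFile /srv/rails/myapp/current/lib/linux/ssl/myapp.de.crt
SSLCertificateKeyFile /srv/rails/myapp/current/lib/linux/ssl/myapp.de.key
SSLCACertificateFile /srv/rails/myapp/current/lib/linux/ssl/Comodo.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:!DSS
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
"""


def directives(conf):
    """Map lower-cased directive name -> name as written, skipping comments and section tags."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name = line.split(None, 1)[0]
            found[name.lower()] = name  # Apache directive names are case-insensitive
    return found


def tls_delta(old_conf, new_conf, prefix="ssl"):
    """Return (added, removed): SSL* directives present in only one of the two configs."""
    old, new = directives(old_conf), directives(new_conf)
    added = sorted(n for k, n in new.items() if k.startswith(prefix) and k not in old)
    removed = sorted(n for k, n in old.items() if k.startswith(prefix) and k not in new)
    return added, removed


if __name__ == "__main__":
    added, removed = tls_delta(OLD_CONF, NEW_CONF)
    print("only in new config:", ", ".join(added))
    print("only in old config:", ", ".join(removed) or "(none)")
```

Each directive it reports as only in the new config is a candidate to comment out and retest, restarting Apache between attempts.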