SSL to Apache 1.3
I want to implement SSL on my Apache. I have tried to search for some good howto guides, with no good luck. Do you have some good links in your favourites or other tips?
You need to install the libapache-mod-ssl package. It contains a script called mod-ssl-makecert. By running it, you can get a certificate for your server (Create a 'custom' certificate if you intend to run a real server).
It will ask some questions, first for the fake CA, then for the server. The 'common name' field in the server parameters should be the name of the server.
If you chose to encrypt the certificates, you'll need to supply the correct password upon starting Apache.
After the script exited, you should have these files:
/etc/apache/ssl.key/server.key
/etc/apache/ssl.crt/server.crt
After this, you need to configure Apache to listen on the https port and accept SSL connections. Make sure that /etc/apache/httpd.conf has these lines:
Listen 80
Listen 443
If a Listen line is given, then all ports should be listed; this is why the default 80 is listed, too. Then you need to configure a VirtualHost:
<VirtualHost *:443>
ServerName your.server.name
SSLEngine on
SSLCertificateKeyFile /etc/apache/ssl.key/server.key
SSLCertificateFile /etc/apache/ssl.crt/server.crt
DocumentRoot /var/www/htdocs
</VirtualHost>
You may wish to tune the VirtualHost configuration, but this one is a good start. Note that the browsers will bark at the certificate, saying an unknown CA signed it (which is true), but it will work.
Hope this helps.
I started installing the SSL:
apt-get install libapache-mod-ssl
Everything went great, the package installed and /etc/apache/ssl.key/ etc. was created. But I don't know where this libapache-mod-ssl is located, so I can't run it and make a certificate for my server. Find/locate don't find it.
I also opened port 443 and put the virtual server conf in. Then I restarted Apache:
Failed to start apache :
Starting web server: apacheSyntax error on line 993 of /etc/apache/httpd.conf:
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration failed
Any ideas?
Oh, crap. I forgot one (but certainly important) thing.
After you installed libapache-mod-ssl, you should have a line in your /etc/apache/httpd.conf (or in /etc/apache/modules.conf -- whichever is holding the LoadModule... lines):
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
After it is done, restart apache, and you should be fine. Sorry about this.
With your httpd.conf, my apache starts and runs smoothly. There is one thing, however, you should have a
Listen 80
line in your httpd.conf (The 'Port 80' is not enough), if you want your apache to serve non-https queries.
Actually, the /var/log/apache/error.log file should contain more valuable information, peek at the end of it, and/or paste the last few lines of it to here.
Oh yes. Listen 80... My bad
I now added that and checked that everything is ok. However, there seems to be some problem in the certificate though. I'm now trying to google some info about this:
[Thu Aug 5 09:52:13 2004] [error] mod_ssl: Init: Unable to read server certificate from file /etc/apache/ssl.crt/server.crt
(OpenSSL library error follows)
[Thu Aug 5 09:52:13 2004] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
All those /etc/apache/ssl.* folders and files are located on the server in those dirs. But I haven't manually created any certificate... So I think that's the problem now.
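Added example, not part of the thread and not mod_ssl's own tooling: a small pre-flight check for the three faults reported above (SSL directives without the LoadModule line, Listen lines that omit port 80, and a server.crt that OpenSSL cannot read as an ASN.1 sequence). The names lint and cert_problem are hypothetical, the caller is assumed to pass the combined text of httpd.conf and modules.conf, and the certificate test is structural only (PEM armour, base64, leading SEQUENCE tag), not a validation of the certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_problem(text):
    """None if the PEM body starts with an ASN.1 SEQUENCE, else a reason."""
    m = PEM_RE.search(text)
    if not m:
        return "no PEM CERTIFICATE block"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return "PEM body is not valid base64"
    # d2i_X509 expects DER that opens with the SEQUENCE tag, 0x30.
    if len(der) < 2 or der[0] != 0x30:
        return "body does not start with an ASN.1 SEQUENCE"
    return None

def lint(conf, files):
    """conf: httpd.conf plus modules.conf text; files: {path: content}."""
    rows = [l.split(None, 1) for l in map(str.strip, conf.splitlines())
            if l and not l.startswith("#")]
    rows = [(r[0].lower(), r[1] if len(r) > 1 else "") for r in rows]
    found = []
    uses_ssl = any(name.startswith("ssl") for name, _ in rows)
    loads_ssl = any(name == "loadmodule" and arg.split()[:1] == ["ssl_module"]
                    for name, arg in rows)
    if uses_ssl and not loads_ssl:
        found.append("SSL directives used, but no 'LoadModule ssl_module'")
    # Once any Listen line exists, 'Port 80' alone no longer opens port 80.
    ports = {arg.rsplit(":", 1)[-1] for name, arg in rows if name == "listen"}
    if ports and "80" not in ports:
        found.append("Listen is used, but port 80 is not listed")
    for name, arg in rows:
        if name == "sslcertificatefile":
            why = cert_problem(files.get(arg, ""))
            if why:
                found.append(f"{arg}: {why}")
    return found

# Constructed sample reproducing the three faults reported in the thread.
SAMPLE_CONF = ("Port 80\nListen 443\n<VirtualHost *:443>\nSSLEngine on\n"
               "SSLCertificateFile /etc/apache/ssl.crt/server.crt\n</VirtualHost>\n")
SAMPLE_FILES = {"/etc/apache/ssl.crt/server.crt": ""}  # constructed: empty file

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF, SAMPLE_FILES)))
```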
It now really works!
When it asked those questions, I just accepted the defaults:
1. Country Name (2 letter code) [XY]:
2. State or Province Name (full name) [Snake Desert]:
3. Locality Name (eg, city) [Snake Town]:
4. Organization Name (eg, company) [Snake Oil, Ltd]:
5. Organizational Unit Name (eg, section) [Webserver Team]:
6. Common Name (eg, FQDN) [www.snakeoil.dom]:
7. Email Address (eg, name@fqdn) [www@snakeoil.dom]:
8. Certificate Validity (days) [365]:
Does it have any effect on how this certificate works? My next step is figuring out how to put SSL only in certain directories, like phpMyAdmin etc.
And thanks a lot for helping me with this!
It should not have any effect what you typed as the data of the certificate. I guess the script didn't write the certificates for some mysterious reason....
You can't enable/disable SSL on a per-directory basis. You'll have to make VirtualHosts to achieve this.
Also, note that a physical host can have only one certificate, no matter how many you specify, only the first one will be used (you can't have a certificate for each VirtualHost, to my knowledge).