SSL to Apache 1.3

Kernels & Hardware, configuring network, installing services

SSL to Apache 1.3

Postby root04 » 2004-07-31 23:21

I want to implent SSL to my Apache. I have tryed to search some good howto guides, with no good luck. Do you have some good links in your favourites or other tips?
root04
 
Posts: 18
Joined: 2004-06-23 03:20

Postby lacek » 2004-08-03 09:29

You need to install the libapache-mod-ssl package. It containg a script called mod-ssl-makecert. By running it, you can get a certificate for your server (Create a 'custom' certificate if you intend to run a real server).
It will ask some questions, first for the fake CA, then for the server. The 'common name' field in the server parameters should be the name of the server.
If you chose to encrypt the certificates, you'll need to supply the correct password upon starting Apache.
After the script exited, you should have these files:
/etc/apache/ssl.key/server.key
/etc/apache/ssl.crt/server.crt

After this, you need to configure Apache to listen on the https port and accept SSL connections. Make sure thet /etc/apache/httpd.conf has these lines:
Listen 80
Listen 443

If a Listen line is given, then all ports should be listed, this is why the default 80 is listed, too. Then you need to configure a VirtualHost:
Code: Select all
<VirtualHost *:443>
        ServerName your.server.name
        SSLEngine on
        SSLCertificateKeyFile /etc/apache/ssl.key/server.key
        SSLCertificateFile /etc/apache/ssl.crt/server.crt
        DocumentRoot /var/www/htdocs
</VirtualHost>


You may wish to tune the VirtualHost configuration, but this one is a good start. Note that the browsers will bark at the certificate, saying an unknown CA signed it (which is true), but it will work.

Hope this helps.
lacek
Moderator Team Member
 
Posts: 769
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

Postby root04 » 2004-08-03 17:33

Thanks for your good answer lacek! I will definetly try your howto.
root04
 
Posts: 18
Joined: 2004-06-23 03:20

Postby root04 » 2004-08-04 01:59

I started install the SSL:
apt-get install libapache-mod-ssl

Everything went great, packet installed and /etc/apache/ssl.key/ etc. was created. But i dont know where this libapache-mod-ssl is located so i cant run it and make an certificate to my server. Find/locate dont find it.

I also opened port 443 and put virtual server conf in. Then restart apache:

Failed to start apache :
Starting web server: apacheSyntax error on line 993 of /etc/apache/httpd.conf:
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration failed

Any ideas?
root04
 
Posts: 18
Joined: 2004-06-23 03:20

Postby lacek » 2004-08-04 09:51

Oh, crap. I forgot one (but certainly important) thing.
After you installed libapache-mod-ssl, you should have a line in your /etc/apache/httpd.conf (or in /etc/apache/modules.conf -- whichever is holding the LoadModule... lines):
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

After it is done, restart apache, and you should be fine. Sorry about this.
lacek
Moderator Team Member
 
Posts: 769
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

Postby root04 » 2004-08-04 16:35

Np, im glad of your help :wink:
I did add that loadmodule and error changed to:

Failed to start apache :
Starting web server: apachefailed
Last edited by root04 on 2004-08-06 04:43, edited 1 time in total.
root04
 
Posts: 18
Joined: 2004-06-23 03:20

Postby root04 » 2004-08-04 22:24

And certificates are created correctly:

mod-ssl-makecert
/etc/apache/ssl.crt/server.crt: already present
/etc/apache/ssl.csr/server.csr: already present
/etc/apache/ssl.key/server.key: already present

Still trying to figure this out...
root04
 
Posts: 18
Joined: 2004-06-23 03:20

Postby lacek » 2004-08-05 09:10

With your httpd.conf, my apache starts and runs smoothly. There is one thing, however, you should have a
Listen 80
line in your httpd.conf (The 'Port 80' is not enough), if you want your apache to server non-https querys.

Actually, the /var/log/apache/error.log file should contain more valuable information, peek at the end of it, and/or paste the last few lines of it to here.
lacek
Moderator Team Member
 
Posts: 769
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

Postby root04 » 2004-08-05 09:58

Oh yes. Listen 80... My bad :shock:

I now added that and checked that everything is ok. However, there seems to be some problem in the certificate tho. Im now trying to google some info about this:

[Thu Aug 5 09:52:13 2004] [error] mod_ssl: Init: Unable to read server certificate from file /etc/apache/ssl.crt/server.crt

(OpenSSL library error follows)
[Thu Aug 5 09:52:13 2004] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

All those /etc/apache/ssl.* folders and files are located in the server in those dirs. But i havent manually created any cerficate... So i think thats the problem now.
root04
 
Posts: 18
Joined: 2004-06-23 03:20

Postby lacek » 2004-08-05 10:14

Yes, it seems to be... Try to run mod-ssl-makecert and overwrite the existing ceriticates.
lacek
Moderator Team Member
 
Posts: 769
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

Postby root04 » 2004-08-06 04:42

It now really works! :lol:

When it asked those guestions, i just added defaults:
1. Country Name (2 letter code) [XY]:
2. State or Province Name (full name) [Snake Desert]:
3. Locality Name (eg, city) [Snake Town]:
4. Organization Name (eg, company) [Snake Oil, Ltd]:
5. Organizational Unit Name (eg, section) [Webserver Team]:
6. Common Name (eg, FQDN) [www.snakeoil.dom]:
7. Email Address (eg, name@fqdn) [www@snakeoil.dom]:
8. Certificate Validity (days) [365]:

Does it make any effect on how this certificate works? My next step is figuring out how to put SSL only in certain directories, like phpMyAdmin etc.

And thanks a lot helping me with this!
root04
 
Posts: 18
Joined: 2004-06-23 03:20

Postby lacek » 2004-08-06 08:19

It should not have any effect what you typed as the data of the certificate. I guess the script didin't write the certificates for some misterious reason....

You can't enable/disable SSL on a per-directory basis. You'll have to make VirtualHosts to achieve this.
Also, note that a physical host can have only one certificate, no matter how many you specify, only the first one will be used (you can't have a certificate for each VirtualHost, to my knowledge).
lacek
Moderator Team Member
 
Posts: 769
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

Postby Guest » 2004-08-06 11:45

OK. Well, im gonna search some good virtual host guides now :)
Guest
 


Return to System configuration

Who is online

Users browsing this forum: No registered users and 9 guests

fashionable