Monday, March 27, 2006

Apache+SSL Howtos

If you ever do online banking and notice that all the URLs start with https:// and the browser shows a padlock symbol, well, that's SSL.

In order to tell Apache to include SSL support we need to edit the /etc/apache/httpd.conf file and scroll ALL the way to the bottom. This is where we will uncomment the following line.

change this:
#Include /etc/apache/mod_ssl.conf

to this:
Include /etc/apache/mod_ssl.conf


NOTE: The above assumes that your distribution has shipped with mod_ssl and httpd installed. If you installed from source or your distribution does not contain both of these, this LinuxAnswer will not apply to you.

Once that is done you need to make a simple edit to the /etc/rc.d/rc.httpd file so that the apache server knows you want to startup with SSL support.

change this:
'start')
/usr/sbin/apachectl start ;;

to this:
'start')
/usr/sbin/apachectl startssl ;;


Now all that's left is to set up the SSL certs. If you don't really care about having official certs, Slackware comes with pre-made ones (I use these), but if you ran a legitimate production webserver you would probably want to spend the money and have real certs issued. You also have the option of creating your own self-signed certs; if you are interested in that, jump all the way to the bottom of this Howto. Anyway, to use the pre-made certs run the following commands and say yes to overwrite:

cp /etc/apache/ssl.crt/snakeoil-rsa.crt /etc/apache/ssl.crt/server.crt
cp /etc/apache/ssl.key/snakeoil-rsa.key /etc/apache/ssl.key/server.key


Now all that's left to do is restart the Apache server:

/etc/rc.d/rc.httpd restart


If you want to make sure that SSL is working correctly run this command:

netstat -tpan | grep 443


If everything is working correctly, you should get output that looks like the following:

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 27426/httpd


If you don't get any output at all, then something went wrong and you need to look at your /var/log/apache/error_log file.

Now that SSL is all set up, you are going to want to tell Apache what to serve up when somebody connects using https://. This is done by the VirtualHost directive, and the one pertaining to SSL connections can be found in the /etc/apache/mod_ssl.conf file. The default looks like this, and you will certainly need to change some of the settings.

# General setup for the virtual host
DocumentRoot "/var/www/htdocs"
ServerName new.host.name
ServerAdmin you@your.address
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
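As an added example (not the stanza from the post or from Slackware's mod_ssl.conf), here is what that part of the SSL virtual host looks like once the placeholder values are filled in. The hostname, admin address and the SSLEngine/SSLCertificate* lines are assumptions: the directives are standard mod_ssl ones, and the certificate and key paths are the two files the copy commands earlier in this Howto write to, so whichever of the snakeoil or self-signed options you pick, mod_ssl loads the same pair.

```apache
<VirtualHost _default_:443>
    # General setup for the virtual host (values are placeholders you replace)
    DocumentRoot "/var/www/htdocs"
    ServerName www.mywebserver.com
    ServerAdmin webmaster@mywebserver.com
    ErrorLog /var/log/apache/error_log
    TransferLog /var/log/apache/access_log

    # Assumed mod_ssl directives: turn SSL on for this vhost and point it at the
    # cert/key pair that the cp commands in this Howto install.
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
</VirtualHost>
```

If ServerName does not match the Common Name you put in the certificate, browsers will warn on every visit even though the cert itself is valid, so keep the two in step.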


And finally, if you want to create your own self-signed certs and not use the ones that come with Slackware, that's easy to do as well. I got the following commands from http://www.apache-ssl.org/#FAQ

Step one - create the key and request:

openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional):

openssl rsa -in privkey.pem -out new.cert.key

Step three - convert request into signed cert:

openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1825

Step four - copy the cert and key to the appropriate places

cp new.cert.cert /etc/apache/ssl.crt/server.crt
cp new.cert.key /etc/apache/ssl.key/server.key


A few things to note:

When asked for the Common Name in step one, be sure to enter the FQDN of your webserver, e.g. www.mywebserver.com

When asked for a challenge password in step one, just press enter

If you don't remove the passphrase from the key in Step two, you will be prompted to enter a password every time you run /etc/rc.d/rc.httpd start. This means if your box reboots for some reason, your webserver won't start unless you are there to provide the passphrase.
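The four steps and the notes above, as one added example script (not from the post or from apache-ssl.org). It runs the same openssl commands non-interactively: -subj supplies the Common Name instead of the prompts, -passout supplies the passphrase that "openssl req -new" would otherwise ask for, and step two strips it again exactly as the post does. Before anything is copied into place it checks that the certificate's public key really belongs to new.cert.key and that the stripped key loads with no passphrase, which is the condition for httpd starting unattended after a reboot. WORKDIR, CN and the install directory are assumptions you set; the /etc/apache paths are the ones used throughout this Howto.

```shell
#!/bin/sh
# Added example: steps one to four of the self-signed cert procedure, plus
# sanity checks on the result. Assumes openssl is on PATH.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # assumption: scratch directory for the files
CN="${CN:-www.example.com}"             # assumption: your webserver's FQDN
DAYS=1825                               # same lifetime as step three
TMP_PASS="only-for-this-run"            # constructed passphrase for step one

make_selfsigned() {
  # Step one: key and request. -subj answers the prompts (Common Name = FQDN,
  # no challenge password), -passout gives the passphrase req would ask for.
  openssl req -new -newkey rsa:2048 -subj "/CN=$CN" \
    -passout "pass:$TMP_PASS" -keyout "$WORKDIR/privkey.pem" \
    -out "$WORKDIR/new.cert.csr" 2>/dev/null
  # Step two: strip the passphrase so rc.httpd can start without a human present.
  openssl rsa -in "$WORKDIR/privkey.pem" -passin "pass:$TMP_PASS" \
    -out "$WORKDIR/new.cert.key" 2>/dev/null
  # Step three: self-sign the request for 1825 days.
  openssl x509 -req -in "$WORKDIR/new.cert.csr" -signkey "$WORKDIR/new.cert.key" \
    -days "$DAYS" -out "$WORKDIR/new.cert.cert" 2>/dev/null
  # Private keys are readable by root only.
  chmod 600 "$WORKDIR/privkey.pem" "$WORKDIR/new.cert.key"
}

# Returns 0 only when: the cert's subject carries the expected CN, the public key
# inside the cert is the one derived from new.cert.key (a mismatched pair makes
# mod_ssl refuse to start), and the stripped key loads without a passphrase.
verify_pair() {
  openssl x509 -in "$WORKDIR/new.cert.cert" -noout -subject \
    | grep -q "CN *= *$CN" || return 1
  cert_pub=$(openssl x509 -in "$WORKDIR/new.cert.cert" -noout -pubkey)
  key_pub=$(openssl rsa -in "$WORKDIR/new.cert.key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl rsa -in "$WORKDIR/new.cert.key" -check -noout >/dev/null 2>&1
}

# Step four: copy the pair into the Slackware Apache layout used in this Howto.
install_pair() {
  dest="${1:-/etc/apache}"   # assumption: config root from the post
  cp "$WORKDIR/new.cert.cert" "$dest/ssl.crt/server.crt"
  cp "$WORKDIR/new.cert.key"  "$dest/ssl.key/server.key"
  chmod 600 "$dest/ssl.key/server.key"
}

# Usage: sh selfsigned.sh run [/etc/apache]
if [ "${1:-}" = "run" ]; then
  make_selfsigned && verify_pair && install_pair "${2:-/etc/apache}"
fi
```

Running the checks before the copy is the point of the script: if verify_pair fails you still have the working snakeoil pair in place, instead of a webserver that will not come up after the next reboot.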

1 comment:

Anonymous said...

hi unix nice posts man liked ur spirit hoping to get you continued here