
Bug#267477: Suggested steps which should be used and my detailed notes RE getting SSL over Apache2 on a vanilla Etch machine

From: Maybach Admin <maybachadmin(at)maybach.freewayprojects.com>
Date: Wed Aug 22 2007 - 13:24:35 EDT


I agree that it should be easier to get Apache2 working over SSL.

These are what I would suggest to be the steps needed to enable Apache2 over SSL.

Create the certificate...

# apache2-ssl-certificate

Enable the SSL mod...

# a2enmod ssl

Enable the default SSL site

# a2ensite default-ssl

These steps should be in the default Apache2 README Debian file. I feel that these are reasonable steps for an admin to carry out. Obviously the certificate could be changed at a later date.

Now to get Apache2 to use SSL on the current Etch we have to create a couple of files and directories - I've pasted my twiki style notes for getting SSL to work on Apache2 at the end of this email.

Note - my method adds a new site to the default site which listens on 443 - I would propose that a better way would be to create a site called default-ssl and this site is enabled by the a2ensite command. Also, my method has GB for the locale - obviously this should be changed by the install script to the user's locale.

These are my notes for getting SSL to work with the current version of Apache2 on Etch...

-------------------------8<-------------------------------

---+++ Setting up Apache2 to use ssl

The following instructions were used to run ssl on a standard Etch install.

Etch does not have the directory /etc/apache2/ssl

This needs to be created with ownership and permissions of

drwxr-xr-x root root

Etch also needs the script /usr/sbin/apache2-ssl-certificate created with ownership root:root and permissions of 766.

The contents of this file should be

<verbatim>
#!/bin/sh -e

if [ "$1" != "--force" -a -f /etc/apache2/ssl/apache.pem ]; then
  echo "/etc/apache2/ssl/apache.pem exists! Use \"$0 --force.\""
  exit 0
fi

if [ "$1" = "--force" ]; then
  shift
fi

echo
echo creating selfsigned certificate
echo "replace it with one signed by a certification authority (CA)"
echo
echo enter your ServerName at the Common Name prompt
echo
echo If you want your certificate to expire after x days call this program
echo with "-days x"

# use special .cnf, because with normal one no valid selfsigned
# certificate is created
export RANDFILE=/dev/random
openssl req $@ -config /usr/share/apache2/ssleay.cnf \
  -new -x509 -nodes -out /etc/apache2/ssl/apache.pem \
  -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
ln -sf /etc/apache2/ssl/apache.pem \
  /etc/apache2/ssl/`/usr/bin/openssl \
  x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0
</verbatim>

Etch also needs to have the file /usr/share/apache2/ssleay.cnf which should have ownership of root:root and permissions of 644

The contents of this file should be

<verbatim>

#
# SSLeay example configuration file.
#

RANDFILE                = $ENV::HOME/.rnd

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = GB
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

organizationName                = Organization Name (eg, company; recommended)
organizationName_max            = 64

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_max      = 64

commonName                      = server name (eg. ssl.domain.tld; required!!!)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40

</verbatim>

The rest of the instructions are:

run
<verbatim>

# apache2-ssl-certificate
</verbatim>

and respond to the prompts to create the certificate.

run
<verbatim>

# a2enmod ssl
</verbatim>

to enable the ssl mod

then run
<verbatim>

# /etc/init.d/apache2 force-reload
</verbatim>

as asked.

Edit /etc/apache2/ports.conf and add a new line Listen 443

Make sure a new line character has been added after this line. This may not be needed but better to be safe.

Then modified /etc/apache2/sites-available/default to basically add the ssl site to the default setup.

The original block is copied and the port numbers added but it is important to add the lines

<verbatim>

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem

</verbatim>

to the second section.

This configuration basically means that the original site will be served up over ssl (i.e. https)

This is the new /etc/apache2/sites-available/default file:

<verbatim>
NameVirtualHost *:80
<VirtualHost *:80>

        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>

        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

        # Added to enable ssl.
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem

</VirtualHost>
</verbatim>

Then restarted the Apache server with
<verbatim>

# apache2ctl graceful
</verbatim>

The default page was then available at

http://server.example.com

and

https://server.example.com

-------------------------8<-------------------------------

Hope my notes help towards a satisfactory resolution of this bug.

Kev

-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Wed Aug 22 13:28:25 2007
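An added check for the combined key+certificate file that the apache2-ssl-certificate script in the message above produces (this is example code, not part of the bug report or of Debian's package). It assumes openssl and stat are on PATH; make_test_pem builds such a file with a 2048-bit key instead of the 1024-bit default in the posted ssleay.cnf, and check_apache_pem verifies the 0600 mode, that the private key matches the certificate, and that the certificate has not expired.

```shell
#!/bin/sh
# Added example, not part of the bug report: sanity-check the combined
# key+certificate file that apache2-ssl-certificate writes (the notes use
# /etc/apache2/ssl/apache.pem). Assumes openssl and stat are on PATH.

# make_test_pem DIR CN DAYS: build a combined key+cert file the way the
# posted script does, but with a 2048-bit key; prints the file's path.
make_test_pem() {
  mkdir -p "$1"
  openssl req -new -x509 -nodes -days "$3" -newkey rsa:2048 \
    -subj "/C=GB/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  cat "$1/key.pem" "$1/cert.pem" > "$1/apache.pem"
  rm -f "$1/key.pem" "$1/cert.pem"
  chmod 600 "$1/apache.pem"
  echo "$1/apache.pem"
}

# check_apache_pem FILE: returns 0 only if FILE is mode 0600 (it holds the
# private key), the key's public half matches the certificate, and the
# certificate has not expired; prints the first failing check otherwise.
check_apache_pem() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600"; return 1; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) \
    || { echo "$1: no certificate found"; return 1; }
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) \
    || { echo "$1: no private key found"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "$1: private key does not match certificate"; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo "$1: certificate has expired"; return 1; }
  echo "$1: ok"
}
```

Run `check_apache_pem /etc/apache2/ssl/apache.pem` after the certificate step; a non-zero exit with the printed reason tells you which of the three conditions the file fails before Apache is reloaded.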
This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:57:15 EDT
