Apache with mod_ssl on lenny / etch

From: David <david_moerike(at)arcor.de>
Date: Mon Jun 16 2008 - 02:23:41 EDT


For a long time I could not get Apache2 to run with SSL using a self-signed test certificate,
but the book by Mohammed J. Kabir and some trial and error helped. I hope the following is useful:

== 1. Generate key ==
david@debian:~/ssl.ca-0.1$ openssl genrsa -des3 -out ca.key 2048 -rand /dev/urandom
Generating RSA private key, 2048 bit long modulus
.......+++
.........................................................................+++

e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

== 2. After downloading ssl.ca-0.1.tar.gz from http://www.openssl.contrib and extracting it ==

=== 1. Sign key ===
david@debian:~/ssl.ca-0.1$ ./new-root-ca.sh
./new-root-ca.sh

Self-sign the root CA...
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [MY]:de
de
State or Province Name (full name) [Perak]:.
.

Locality Name (eg, city) [Sitiawan]:.
.

Organization Name (eg, company) [My Directory Sdn Bhd]:.
.

Organizational Unit Name (eg, section) [Certification Services Division]:.
.

Common Name (eg, MD Root CA) []:

Email Address []:david_moerike@arcor.de
david_moerike@arcor.de

=== 2. Generate server (test!!!) certificate ===

david@debian:~/ssl.ca-0.1$ ./new-server-cert.sh server
./new-server-cert.sh server

No server.key round. Generating one
Generating RSA private key, 1024 bit long modulus
.....++++++
.....................++++++

e is 65537 (0x10001)

Fill in certificate data
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [MY]:de
de
State or Province Name (full name) [Perak]:.
.

Locality Name (eg, city) [Sitiawan]:.
.

Organization Name (eg, company) [My Directory Sdn Bhd]:.
.

Organizational Unit Name (eg, section) [Secure Web Server]:.
.

Common Name (eg, www.domain.com) []:localhost
localhost
Email Address []:david_moerike@arcor.de
david_moerike@arcor.de

You may now run ./sign-server-cert.sh to get it signed

=== 3. Self-sign self-made certificate ===

david@debian:~/ssl.ca-0.1$ ./sign-server-cert.sh server
./sign-server-cert.sh server

CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'de'
commonName            :PRINTABLE:'localhost'
emailAddress          :IA5STRING:'david_moerike@arcor.de'
Certificate is to be certified until Jun 15 19:22:48 2009 GMT (365 days)
Sign the certificate? [y/n]:y
y

1 out of 1 certificate requests certified, commit? [y/n]y
y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

david@debian:~/ssl.ca-0.1$

== Here follows my /etc/apache2/conf.d/ssl ==

== Note: in Kabir's book some things are in <IfDefine SSL> and some in
<IfModule mod_ssl.c>, and this does not work - don't worry and put everything in
<IfModule mod_ssl.c> ==

<IfModule mod_ssl.c>

  SSLMutex file:/var/log/apache2/ssl_mutex

  <VirtualHost localhost:443>

    DocumentRoot "/var/www/secure"
    ServerName "localhost"

    SSLCertificateFile "conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "conf/ssl.key/server.key"

    SSLEngine on

    LogLevel debug

  </VirtualHost>

</IfModule>

== _default_:443 doesn't work!! ==

== Open question: when and for what is SSLMutex necessary? ==

cp server.key /etc/apache2/conf/ssl.key
cp server.crt /etc/apache2/conf/ssl.crt
cd /etc/apache2/conf
chmod 400 ssl.key/server.key
chmod 500 ssl.key

== Note: conf and not conf.d - everything in conf.d is interpreted
as httpd.conf syntax and therefore gives errors! ==

== And to get mod_ssl loaded ==

cd /etc/apache2/conf.d/mods-enabled
ln -s ../mods-available/ssl.load
ln -s ../mods-available/ssl.conf

== File written: /var/www/secure/index.html ==

== And restart apache2

No building from source is necessary! ==

David

Received on Mon Jun 16 02:25:26 2008

This archive was generated by hypermail 2.1.8 : Tue Jul 29 2008 - 21:40:05 EDT
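
Added example, not part of the original post: a POSIX shell check for the files installed by the steps above, covering the modes set by the chmod commands, whether server.crt and server.key belong together, the CA verification that sign-server-cert.sh prints, and the RSA key size (the transcript shows 1024 bits for server.key). The function names are hypothetical, and GNU stat and the openssl command line tool are assumed.

```shell
#!/bin/sh
# Added example: post-install checks for the files copied in the post.
# Function names are hypothetical; file paths are passed as arguments.

# True if FILE ($1) has exactly octal mode $2, e.g. 400 (GNU stat, as on Debian).
mode_is() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# True if certificate $1 and private key $2 hold the same public key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if certificate $2 verifies against CA certificate $1; matches on the
# "server.crt: OK" style line that sign-server-cert.sh also prints.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the public-key size in bits of certificate $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Run all checks; print one line per problem, return non-zero if any was found.
# Args: key directory, key file, server certificate, CA certificate.
audit_tls_files() {
    rc=0
    mode_is "$1" 500 || { echo "key dir $1: mode is not 500"; rc=1; }
    mode_is "$2" 400 || { echo "key $2: mode is not 400"; rc=1; }
    cert_matches_key "$3" "$2" || { echo "cert and key do not match"; rc=1; }
    chains_to_ca "$4" "$3" || { echo "cert does not verify against CA"; rc=1; }
    bits=$(cert_key_bits "$3")
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is ${bits:-?} bits (< 2048)"; rc=1; }
    return $rc
}
```

For the layout in the post, the arguments would be /etc/apache2/conf/ssl.key, /etc/apache2/conf/ssl.key/server.key, /etc/apache2/conf/ssl.crt/server.crt and the CA certificate written by new-root-ca.sh.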

