Apache 2 with SSL


Couldn’t find any decent instructions for adding HTTPS to an Apache 2.0.52 server, so I thought that I would write my own:

First, download the latest versions of OpenSSL and Apache into your src directory (not as root):

wget http://www.openssl.org/source/openssl-0.9.7e.tar.gz
wget http://www.mirror.ac.uk/mirror/ftp.apache.org/httpd/httpd-2.0.52.tar.bz2

First we have to make and install OpenSSL:

tar -xvzf openssl-0.9.7e.tar.gz
cd openssl-0.9.7e
./config
make
make test
su -c "make install"

This will have built and installed a base version of OpenSSL in /usr/local/ssl. You can put the bin subdirectory in your PATH, but as we don’t need it very often there is little point.

Now we get to configure and install Apache. Stop the old version of Apache that you have (su -c "apachectl stop"), cd to the directory that contains the source file and:

bzip2 -dc httpd-2.0.52.tar.bz2 | tar xf -
cd httpd-2.0.52
./configure --enable-layout=Debian --enable-mods-shared=most --with-mpm=prefork --with-ssl=/usr/local/ssl --enable-ssl=static
make
su -c "make install"

So that’s installed Apache 2.0.52, the latest version. It should also have picked up your config file and will run the site normally with no problem, but obviously we want to get HTTPS to work, which means creating our server certificate.

So let’s create it (this might be easier to do as superuser):

mkdir /etc/apache2/ssl.key
cd /etc/apache2/ssl.key
/usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024

It will ask you for a passphrase; type in something that you will remember. 1024 bits is the recommended size for browsers. Then issue the following command, but when you are asked for “CommonName” put in the name that you will type to view your page in your browser. It doesn’t have to be a domain name; I typed in the IP address of my server with no problems.

openssl req -new -key server.key -out server.csr

So that’s the request created. This is normally where we would send off the .csr to Verisign or somewhere expensive, but let’s self-sign it ourselves by issuing:

openssl x509 -req -days 3650 -set_serial 1 -in server.csr -signkey server.key -out server.crt

And that’s created the certificate for us to use. The browser will prompt us because we are not a trusted certificate authority, but that doesn’t matter. All we have to do now is make sure the Apache config files are set up correctly.

su -c "vi /etc/apache2/ssl.conf"

The entry for SSLCertificateFile should be:

SSLCertificateFile /etc/apache2/ssl.key/server.crt

and for SSLCertificateKeyFile:

SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Now just set up the VirtualHost directive, replacing the existing one with:

DocumentRoot "/yourwebserver/root"
ServerAdmin email@email.com

Now save it and issue:

su -c "apachectl startssl"

It will ask you for your passphrase (I am sure that there is a way around this, but for now it’s good enough for me); it should then start up. If it doesn’t start up and throws up an error about x509 certs, you haven’t compiled SSL as a static module in Apache. If it can’t find the certificate, that means the certificate is not in the place that it thought it would be.
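Before starting Apache it helps to confirm that server.key and server.crt actually belong together, that the CommonName is the name you will type in the browser, and that the certificate has not expired. The script below is an added example, not part of the original instructions: the function names and the throwaway files in a temp directory are constructed for illustration, and the sample key is generated without a passphrase so the script runs unattended (with the -des3 key above, openssl will prompt for it).

```shell
#!/bin/sh
# Added example: sanity-check a key/certificate pair before starting Apache.
# Function names and the sample files below are constructed for illustration.

# Print the RSA modulus of a private key or a certificate ($1 = rsa | x509).
modulus() { openssl "$1" -in "$2" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'; }

# Print the CommonName from the certificate subject.
# Handles both "subject= /CN=name" and "subject=CN = name" output styles.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }

# check_pair KEY CRT NAME
# returns 0 = ok, 1 = key does not match cert, 2 = CN is not NAME, 3 = expired
check_pair() {
    km=$(modulus rsa "$1"); cm=$(modulus x509 "$2")
    [ -n "$km" ] && [ "$km" = "$cm" ] || return 1
    [ "$(cert_cn "$2")" = "$3" ] || return 2
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || return 3
    # Each hex digit of the modulus is 4 bits, so this is the key size.
    echo "ok: $(( ${#km} * 4 ))-bit RSA key, CN=$3"
}

# Constructed sample: a throwaway self-signed pair plus an unrelated key,
# built with the same req / x509 -signkey steps as above.
demo=$(mktemp -d)
openssl genrsa -out "$demo/server.key" 2048 2>/dev/null
openssl req -new -key "$demo/server.key" -subj "/CN=192.0.2.10" -out "$demo/server.csr"
openssl x509 -req -days 1 -set_serial 1 -in "$demo/server.csr" \
    -signkey "$demo/server.key" -out "$demo/server.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null

check_pair "$demo/server.key" "$demo/server.crt" 192.0.2.10
check_pair "$demo/other.key" "$demo/server.crt" 192.0.2.10 || echo "mismatch detected ($?)"
```

Against the real files, call check_pair with /etc/apache2/ssl.key/server.key, /etc/apache2/ssl.key/server.crt and the name or IP address you entered as CommonName.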

Try it out by connecting with a browser…
