SSL secured HackNBlog / apache SSL HOWTO

I decided to enable SSL-secured access to this server. The system running Salamanteri is Fedora 7 Linux + Apache 2 (at the moment of writing), so at least with Fedora 7 anything I did should work for you too. Yes, I wrote a description for those webmasters without knowledge about everything (it should be easy enough to adapt my “guide” for other distributions or unixes).

Whatever your reason might be to connect securely (https://salamanteri.homelinux.net/wordpress/), my reason was gaining a way to log in securely to the administration page without a separate ssh tunnel.

How to do it?

You need to have apache installed with the mod_ssl plugin - depending on the distro they might be provided as separate packages or both in the apache binary package. I noticed that my apache was already set up to serve https connections on port 443 (that port, however, was not open for anything but localhost).

I tested whether it worked, and it did, but the certificates had expired - and since I hadn’t set up SSL myself these were clearly Fedora’s sample certificates. I googled renewing certificates and found an old manual for Red Hat Enterprise Linux (link to RHEL-guide). It was good enough - Fedora 7 had some files in different locations, but they were easily located, so…

I needed to renew the certificate. In this case I only made a self-signed cert, not a CA-signed one, so the user will receive a notice that it can’t be verified and be asked whether he trusts and accepts the certificate.

Noteworthy, these are the important lines from my /etc/httpd/conf.d/ssl.conf (it should come readily set up well, so I only show the subject-relevant lines):

<VirtualHost _default_:443>
#   Enable/Disable SSL for this virtual host.
SSLEngine on
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# List the ciphers that the client is permitted to negotiate.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
### Following two options were my hints as where the
### certificates were located on my server (Fedora 7):
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
# IE has problems, huh? No surprise.
</VirtualHost>
  • So I changed directory with cd /etc/pki/tls/certs/ (which in the RHEL manual was /etc/httpd/conf/).
  • Removed the fake sample certificates:
     rm localhost.crt
    rm ../private/localhost.key
    (in RHEL 3 these were rm ssl.key/server.key and rm ssl.crt/server.crt).
  • cd to the directory with the Makefile for creating SSL certificates. This step became obsolete in Fedora 7, as the Makefile and the certificates were in the same directory, the one I was in already (in RHEL 3 apparently the directory was /usr/share/ssl/certs/).
  • I then ran make genbuild, as was said in the manual. Got the following output:
     [root@salamanteri certs]# make genkey
    umask 77 ; \
    /usr/bin/openssl genrsa -des3 1024 > /etc/pki/tls/private/localhost.key
    Generating RSA private key, 1024 bit long modulus
    ....................++++++
    .++++++
    e is 65537 (0x10001)
    Enter pass phrase:
    …at which point I had to enter a password (apparently asked every time you start the secure server). Twice, naturally. Now I had a private key made.
  • Then I continued to create a self-signed certificate. Of course “a self-signed certificate does not provide the security guarantees of a CA-signed certificate.”, but I’m willing to compromise here (and other users will just have to trust me).
    I went with the RHEL manual and ran make testcert; it produced some output, of which I wrote down the highlights:
    First I was asked the private key’s password again, then I was asked the following questions (my replies in bold - almost, anyway):
     Country Name (2 letter code) [GB]:FI
    State or Province Name (full name) [Berkshire]:Uusimaa
    Locality Name (eg, city) [Newbury]:Helsinki
    Organization Name (eg, company) [My Company Ltd]:Salamanteri
    Organizational Unit Name (eg, section) []:hacking
    Common Name (eg, your name or your server's hostname) []:salamanteri.homelinux.net
    Email Address []:robsku@fiveam.org
    …and even though I wrote “Salamanteri” as the “Company Name”, there is no such company; Salamanteri is just the name of my server… (you can answer ‘.’ to leave a field blank).
  • What was left was restarting apache with /etc/init.d/httpd restart … which then asks for the password given earlier for the private key encryption! An unfortunate side effect is that you will be asked for the password whenever you (re)start apache (the RHEL manual mentioned a way to make it start without the password, but I was not interested. They also recommended against it…)
  • Finally it was set up; I tried loading https://salamanteri.homelinux.net/wordpress/. Sure enough Firefox warned me that the certificate could not be verified (this is because of using a self-signed certificate) - after accepting the certificate the blog main page was loaded.
  • Last but not least! I don’t suppose that starting httpd at non-interactive system boot-up would work well… So I entered chkconfig httpd off to disable starting httpd at boot (on some distros the command is different; I know RH & Fedora have it and Debian for one does not - however even a first-timer with httpd should know how to set boot-up services on/off on their own system, so I’m not worried).
    Unfortunately that means (in the rare case of a system reboot) having to log in as root first, run /etc/init.d/httpd start and log off - every time the system has been rebooted.
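For anyone who wants to script the make genkey / make testcert steps above instead of answering prompts, here is the non-interactive openssl equivalent followed by the checks worth running before pointing SSLCertificateFile and SSLCertificateKeyFile at the result. This is an added example, not anything from the original post or Fedora’s Makefile: it assumes openssl is installed, WORKDIR, KEYPASS and the subject fields are constructed, and it uses a 2048-bit key instead of the 1024-bit one shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive equivalent of
# "make genkey" + "make testcert", plus the checks to run on the result.
# Assumes openssl is installed; WORKDIR, KEYPASS and the subject are constructed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/localhost.key"
CRT="$WORKDIR/localhost.crt"
KEYPASS="${KEYPASS:-constructed-example-passphrase}"
# Subject built from the same fields that make testcert prompts for.
SUBJECT="/C=FI/ST=Uusimaa/L=Helsinki/O=Salamanteri/OU=hacking/CN=salamanteri.homelinux.net"

# Generate a pass-phrase protected 2048-bit RSA key and a self-signed
# certificate valid for one year; umask 77 keeps the key readable by root only.
gen_selfsigned() {
    ( umask 77
      openssl req -x509 -newkey rsa:2048 -days 365 -subj "$SUBJECT" \
          -passout "pass:$KEYPASS" -keyout "$KEY" -out "$CRT" >/dev/null 2>&1 )
}

# Check 1: the key on disk really is encrypted (this is why httpd prompts).
key_is_encrypted() {
    grep -q ENCRYPTED "$KEY"
}

# Check 2: the certificate's Common Name is the hostname clients will use.
cert_cn() {
    openssl x509 -in "$CRT" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Check 3: the private key and certificate belong together
# (compare the public key embedded in each of them).
key_matches_cert() {
    [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEY" -passin "pass:$KEYPASS" -pubout 2>/dev/null)" ]
}

# Check 4: the certificate is still valid N seconds from now (default 30 days);
# this is the check that would have caught the expired Fedora sample cert.
cert_not_expiring() {
    openssl x509 -in "$CRT" -noout -checkend "${1:-2592000}" >/dev/null
}
```

Run gen_selfsigned once, then the four check functions; any non-zero exit means the files are not ready for ssl.conf.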

Afterword

Got any questions, comments, or a small guide on how & where you do these steps on another *nix system? Send whatever is on your mind (no spam ;) ) with the comment form below.

Resources:

admin

Author is a 29 years old linux zealot and hacker from Finland.


3 Responses to “SSL secured HackNBlog / apache SSL HOWTO”

  1. Ronny Says:

    “relevan”?

  2. Robsku Says:

    @Ronny:
    Thanks for noticing & notifying, the typo is now fixed (”relevan” -> “relevant”).

  3. johnny Says:

    vViFnH Thanks for good post
