Apache SSL HOWTO
This page used to be just a note that the guide is posted as a blog entry, but thanks to the Inline Posts plugin for WordPress, the post with the guide is now included right below:
I decided to enable SSL-secured access to this server. The system running Salamanteri is Fedora 7 Linux + Apache 2 (at the moment of writing), so at least with Fedora 7 anything I did should work for you too. Yes, I wrote the description for webmasters who do not already know everything; it should be easy enough to adapt this "guide" to other distributions or unixes.

Whatever your reason for wanting to connect securely (https://salamanteri.homelinux.net/wordpress/), mine was a way to log in to the administration page securely without a separate ssh tunnel. How to do it? You need Apache installed with the mod_ssl module; depending on the distro they may be separate packages or both in the Apache binary package. I noticed that my Apache was already set up to serve https connections on port 443 (which however was not open to anything but localhost). I tried it and it worked, but the certificate had expired, and since I had not set up SSL myself these were clearly Fedora's sample certificates. I googled renewing certificates and found an old manual for Red Hat Enterprise Linux (link to RHEL-guide). It was good enough: Fedora 7 had some files in different locations, but they were easily located. So I needed to renew the certificate.

In this case I only made a self-signed certificate, not a CA-signed one, so the user receives a notice that it cannot be verified and is asked whether to trust and accept it. Keep in mind what that trade-off means: a self-signed certificate still encrypts the connection, but the browser has no way to tell this certificate from one an attacker substituted on the path, so the warning only protects users who compare the certificate's fingerprint with one obtained out of band before accepting it.

These are the important lines from my /etc/httpd/conf.d/ssl.conf (it should come readily set up, so I only show the relevant lines). Note that the SSLProtocol and SSLCipherSuite values below are Fedora 7's defaults from 2007: SSLv3 and TLS 1.0, and the RC4, LOW and MEDIUM cipher groups the list admits, are all considered broken today, so on a current server restrict the protocol to TLS 1.2 and later and the cipher list to ECDHE/AEAD suites.
<VirtualHost _default_:443>
# Enable/Disable SSL for this virtual host.
SSLEngine on
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# List the ciphers that the client is permitted to negotiate.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
### Following two options were my hints as where the
### certificates were located on my server (Fedora 7):
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# IE has problems, huh? No surprise.
</VirtualHost>
- So I changed directory with
cd /etc/pki/tls/certs/
(which in the RHEL manual was /etc/httpd/conf/).
- Removed the fake sample certificates:
rm localhost.crt
rm ../private/localhost.key
(in RHEL-3 these were rm ssl.key/server.key and rm ssl.crt/server.crt).
- cd to the directory with the Makefile for creating SSL certificates. This step became obsolete in Fedora 7, as the Makefile lives in the same directory as the certificates, the one I was already in (in RHEL-3 the directory was apparently /usr/share/ssl/certs/).
- I then ran make genkey, as the manual said. Got the following output:
[root@salamanteri certs]# make genkey
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/pki/tls/private/localhost.key
Generating RSA private key, 1024 bit long modulus
....................++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase:
…at which point I had to enter a password (apparently asked every time you start the secure server). Twice, naturally. Now I had a private key. Note what the Makefile generated: a 1024-bit RSA key, which is below the 2048-bit minimum that CAs and browsers have enforced for years, and a key encrypted with 3DES (-des3). On a current system generate at least 2048 bits.
- Then I continued to create the self-signed certificate. Of course "a self-signed certificate does not provide the security guarantees of a CA-signed certificate," but I'm willing to compromise here (and other users will just have to trust me).
I went with the RHEL manual and ran make testcert. It produced some output; I wrote down the highlights. First I was asked the private key's password again, then I was asked the following questions (my replies in bold - almost anyway):
Country Name (2 letter code) [GB]:FI
State or Province Name (full name) [Berkshire]:Uusimaa
Locality Name (eg, city) [Newbury]:Helsinki
Organization Name (eg, company) [My Company Ltd]:Salamanteri
Organizational Unit Name (eg, section) []:hacking
Common Name (eg, your name or your server's hostname) []:salamanteri.homelinux.net
Email Address []:robsku@fiveam.org
…and even though I wrote "Salamanteri" as the Organization Name there is no such company; Salamanteri is just the name of my server (you can answer '.' to leave a field blank). The Common Name must be the hostname users type into the browser, exactly as here; a certificate whose name does not match the URL triggers a second, different warning.
- What was left was restarting Apache with
/etc/init.d/httpd restart
…which then asks for the password given earlier for the private key encryption. An unfortunate side effect is that you will be asked for the password whenever you (re)start Apache (the RHEL manual mentioned a way to make it start without the password, but I was not interested; they also recommended against it).
- Finally it was set up. I tried loading https://salamanteri.homelinux.net/wordpress/. Sure enough Firefox warned me that the certificate could not be verified (because of the self-signed certificate); after accepting the certificate the blog main page loaded.
- Last but not least! I don't suppose that starting httpd at a non-interactive system boot would work well, so I entered
chkconfig httpd off
to disable starting httpd at boot (on some distros the command is different; I know RH & Fedora have it and Debian for one does not, but even a first-timer with httpd should know how to turn boot-up services on and off on their own system, so I'm not worried).
Unfortunately that means (in the rare case of a system reboot) having to log in as root first, run /etc/init.d/httpd start and log off, every time the system has been rebooted.
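The same procedure as a script, added here as an example; it is not part of the original post and not Fedora's Makefile. It assumes openssl 1.1.1 or later in PATH (for -addext) and writes under a hypothetical directory $OUT (default ./ssl-demo) standing in for /etc/pki/tls, so it can be run as an unprivileged user; the hostname defaults to the one in the post and the validity (-days 365) and cipher list are my choices. It departs from the post in three ways that matter today: a 2048-bit key, a subjectAltName (modern browsers ignore the Common Name), and a key generated without a passphrase (-nodes) so that httpd can start at boot, which trades the passphrase prompt the post describes for strict file permissions on the key. It also checks that key and certificate belong together before httpd is restarted, shows that the self-signed certificate verifies only when explicitly trusted (which is what the Firefox warning means), and writes a vhost fragment with the protocol and cipher directives from the ssl.conf above replaced by TLS 1.2+ and AEAD suites.

```shell
#!/bin/sh
# Added example (not from the original post or Fedora's Makefile).
# Assumes: openssl >= 1.1.1 in PATH; OUT is a hypothetical writable
# directory standing in for /etc/pki/tls; HOST is the vhost's FQDN.
OUT="${OUT:-./ssl-demo}"
HOST="${HOST:-salamanteri.homelinux.net}"
KEY="$OUT/private/localhost.key"
CRT="$OUT/certs/localhost.crt"

# Hardened replacements for the post's "SSLProtocol all -SSLv2" and its
# RC4/LOW/MEDIUM-admitting cipher list: TLS 1.2+ and AEAD suites only.
STRONG_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# make genkey + make testcert in one command: 2048-bit RSA key and a
# self-signed certificate. -nodes leaves the key unencrypted so httpd can
# start unattended; the key directory and file are therefore root-only.
# -addext adds the subjectAltName that browsers match instead of the CN.
gen_selfsigned() {
    mkdir -p "$OUT/private" "$OUT/certs"
    chmod 700 "$OUT/private"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=FI/ST=Uusimaa/L=Helsinki/O=Salamanteri/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
    chmod 600 "$KEY"
}

# The check to run before restarting httpd: the public key inside the
# certificate must be the one derived from the private key, otherwise
# mod_ssl refuses to start.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SAN present and key size as requested.
cert_has_san() { openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$HOST"; }
cert_is_2048() { openssl x509 -in "$CRT" -noout -text | grep -q 'Public-Key: (2048 bit)'; }

# What the browser sees: without a trust anchor verification fails (the
# Firefox warning); it succeeds only once this exact cert is trusted.
verify_without_trust() { openssl verify "$CRT" >/dev/null 2>&1; }
verify_with_trust()    { openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1; }

# The cipher string must be accepted by the local OpenSSL before it goes
# into ssl.conf, or httpd fails its configuration check.
hardened_ciphers_valid() { openssl ciphers "$STRONG_CIPHERS" >/dev/null 2>&1; }

# Vhost fragment with the hardened settings (paths are this script's).
write_vhost() {
    cat > "$OUT/ssl-vhost.conf" <<EOF
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite $STRONG_CIPHERS
    SSLHonorCipherOrder off
    SSLCertificateFile $CRT
    SSLCertificateKeyFile $KEY
</VirtualHost>
EOF
}

gen_selfsigned
write_vhost
for check in key_matches_cert cert_has_san cert_is_2048 verify_with_trust hardened_ciphers_valid; do
    if "$check"; then echo "ok   $check"; else echo "FAIL $check"; exit 1; fi
done
if verify_without_trust; then echo "FAIL self-signed cert verified without trust"; exit 1; fi
echo "ok   untrusted verify fails as expected (the browser warning)"
echo "vhost fragment written to $OUT/ssl-vhost.conf"
```

On a real server point OUT at /etc/pki/tls and run as root, then check the fragment with apachectl configtest before restarting; because the key has no passphrase, the 0600 mode on the key file and 0700 on the private directory are what stands between the key and other local users, so keep them.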
Afterword
Got any questions, comments, or a small guide on how and where you do these steps on another *nix system? Send whatever is on your mind (no spam ;) ) with the comment form below.
Resources:
- RHEL-3 System Administrator guide, Chapter 27. Apache HTTP Secure Server Configuration, 27.6. Generating a Key and 27.8. Creating a Self-Signed Certificate
- Debian: Renewing apache SSL certificates

February 28th, 2009 at 4:58 am
pki certificate…
I can’t believe I missed this! I’m going to have to do some more reading me thinks….