Re: https

[Yehuda Katz <yehuda@xxxxxxxxxx>]

On Fri, Apr 4, 2014 at 12:55 AM, Andy Canfield <andycanfield@xxxxxxxxxx> wrote:

There are several lines in places that read
    <IfModule mod_ssl.c>
There is no file on my hard disk named "mod_ssl.c". There is, however, a file named
    /usr/lib/apache2/modules/mod_ssl.so
Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"? Like was the ssl module written in C?

http://httpd.apache.org/docs/2.2/mod/core.html#ifmodule

<IfModule module>:

The module argument can be either the module identifier or the file name of the module, at the time it was compiled. For example, rewrite_module is the identifier and mod_rewrite.c is the file name. 

On 04/03/2014 09:46 PM, Yehuda Katz wrote:

Debian/Ubuntu have a slightly different default layout and include some tools to help you work with it. The tools just create the symlinks for you, but the major benefit is that all of them support tab-completion, so you know what is available.

a2enmod / a2dismod: enable or disable apache modules

a2ensite / a2dissite: enable or disable apache vhosts

a2enconf / a2disconf: enable or disable apache configuration files (added in Ubuntu 13.10)

The first this to check is that you have loaded mod_ssl, either by running `a2enmod ssl` or looking at the modules-enabled directory.

You are probably not listening on 443 since it is inside the <ifmodule> and the module is not loaded.

Then as instructed by a2enmod I ran the command
  service apache2 restart
I normally use '/etc/init.d/apache2 restart' but I did it with 'service' this time.

They do the same thing in this case.

I usually run apache2ctl configtest before I restart to make sure that I will not discover a problem when the server is in the process of restarting.

 

After some editing for fixing up things like DocumentRoot (changed to my own) I got it to restart with no errors.

You should have Ubuntu's default SSL vhost in sites-available/default-ssl.conf and you can enable it using the tool (or manual symlink).

There is no file extension on "/etc/apache2/sites-available/default-ssl", I assume that file is correct. It starts with these two lines:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>

The above has they keyword "_default_" in the VirtualHost line. All of my existing http config files read like this:
    <VirtualHost *:80>
There is no Virtual Host name in that line, so presumably they all share the same virtual host, yes? Do I need multiple virtual hosts for https, or will one virtual host be OK for all the sites?

An HTTPS vhost is exactly the same as an HTTP vhost except for the certificate configuration.

If you want multiple vhosts with HTTPS though, you either need an IP address for each or all of your users need to support SNI in their browsers (any modern browser should).

This wiki page is a bit old, but still looks correct: http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Wonderful! I rebooted the computer just to make 100% sure of my restarting EVERYTHING, and then ran 'nmap localhost' and it finally showed me this line:
    443/tcp  open  https
Great! Now somebody is listening.

I sent Firefox to "https://localhost/" and after a bunch of crabbing about the certificate I got to see the same site. So now I have to figure out how to make a certificate (FYI I am an anarchist).

I went to one of my sites and followed a link and discovered that it switched back to "http://" because that is what is in the HTML. Gotta fix that.

You can enable any vhost for SSL by adding a few directives to it (it will stop listening on non-ssl):

- Change the vritualhost port to 443

- SSLEngine on

- SSLCertificateFile      /etc/apache2/ssl/example.com.crt

- (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is not in the same file)

There are a few other default things in the default-ssl vhost to fix buggy browsers and provide more info to cgi-scripts.

"buggy browsers" as in Internet Explorer, right? These are intra-company web sites, and we simply tell people not to use IE.

- Y

Thank you very much Yehuda. I think I am launched and can follow on for a while by myself.

On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield <andycanfield@xxxxxxxxxx> wrote:

Files:

-rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt

-rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key

So AFAIK I've got a certificate I've generated myself. Nobody vouches for me but it shoud enable encryption and make my TCP/IP packets hard to read.

Contents of /etc/apache2/ports.conf:
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Files:

-rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
-rw-r--r-- 1 andy 7485 Jun 16  2011 /etc/apache2/sites-available/default-ssl
-rw-r--r-- 1 root 7469 Feb  7  2012 /etc/apache2/sites-available/default-ssl.original
-rw-r--r-- 1 root  950 Feb  7  2012 /etc/apache2/sites-available/default.original

I see here that /etc/apache2/sites-available has one symbolic link to /etc/apache2/sites-available/default, and no symbolic links to any of the other entries in the sites-available directory. Also all the other entries in /etc/apache2/sites-available are symbolic links to configuration files such as

lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf

These links have been working fine for years as links into the site control directory and not into 'sites-available'. But perhaps that is wrong.

Maybe what I need is a symbolic link from sites-enabled to ../sites-available/default-ssl ? Nope, tested, did not solve the problem....

When I give this command (as root) -

    /etc/init.d/apache2 restart

I see only this output:

apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.112 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.112 for ServerName
                                                                            [ OK ]

But nmap still says that nothing is listening to port 443.

Thank you Oren.

On 04/03/2014 04:04 PM, Oren wrote:

Hi Andy.
Process basically include getting/creating a certificate, define it on your site and reload apache.
here is a centos manual which is not exactly the same on ubuntu but pretty much explains the order of things
http://wiki.centos.org/HowTos/Https

on ubuntu you will have to open the 443 port
<IfModule mod_ssl.c>
    Listen 443
</IfModule>

once the https is ready, you can do a redirect to the https site from http. (with mod_rewrite)

do you have logs or any information on what is not working?

Oren

On 04/03/2014 11:39 AM, Andy Canfield wrote:

I have been using apache for maybe ten years now, and maintain two
servers in addition to the apache on my notebook computer for testing.
All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
from http to https.

But the documentation is insane. A piece here, a piece there, have to do
X (but first? and afterwards?). Assuming everything is else is OK, this
is way you edit this line in VirtualHost file (there is no
"/etc/apache2/.../VirtualHost" file!)

I figure that I need to do it in two steps:
[1] Get the https version up and running, and
[2] Make the http version automatically switch to https.

But I can't get https working at all, for anything. There's a "Listen
443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
closed port.

Has anybody else ever converted a hosted site from http to https? What
did you have to do to get the secure one working?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

.