Re: Installing httpd-2.2.15 with mod_ssl to use SSL Certificate files


 On June 7, 2011 9:41 , Sunil Rao <parlekar@xxxxxxxxx> wrote:

- What operating system or OS distribution are you running?  What version?
Apache Details:
Server version: Apache/2.2.15 (Unix)
Server built:   Jun  6 2011 16:10:26
OS Version: Linux 2.6.32-100.28.11.el6.x86_64


- Are you compiling Apache HTTP Server from source, or are you using a package built for you by someone else?  If a package built for you by someone else, what package and version?
httpd-2.2.15.tar

If you were using a package for Apache HTTP Server provided as a part of the Linux distribution you were running (Debian, Fedora, ...) then there would be a good chance that some of the mod_ssl configuration would have been done for you already by the package maintainers and/or that documentation on how to configure HTTPS would be available that was specific to the Linux distribution you are using.

However, what you write above sounds like you have compiled Apache HTTP Server yourself, instead of using a package provided by your Linux distribution. In this case, you should consider using the latest version, 2.2.19, rather than an old version.

I looked around, but did not find any step-by-step non-distribution-specific configuration examples for recent versions of Apache HTTP Server. (Does anyone else who is reading this know of any?) So you should rely on the Apache documentation for setting up and configuring HTTPS for your server:

Configuration directives: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Other topics: http://httpd.apache.org/docs/2.2/ssl/

To give you an example to work from, here is my configuration for mod_ssl. I'm running Apache HTTP Server 2.3.12 under Fedora 14 x86_64, but hopefully this will work for 2.2.x under other distributions as well. Note that this is for serving static, non-proxied content over HTTPS. I recommend that you get something like this working first, and once you understand mod_ssl better, only then work on adding proxy functionality.

Before attempting to use the example below, you should generate and install the SSL private key file (/etc/pki/tls/private/www.example.com.key in the example below, although the file name and location will be different on your system) and certificate (/etc/pki/tls/certs/www.example.com.cert). You should also install the root and/or intermediate certificate of the certification authority which signed your certificate (/etc/pki/tls/certs/CA.pem); in your case, these would be the appropriate Verisign root and/or intermediate certificates.

Make sure that the key is readable only by root (assuming that you are starting your web server as the root user) but that the certificate and CA chain file are readable by the user that the web server serves requests as. Then make sure that you are able to verify the certificate locally on your web server -- if this doesn't work, then you won't be able to get mod_ssl working:

openssl verify -verbose -CAfile /etc/pki/tls/certs/CA.pem -purpose sslserver /etc/pki/tls/certs/www.example.com.cert

You should get output saying that the certificate is OK.

Here is how I have mod_ssl configured in my httpd.conf file:

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(1024000)
SSLSessionCacheTimeout 600
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!NULL:!LOW:!EXP:!ADH:!MD5

Listen 443
<VirtualHost *:443>

    ServerName   www.example.com:443
    DocumentRoot /var/www/htdocs

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.example.com.cert
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/CA.pem

    <Directory />
        SSLRequireSSL
    </Directory>

    <Directory /var/www/htdocs>
        Order allow,deny
        Allow from all
    </Directory>

</VirtualHost>


I hope this helps. If this isn't what you were asking for, if it's not clear, or if you encounter problems, please ask more specific questions, including detailed information (configuration, error log entries, symptoms, ...) regarding the situation you are encountering.

--
  Mark Montague
  mark@xxxxxxxxxxx


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
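
A pre-flight check for the key, certificate and CA chain files described in the message above, written as an added example that is not part of the original message or of the Apache HTTP Server project. It goes slightly beyond the message by also confirming that the private key and the certificate carry the same public key. The function names are this example's own, and the paths in the usage comment are the message's example paths.

```shell
#!/bin/sh
# Added example: checks to run before pointing SSLCertificateKeyFile,
# SSLCertificateFile and SSLCertificateChainFile at a set of files.
# Usage: sh preflight.sh /etc/pki/tls/private/www.example.com.key \
#            /etc/pki/tls/certs/www.example.com.cert /etc/pki/tls/certs/CA.pem

# Succeeds only if group and other have no permission bits on the key file.
# Ownership is not checked here; confirm separately that root owns the file.
key_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Succeeds only if the private key and the certificate carry the same
# public key. A passphrase-protected key makes openssl prompt for it.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if openssl verify reports the certificate as OK when it is
# checked against the CA file for use as a TLS server certificate.
chain_verifies() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" 2>/dev/null |
        grep -q ': OK$'
}

# Runs all three checks and reports every failure, not just the first.
preflight() {   # arguments: KEY CERT CA
    rc=0
    key_mode_ok "$1" ||
        { echo "FAIL: $1 is accessible to group or other"; rc=1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not match private key $1"; rc=1; }
    chain_verifies "$3" "$2" ||
        { echo "FAIL: $2 does not verify against $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, certificate and chain are consistent"
    return "$rc"
}

# Run the checks only when the three file names are given on the command line.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A key/certificate mismatch is a common cause of mod_ssl refusing to start, and it is not detected by openssl verify, which only looks at the certificate and the CA file.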


