I use Zabbix (see www.zabbix.com) for monitoring the servers at work. The problem is that the front end runs on http and not https, which poses a problem for some of our customers... but fear not, my little minions: below is how to activate https on Apache2 on SLES 11 SP3.
Make sure apache2 is started:

SuperNinja4:~ # service apache2 status
Checking for httpd2: unused
SuperNinja4:~ # service apache2 start
Starting httpd2 (prefork) done
SuperNinja4:~ #
Make sure that you have some kind of index page that can be displayed over normal http:

SuperNinja4:~ # cd /srv/www/
SuperNinja4:/srv/www # ls
cgi-bin  hawk  htdocs
SuperNinja4:/srv/www # cd htdocs/
SuperNinja4:/srv/www/htdocs # ls
apache_pb.gif  apache_pb.png  apache_pb2.gif  apache_pb2.png  apache_pb2_ani.gif  favicon.ico  gif  index.html  info2html.css  robots.txt
SuperNinja4:/srv/www/htdocs # vi index.html
SuperNinja4:/srv/www/htdocs # cat index.html
<html><body><h1>Hello this is King Rat - It works!</h1></body></html>
SuperNinja4:/srv/www/htdocs #
Check that the web page is displayed over http.
Over https you should get an error.
Stop apache2 and make sure you are in the directory /etc/apache2:

SuperNinja4:/srv/www/htdocs # cd /etc/apache2
SuperNinja4:/etc/apache2 # service apache2 stop
Shutting down httpd2 (waiting for all children to terminate) done
SuperNinja4:/etc/apache2 #
Start by creating all the certificates needed. Let's generate our own Certificate Authority key. In this step we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do for ourselves the same thing they would normally do.

SuperNinja4:/etc/apache2 # openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...................................++
......................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
For the certificate I used the pass phrase (insert your own pass phrase here; for example I used M1cr0s0f7). Make sure that you use the same one for all certificates. Note that these pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.
Next, we'll need to use that key to create a certificate. Before we do this, note that the information you enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here. When we generate our server certificate, we will put in the real information, which must differ from what is here. Notice that we are making it good for 3650 days, or 10 years. Adjust to what you need.

SuperNinja4:/etc/apache2 # openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Redmond
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microsoft
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.microsoft.com
Email Address []:bill.gates@microsoft.com
SuperNinja4:/etc/apache2 # ls -ltr
total 136
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
SuperNinja4:/etc/apache2 #
Our Server Key and CSR

SuperNinja4:/etc/apache2 # openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
...........................................................................................................................................................................................................................................................................................................................................................................................++
............++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
SuperNinja4:/etc/apache2 # ls -ltr
total 140
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key
SuperNinja4:/etc/apache2 #
Now we have to create a signing request, or CSR, from the server key we just made. To get our signed certificate, we first need a signing request that the CA can sign.
To create the CSR, run the command below. This one has to have the REAL information, no bull. Pay special attention to this part: Common Name (eg, YOUR name) []:SuperNinja4.xxxx.com. It must be the server name that you have set in /etc/hosts.

SuperNinja4:/etc/apache2 # openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WZ
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your company name here
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:SuperNinja4.xxxx.com
Email Address []:root@SuperNinja4.xxxx.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: HIT ENTER
An optional company name []: HIT ENTER
SuperNinja4:/etc/apache2 # ls -ltr
total 144
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key
-rw-r--r-- 1 root root  1760 Jul  8 09:50 server.csr
SuperNinja4:/etc/apache2 #
Sign the Certificate

Let's sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we get is our perfectly forged signed certificate.
The command we're going to run looks like this:

SuperNinja4:/etc/apache2 # openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=US/ST=WZ/L=New York/O=xxxx/CN=SuperNinja4.xxxx.com/emailAddress=root@SuperNinja4.xxxx.com
Getting CA Private Key
Enter pass phrase for ca.key:
SuperNinja4:/etc/apache2 # ls -ltr
total 148
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key
-rw-r--r-- 1 root root  1760 Jul  8 09:50 server.csr
-rw-r--r-- 1 root root  1988 Jul  8 10:06 server.crt
SuperNinja4:/etc/apache2 #
Generate a server.key that won't prompt for a password

Now we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn't happen. We'll do that with these three commands:

SuperNinja4:/etc/apache2 # openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key:
writing RSA key
SuperNinja4:/etc/apache2 # mv server.key server.key.secure
SuperNinja4:/etc/apache2 # mv server.key.insecure server.key
SuperNinja4:/etc/apache2 # ls -ltr
total 152
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key.secure
-rw-r--r-- 1 root root  1760 Jul  8 09:50 server.csr
-rw-r--r-- 1 root root  1988 Jul  8 10:06 server.crt
-rw-r--r-- 1 root root  3243 Jul  8 10:08 server.key
SuperNinja4:/etc/apache2 #
Placing the files

At this stage you should have a bunch of files. Just having them doesn't get us anywhere, so let's get them installed. First we are going to change some permissions, because we don't want just anyone having access to these files. To apply the appropriate permissions, run this:

SuperNinja4:/etc/apache2 # chmod 0600 server.key.secure server.key server.csr server.crt
SuperNinja4:/etc/apache2 # ls -ltr
total 152
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw------- 1 root root  3311 Jul  8 09:46 server.key.secure
-rw------- 1 root root  1760 Jul  8 09:50 server.csr
-rw------- 1 root root  1988 Jul  8 10:06 server.crt
-rw------- 1 root root  3243 Jul  8 10:08 server.key
SuperNinja4:/etc/apache2 #
Now, here's where things depend on the distribution that you are using.
I will try to describe what I am doing so that if you are not on SLES, you will still be able to get this working.
In SLES, the apache2 config directory is /etc/apache2. Underneath that there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr and /etc/apache2/ssl.key. The server.crt file needs to be moved to /etc/apache2/ssl.crt, the server.csr file to /etc/apache2/ssl.csr, and the server.key file to /etc/apache2/ssl.key:

SuperNinja4:/etc/apache2 # mv /etc/apache2/server.key /etc/apache2/ssl.key/server.key
SuperNinja4:/etc/apache2 # mv /etc/apache2/server.crt /etc/apache2/ssl.crt/server.crt
SuperNinja4:/etc/apache2 # mv /etc/apache2/server.csr /etc/apache2/ssl.csr/server.csr
SuperNinja4:/etc/apache2 # ls -ltr
total 140
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw------- 1 root root  3311 Jul  8 09:46 server.key.secure
drwx------ 2 root root  4096 Jul  8 10:11 ssl.key
drwxr-xr-x 2 root root  4096 Jul  8 10:11 ssl.crt
drwxr-xr-x 2 root root  4096 Jul  8 10:12 ssl.csr
SuperNinja4:/etc/apache2 #
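The whole certificate procedure above (CA key and certificate, server key and CSR, signing, stripping the pass phrase, 0600 permissions) as one non-interactive script, followed by a check that the resulting files actually belong together. This is an added example and not code from the post: it assumes openssl on PATH, writes everything into a single directory given as an argument instead of the ssl.key/ssl.crt/ssl.csr layout, and the pass phrase, CA subject and organisation are constructed placeholders (the CN is the post's SuperNinja4.xxxx.com).

```shell
#!/bin/sh
# Added example, not from the post: the CA + server certificate steps,
# run non-interactively with -subj/-passout, then verified.
# Assumes: openssl on PATH; $1 is an output directory. Values below are
# constructed placeholders, except the CN, which is the post's host name.

KEY_PASS="example-passphrase"                                      # constructed
CA_SUBJ="/C=US/ST=WA/L=Redmond/O=Example CA/CN=Example Root CA"     # constructed
EXPECT_CN="SuperNinja4.xxxx.com"                                   # must equal ServerName
SRV_SUBJ="/C=US/ST=WZ/L=New York/O=xxxx/CN=$EXPECT_CN/emailAddress=root@$EXPECT_CN"

# Runs in a subshell so umask and cd do not leak into the caller.
gen_pki() (
    dir="$1"
    umask 077                                # every file is created 0600 (dir 0700)
    mkdir -p "$dir" && cd "$dir" || exit 1
    # 1. pass-phrase protected CA key and self-signed CA cert, 10 years as in the post
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out ca.key 4096 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$KEY_PASS" \
        -subj "$CA_SUBJ" -out ca.crt 2>/dev/null || exit 1
    # 2. pass-phrase protected server key (kept as server.key.secure) and its CSR
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out server.key.secure 4096 2>/dev/null &&
    openssl req -new -key server.key.secure -passin "pass:$KEY_PASS" -subj "$SRV_SUBJ" \
        -out server.csr 2>/dev/null || exit 1
    # 3. sign the CSR with our CA, serial 01 as in the post
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$KEY_PASS" -set_serial 01 -out server.crt 2>/dev/null || exit 1
    # 4. unencrypted copy that Apache loads without prompting at start-up
    openssl rsa -in server.key.secure -passin "pass:$KEY_PASS" -out server.key 2>/dev/null
)

# Prints "ok" when the files in $1 form a usable, correctly protected set.
verify_chain() {
    dir="$1"
    # server.crt must chain to our CA
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "chain:FAIL"; return 1; }
    # server.key must belong to server.crt: same RSA modulus
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null | openssl sha256)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] || { echo "keymatch:FAIL"; return 1; }
    # CN must be the name Apache serves under, or browsers reject the certificate
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$EXPECT_CN" \
        || { echo "cn:FAIL"; return 1; }
    # the unencrypted key must be readable by its owner only (the chmod 0600 step)
    [ "$(stat -c %a "$dir/server.key")" = "600" ] || { echo "perms:FAIL"; return 1; }
    echo ok
}

# Usage: gen_pki /root/pki-demo && verify_chain /root/pki-demo
```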
System configuration

First, edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES and make sure you see 'ssl' in there. If not, add it. Then search through the file for APACHE_SERVER_FLAGS and make sure it has 'SSL' in it. If not, add it. Save and close the file. Note that in APACHE_SERVER_FLAGS, ssl must be in capitals: SSL.

SuperNinja4:/etc/apache2 # vi /etc/sysconfig/apache2
SuperNinja4:/etc/apache2 # cat /etc/sysconfig/apache2 | grep APACHE_MODULES
# * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax.
# APACHE_MODULES="authz_host alias auth dir log_config mime setenvif"
# APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir"
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout ssl"
SuperNinja4:/etc/apache2 # cat /etc/sysconfig/apache2 | grep APACHE_SERVER_FLAGS
# * to finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS
APACHE_SERVER_FLAGS="SSL"
SuperNinja4:/etc/apache2 #
You can also manage apache's modules with the 'a2enmod' command. To view the list of loaded modules, run 'a2enmod -l'. Make sure that ssl is loaded:

SuperNinja4:/etc/apache2 # a2enmod -l
actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout ssl
SuperNinja4:/etc/apache2 #
Next, open the config file that tells apache2 which ports to listen on. In SLES this file is /etc/apache2/listen.conf. Add port 443 by adding the following lines:

Listen 443
NameVirtualHost *:443

SuperNinja4:/etc/apache2 # vi listen.conf
SuperNinja4:/etc/apache2 # cat listen.conf
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 80
Listen 443

# Use name-based virtual hosting
#
# - on a specified address / port:
#
#
# - name-based virtual hosting:
#
NameVirtualHost *:80
NameVirtualHost *:443
#
# - on all addresses and ports. This is your best bet when you are on
#   dynamically assigned IP addresses:
#
SuperNinja4:/etc/apache2 #
Next, set up the vhost from the template: make a file called vhost-ssl.conf in the directory /etc/apache2/vhosts.d, and make sure that

ServerName SuperNinja4.xxxx.com
ServerAdmin root@SuperNinja4.xxxx.com

are set to what you used in the certificates:

SuperNinja4:/etc/apache2/vhosts.d # vi vhost-ssl.conf
SuperNinja4:/etc/apache2/vhosts.d # cat vhost-ssl.conf
# Template for a VirtualHost with SSL
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
# NameVirtualHost statements should be added to /etc/apache2/listen.conf.
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost *:443>

    # General setup for the virtual host
    DocumentRoot "/srv/www/htdocs/"
    ServerName SuperNinja4.xxxx.com
    ServerAdmin root@SuperNinja4.xxxx.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
    SSLProtocol all -SSLv2 -SSLv3

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>
SuperNinja4:/etc/apache2/vhosts.d #
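A small audit of the mod_ssl directives in a vhost file like the one above, added here as an example (it is not the post's or SLES's own tooling). It reads the config on stdin, prints one FINDING per setting a browser-facing host should not carry, and ships with two constructed samples: the SSL block from the post's vhost-ssl.conf, and a hardened one using only cipher aliases that the post's Apache 2.2 / OpenSSL 0.9.8 build already understands.

```shell
#!/bin/sh
# Added example, not from the post: audit the mod_ssl directives of a vhost
# file read on stdin. Prints one "FINDING:" line per weak setting and returns
# the number of findings. Needs only sh, grep, awk and tr.

# Arguments of the last occurrence of directive $1 in $CFG (leading space kept).
cfg_args() {
    printf '%s\n' "$CFG" | grep -i "^[[:space:]]*$1[[:space:]]" | tail -n 1 | awk '{ $1 = ""; print }'
}

flag() { echo "FINDING: $1"; FINDINGS=$((FINDINGS + 1)); }

audit_ssl_vhost() {
    CFG=$(grep -v '^[[:space:]]*#')          # drop comment lines
    FINDINGS=0

    printf '%s\n' "$CFG" | grep -qi '^[[:space:]]*SSLEngine[[:space:]]*on' || flag "SSLEngine is not on"

    # SSLProtocol: SSLv2 and SSLv3 must be off (the post uses "all -SSLv2 -SSLv3")
    proto=$(cfg_args SSLProtocol)
    if [ -z "$proto" ]; then
        flag "SSLProtocol missing; mod_ssl 2.2's default 'all' leaves SSLv3 enabled"
    else
        for bad in SSLv2 SSLv3; do
            case " $proto " in
                *" -$bad "*) ;;                                       # explicitly disabled
                *" all "*|*" +$bad "*|*" $bad "*) flag "SSLProtocol enables $bad:$proto" ;;
            esac
        done
    fi

    # SSLCipherSuite: each weak class must be excluded with a "!" token. The post's
    # list (ALL:...:+LOW:+SSLv2:+EXP:+eNULL) excludes only ADH and EXPORT56.
    ciphers=$(cfg_args SSLCipherSuite | awk '{ print $1 }')
    if [ -z "$ciphers" ]; then
        flag "SSLCipherSuite missing; mod_ssl 2.2's default list includes LOW and export ciphers"
    else
        for weak in aNULL eNULL EXP LOW SSLv2; do
            printf '%s\n' "$ciphers" | tr ':' '\n' | grep -qx -- "!$weak" \
                || flag "SSLCipherSuite does not exclude $weak (add !$weak)"
        done
    fi

    # Without SSLHonorCipherOrder the client, not the server, picks the cipher.
    case "$(cfg_args SSLHonorCipherOrder)" in
        *[Oo][Nn]*) ;;
        *) flag "SSLHonorCipherOrder is not on" ;;
    esac
    return $FINDINGS
}

# Constructed sample: the SSL directives from the post's vhost-ssl.conf.
sample_weak() { cat <<'EOF'
<VirtualHost *:443>
    # SSL directives as in the vhost-ssl.conf shown in the post
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
}

# Constructed sample: the same block with settings the audit accepts.
sample_hardened() { cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
EOF
}

# Usage: audit_ssl_vhost < /etc/apache2/vhosts.d/vhost-ssl.conf
#        sample_weak | audit_ssl_vhost      # six findings on the post's block
```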
Start apache2 and make sure that there are no errors. The "module ssl_module is already loaded" warning comes from 'ssl' appearing twice in APACHE_MODULES above; it is harmless, and removing the duplicate silences it.

SuperNinja4:/etc/apache2/vhosts.d # service apache2 start
Starting httpd2 (prefork) [Tue Jul 08 10:28:29 2014] [warn] module ssl_module is already loaded, skipping
[Tue Jul 08 10:28:29 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
done
SuperNinja4:/etc/apache2/vhosts.d #
SuperNinja4:/etc/apache2/vhosts.d # tail -200f /var/log/apache2/error_log
[Tue Jul 08 09:01:35 2014] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Jul 08 09:01:35 2014] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips PHP/5.3.17 configured -- resuming normal operations
[Tue Jul 08 09:15:08 2014] [notice] caught SIGTERM, shutting down
[Tue Jul 08 10:28:29 2014] [warn] module ssl_module is already loaded, skipping
[Tue Jul 08 10:28:29 2014] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips PHP/5.3.17 configured -- resuming normal operations
Another handy command to check what is loaded is httpd2 -M:

SuperNinja4:/etc/apache2/vhosts.d # httpd2 -M
[Tue Jul 08 10:42:10 2014] [warn] module ssl_module is already loaded, skipping
[Tue Jul 08 10:42:10 2014] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Jul 08 10:42:10 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_default_module (shared)
 authz_user_module (shared)
 authn_dbm_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 include_module (shared)
 log_config_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 suexec_module (shared)
 userdir_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
Syntax OK
SuperNinja4:/etc/apache2/vhosts.d #
Check that port 443 is listening:

SuperNinja4:/etc/apache2/vhosts.d # netstat -antp | grep LIST | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6836/httpd2-prefork
SuperNinja4:/etc/apache2/vhosts.d #
NEXT..... Check if https works....
WOOOOPPPPPEEEE!! https
In theory, the Zabbix front end has its web pages in /srv/www/htdocs, so Zabbix should now work with https as well. This comes from the settings in the vhost-ssl.conf file in the directory /etc/apache2/vhosts.d, this part below:

# General setup for the virtual host
DocumentRoot "/srv/www/htdocs/"
ServerName SuperNinja4.xxxx.com
ServerAdmin root@SuperNinja4.xxxx.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
Happy https ing... remember my BitCoins... please.... pretty please.... please please.....