
Bug#267477: Suggested steps which should be used and my detailed notes RE getting SSL over Apache2 on a vanilla Etch machine



I agree that it should be easier to get Apache2 working over SSL.

These are what I would suggest to be the steps needed to enable Apache2 over SSL.


Create the certificate...

# apache2-ssl-certificate

Enable the SSL mod...

# a2enmod ssl

Enable the default SSL site

# a2ensite default-ssl



These steps should be in the default Apache2 README.Debian file. I feel that these are reasonable steps for an admin to carry out. Obviously the certificate could be changed at a later date.

Now to get Apache2 to use SSL on the current Etch we have to create a couple of files and directories - I've pasted my TWiki-style notes for getting SSL to work on Apache2 at the end of this email.


Note - my method adds a new site to the default site which listens on 443 - I would propose that a better way would be to create a site called default-ssl and this site is enabled by the a2ensite command. Also, my method has GB for the locale - obviously this should be changed by the install script to the user's locale.


These are my notes for getting SSL to work with the current version of Apache2 on Etch...


-------------------------8<-------------------------------

---+++ Setting up Apache2 to use ssl

The following instructions were used to run ssl on a standard Etch install.

Etch does not have the directory /etc/apache2/ssl

This needs to be created with ownership and permissions of

drwxr-xr-x root root

Etch also needs the script /usr/sbin/apache2-ssl-certificate created with ownership root:root and permissions of 766.

The contents of this file should be

<verbatim>
#!/bin/sh -e

if [ "$1" != "--force" -a -f /etc/apache2/ssl/apache.pem ]; then
 echo "/etc/apache2/ssl/apache.pem exists!  Use \"$0 --force.\""
 exit 0
fi

if [ "$1" = "--force" ]; then
 shift
fi

echo
echo creating selfsigned certificate
echo "replace it with one signed by a certification authority (CA)"
echo
echo enter your ServerName at the Common Name prompt
echo
echo If you want your certificate to expire after x days call this program
echo with "-days x"

# use special .cnf, because with normal one no valid selfsigned
# certificate is created

export RANDFILE=/dev/random
# pass any extra arguments (such as -days x) through to openssl unchanged;
# the key and the certificate are written into the same file
openssl req "$@" -config /usr/share/apache2/ssleay.cnf \
 -new -x509 -nodes -out /etc/apache2/ssl/apache.pem \
 -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
ln -sf /etc/apache2/ssl/apache.pem \
 /etc/apache2/ssl/`/usr/bin/openssl \
 x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0
</verbatim>

Etch also needs to have the file /usr/share/apache2/ssleay.cnf which should have ownership of root:root and permissions of 644

The contents of this file should be

<verbatim>
#
# SSLeay example configuration file.
#

RANDFILE                = $ENV::HOME/.rnd

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = GB
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

organizationName = Organization Name (eg, company; recommended)
organizationName_max            = 64

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_max      = 64

commonName = server name (eg. ssl.domain.tld; required!!!)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40
</verbatim>

The rest of the instructions are:

run
<verbatim>
# apache2-ssl-certificate
</verbatim>

and respond to the prompts to create the certificate.

run
<verbatim>
# a2enmod ssl
</verbatim>
to enable the ssl mod

then run
<verbatim>
# /etc/init.d/apache2 force-reload
</verbatim>
as asked.

Edit /etc/apache2/ports.conf and add a new line
<verbatim>
Listen 443
</verbatim>

Make sure a new line character has been added after this line. This may not be needed, but it is better to be safe.

Then modified /etc/apache2/sites-available/default to basically add the ssl site to the default setup.

The original block is copied and the port numbers added, but it is important to add the lines

<verbatim>
       SSLEngine on
       SSLCertificateFile /etc/apache2/ssl/apache.pem
</verbatim>

to the second section.

This configuration basically means that the original site will be served up over ssl (i.e. https).

This is the new /etc/apache2/sites-available/default file:

<verbatim>
NameVirtualHost *:80
<VirtualHost *:80>
       ServerAdmin webmaster@localhost

       DocumentRoot /var/www/
       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>
       <Directory /var/www/>
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               allow from all
               # This directive allows us to have apache2's default start page
               # in /apache2-default/, but still have / go to the right place
               RedirectMatch ^/$ /apache2-default/
       </Directory>

       ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
       <Directory "/usr/lib/cgi-bin">
               AllowOverride None
               Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
               Order allow,deny
               Allow from all
       </Directory>

       ErrorLog /var/log/apache2/error.log

       # Possible values include: debug, info, notice, warn, error, crit,
       # alert, emerg.
       LogLevel warn

       CustomLog /var/log/apache2/access.log combined
       ServerSignature On

   Alias /doc/ "/usr/share/doc/"
   <Directory "/usr/share/doc/">
       Options Indexes MultiViews FollowSymLinks
       AllowOverride None
       Order deny,allow
       Deny from all
       Allow from 127.0.0.0/255.0.0.0 ::1/128
   </Directory>

</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
       ServerAdmin webmaster@localhost

       DocumentRoot /var/www/
       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>
       <Directory /var/www/>
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               allow from all
               # This directive allows us to have apache2's default start page
               # in /apache2-default/, but still have / go to the right place
               RedirectMatch ^/$ /apache2-default/
       </Directory>

       ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
       <Directory "/usr/lib/cgi-bin">
               AllowOverride None
               Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
               Order allow,deny
               Allow from all
       </Directory>

       ErrorLog /var/log/apache2/error.log

       # Possible values include: debug, info, notice, warn, error, crit,
       # alert, emerg.
       LogLevel warn

       CustomLog /var/log/apache2/access.log combined
       ServerSignature On

   Alias /doc/ "/usr/share/doc/"
   <Directory "/usr/share/doc/">
       Options Indexes MultiViews FollowSymLinks
       AllowOverride None
       Order deny,allow
       Deny from all
       Allow from 127.0.0.0/255.0.0.0 ::1/128
   </Directory>

       # Added to enable ssl.
       SSLEngine on
       SSLCertificateFile /etc/apache2/ssl/apache.pem

</VirtualHost>
</verbatim>

Then restarted the Apache server with
<verbatim>
# apache2ctl graceful
</verbatim>

The default page was then available at

http://server.example.com

and

https://server.example.com

-------------------------8<-------------------------------


Hope my notes help towards a satisfactory resolution of this bug.

Kev
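As an added example (not from Kev's notes or from the Debian package), a small POSIX shell checker for the three spots the notes above touch: the Listen line in ports.conf and its trailing newline, the combined key-and-certificate file apache.pem, and the *:443 VirtualHost that must carry SSLEngine on and SSLCertificateFile. The file paths it is given are assumptions; it relies only on grep, awk, tail, wc and stat.

```shell
#!/bin/sh
# Added example, not part of the bug report: sanity checks for the
# ports.conf line, the apache.pem bundle and the :443 vhost set up above.
# Assumes GNU stat (-c) or BSD stat (-f) and POSIX awk/grep/tail/wc.

# Append "Listen <port>" to a ports.conf-style file unless already present,
# first making sure the file ends in a newline (the note's "new line" worry).
ensure_listen() {
    f=$1 port=$2
    grep -qx "Listen $port" "$f" 2>/dev/null && return 0
    if [ -s "$f" ] && [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" -eq 0 ]; then
        printf '\n' >> "$f"
    fi
    printf 'Listen %s\n' "$port" >> "$f"
}

# The combined file written by apache2-ssl-certificate must carry both PEM
# blocks and, because it holds the private key, must stay mode 600.
check_pem() {
    pem=$1
    grep -q 'BEGIN.*PRIVATE KEY' "$pem" || { echo "$pem: no private key"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "$pem: no certificate"; return 1; }
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    [ "$mode" = 600 ] || { echo "$pem: mode $mode, expected 600"; return 1; }
}

# Every <VirtualHost ...:443> block needs SSLEngine on and SSLCertificateFile;
# a :443 block without them answers port 443 in plain HTTP.
check_ssl_vhosts() {
    awk '
      /^[[:space:]]*<VirtualHost[[:space:]]/ { invh = 1; ssl = 0; cert = 0; tag = $0 }
      invh && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/ { ssl = 1 }
      invh && /^[[:space:]]*SSLCertificateFile[[:space:]]/ { cert = 1 }
      /^[[:space:]]*<\/VirtualHost>/ {
          if (tag ~ /:443>/ && !(ssl && cert)) { bad++; print "no SSL directives in " tag }
          invh = 0
      }
      END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Typical use on the files from the notes: `ensure_listen /etc/apache2/ports.conf 443`, then `check_pem /etc/apache2/ssl/apache.pem` and `check_ssl_vhosts /etc/apache2/sites-available/default`; each function returns non-zero and prints the reason when a check fails.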


