Bug#267477: Suggested steps which should be used and my detailed notes RE getting SSL over Apache2 on a vanilla Etch machine
I agree that it should be easier to get Apache2 working over SSL.
These are what I would suggest to be the steps needed to enable Apache2
over SSL.
Create the certificate...
# apache2-ssl-certificate
Enable the SSL mod...
# a2enmod ssl
Enable the default SSL site
# a2ensite default-ssl
These steps should be in the default Apache2 README Debian file. I feel
that these are reasonable steps for an admin to carry out. Obviously
the certificate could be changed at a later date.
Now to get Apache2 to use SSL on the current Etch we have to create a
couple of files and directories - I've pasted my twiki style notes for
getting SSL to work on Apache2 at the end of this email.
Note - my method adds a new site to the default site which listens on
443 - I would propose that a better way would be to create a site called
default-ssl and this site is enabled by the a2ensite command. Also, my
method has GB for the locale - obviously this should be changed by the
install script to the user's locale.
These are my notes for getting SSL to work with the current version of
Apache2 on Etch...
-------------------------8<-------------------------------
---+++ Setting up Apache2 to use ssl
The following instructions were used to run ssl on a standard Etch install.
Etch does not have the directory /etc/apache2/ssl
This needs to be created with ownership and permissions of
drwxr-xr-x root root
Etch also needs the script /usr/sbin/apache2-ssl-certificate created
with ownership root:root and permissions of 766.
The contents of this file should be
<verbatim>
#!/bin/sh -e
# Create a self-signed certificate for Apache2 unless one already exists.
if [ "$1" != "--force" ] && [ -f /etc/apache2/ssl/apache.pem ]; then
    echo "/etc/apache2/ssl/apache.pem exists! Use \"$0 --force.\""
    exit 0
fi
if [ "$1" = "--force" ]; then
    shift
fi
echo
echo "creating selfsigned certificate"
echo "replace it with one signed by a certification authority (CA)"
echo
echo "enter your ServerName at the Common Name prompt"
echo
echo "If you want your certificate to expire after x days call this program"
echo "with -days x"
# use special .cnf, because with normal one no valid selfsigned
# certificate is created
export RANDFILE=/dev/random
# Any remaining arguments (e.g. -days 365) are passed through to openssl.
# Private key and certificate land in the same file, so it must stay 0600.
openssl req "$@" -config /usr/share/apache2/ssleay.cnf \
    -new -x509 -nodes -out /etc/apache2/ssl/apache.pem \
    -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
# Symlink named after the subject hash, as OpenSSL's directory lookup expects.
ln -sf /etc/apache2/ssl/apache.pem \
    /etc/apache2/ssl/`/usr/bin/openssl \
    x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0
</verbatim>
Etch also needs to have the file /usr/share/apache2/ssleay.cnf which
should have ownership of root:root and permissions of 644
The contents of this file should be
<verbatim>
#
# SSLeay example configuration file.
#
RANDFILE = $ENV::HOME/.rnd
[ req ]
# 1024-bit RSA was the default of the day; current clients and CAs require 2048 bits or more.
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company; recommended)
organizationName_max = 64
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64
commonName = server name (eg. ssl.domain.tld; required!!!)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
</verbatim>
The rest of the instructions are:
run
<verbatim>
# apache2-ssl-certificate
</verbatim>
and respond to the prompts to create the certificate.
run
<verbatim>
# a2enmod ssl
</verbatim>
to enable the ssl mod
then run
<verbatim>
# /etc/init.d/apache2 force-reload
</verbatim>
as asked.
Edit /etc/apache2/ports.conf and add a new line
Listen 443
Make sure a new line character has been added after this line. This may
not be needed but better to be safe.
Then I modified /etc/apache2/sites-available/default to basically add the
ssl site to the default setup.
The original block is copied and the port numbers added but it is
important to add the lines
<verbatim>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</verbatim>
to the second section.
This configuration basically means that the original site will be served
up over ssl (i.e. https).
This is the new /etc/apache2/sites-available/default file:
<verbatim>
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        RedirectMatch ^/$ /apache2-default/
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        RedirectMatch ^/$ /apache2-default/
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
    # Added to enable ssl.
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
</verbatim>
Then restarted the Apache server with
<verbatim>
# apache2ctl graceful
</verbatim>
The default page was then available at
http://server.example.com
and
https://server.example.com
-------------------------8<-------------------------------
Hope my notes help towards a satisfactory resolution of this bug.
Kev
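As an added example, not part of Kev's notes or of the Debian apache2 package: a POSIX shell audit of the end state those notes describe. It checks the /etc/apache2/ssl directory, the 0600 mode on apache.pem (the file holds the private key alongside the certificate, so a wider mode exposes the key to local users), the hash symlink the script creates, Listen 443 in ports.conf, the enabled ssl module, and an enabled *:443 virtual host carrying SSLEngine on and a readable SSLCertificateFile. The function names and the optional root-directory argument are this example's own; the default paths are the ones from the notes.

```shell
#!/bin/sh
# Added example (not from the bug report or the apache2 package): audit the
# end state of the Apache2 SSL setup described above. The first argument is
# the Apache configuration root and defaults to /etc/apache2; function names
# and that argument are this example's own invention.

# mode_is PATH EXPECTED: compare the nine permission characters printed by
# ls (e.g. rw-------) with EXPECTED. Works with both GNU and BSD ls.
mode_is() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "$2" ]
}

# ssl_vhost_ok ROOT: succeed if some enabled site defines a *:443 virtual
# host with "SSLEngine on" and an SSLCertificateFile that exists on disk.
ssl_vhost_ok() {
    for f in "$1"/sites-enabled/*; do
        [ -f "$f" ] || continue
        grep -q '<VirtualHost[^>]*:443>' "$f" || continue
        grep -qi '^[[:space:]]*SSLEngine[[:space:]][[:space:]]*on' "$f" || continue
        cert=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]*//p' "$f" \
               | head -n 1 | sed 's/^"\(.*\)"$/\1/')
        [ -n "$cert" ] && [ -f "$cert" ] && return 0
    done
    return 1
}

# audit_apache2_ssl [ROOT]: print one line per check; return 0 only if all pass.
audit_apache2_ssl() {
    root=${1:-/etc/apache2}
    pem=$root/ssl/apache.pem
    rc=0

    if [ -d "$root/ssl" ] && mode_is "$root/ssl" rwxr-xr-x; then
        echo "ok   $root/ssl exists with mode 755"
    else
        echo "FAIL $root/ssl missing or not mode 755"; rc=1
    fi

    # The PEM carries the private key as well as the certificate, so any
    # group or world read bit hands the key to every local user.
    if [ -f "$pem" ] && mode_is "$pem" rw-------; then
        echo "ok   $pem is mode 600"
    else
        echo "FAIL $pem missing or readable beyond its owner"; rc=1
    fi

    # apache2-ssl-certificate links <subject-hash>.0 to the PEM; it must resolve.
    linked=0
    for l in "$root"/ssl/*.0; do
        [ -L "$l" ] && [ -f "$l" ] && linked=1
    done
    if [ "$linked" -eq 1 ]; then
        echo "ok   hash symlink in $root/ssl resolves"
    else
        echo "FAIL no resolving <hash>.0 symlink in $root/ssl"; rc=1
    fi

    if grep -q '^[[:space:]]*Listen[[:space:]][[:space:]]*443' "$root/ports.conf" 2>/dev/null; then
        echo "ok   ports.conf has Listen 443"
    else
        echo "FAIL ports.conf lacks Listen 443"; rc=1
    fi

    if [ -e "$root/mods-enabled/ssl.load" ]; then
        echo "ok   mod_ssl is enabled"
    else
        echo "FAIL mods-enabled/ssl.load missing (a2enmod ssl not run)"; rc=1
    fi

    if ssl_vhost_ok "$root"; then
        echo "ok   an enabled *:443 virtual host has SSLEngine on and a readable SSLCertificateFile"
    else
        echo "FAIL no enabled *:443 virtual host with SSLEngine on and SSLCertificateFile"; rc=1
    fi

    return $rc
}

# Run the audit when a root directory is given, e.g.: sh audit.sh /etc/apache2
if [ $# -gt 0 ]; then
    audit_apache2_ssl "$1"
fi
```

Run it as root after the steps above; a non-zero exit means at least one FAIL line, and the key-permission check is the one worth re-running after any later certificate replacement, since a cert copied in by hand will usually arrive as 0644.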