

These documents are obsolete; please use the Nethence Documentation instead.


Enabling SSL on Apache 2
on Debian Jessie and Red Hat
 
http://pbraun.nethence.com/doc/www/apache2.html
http://pbraun.nethence.com/doc/www/apache2-ssl.html
 
Apache configuration on Debian Jessie
Make sure openssl and mod_ssl are installed,
dpkg -l | grep openssl
dpkg -l | grep apache2
ls -l /usr/lib/apache2/modules/mod_ssl.so
 
Make sure mod_ssl is enabled,
cd /etc/apache2/mods-enabled/
ls -l *ssl*
 
Prepare some folder to store the certificates,
mkdir -p /etc/apache2/ssl/
cd /etc/apache2/ssl/
 
Either create a temporary self-signed certificate,
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf apache.pem
commonname: hostname.example.net 
subjectaltname: DNS:hostname,IP:IP_ADDRESS 
alternatively,
openssl req -new -x509 -nodes -out host.example.net.crt -keyout host.example.net.key 
or deploy your real certificates,
/etc/apache2/ssl/example.net.pem
/etc/apache2/ssl/example.net.priv.pem
/etc/apache2/ssl/example.net.priv.nopass.pem
See http://pbraun.nethence.com/unix/security/openssl.html for more information.
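Added example (not part of the original page): a small POSIX shell helper that creates a temporary self-signed certificate carrying a subjectAltName, as the make-ssl-cert prompts above ask for, and then checks that a certificate and a private key really belong together before Apache is pointed at them (a mismatched pair is a classic cause of a 443 listener that refuses to start). It assumes the openssl CLI is installed; the host names, IP and file names are constructed for the demo. A config file is used rather than -addext so the same script works with the older OpenSSL shipped on Jessie.

```shell
#!/bin/sh
# Added example (not from the original page).  Assumes the openssl CLI exists.
set -u

# gen_selfsigned DIR CN SANLIST
#   Writes DIR/CN.key (unencrypted) and DIR/CN.crt (365-day validity).
#   SANLIST uses OpenSSL syntax, e.g. "DNS:host.example.net,IP:192.0.2.10".
gen_selfsigned() {
    dir=$1; cn=$2; sans=$3
    cfg="$dir/$cn.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $cn
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $sans
EOF
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$cfg" -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null \
        || return 1
    chmod 600 "$dir/$cn.key"   # Apache reads the key as root; nobody else needs it
    rm -f "$cfg"
}

# cert_matches_key CRT KEY
#   Returns 0 when the public key embedded in CRT equals the public key derived
#   from KEY, 1 otherwise.  Comparing public keys works for RSA and EC alike.
cert_matches_key() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# cert_sans CRT
#   Prints the subjectAltName entries of CRT; browsers reject a certificate
#   whose SAN list does not contain the name they connected to.
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Demo on constructed values: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    gen_selfsigned "$d" host.example.net "DNS:host.example.net,DNS:host,IP:192.0.2.10"
    cert_sans "$d/host.example.net.crt"
    if cert_matches_key "$d/host.example.net.crt" "$d/host.example.net.key"; then
        echo "certificate and key match"
    else
        echo "MISMATCH: certificate and key do not belong together"
    fi
    rm -rf "$d"
fi
```

cert_matches_key is worth running against a real deployment too (the example.net.pem / example.net.priv.nopass.pem pair above), since a key that was regenerated after the CSR was issued will pass configtest but fail at startup.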
 
Check that apache2 is listening on port 443,
cd /etc/apache2/
cat ports.conf
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
NameVirtualHost *:443
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
NameVirtualHost *:443
Listen 443
</IfModule>
netstat -an --inet --inet6 | grep 443
 
Enable or re-configure the HTTPS service (using the real certificates here),
cd /etc/apache2/sites-available/
mv default-ssl.conf default-ssl.conf.dist
vi host.ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost *:443>
SSLEngine on
#SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateFile /etc/apache2/ssl/example.net.pem 
SSLCertificateKeyFile /etc/apache2/ssl/example.net.priv.nopass.pem 

ServerName host.example.net 
ServerAdmin webmaster@example.net 

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog /var/log/apache2/error-ssl.log 
CustomLog /var/log/apache2/access-ssl.log combined

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
</IfModule>
then enable the https service,
cd ../sites-enabled/
ln -s ../sites-available/host.ssl.conf 
 
Reload Apache (yes, a reload is enough even for a new cert :-),
apachectl configtest
apachectl -S
cd /var/log/apache2/
tail -F error-ssl.log error.log
service apache2 reload
 
Troubleshooting
If you get this warning when checking apache configuration,
[warn] _default_ VirtualHost overlap on port 443, the first has precedence
==> add NameVirtualHost *:443 into ports.conf, see above.
Ref. https://www.demenageur-site.com/blog/2012/06/plusieurs-certificats-ssl-pour-differents-virtualhosts-sur-une-seule-ip/
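Added example (not part of the original page): a static pre-flight check in POSIX shell for the wiring described in the HTTPS virtualhost section and in this troubleshooting note. Given a ports.conf and a site file, it confirms that every <VirtualHost *:PORT> has a matching Listen, that SSLEngine is on, that the SSLCertificateFile and SSLCertificateKeyFile paths exist, and that the private key is not readable by group or others (the page deploys an unencrypted key, so file permissions are its only protection). The NameVirtualHost check is reported as a hint only: it is what fixes the _default_ overlap warning on Apache 2.2, while on the 2.4 shipped with Jessie the directive is deprecated and has no effect. Paths are arguments; the demo builds a constructed sample tree in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check Listen / VirtualHost /
# certificate wiring before "apachectl configtest" and "service apache2 reload".
set -u

# check_ssl_vhost PORTS_CONF VHOST_CONF
#   Prints one line per problem and returns the number of problems (0 = ok).
check_ssl_vhost() {
    ports=$1; vhost=$2; problems=0

    # every <VirtualHost *:PORT> needs a "Listen PORT" (or "Listen addr:PORT")
    for port in $(sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]\{1,\}\*:\([0-9]\{1,\}\)>.*/\1/p' "$vhost" | sort -u); do
        if ! grep -Eq "^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?$port([[:space:]]|$)" "$ports"; then
            echo "no 'Listen $port' in $ports for <VirtualHost *:$port>"
            problems=$((problems + 1))
        fi
        # Apache 2.2 only; harmless but ignored on 2.4
        if ! grep -Eq "^[[:space:]]*NameVirtualHost[[:space:]]+\*:$port" "$ports"; then
            echo "hint: no 'NameVirtualHost *:$port' in $ports (needed on Apache 2.2, ignored on 2.4)"
        fi
    done

    if ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$vhost"; then
        echo "SSLEngine on missing in $vhost"
        problems=$((problems + 1))
    fi

    # last uncommented occurrence of each directive wins, as in Apache itself
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        f=$(sed -n "s/^[[:space:]]*$directive[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$vhost" | tail -n 1)
        if [ -z "$f" ]; then
            echo "$directive missing in $vhost"
            problems=$((problems + 1))
        elif [ ! -r "$f" ]; then
            echo "$directive points to a missing or unreadable file: $f"
            problems=$((problems + 1))
        elif [ "$directive" = SSLCertificateKeyFile ] && \
             [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
            echo "private key $f is readable by group/others; chmod 600 it"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Demo on a constructed tree (key deliberately left 0644): sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'Listen 80\n<IfModule mod_ssl.c>\nNameVirtualHost *:443\nListen 443\n</IfModule>\n' > "$d/ports.conf"
    : > "$d/example.net.pem"
    : > "$d/example.net.priv.nopass.pem"; chmod 644 "$d/example.net.priv.nopass.pem"
    printf '<VirtualHost *:443>\nSSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\n</VirtualHost>\n' \
        "$d/example.net.pem" "$d/example.net.priv.nopass.pem" > "$d/host.ssl.conf"
    if check_ssl_vhost "$d/ports.conf" "$d/host.ssl.conf"; then
        echo OK
    else
        echo "$? problem(s) found"
    fi
    rm -rf "$d"
fi
```

On a real Jessie box the call is check_ssl_vhost /etc/apache2/ports.conf /etc/apache2/sites-available/host.ssl.conf; on Red Hat pass /etc/httpd/conf.d/ssl.conf as the first argument and the file holding the 443 virtualhost as the second.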
 
Additional notes on redhat - RHEL
On Red Hat systems the procedure is basically the same; only the configuration file locations and folders differ.
 
Prepare or deploy your certificates,
mkdir -p /etc/httpd/ssl/
cd /etc/httpd/ssl/
host.example.net.crt
host.example.net.key
 
Enable SSL,
cd /etc/httpd/conf.d/
mv -f ssl.conf ssl.conf.dist
cat > ssl.conf <<EOF9
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
EOF9
 
Add an HTTPS virtualhost (port 443),
NameVirtualHost *:443

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/host.example.net.crt 
SSLCertificateKeyFile /etc/httpd/ssl/host.example.net.key 
...
</VirtualHost>
 
Ready to go,
apachectl configtest
httpd -S
service httpd reload
 

Last update: Dec 21, 2015