This doc is obsolete -- see http://doc.nethence.com/ instead

Enabling SSL on Apache 2 

on Debian Jessie and Red Hat

http://pbraun.nethence.com/doc/www/apache2.html 

http://pbraun.nethence.com/doc/www/apache2-ssl.html

Apache configuration on Debian Jessie 

Make sure openssl and mod_ssl are installed,

dpkg -l | grep openssl
dpkg -l | grep apache2
ls -l /usr/lib/apache2/modules/mod_ssl.so

Make sure mod_ssl is enabled, 

cd /etc/apache2/mods-enabled/
ls -l *ssl*

Prepare some folder to store the certificates, 

mkdir -p /etc/apache2/ssl/
cd /etc/apache2/ssl/

Either create a temporary self-signed certificate,

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf apache.pem

commonname: hostname.example.net 

subjectaltname: DNS:hostname,IP:IP_ADDRESS 

alternatively, 

openssl req -new -x509 -nodes -out host.example.net.crt -keyout host.example.net.key

or deploy your real certificates, 

/etc/apache2/ssl/example.net.pem
/etc/apache2/ssl/example.net.priv.pem
/etc/apache2/ssl/example.net.priv.nopass.pem

See http://pbraun.nethence.com/unix/security/openssl.html for more information.

Check that apache2 is listening on port 443,

cd /etc/apache2/
cat ports.conf

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

netstat -an --inet --inet6 | grep 443

Enable or re-configure the HTTPS service (using the real certificates here), 

cd /etc/apache2/sites-available/
mv default-ssl.conf default-ssl.conf.dist

vi host.ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        SSLEngine on
        #SSLCertificateFile /etc/apache2/ssl/apache.pem
        SSLCertificateFile /etc/apache2/ssl/example.net.pem
        SSLCertificateKeyFile /etc/apache2/ssl/example.net.priv.nopass.pem

        ServerName host.example.net
        ServerAdmin webmaster@example.net

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        ErrorLog /var/log/apache2/error-ssl.log
        CustomLog /var/log/apache2/access-ssl.log combined

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
</IfModule>

then enable the HTTPS service,

cd ../sites-enabled/
ln -s ../sites-available/host.ssl.conf

Reload apache (yes, a reload is enough, even for a new cert :-),

apachectl configtest
httpd -S
cd /var/log/apache2/
tail -F error-ssl.log error.log
service apache2 reload
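A pre-reload sanity check for the vhost file above, written here as an added example (it is not part of the original doc): it confirms SSLEngine is on, that the certificate and key files named in the vhost exist, that the private key is not group- or world-readable, and, when openssl is installed, that the key really belongs to the certificate. It assumes a Linux host (stat -c), an RSA key as produced by the openssl req command above, and the vhost path shown in the usage comment.

```shell
#!/bin/sh
# Added example, not from the original doc: sanity-check an Apache SSL vhost
# file before "service apache2 reload". Assumes Linux (stat -c), awk, and an
# RSA key; openssl(1) is only used when it is installed.
set -eu

# check_ssl_vhost FILE  -> prints "ok", or the first problem found and returns 1.
check_ssl_vhost() {
    conf=$1
    crt=$(awk '$1 == "SSLCertificateFile"    { print $2; exit }' "$conf")
    key=$(awk '$1 == "SSLCertificateKeyFile" { print $2; exit }' "$conf")

    grep -qi '^[[:space:]]*SSLEngine[[:space:]]\{1,\}on' "$conf" \
        || { echo "SSLEngine is not on in $conf"; return 1; }
    [ -n "$crt" ] && [ -r "$crt" ] \
        || { echo "certificate file missing or unreadable: '$crt'"; return 1; }
    [ -n "$key" ] && [ -r "$key" ] \
        || { echo "key file missing or unreadable: '$key'"; return 1; }

    # The private key must be readable by root only (apache reads it as root
    # at startup); anything beyond 0600/0400 leaks it to other local users.
    perm=$(stat -c '%a' "$key")
    case $perm in
        *00) ;;
        *) echo "key $key is group/world readable (mode $perm)"; return 1 ;;
    esac

    # With openssl present, prove the key matches the certificate by comparing
    # the RSA modulus of each; a mismatch makes apache refuse to start.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$crt" 2>/dev/null \
            || { echo "certificate is not a PEM X.509 file: $crt"; return 1; }
        cm=$(openssl x509 -noout -modulus -in "$crt" | openssl md5)
        km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl md5)
        [ "$cm" = "$km" ] || { echo "certificate and key do not match"; return 1; }
    fi
    echo ok
}

# Usage (hypothetical path): check_ssl_vhost /etc/apache2/sites-available/host.ssl.conf
```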

Troubleshooting 

If you get this warning when checking the apache configuration,

[warn] _default_ VirtualHost overlap on port 443, the first has precedence

==> add NameVirtualHost *:443 into ports.conf, see above. This applies to Apache 2.2; on Apache 2.4 (the version shipped with Jessie) NameVirtualHost is deprecated and has no effect, since name-based virtual hosting is automatic there.

Ref. https://www.demenageur-site.com/blog/2012/06/plusieurs-certificats-ssl-pour-differents-virtualhosts-sur-une-seule-ip/

Additional notes on Red Hat - RHEL

On Red Hat systems it is basically the same, only the configuration file locations and folders differ.

Prepare or deploy your certificates, 

mkdir -p /etc/httpd/ssl/
cd /etc/httpd/ssl/

host.example.net.crt
host.example.net.key

Enable SSL, 

cd /etc/httpd/conf.d/
mv -f ssl.conf ssl.conf.dist
cat > ssl.conf <<EOF9
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
EOF9

Add an HTTPS virtualhost (port 443), 

NameVirtualHost *:443

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/host.example.net.crt
        SSLCertificateKeyFile /etc/httpd/ssl/host.example.net.key
        ...
</VirtualHost>

Ready to go, 

apachectl configtest
httpd -S
service httpd reload

References

Install and configure the SSL module for Apache2 (in French): https://technique.arscenic.org/lamp-linux-apache-mysql-php/apache-le-serveur-http/modules-complementaires/article/installer-et-configurer-le-module-ssl-pour-apache2

Setting up a secure server with Apache and mod-ssl: https://www.debian-administration.org/article/31/Setting_up_a_secure_server_with_Apache_and_mod-ssl

Configuring your Apache Server: http://www.faqs.org/docs/Linux-HOWTO/SSL-RedHat-HOWTO.html#s4

How do I create a self-signed SSL Certificate for testing purposes: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert

How do I create a real SSL Certificate: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert

How do I create and use my own Certificate Authority (CA): http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca