Gentoo Wiki

SSL

Prerequisites: Modules in Apache2 are controlled by

/etc/conf.d/apache2

Edit that file and add

-D SSL

to your "APACHE2_OPTS" if it doesn't already exist. The resulting line may look something like this:

APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5 -D SSL"
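Editing APACHE2_OPTS by hand is fine once, but the edit is easy to get wrong (missing quotes, the define added twice). The following shell functions are an added example, not Gentoo's own tooling or code from this page: they add a "-D NAME" define to a Gentoo-style /etc/conf.d/apache2 only if it is not already there, and read the resulting value back so it can be checked before Apache is restarted. The file path is a parameter so the change can be tried on a copy first.

```shell
#!/bin/sh
# Added example: idempotently add a "-D NAME" define to APACHE2_OPTS in a Gentoo-style
# /etc/conf.d/apache2. Not Gentoo's own tooling; the file path is passed in so the
# function can be tried on a copy before touching the real file.

# apache_defines FILE: print the current APACHE2_OPTS value without its quotes
# (commented-out "# APACHE2_OPTS=..." lines are ignored because of the ^ anchor)
apache_defines() {
    sed -n 's/^APACHE2_OPTS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# enable_apache_define FILE NAME: make sure "-D NAME" is in APACHE2_OPTS, exactly once
enable_apache_define() {
    file=$1; name=$2
    opts=$(apache_defines "$file")
    case " $opts " in
        *" -D $name "*) return 0 ;;          # already enabled, leave the file untouched
    esac
    new="$opts -D $name"; new=${new# }       # drop the leading space when opts was empty
    if grep -q '^APACHE2_OPTS=' "$file"; then
        # rewrite via a temporary file: portable, unlike "sed -i"
        sed "s/^APACHE2_OPTS=.*/APACHE2_OPTS=\"$new\"/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'APACHE2_OPTS="%s"\n' "$new" >> "$file"
    fi
}

# Usage on the real file (as root), then restart apache as described below:
#   enable_apache_define /etc/conf.d/apache2 SSL && apache_defines /etc/conf.d/apache2
```

Running the function twice leaves the file unchanged the second time, which is what you want from anything that ends up in a provisioning script.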


Set up your virtual host definition in /etc/apache2/vhosts.d/00_default_vhost.conf. As I understand it, you can only have one https site per IP address.

<VirtualHost *:443>
    ServerName www.domainname.com
    DocumentRoot /var/www/domainname/htdocs
    CustomLog logs/domainname.log clf
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>

Note: On newer installations of Apache2 (version?) you will find server.crt and server.key pre-generated in /etc/apache2/ssl/

Restart Apache and then check that it is listening on port 443:

/etc/init.d/apache2 restart
 * Stopping apache2 ..                                                                     [ ok ]
 * Starting apache2 ... 
#

# netstat -tpan | grep 443
tcp  0   0 0.0.0.0:443  0.0.0.0:*   LISTEN  30903/apache2

Generate a key and a certificate signing request:

#  openssl req -new > new.cert.csr

It asks you some questions:

  1. Common Name is your FQDN
  2. Add a passphrase; it will be removed later

Generating a 1024 bit RSA private key
...............................++++++
.............++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: XXXXXXXXXXXXXXX
Verifying - Enter PEM pass phrase:XXXXXXXXXXXXXXX
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.domainname.com
Email Address []:you@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove the passphrase from the key (optional):

openssl rsa -in privkey.pem -out new.cert.key

Convert the request into a self-signed certificate (valid for 1825 days):

openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1825

Copy the key and certificate to the correct place:

#  cp new.cert.cert /etc/apache2/ssl/server.crt
#  cp new.cert.key /etc/apache2/ssl/server.key
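The key, request and self-signed certificate steps above, carried out non-interactively, as an added shell example that is not from this page or from Gentoo's own tooling. It assumes the openssl command line tool is installed; the host name www.example.com, the output directory and the 2048-bit key size are constructed placeholders (the page's output shows a 1024-bit key, which is too short for current use). The -nodes option leaves the key unencrypted from the start, so the separate "openssl rsa" passphrase-removal step is not needed. Before copying anything into /etc/apache2/ssl it checks the one thing that goes wrong most often, a server.key that does not belong to server.crt, and it keeps the key file private.

```shell
#!/bin/sh
# Added example: non-interactive version of the openssl req / x509 / cp steps above.
# Assumes the openssl command line tool; the CN, key size and paths are constructed placeholders.

# make_self_signed DIR CN [DAYS]
# Writes DIR/server.key (unencrypted, mode 0600), DIR/server.csr and a self-signed DIR/server.crt.
make_self_signed() {
    dir=$1; cn=$2; days=${3:-1825}
    mkdir -p "$dir" || return 1
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null ) || return 1
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -sha256 -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 0600 "$dir/server.key" && chmod 0644 "$dir/server.crt"
}

# cert_common_name CRT: print the CN from the certificate subject
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CRT: succeed only if the public key in CRT was derived from KEY
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days CRT N: succeed if the certificate will still be valid N days from now
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_fingerprint CRT: SHA-256 fingerprint, to compare with what the browser shows
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# install_pair SRC_DIR [DEST_DIR]: the "cp" step from the page, refusing a mismatched pair
install_pair() {
    src=$1; dest=${2:-/etc/apache2/ssl}
    key_matches_cert "$src/server.key" "$src/server.crt" || { echo "key/cert mismatch" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp "$src/server.crt" "$dest/server.crt" && cp "$src/server.key" "$dest/server.key" \
        && chmod 0600 "$dest/server.key"
}

# Example run (constructed host name and directory):
#   make_self_signed /tmp/newcert www.example.com 1825 && cert_fingerprint /tmp/newcert/server.crt
#   install_pair /tmp/newcert            # as root; copies into /etc/apache2/ssl
```

Comparing the public keys (openssl pkey -pubout against openssl x509 -pubkey) rather than eyeballing file names is what catches a key that was regenerated after the certificate was signed; Apache refuses to start in that case, and this check tells you why before the restart.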


Troubleshooting

If you are getting the "some data may have been transferred" error, it is because Apache is listening on port 443 but does not have SSLEngine turned on. If you run

 openssl s_client -host localhost -port 443

it will attempt to make an SSL connection to 192.168.0.1:443. You can then type:

GET / HTTP/1.0

and you should get the web page.
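The s_client check above tells the three cases apart only if you know how to read its output. The following shell functions are an added example, not code from this page: tls_probe classifies what answers on a host and port (a TLS server presenting a certificate, something that accepts the connection but does not speak TLS, which is the "SSLEngine off" case the note describes, or nothing listening at all), and tls_get sends the manual GET request over the TLS connection, including the blank line that terminates an HTTP/1.0 request. It assumes the openssl command line tool; host names and ports in the comments are placeholders.

```shell
#!/bin/sh
# Added example: classify what answers on HOST:PORT, the check behind the troubleshooting note above.
# Assumes the openssl command line tool; host names and ports in the comments are placeholders.

# tls_probe HOST PORT
# Returns 0 when a TLS handshake completes and the server presents a certificate,
#         1 when something accepted the connection but did not speak TLS
#           (the page's case: Apache on 443 without "SSLEngine On" answers the ClientHello
#           with plain HTTP and s_client reports a protocol error, no certificate),
#         2 when nothing is listening (connection refused / unreachable).
tls_probe() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        return 0
    elif printf '%s\n' "$out" | grep -qiE 'connection refused|errno='; then
        return 2
    fi
    return 1
}

# tls_probe_describe HOST PORT: one line of plain English for the terminal
tls_probe_describe() {
    rc=0
    tls_probe "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1:$2 speaks TLS" ;;
        1) echo "$1:$2 accepted the connection but is not TLS (SSLEngine off?)" ;;
        *) echo "$1:$2 nothing listening" ;;
    esac
}

# tls_get HOST PORT [PATH]: the manual "GET / HTTP/1.0" step over TLS; the empty line
# after the headers is what makes the server act on the request
tls_get() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "${3:-/}" "$1" |
        openssl s_client -connect "$1:$2" -servername "$1" -quiet 2>/dev/null
}

# Example against the host you just configured:
#   tls_probe_describe localhost 443
#   tls_get localhost 443 /
```

A self-signed certificate still counts as "speaks TLS" here: s_client prints the certificate and a non-zero verify code, and the probe only asks whether the handshake reached the certificate, which is the question the troubleshooting note is about.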

Retrieved from "http://www.gentoo-wiki.info/SSL"

Last modified: Thu, 04 Sep 2008 05:58:00 +0000