Setting up an SSL server with Apache2

Posted by Steve on Thu 9 Feb 2006 at 11:27


With the introduction of the Apache2 packages in Debian it is much simpler to create and use a secure SSL-protected webserver than in the old days with Apache 1.3. Here we'll show how it is done.

If you have Apache 2.x installed already then you're good to go as you don't need anything extra installed.

If you haven't got it installed then you can do so easily:

earth:~# apt-get install apache2
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
Suggested packages:
  apache2-doc ca-certificates
The following NEW packages will be installed:
  apache2 apache2-common apache2-mpm-worker apache2-utils openssl ssl-cert
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2040kB of archives.
After unpacking 6218kB of additional disk space will be used.
Do you want to continue? [Y/n]

Once the server is installed you need to do three things to get a working SSL setup:

  1. Generate, or import, a certificate.
  2. Enable Apache's SSL support.
  3. Configure your SSL options.

Generating A Certificate

Generating a certificate from scratch will give you something which will be used to protect the traffic exchanged between clients and your server. However, it will be signed by an untrusted certificate authority, so it will generate warnings.

Importing a paid and "trusted" certificate will avoid this problem, but that is beyond the scope of this simple introduction.

Generating an SSL certificate for Apache2 may be accomplished using the apache2-ssl-certificate script. This will ask you questions interactively then generate the certificate file appropriately.

Here's a sample session:

earth:~# apache2-ssl-certificate

creating selfsigned certificate
replace it with one signed by a certification authority (CA)

enter your ServerName at the Common Name prompt

If you want your certificate to expire after x days call this programm
with -days x
Generating a 1024 bit RSA private key
............++++++
..........................++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:Scotland
Locality Name (eg, city) []:Edinburgh
Organization Name (eg, company; recommended) []:Steve Kemp
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:earth
Email Address []: earth-admin@steve.org.uk
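
Before wiring the new file into Apache it is worth confirming what it contains. The script below is an added example, not part of the original article or of the apache2-ssl-certificate script; the function names are made up here and the demo certificate is a throwaway generated on the spot. It checks the file mode, that the Common Name equals the ServerName you intend to use, that key and certificate belong together, the key length and the expiry date.

```shell
#!/bin/sh
# Added example: sanity checks for a combined key+certificate PEM such as
# /etc/apache2/ssl/apache.pem. All function names are made up for this example.

# Common Name stored in the certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Size of the certificate's public key in bits.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_pem FILE SERVERNAME: prints findings, returns 1 if any check fails.
check_pem() {
    pem=$1; want=$2; rc=0
    [ -r "$pem" ] || { echo "FAIL cannot read $pem"; return 1; }

    # The file contains the private key: no access for group or others.
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL $pem is accessible to group/others; chmod 600 it"; rc=1; }

    # The script asks for the ServerName at the Common Name prompt; Apache
    # logs a "does NOT match server name" warning when the two differ.
    cn=$(cert_cn "$pem")
    [ "$cn" = "$want" ] ||
        { echo "FAIL certificate CN '$cn' does not match ServerName '$want'"; rc=1; }

    # The private key in the file must belong to the certificate in the file.
    kpub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    { [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; } ||
        { echo "FAIL private key and certificate do not match"; rc=1; }

    # 1024-bit RSA, as in the session above, is too short by current standards.
    bits=$(cert_bits "$pem")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL ${bits:-unknown}-bit key; regenerate with at least 2048 bits"; rc=1; }

    # Nobody renews a self-signed certificate for you: flag an expiry that
    # is less than 30 days away (-checkend takes seconds).
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL certificate expires within 30 days"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK $pem: CN=$cn, $bits-bit key"
    return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate for CN $2,
# written key first, then certificate, into the single file $1.
make_demo_pem() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    ( umask 077; cat "$tmp/key.pem" "$tmp/cert.pem" > "$1" )
    rm -rf "$tmp"
}

# "sh check_pem.sh demo" runs against a throwaway certificate;
# "sh check_pem.sh FILE SERVERNAME" checks a real one.
case "${1:-}" in
    "")   ;;
    demo) d=$(mktemp -d) && make_demo_pem "$d/apache.pem" earth.my.flat &&
              check_pem "$d/apache.pem" earth.my.flat
          rm -rf "$d" ;;
    *)    check_pem "$1" "${2:-}" ;;
esac
```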

Enabling SSL Support

To use the SSL facilities of Apache2 you must enable the module mod_ssl. This can be achieved using the helper tool a2enmod. (We've previously discussed the Apache2 helper scripts.)

As root run:

earth:~# a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

Once this is done you'll have Apache set up to accept SSL connections, but the server will still only be listening for incoming HTTP requests on port 80, and not SSL connections on port 443. To fix this you must add a line to the file /etc/apache2/ports.conf:

Listen 443

With these two steps out of the way you now have an Apache setup which will listen for and accept SSL connections. The next step is to modify your virtualhosts to use it.

Configuring your SSL Hosts

With a certificate set up, and the server updated to load and listen for incoming SSL connections, you're almost finished. The final step is to ensure that your virtual hosts, or main host, will accept SSL options.

I use virtual hosts upon my machine and this just means adding a couple of options to each one I wish to use SSL:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

For reference here is a complete example which should be easy to modify/understand:

NameVirtualHost *:443
NameVirtualHost *:80

<VirtualHost *:80>
        ServerName earth.my.flat
        DocumentRoot /var/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
</VirtualHost>

<VirtualHost *:443>
        ServerName earth.my.flat

        DocumentRoot /var/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
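
The three steps can be checked mechanically once the files are edited. The script below is an added example, not part of the original article: audit_ssl_vhosts and sample_config are names made up here, and the sample input is constructed from the complete example above plus a two-line ports.conf. It goes slightly beyond the article by also flagging a host that is still served unencrypted on port 80, and several SSL hosts on one address:port that name different certificates.

```shell
#!/bin/sh
# Added example: audit Apache configuration text for the three steps above.
# audit_ssl_vhosts and sample_config are names made up for this example.

# Reads the named files (or stdin), prints findings, returns 1 on any FAIL.
audit_ssl_vhosts() {
    cat "$@" | awk '
    function fail(msg) { print "FAIL " msg; fails++ }
    function warn(msg) { print "WARN " msg; warns++ }
    # Directive names are case-insensitive, so match on a lowercased copy.
    { low = tolower($0); sub(/^[ \t]+/, "", low) }
    low ~ /^#/ { next }
    low ~ /^listen[ \t]/ { if ($2 ~ /(^|:)443$/) listen443 = 1; next }
    low ~ /^<virtualhost[ \t]/ {
        addr = $2; sub(/>.*/, "", addr)
        port = addr; sub(/.*:/, "", port)
        in_vh = 1; name = "(no ServerName)"; engine = 0; cert = ""
        next
    }
    in_vh && low ~ /^servername[ \t]/ { name = $2 }
    in_vh && low ~ /^sslengine[ \t]/ { engine = (tolower($2) == "on") }
    in_vh && low ~ /^sslcertificatefile[ \t]/ { cert = $2; gsub(/"/, "", cert) }
    in_vh && low ~ /^<\/virtualhost>/ {
        in_vh = 0
        if (port != "443" && !engine) { plain[name] = addr; next }
        ssl[name] = addr
        if (!engine)
            fail(name " on " addr ": no SSLEngine on, so this port serves plain HTTP")
        if (cert == "")
            fail(name " on " addr ": no SSLCertificateFile")
        else if (!(addr in first_cert))
            first_cert[addr] = cert
        else if (first_cert[addr] != cert)
            warn(name " on " addr ": " cert " differs from " first_cert[addr] \
                 "; choosing between them needs SNI")
    }
    END {
        if (!listen443) fail("no Listen 443 line, nothing accepts HTTPS connections")
        for (n in ssl)
            if (n in plain) print "NOTE " n " is also served unencrypted on " plain[n]
        printf "%d FAIL, %d WARN\n", fails, warns
        exit (fails > 0)
    }'
}

# Constructed sample input: ports.conf lines followed by the article's example.
sample_config() {
    cat <<'EOF'
Listen 80
Listen 443
NameVirtualHost *:443
NameVirtualHost *:80
<VirtualHost *:80>
        ServerName earth.my.flat
        DocumentRoot /var/www/
</VirtualHost>
<VirtualHost *:443>
        ServerName earth.my.flat
        DocumentRoot /var/www/
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
EOF
}

# With arguments, audit those files, for example:
#   sh audit.sh /etc/apache2/ports.conf /etc/apache2/sites-enabled/*
# Without arguments, audit the constructed sample.
if [ $# -gt 0 ]; then
    audit_ssl_vhosts "$@"
else
    sample_config | audit_ssl_vhosts
fi
```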

 

 


Posted by Anonymous (213.164.xx.xx) on Thu 9 Feb 2006 at 11:54
Just a suggestion, but I think it would be clearer if the article title said "ssl server", not "secure server". It sounds like a hardening article :)


Posted by Steve (82.41.xx.xx) on Thu 9 Feb 2006 at 12:05

I thought the introduction would be sufficient to make it clear. Still it's a good suggestion and I have no strong preference either way so I've changed it now.

Thanks.

Steve


Posted by Anonymous (195.14.xx.xx) on Thu 9 Feb 2006 at 12:35
We already have several articles on this; one of them can be seen here:
Apache2 Installation with SSL and PHP support

And if anyone is ready to post a new article on Apache2 with MySQL support configuration, that would help more people and be different from other articles.


Posted by shanelabs (108.90.xx.xx) on Mon 10 Jun 2013 at 02:17
I agree with you. We've set up a guide with just that purpose in mind: How to get HTTPS: Setting up SSL on your website


Posted by simms (216.13.xx.xx) on Thu 9 Feb 2006 at 13:00
Very nice. Works right away, but it should be noted that you do need to restart the webserver after changing all these settings -- for example with
apache2ctl restart


Posted by simms (216.13.xx.xx) on Thu 9 Feb 2006 at 13:24
OK.. this is perhaps a silly question, but is there something special I need to do to disable non-SSL Apache2 service on port 80?

I applied Steve's directions to my system, except that I didn't put in a VirtualHost stanza for port 80, and I removed Listen 80 from ports.conf .. however, while the SSL on port 443 is indeed working fine, Apache still responds to non-secure port 80 requests.


Posted by Steve (82.41.xx.xx) on Thu 9 Feb 2006 at 13:29

Did you restart the server afterwards?

/etc/init.d/apache2 restart

Failing that I'd look to see that you don't have port 80 listed elsewhere:

rgrep 80 /etc/apache2/

Steve


Posted by simms (216.46.xx.xx) on Thu 9 Feb 2006 at 13:50
Yep, the server was restarted.

rgrep 80 /etc/apache2/ returns nothing.

This is my 'default' site config (it's the only one there):
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined

ServerSignature On

# [2006-02-09] added to enable SSL as per
# http://www.debian-administration.org/articles/349
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

</VirtualHost>

Here's my ports.conf:
Listen 443

My httpd.conf is empty.


Posted by Steve (82.41.xx.xx) on Thu 9 Feb 2006 at 13:52

Strange.

What does the output of lsof show?

lsof -i :80

(You might need to install lsof first.)

Steve


Posted by simms (216.13.xx.xx) on Thu 9 Feb 2006 at 14:00
Strange indeed.

lsof -i :80 returns nothing as well.

Incidentally, lsof -i :443 shows Apache2 running as it should:
COMMAND   PID     USER   FD   TYPE  DEVICE SIZE NODE NAME

apache2 11488 root 3u IPv6 1442337 TCP *:https (LISTEN)
apache2 11489 www-data 3u IPv6 1442337 TCP *:https (LISTEN)
apache2 11490 www-data 3u IPv6 1442337 TCP *:https (LISTEN)
apache2 11495 www-data 3u IPv6 1442337 TCP *:https (LISTEN)


Posted by simms (216.46.xx.xx) on Thu 9 Feb 2006 at 14:04
D'oh!
Looks like the whole thing was due to local caching -- in fact the server had stopped responding on :80 the minute I restarted. Man, I feel like a fool.
All's well.
Sorry for wasting your time, Steve -- and thanks for trying.


Posted by GoodTimes (146.180.xx.xx) on Thu 9 Feb 2006 at 14:13
were you checking if it responded using the browser?

i'd suggest wget next time or telnet localhost 80 to avoid that problem

especially if all you want to do is see if you can connect

aaron

Through correctness comes ease
-Chiun
-The Destroyer series


Posted by sno (62.254.xx.xx) on Thu 9 Feb 2006 at 18:50
thx for article, good and to the point.

i had that cache issue before with phpmyadmin, was freaking out wondering why it wasn't gone when i --purge'd it. ISP cache gets me every time ;)


Posted by Anonymous (68.236.xx.xx) on Wed 19 Jul 2006 at 04:44
don't forget, if you want the cert to be good for more than one month, then add
-days xx


Posted by Anonymous (82.157.xx.xx) on Thu 9 Feb 2006 at 22:26
Please look at http://cacert.org for free SSL server certificates.

Self Signed is not needed anymore.


Posted by Steve (82.41.xx.xx) on Fri 10 Feb 2006 at 09:16

Is the root certificate for this CA included in any major browser?

If so they are usable, if not then they are not.

I see no information on the site except that this is one of their goals. No indication of whether they've succeeded ...

Steve


Posted by Anonymous (62.6.xx.xx) on Mon 13 Feb 2006 at 15:23
From TFA:

"Please note a general limitation is that, unlike long-time players like Verisign, CAcert's root certificate is not included by default in mainstream browsers, email clients, etc. This means people to whom you send encrypted email, or users who visit your SSL-enabled web server, will first have to import CAcert's root certificate, or they will have to agree to pop-up security warnings (which may look a little scary to non-techy users)."


Posted by Anonymous (58.69.xx.xx) on Fri 10 Feb 2006 at 07:10
Hello Steve, nice article...I didn't know there was such a script for quickly generating self-signed certs.

I noticed that you mentioned that you add some config lines for each vhost you wanted to enable SSL for. I remember trying before to have multiple SSL vhosts on one server, but they just couldn't work (apache complains about it, forgot the exact error...but it defaults to using the first ssl vhost I think). My workaround was to make each SSL vhost listen on different ports (1443,2443,etc) and have the vhost redirect to itself using the custom port when accessed by a client. It's not a workaround I'm particularly proud of though.

Is there actually a way to make multiple SSL vhosts "share" port 443 on one server? If not, can anyone care to share why apache would impose such a limit? Thanks!

-Paul Prantilla


Posted by Steve (82.41.xx.xx) on Fri 10 Feb 2006 at 09:13

This is well documented:

Steve


Posted by Anonymous (210.5.xx.xx) on Fri 10 Feb 2006 at 09:23
A great read. I guess I focused too much on what other forums from quick google searches had to say..and in my impatience didn't catch it on the actual apache docs. Thanks.


Posted by Anonymous (69.21.xx.xx) on Fri 10 Mar 2006 at 06:15
Another good solution that I found from the CACert.org wiki is to setup either a wildcard SSL cert or a multiple CNAME cert. This solution works great if say your company has several domain names that are all hosted from one server. You just create the *.csr file using CN0=\*.example1.com CN1=\*.example1.net etc.


Posted by Anonymous (89.173.xx.xx) on Wed 7 Feb 2007 at 16:29
I'm fixing the url, the document moved here:

Apache2 multiple SSL Virtual Hosts


Posted by Anonymous (80.189.xx.xx) on Fri 10 Feb 2006 at 21:47
Or go to Apachefriends.com - download XAMPP and run it. Simple as that!!


Posted by Steve (82.41.xx.xx) on Fri 10 Feb 2006 at 21:52

I guess you mean ApacheFriends.org ?

That is one solution for installing Apache + PHP + etc, but it is not ideal for Debian systems since it doesn't work with our packaging system - and means that upgrades and security patches will need to be handled differently. Also looking at their webpages it doesn't mention SSL. Is that set up too?

Maybe when you have a single machine you can deal with that, but if you're looking after a lot it is best to stick to standard sources so you can patch them all in the same way ..

Steve


Posted by Anonymous (64.213.xx.xx) on Wed 15 Feb 2006 at 18:54
And for those that are quick reading the thread, ApacheFriends.org DOES NOT have a solution to the SSL on 1 VirtualHost problem. I missed that this was a different thread and thought I'd save anyone else from the mistake.


Posted by Anonymous (82.47.xx.xx) on Sun 26 Feb 2006 at 16:10
I tried this and it doesn't work on my server... I get errors when starting apache

[Sun Feb 26 16:09:01 2006] [error] VirtualHost :443 -- mixing ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Sun Feb 26 16:09:01 2006] [error] VirtualHost :80 -- mixing ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Sun Feb 26 16:09:01 2006] [warn] NameVirtualHost *:80 has no VirtualHosts
[Sun Feb 26 16:09:01 2006] [warn] NameVirtualHost *:443 has no VirtualHosts
Starting web server: Apache2.

This is what my .conf looks like

# This is here for backwards compatability reasons and to support
# installing 3rd party modules directly via apxs2, rather than
# through the /etc/apache2/mods-{available,enabled} mechanism.
#
#LoadModule mod_placeholder /usr/lib/apache2/modules/mod_placeholder.so

NameVirtualHost *:443
NameVirtualHost *:80

<virtualhost *:80>
ServerName 212.53.85.16
DocumentRoot /var/www/htdocs

</virtualhost>

<virtualhost *:443>
ServerName 212.53.85.16
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</virtualhost>

and my ports.conf looks like

Listen 80
Listen 443


Posted by Anonymous (216.127.xx.xx) on Wed 1 Mar 2006 at 23:18
I just fixed this myself today. First off try removing the ServerName lines from your file. If you really do need it due to hosting several sites try instead configuring the file like the following.

NameVirtualHost 212.53.85.16:80

Right now you have said you are describing the * server but then in the Virtual Host you only configure the 213.x.x.x virtual host.

If that does not help then check to see if you have a second site configuration file laying around. The file you listed above seems valid. So I think you might have another in the sites-enabled directory that is causing you grief. Heck, editing with emacs might have left a backup file that would be loaded and give you this problem.

Lastly if you installed apache2 on a box that used to host apache 1.3 note that the apache2 configuration is in /etc/apache2 and not etc/apache. You might have edited the wrong conf file.

Hope sometin' here helps ya mon!
Nokkin de Troll


Posted by Anonymous (24.56.xx.xx) on Thu 2 Mar 2006 at 05:49
Thanks man! It worked flawlessly and saved me loads of time.


Posted by Anonymous (70.69.xx.xx) on Wed 8 Mar 2006 at 21:15
I followed this tutorial exactly, made all the config files match etc. But when I got to https://myip I keep getting it asking me for a username and pw. None of the system passwords work. What am I doing wrong?


Posted by Steve (82.41.xx.xx) on Wed 8 Mar 2006 at 21:21

SSL has nothing to do with username / password authentication.

I'd suggest that you have some other changes present in your Apache2 setup which are causing this.

Look for either .htaccess files beneath your documentroot, or "Require" settings somewhere inside /etc/apache2.

For more help you may find the debian-user mailing list helpful ...


Posted by Anonymous (213.196.xx.xx) on Sun 12 Mar 2006 at 14:18
Excellent article! Saved me a lot of time searching.


Posted by woodsey (202.180.xx.xx) on Sat 18 Mar 2006 at 10:04
Good step by step guide that worked flawlessly


Posted by Anonymous (193.30.xx.xx) on Thu 30 Mar 2006 at 15:55
I get this error message when I try to use https on my server. Have you got any idea what's the problem?

[Thu Mar 30 16:34:11 2006] [warn] RSA server certificate CommonName (CN) `myserver.mydomain.com'
does NOT match server name!?


Posted by Steve (212.20.xx.xx) on Thu 30 Mar 2006 at 15:58

The error means the server name used by your webserver (ie "www.example.com") is different from the name of the certificate.

Generate another one as described above but make sure you enter an identical name to the server's external hostname.

Steve


Posted by Anonymous (82.55.xx.xx) on Wed 3 May 2006 at 19:16
the guide is really helpful but when generating a Selfsigned Certificate the following error occurs:
...
...
Country Name (2 letter code) [GB]:problems making Certificate Request

and the creation stops. The certificate isn't created.

How can I solve it?

thanks for guide and help

peace


Posted by thirawat (202.129.xx.xx) on Fri 26 May 2006 at 05:06
country code name 2 letter.

eg. thailand = th
united states = us


Posted by Anonymous (173.72.xx.xx) on Mon 18 May 2009 at 16:32
I am having the same problem.
When I execute the command:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
I am getting this response:
Generating a 2048 bit RSA private key
....................+++
........................................+++
writing new private key to 'myserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:problems making Certificate Request

I can not enter a two letter country code, for example th , if I do I get an error:

Country Name (2 letter code) [GB]:problems making Certificate Request
> th
bash: th: command not found

Please advise. Thank you


Posted by Anonymous (203.26.xx.xx) on Fri 2 Jun 2006 at 15:11
Thank you!

Your example was extremely helpful!!


Posted by jsabater (80.36.xx.xx) on Wed 14 Jun 2006 at 16:35
Thanks for the article. I have not created a default certificate using apache2-ssl-certificate but a specific certificate for every domain using openssl (/usr/lib/ssl/misc/CA.pl -newreq-nodes), so I have a certificate and a key. I am setting up two virtual hosts like this:


ServerName subdomain1.domain.com
DocumentRoot /var/www/subdomain1.domain.com/public_html
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/subdomain1.domain.com_newcert.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/subdomain1.domain_newkey.pem"
ErrorLog /var/log/apache2/error_subdomain1.domain.com.log
CustomLog /var/log/apache2/access_subdomain1.domain.com.log combined



ServerName subdomain2.domain.com
DocumentRoot /var/www/subdomain2.domain.com/public_html
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/subdomain2.domain.com_newcert.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/subdomain2.domain_newkey.pem"
ErrorLog /var/log/apache2/error_subdomain2.domain.com.log
CustomLog /var/log/apache2/access_subdomain2.domain.com.log combined


The cert and key files are different and have been signed by CAcert.org. The thing is that, in case I configure only the first virtualhost everything works fine. But the moment I configure the second virtualhost, then both offer the certificate of the second one when you connect.

Any hints? Thanks in advance.

--
Jaume Sabater
http://linuxsilo.net/

"Ubi sapientas ibi libertas"


Posted by Steve (62.30.xx.xx) on Wed 14 Jun 2006 at 16:38

Without using multiple IP addresses you cannot have more than one SSL server upon a single host.

If you had a "wildcard certificate" then it would work - but two different ones? Not at all.

See the Apache documentation for details.

Steve


Posted by Anonymous (206.45.xx.xx) on Wed 12 Jul 2006 at 23:20
Great help! Thanks a lot.


Posted by doug (64.123.xx.xx) on Wed 6 Sep 2006 at 16:36
Wonderfully clear article in the great Scottish tradition.

I'm a real estate broker (non-tech variety) and run a web site containing a rental application that is not secure. I got everything loaded per this article and the application comes up okay as a secure page but when I hit submit (which is a post to a perl script that sends an email acknowledgement and creates a file on disc containing the application info) the browser produces a dialogue box that leads only to opening or saving the file containing the perl script.

Would appreciate some guidance.


Posted by Steve (62.30.xx.xx) on Wed 6 Sep 2006 at 16:48

You've probably enabled the CGI handling for the non-SSL site, but not for the SSL one.

If you give an example of the URL which is failing (eg. is it /some/path/foo.cgi ?) then we might be able to help.

Steve


Posted by doug (64.123.xx.xx) on Wed 6 Sep 2006 at 17:44
Hoping this is the answer:
http://64.123.174.195/DBRE_Ap.htm
the failure is the attempt to post to /cgi-bin/new2FormMail.pl


Posted by Steve (62.30.xx.xx) on Wed 6 Sep 2006 at 17:53

OK I see the problem there:

  • When sending the form via the http server it works.
  • When sending the form to the https server you instead download the source to the script.

Inside the SSL virtualhost you're using you should add the following:

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

That will probably be enough. (Run "/etc/init.d/apache2 restart" afterwards!)

If that doesn't help then please post the configuration files for both the http and the https sites - basically you want to make them match so that the same CGI settings apply to both..

PS.

Steve


Posted by doug (64.123.xx.xx) on Wed 6 Sep 2006 at 21:28
Thanks a lot. That did it.
This is a hell of useful web site.
Been a few years since I tried to get Debian help off the internet. This was by far my best experience.


Posted by Steve (62.30.xx.xx) on Wed 6 Sep 2006 at 22:04

You got lucky :)

Your question was fairly easy to understand, and you came back to supply followup details. Too often people ask questions and don't give enough useful information to identify their problems, or simply never return to answer any questions.

Still I'm glad you're impressed. I think the visitors here all do a great job of helping each other.

Steve


Posted by Anonymous (87.16.xx.xx) on Tue 26 Sep 2006 at 03:47
That's right !
That's how a guide must be ... essential !


Posted by guydl (217.64.xx.xx) on Thu 26 Oct 2006 at 11:37
Hello, great article !
Just a small question: is it possible to configure it like the example below?
(same config for 80 and 443 ports and special config for 443 port)

Guy

NameVirtualHost *:443
NameVirtualHost *:80

<virtualhost *:>
ServerName earth.my.flat
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</virtualhost>

<virtualhost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</virtualhost>


Posted by Anonymous (61.94.xx.xx) on Tue 7 Nov 2006 at 05:31
Maybe it's not suitable with the article but still connected.
1. The difference of ssh and ssl?
2. For example, I make a html page as index.html for my website on https. It's a simple html login page without using database (just enter username and password and then submit to other html page). What I want to know can we decrypt the message (read the original message before encrypted), so server can know the username and password. How to do that and can we do it for web that's not using database? Thanx.


Posted by Anonymous (84.222.xx.xx) on Sun 19 Nov 2006 at 10:56
mixing * ports and non-* ports with a NameVirtualHost address
why this error?


Posted by Anonymous (67.188.xx.xx) on Sat 25 Nov 2006 at 23:28
If you check in /etc/apache2/sites-enabled/ you will see a symlink named "000-default" which points to a file, /etc/apache2/sites-available/default, that contains a wild card NameVirtualHost directive for *. Because that host does not specify ports as a separate setting, like *:* it bullies all of the other NameVirtualHost directives you might want to create. This creates an unstable situation where Apache is not sure what all of the directives will do and it gives a warning that explains this.

A reasonable solution would be to remove the 000-default site from the sites-enabled folder. Or you could edit the default site to be a little more friendly. It is possible that *:* would play nicer than simply *.


Posted by Anonymous (220.233.xx.xx) on Fri 8 Dec 2006 at 12:08
hi,

just installed Etch, and i don't seem to have the apache2-ssl-certificate script.

am i missing something, or did this script not make it to Etch from Sarge?

cheers
justin


Posted by Steve (62.30.xx.xx) on Fri 8 Dec 2006 at 12:11

Not present. Run this:

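# Use /dev/random as OpenSSL's random seed file
export RANDFILE=/dev/random

# Self-signed certificate, valid for 365 days; the unencrypted key (-nodes)
# and the certificate both go into apache.pem
openssl req "$@" -new -x509 -days 365 -nodes -out \
 /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem

# The file contains the private key, so make it readable by root only
chmod 600 /etc/apache2/ssl/apache.pem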


Steve


Posted by Anonymous (82.238.xx.xx) on Sun 17 Dec 2006 at 09:27
yes, apache2-ssl-certificate is no longer present in etch, it seems.

One solution
# mkdir /etc/apache2/ssl
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/apache.pem

Hope this helps.


Posted by Anonymous (80.87.xx.xx) on Sat 31 Mar 2007 at 13:39
Thanks for the tip. BTW, I guess the last option should read /etc/apache2/ssl/apache.pem (ernieofori)


Posted by endecotp (86.6.xx.xx) on Fri 6 Jul 2007 at 23:27
Steve, what do you expect the $@ in that command to do?

(Oh, why does SSL always have to be so complicated???)

Phil.


Posted by Steve (62.30.xx.xx) on Sat 7 Jul 2007 at 00:07

Allow you to pass additional arguments to the command if you wish.

Out of context it looks strange, but in a shell-script it works as expected.

Steve


Posted by Anonymous (80.177.xx.xx) on Fri 11 May 2007 at 15:00
Here is how I set up Apache2 to run ssl on a standard Etch install.

Before running any of the above commands the differences between Sarge and Etch need to be resolved. Basically Etch is missing one directory, one script and one configuration file.

Etch does not have the directory /etc/apache2/ssl

This needs to be created with ownership and permissions of

drwxr-xr-x root root

Etch also needs the script /usr/sbin/apache2-ssl-certificate created with ownership root:root and permissions of 766.

The contents of this file should be

#!/bin/sh -e

# Refuse to overwrite an existing certificate unless --force is given
if [ "$1" != "--force" -a -f /etc/apache2/ssl/apache.pem ]; then
    echo "/etc/apache2/ssl/apache.pem exists! Use \"$0 --force.\""
    exit 0
fi

if [ "$1" = "--force" ]; then
    shift
fi

echo
echo creating selfsigned certificate
echo "replace it with one signed by a certification authority (CA)"
echo
echo enter your ServerName at the Common Name prompt
echo
echo If you want your certificate to expire after x days call this programm
echo with "-days x"

# use special .cnf, because with normal one no valid selfsigned
# certificate is created

export RANDFILE=/dev/random
# Remaining arguments (for example -days x) are passed on to openssl
openssl req "$@" -config /usr/share/apache2/ssleay.cnf \
    -new -x509 -nodes -out /etc/apache2/ssl/apache.pem \
    -keyout /etc/apache2/ssl/apache.pem
# apache.pem now holds the private key as well: restrict it to root
chmod 600 /etc/apache2/ssl/apache.pem
# Hash-named symlink pointing at the certificate
ln -sf /etc/apache2/ssl/apache.pem \
    /etc/apache2/ssl/`/usr/bin/openssl \
    x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0



Etch also needs to have the file /usr/share/apache2/ssleay.cnf which should have ownership of root:root and permissions of 644

The contents of this file should be

#
# SSLeay example configuration file.
#

RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

organizationName = Organization Name (eg, company; recommended)
organizationName_max = 64

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64

commonName = server name (eg. ssl.domain.tld; required!!!)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40



The rest of the instructions are then the same as the original above:

run
# apache2-ssl-certificate
and respond to the prompts to create the certificate.

run
# a2enmod ssl
to enable the ssl mod

then run
# /etc/init.d/apache2 force-reload
as asked.

Edit /etc/apache2/ports.conf and add a new line
Listen 443

Make sure a new line character has been added after this line. This may not be needed but better to be safe.

Then modified /etc/apache2/sites-available/default to basically add the ssl site to the default setup.

The original block is copied and the port numbers added but it is important to add the lines

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

to the second section.

This configuration basically means that the original site will be served up over ssl (i.e. https)

This is the new /etc/apache2/sites-available/default file:

NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

# Added to enable ssl.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

</VirtualHost>


Then restarted the Apache server with
# apache2ctl graceful

Your default web page should then be available at
https://www.example.com
as well as
http://www.example.com

From here you can change the DocumentRoot to get it to point somewhere else.


Posted by Anonymous (130.155.xx.xx) on Tue 3 Jul 2007 at 01:48

Question:
The script makes a symbolic link, that is named using the hash of the "key+certificate" file.

ln -sf /etc/apache2/ssl/apache.pem \
  /etc/apache2/ssl/`/usr/bin/openssl \
      x509 -noout -hash < /etc/apache2/ssl/apache.pem`.0 

Why is this needed?

Posted by blytkerchan (24.203.xx.xx) on Wed 10 Jan 2007 at 00:53
Thanks for this excellent article: all the information I needed was right there so my HTTPS server was set up in under five minutes!

Posted by kfelgner (68.73.xx.xx) on Wed 21 Feb 2007 at 01:56
Thanks for the article. Only problem for me is that when opening an https URL in a web browser (https://WEB_server_IP_address/test.txt), I'm stuck with client denied by server configuration errors. Any ideas?

DEBIANHOST:/etc/apache2/sites-available# tail /var/www/webdav/logs/error.log
[Tue Feb 20 18:08:53 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/
[Tue Feb 20 18:09:21 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test1.txt
[Tue Feb 20 18:09:26 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test2.txt
[Tue Feb 20 18:09:44 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test.txt

DEBIANHOST:/etc/apache2/sites-available# tail /var/www/webdav/logs/access.log
ip - - [20/Feb/2007:18:08:53 -0500] "GET / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
ip - - [20/Feb/2007:18:09:21 -0500] "GET /test1.txt HTTP/1.1" 403 211"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
ip - - [20/Feb/2007:18:09:26 -0500] "GET /test2.txt HTTP/1.1" 403 211"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
ip - - [20/Feb/2007:18:09:44 -0500] "GET /test.txt HTTP/1.1" 403 210 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"

The different files are my attempts to change permissions, but nothing worked:
DEBIANHOST:/var/www/webdav# ls -l
total 16
drwxr-xr-x 2 root root 4096 2007-02-20 16:32 logs
-rw-r--r-- 1 root root 30 2007-02-13 07:51 test1.txt
-rw-r--r-- 1 www-data www-data 18 2007-02-13 09:08 test2.txt
-rw-r----- 1 www-data www-data 12 2007-02-13 07:36 test.txt
DEBIANHOST:/var/www# ls -l
total 8
drwxr-xr-x 2 root root 4096 2006-09-12 15:02 apache2-default
drwxr-xr-x 3 www-data www-data 4096 2007-02-13 09:08 webdav

My site files are here:
DEBIANHOST:/etc/apache2/sites-available# ls
default hmawdav
DEBIANHOST:/etc/apache2/sites-available# cat default
NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
RedirectMatch ^/$ /apache2-default/
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>

DEBIANHOST:/etc/apache2/sites-available# cat hmawdav
NameVirtualHost *:443

<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName DEBIANHOST
DocumentRoot /var/www/webdav/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

ErrorLog /var/www/webdav/logs/error.log
CustomLog /var/www/webdav/logs/access.log combined
</VirtualHost>

Posted by Steve (80.68.xx.xx) on Wed 21 Feb 2007 at 10:04

Take a look at /var/www/webdav/logs/error.log.

Steve

Posted by kfelgner (68.73.xx.xx) on Wed 21 Feb 2007 at 11:20
I must be missing what you see. Here again is /var/www/webdav/logs/error.log:
DEBIANHOST:/etc/apache2/sites-available# tail /var/www/webdav/logs/error.log
[Tue Feb 20 18:08:53 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/
[Tue Feb 20 18:09:21 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test1.txt
[Tue Feb 20 18:09:26 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test2.txt
[Tue Feb 20 18:09:44 2007] [error] [client ip] client denied by server configuration: /var/www/webdav/test.txt

What do I need to change in the server config?

Posted by kfelgner (66.73.xx.xx) on Wed 21 Feb 2007 at 13:25
After all that..turns out this was local-configs.conf:

DEBIANHOST:~$ cat /etc/apache2/conf.d/local_configs.conf
#Tighten access to the file system
<Directory />
#forbid default access to file system locations
Order Deny,Allow
Deny from all
#prevent use of .htaccess files in all directories
#apart from those specifically enabled
AllowOverride None
</Directory>
#limit available info about this server
ServerSignature Off
ServerTokens production
#hide all files with the .inc (php include) extension
<Files "*.inc">
Order allow,deny
Deny from all
</Files>


So adding a directive to the SSL VirtualHost solved it.
<Directory /var/www/webdav>
AllowOverride None
Order allow,deny
allow from all
</Directory>

Posted by cpankonien (71.200.xx.xx) on Thu 22 Mar 2007 at 14:41
Hi Steve,
I (somewhat) successfully got ssl working, with the following exception: when i access https://192.168.10.2 everything works fine. however, when i access it via fqdn https://www.ccpip.net i get a 501 not implemented - the requested method is not implemented by the server.

note that i do get a security warning that the cert does not match the server name, so it appears that some communication is taking place.

any clues as to what i've borked up will be appreciated!

Thanks,

Cliff Pankonien


Posted by Anonymous (202.129.xx.xx) on Fri 13 Apr 2007 at 00:37
For generating a certificate you might have used the "apache2-ssl-certificate" command in Debian sarge, but in Debian etch this command is not available. If you want to generate certificates you need to use openssl from your command prompt. Use the following command to generate certificates:

#openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

Good luck
-Setiawans


Posted by Anonymous (87.54.xx.xx) on Wed 18 Jul 2007 at 06:04
What do I do wrong, when my Apache2 error log generates this line:
[Error] Illegal attempt to re-initialise SSL for server(Theoretically shouldn't happen!)


Posted by Anonymous (95.166.xx.xx) on Sat 19 Feb 2011 at 19:26
I had missed putting "SSLEngine on" in each of my VirtualHost definitions, when I got that error.


Posted by Anonymous (193.251.xx.xx) on Fri 13 Apr 2007 at 08:37
With Etch, my server crashes with this message:

[Fri Apr 13 09:22:07 2007] [error] Init: Private key not found
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Apr 13 09:22:07 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib



Thanks for light


Posted by Anonymous (82.229.xx.xx) on Mon 14 May 2007 at 10:54
apache2-ssl-certificate is no longer on debian

Chty

Posted by Steve (62.30.xx.xx) on Mon 14 May 2007 at 10:58

True. See the earlier comment in this article for alternative instructions.

Steve


Posted by Anonymous (195.148.xx.xx) on Sun 10 Jun 2007 at 15:59
The basic configuration didn't work on my debian 4.0 & Apache 2.20! I did have to introduce virtualhost ports separately like this:


NameVirtualHost *:80

<VirtualHost *:80>
ServerName earth.my.flat
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>


NameVirtualHost *:443

<VirtualHost *:443>
ServerName earth.my.flat

DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>


Posted by Anonymous (82.241.xx.xx) on Sun 17 Jun 2007 at 11:03
The apache2-ssl-certificate script does not exist in the Debian etch distribution.

Posted by Steve (62.30.xx.xx) on Sun 17 Jun 2007 at 12:55

True. Read the comments on this article and you'll see this has been mentioned already, along with a solution.

Steve


Posted by Anonymous (204.114.xx.xx) on Wed 4 Jul 2007 at 06:08
HI Everyone,
Can we host different apps on a single SSL enabled domain...Like xyz.domain.com is SSL enabled. By default https://xyz.domain.com will listen on 443 and I have an App configured there

<VirtualHost xyz.domain.com:443>
....
</VirtualHost>

Can i configure it again on another port the below way?
<VirtualHost xyz.domain.com:9886>
....
</VirtualHost>


Posted by Anonymous (75.24.xx.xx) on Sat 7 Jul 2007 at 06:24
Yes, just make sure you use https://xyz.domain.com:9886/ as your URL in your browser and it will work.

Posted by tompuce (90.29.xx.xx) on Thu 19 Jul 2007 at 21:40
Hi,
Nice work. So I would ask you for my problem: all seems work, but only seems !
I notice I did the configuration without reading this article, but I do all that is noticed. (and of course apache2 works fine before trying to add ssl feature)
First a basic netstat: no more port 80 neither 443
And the /var/log/apache2/error.log says:
[error] Init: Multiple RSA server certificates not allowed
I defined in the <VirtualHost *:443> the directives SSL....
And I don't see any problem in the ssl.conf
Thanks to your help and any explanation.


Posted by Anonymous (84.55.xx.xx) on Fri 24 Aug 2007 at 08:23
have you put 443 in the /etc/apache2/ports.conf ?

Posted by tompuce (90.36.xx.xx) on Fri 24 Aug 2007 at 08:55
thanks to your answer but yes I added the 443 port listening
the problem comes with ssl certificate I think, in error log file I had the messages:
[error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

on other forum I found some post about, but I tried and nothing works at this time.

thanks for your help me to understand what happens


Posted by Anonymous (59.92.xx.xx) on Fri 22 May 2009 at 15:09
Hey is problem solved..??


Posted by Anonymous (173.8.xx.xx) on Wed 1 Dec 2010 at 00:02
I had same error which is caused by 'reload' the httpd.conf instead of 'restart', the error is gone after restart.

you can use
/etc/init.d/httpd status
to find out the server is not running but pid file seems dead locked.
I don't know what the hell the pid file is.

My problem maybe was caused by I have several IP listen on 443 but no virtual host respectively.


Posted by Anonymous (213.143.xx.xx) on Sat 29 Sep 2007 at 13:02
Hi,

in your previous article on apache2 ( before it was packaged), there was a line saying:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

in ssl.conf.

However, this doesn't seem to appear in my etch installation of apache2.

After I added this by hand to ssl.conf my problems with Apache2 on MSIE6 disappeared. Since this is mentioned on a lot of places, I find it strange that it hasn't been included in the official package? (i installed Debian Etch Stable on the machine). Is there a reason for this, and am I missing a point somewhere?

Best regards,
Jure


Posted by Anonymous (203.94.xx.xx) on Tue 23 Oct 2007 at 05:00
This is a great intro, however if you want to install a certificate from a trusted authority (IE: geotrust, verisign) then the process is slightly different.

To get a trusted certificate, you must send the trusted authority a CSR file (Certificate Request) which you generate from your .key (private key) file. (There are plenty of "howto's" to show you how to accomplish this and it is outside the scope of this message to show you how.)
EG. http://www.rapidssl.com/ssl-certificate-support/generate-csr/Apache2.htm

They then send you back a .crt file (A Certificate)

This is different from the self signing .pem file that you generate in your example, and it simply will not work the way you describe.

However, if you manually join the .key file and the .crt file together with a text editor (vi, pico etc) you create a single file and name this domain_name.pem then you reference this file in the apache config and all will work;

SSLCertificateFile /etc/apache2/ssl/domain_name.pem



Samples of the files are below to show you the process;

I generate a .key file (domain_name.key);
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

I then use this file to generate a .csr file (domain_name.csr), which I send to the trusted certificate provider, and they send back a valid Certificate which you save in a .crt file (domain_name.crt)


Sample Certificate file (Returned from SSL Cert vendor and saved as domain_name.crt);
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----



Then you join these together in a single file to create a single .pem file (domain_name.pem);
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

reference this in your apache ssl configuration;
SSLCertificateFile /etc/apache2/ssl/domain_name.pem

and restart apache.




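The combined key-plus-certificate file described in the comment above can be checked before Apache is restarted. The following is an added example, not part of the original thread: it checks for one key block and at least one certificate block, a passphrase-protected key (which makes Apache prompt at start-up), a join that lost a line break, and access bits beyond the owner. The function names, sample file names and placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# audit_pem FILE: audit a combined key+certificate PEM file of the kind
# SSLCertificateFile points at (for example /etc/apache2/ssl/apache.pem).
# Prints one finding per line; returns 0 if clean, 1 if anything needs fixing.
audit_pem() {
    f=$1
    [ -f "$f" ] || { echo "FAIL no such file: $f"; return 1; }
    rc=0

    # Count PEM blocks by their BEGIN lines ("|| true": grep exits 1 on zero matches).
    keys=$(grep -c -E '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ]  || { echo "FAIL expected 1 private key block, found $keys"; rc=1; }
    [ "$certs" -ge 1 ] || { echo "FAIL no certificate block found"; rc=1; }

    # A passphrase-protected key makes Apache prompt at every start.
    # The traditional format carries a Proc-Type header; PKCS#8 uses its own label.
    if grep -q -E '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "WARN private key is passphrase-protected (Apache will prompt on start)"
        rc=1
    fi

    # Every BEGIN line needs its END line; a hand-edited join that glued two
    # marker lines together shows up as a mismatch here.
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    [ "$begins" -eq "$ends" ] || { echo "FAIL $begins BEGIN lines but $ends END lines"; rc=1; }

    # The file holds the private key, so group and other must have no access.
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldL "$f" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL mode $mode gives group/other access to the key (chmod 600)"; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then echo "OK $f"; fi
    return "$rc"
}

# make_samples DIR: write constructed sample files. The base64 bodies are
# placeholders, not real key or certificate data.
make_samples() {
    d=$1
    key='-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----'
    enc='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----'
    crt='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----'
    printf '%s\n%s\n' "$key" "$crt" > "$d/good.pem"
    printf '%s\n%s\n' "$key" "$crt" > "$d/world.pem"
    printf '%s\n%s\n' "$enc" "$crt" > "$d/enc.pem"
    printf '%s%s\n'   "$key" "$crt" > "$d/glued.pem"   # key file had no final newline
    chmod 600 "$d/good.pem" "$d/enc.pem" "$d/glued.pem"
    chmod 644 "$d/world.pem"
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for p in good world enc glued; do
    audit_pem "$tmp/$p.pem" || true
done
rm -rf "$tmp"
```

The check only reads PEM marker lines and file modes; it does not verify that the key and the certificate belong together.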

Posted by Anonymous (2002:0xx:0xx:0xxx:0xxx:0xxx:xx) on Mon 27 Apr 2009 at 09:31
This method (a .pem) file created by merging the private .key and public .crt files worked a treat. Apache asked me for my key passphrase during startup (as expected) and secured the site. What boggles me is why the other method seems to be the preferred one yet it clearly does not work!


Posted by Anonymous (68.110.xx.xx) on Tue 1 Jan 2008 at 23:17
this no longer works :(

Package apache2-common is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
apache2.2-common apache2-utils

apache2-ssl-certificate is nowhere to be found. I would think it is in apache2-utils but it is not.


Posted by Anonymous (190.96.xx.xx) on Thu 26 Jun 2008 at 04:48
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398520 :

Use make-ssl-cert from package ssl-cert, e.g.:

# mkdir /etc/apache2/ssl
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Apparently by default it only makes certs valid for 30 days, so you'd have to use some option to change that I assume.


Posted by Anonymous (220.245.xx.xx) on Mon 7 Jan 2008 at 07:43
One of the easiest things I have had to set up, thanks very much.
As a newbie the only thing I had to guess was where to put the configuration lines. I simply added them to the end of my /etc/apache2/apache2.conf, not sure if that's right but everything seems to be working.

thanks
Munga

Posted by doug (64.123.xx.xx) on Tue 30 Sep 2008 at 17:09
Two years ago I used this article and some follow-up questions to set up ssl with a self-signed certificate. Now the certificate is about to expire and I have been unable to renew it. I have tried numerous variations of the command apache2-ssl-certificate --force and -days x but have not made them work. Could someone reply with the command that would extend the certificate 1000 days? (I am still using apache sarge.) Thanks in advance.

Posted by Steve (80.68.xx.xx) on Tue 30 Sep 2008 at 17:51

I use this for creating a new CERT - I'm sorry to say I have no idea how to extend an existing cert.

export RANDFILE=/dev/random

openssl req -new -x509 -days 1000 -nodes -out \
 /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem


chmod 600 /etc/apache2/ssl/apache.pem

Steve

Posted by doug (64.123.xx.xx) on Tue 30 Sep 2008 at 19:56
Thanks. That seemed to work without any complaints from the programs. But the certificate as it shows up in the browser is the same. Do I need to restart or do something else?

Posted by Steve (82.41.xx.xx) on Tue 30 Sep 2008 at 20:00

You'll need to restart your Apache server to make it re-read the key:

/etc/init.d/apache2 restart

Also it might be worth double-checking you're referring to the file that we created (/etc/apache2/ssl/apache.pem) in your Apache configuration, not another key file.

Steve

Posted by doug (64.123.xx.xx) on Wed 1 Oct 2008 at 16:49
Ok, thanks. We're all set for another three years. Thanks for your prompt and even-handed advice. This site is a great service for a non-tech operation like ours.

Posted by doug (64.123.xx.xx) on Wed 8 Oct 2008 at 17:00
Steve: Everything seems to be working ok but when apache2 restarts it asks for the pass phrase. Did not do this before. It's okay as long as I am sitting at the screen but it is a problem otherwise. Did I miss something? Or can I automate the response?

Posted by Steve (80.68.xx.xx) on Wed 8 Oct 2008 at 17:05

The best way is to generate your key without a passphrase.

Posted by doug (64.123.xx.xx) on Wed 8 Oct 2008 at 18:47
Steve: Everything seems to be working ok but when apache2 restarts it asks for the pass phrase. Did not do this before. It's okay as long as I am sitting at the screen but it is a problem otherwise. Did I miss something? Or can I automate the response?

Posted by Steve (82.41.xx.xx) on Wed 8 Oct 2008 at 19:39

The best way is to generate your key without a passphrase in the first place.

Like I said before.

You can remove one easily enough...

Steve

Posted by doug (64.123.xx.xx) on Wed 8 Oct 2008 at 22:20
Steve:

I could not get that command to work. Seems like the openssl command ends at "...key". I tried including "Enter pass phrase..." several ways but could not get that accepted.

When I end the command at "...key" the program responds "writing RSA key" but I am given no opportunity to enter a blank as a pass phrase.

Glanced at the "open" man page but is beyond me at this time and now hoping to prevail on you again.

Thanks.

Doug

Posted by Steve (82.41.xx.xx) on Wed 8 Oct 2008 at 22:27

OK, let's take it from the top.

  • you want SSL on Apache.
  • You've got a key. Which has a passphrase on it.

Your options are either:

  • Generate a new key - making sure it doesn't have a passphrase.
  • Remove the passphrase from the existing key.

Since you don't show exactly what went wrong I think generating a new key should be the easiest route. As root run:

export RANDFILE=/dev/random

openssl req -new -x509 -days 1000 -nodes -out  /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem

chmod 600 /etc/apache2/ssl/apache.pem

/etc/init.d/apache2 restart

That should work pretty well.

Steve

Posted by doug (64.123.xx.xx) on Thu 9 Oct 2008 at 21:17
Steve:

Thanks. That did it. Feel like I owe you some money... I'll look around on your site to see what I can do.

Doug

Posted by Steve (82.41.xx.xx) on Fri 10 Oct 2008 at 18:58

Great, glad we got there in the end.

I have a wishlist at amazon, linked to on my profile page, but honestly a "thank you" comment is just as good.

Submitting new articles is even more useful!

Steve


Posted by Anonymous (195.27.xx.xx) on Mon 24 Nov 2008 at 11:07
The script apache2-ssl-certificate doesn't exist anymore.
For a work-around, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398520


Posted by Anonymous (99.235.xx.xx) on Wed 6 Apr 2011 at 06:26
Suggested update:

You say:
<<<<<
I use virtual hosts upon my machine and this just means adding a couple of options to each one I wish to use SSL:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

For reference here is a complete example which should be easy to modify/understand:
>>>>>

But it is not clear which specific filename(s) you are referring to.


I can't tell, but perhaps the article needs a slight update / modification?

I just installed today, and within the resulting files are the various 'snakeoil' files. Which is to say, it seems possible that having enabled mod_ssl, apache2/https is ready to go out of the box.

Not to say what you have isn't entirely appropriate, but perhaps a paragraph in the middle along the lines of:

With this change, you can test that all is well with apache by going to https://localhost. You will notice some extra dialogues as a result, which can be addressed by using your own (self-signed) certificate. And here's how you do that ... (proceeding with what you already have).

Posted by lucaspontes (189.112.xx.xx) on Mon 17 Oct 2011 at 00:26
How to configure two domains with the same SSL certificate on the same server?

Posted by lucaspontes (189.112.xx.xx) on Mon 17 Oct 2011 at 00:29
I have two appointments to the same server and intend to use the same certificate.
The ServerName parameter seems not work with SSL.


Posted by Anonymous (198.175.xx.xx) on Wed 7 Nov 2012 at 14:15
hi, I'm trying to do something similar to you, but failing:

when i have conf file as below:-
<VirtualHost 162.109.35.186:9090>
ServerAdmin root@162.109.35.186
DocumentRoot "/usr/local/AdventNet/WebNMS"
ServerName APACHE_SERVER_NAME
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
</VirtualHost>

<VirtualHost 162.109.35.198:9095>
DocumentRoot "/usr/local/AdventNet/virtual"
ServerAdmin root@162.109.35.198
ServerName 162.109.35.198
</VirtualHost>


i get following error:-

[Wed Nov 07 12:36:16 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 12:36:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 12:36:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 12:36:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 12:36:16 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Nov 07 12:36:19 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Nov 07 12:36:19 2012] [info] Init: Initializing (virtual) servers for SSL
[Wed Nov 07 12:36:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 12:36:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 12:36:19 2012] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!


if i add following still same:
NameVirtualHost 162.109.35.186:9090
NameVirtualHost 162.109.35.198:9095


but if i do following

<VirtualHost 162.109.35.186:9090>
ServerAdmin root@162.109.35.186
DocumentRoot "/usr/local/AdventNet/WebNMS"
ServerName APACHE_SERVER_NAME
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
</VirtualHost>

<VirtualHost 162.109.35.198:9095>
DocumentRoot "/usr/local/AdventNet/virtual"
ServerAdmin root@162.109.35.198
ServerName 162.109.35.198
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
</VirtualHost>

without commented out:
#NameVirtualHost 162.109.35.186:9090
#NameVirtualHost 162.109.35.198:9095

i get following errors :
[Wed Nov 07 13:01:16 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:01:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:16 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:16 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Nov 07 13:01:17 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Nov 07 13:01:17 2012] [info] Init: Initializing (virtual) servers for SSL
[Wed Nov 07 13:01:17 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:17 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:17 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:17 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:17 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:17 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Wed Nov 07 13:01:17 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Wed Nov 07 13:01:17 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:01:17 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:17 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:17 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Nov 07 13:01:17 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Nov 07 13:01:19 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Nov 07 13:01:19 2012] [info] Init: Initializing (virtual) servers for SSL
[Wed Nov 07 13:01:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:19 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:19 2012] [info] Configuring server for SSL protocol
[Wed Nov 07 13:01:19 2012] [warn] RSA server certificate CommonName (CN) `162.109.35.186' does NOT match server name!?
[Wed Nov 07 13:01:19 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Wed Nov 07 13:01:19 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Wed Nov 07 13:01:19 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 07 13:01:19 2012] [notice] Digest: done
[Wed Nov 07 13:01:20 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations
[Wed Nov 07 13:01:20 2012] [info] Server built: Oct 28 2008 10:34:09
[Wed Nov 07 13:02:04 2012] [info] [client 162.109.35.186] Connection to child 0 established (server tycotest04:443)
[Wed Nov 07 13:02:04 2012] [info] Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:02:05 2012] [info] Initial (No.1) HTTPS request received for child 0 (server tycotest04:443)
[Wed Nov 07 13:02:05 2012] [error] [client 162.109.35.186] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet .nms.servlets.ConnectionCheckServlet
[Wed Nov 07 13:02:06 2012] [info] [client 162.109.35.186] Connection to child 1 established (server tycotest04:443)
[Wed Nov 07 13:02:06 2012] [info] Seeding PRNG with 136 bytes of entropy
[Wed Nov 07 13:02:06 2012] [info] Initial (No.1) HTTPS request received for child 1 (server tycotest04:443)
[Wed Nov 07 13:02:06 2012] [error] [client 162.109.35.186] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet .nms.servlets.ConnectionCheckServlet
[Wed Nov 07 13:02:07 2012] [info] [client 162.109.35.186] Connection closed to child 1 with standard shutdown (server tycotest04:443)
[Wed Nov 07 13:02:07 2012] [info] [client 162.109.35.186] Connection closed to child 0 with standard shutdown (server tycotest04:443)
[Wed Nov 07 13:02:11 2012] [info] removed PID file /usr/local/AdventNet/WebNMS/apache/logs/httpd.pid (pid=7584)
[Wed Nov 07 13:02:11 2012] [notice] caught SIGTERM, shutting down


Any ideas what I'm doing wrong? At least it should recognise the 186 IP address, as it's the main one that works if I don't have a virtual host config.

[ Parent | Reply to this comment ]

Posted by Anonymous (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Wed 28 Dec 2011 at 21:06
Are you seriously putting the SSL key (combined with the cert) into a directory & file anyone can read?

If you don't understand the security implications of SSL you shouldn't be writing how-tos about it.

[ Parent | Reply to this comment ]
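
The file-permission concern raised in the comment above, as an added example that is not part of the original article or of any commenter's post: a shell audit that finds PEM files containing a private key (a combined cert+key file included) that group or others can access, and restricts them to the owner. The function names are hypothetical, and the directory to scan is assumed to be wherever your SSLCertificateFile / SSLCertificateKeyFile directives point.

```shell
#!/bin/sh
# Added example: audit a directory for private-key material that is
# accessible to anyone other than the file's owner.
# All function names here are hypothetical.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List "<mode> <path>" for every file under $1 that contains a PEM
# private key and grants any permission to group or others.
find_exposed_keys() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        # Matches RSA/EC/PKCS#8/encrypted keys; a combined cert+key
        # file still carries this marker.
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null || continue
        mode=$(file_mode "$f")
        case $mode in
            *00|0) ;;                          # owner-only: nothing to report
            *)     printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Restrict every exposed key file to owner read/write (0600).
# Apache opens the key as root at startup, before dropping privileges,
# so a root-owned 0600 file remains usable by the server.
lock_down_keys() {
    find_exposed_keys "$1" | while IFS= read -r line; do
        chmod 600 "${line#* }"                 # strip the leading "<mode> "
    done
}

# Stand-alone use: sh audit.sh /path/to/ssl/dir
if [ "$#" -gt 0 ]; then
    find_exposed_keys "$1"
fi
```

Certificate-only files are left alone, since a certificate is public; only files that carry key material are reported or changed.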

Posted by Christian (200.115.xx.xx) on Tue 3 Apr 2012 at 22:03
Thanks, it's very useful.

[ Parent | Reply to this comment ]

Posted by Anonymous (50.88.xx.xx) on Thu 18 Oct 2012 at 13:44
The command apache2-ssl-certificate is not being found in Ubuntu/Debian. Where is the script located? Perhaps you want to consider adding the script location and any other pertinent information regarding the command.

Also, when you refer to adding "Listen 443" to the ports.conf file, you might want to specify in which section of the file to add the directive. For instance, does it go at the top with the other ports, or between the first <IfModule mod_ssl.c> brackets?

You are assuming everyone has been using Apache for a while, but a beginner might not understand your content, as they will have to search for the mentioned information.

[ Parent | Reply to this comment ]

Posted by ld50 (80.238.xx.xx) on Thu 21 Mar 2013 at 17:56
RTFC (read the friendly comments) - apache2-ssl-certificate is covered there.

[ Parent | Reply to this comment ]

Posted by ld50 (80.238.xx.xx) on Thu 21 Mar 2013 at 17:51
Many thanks.

[ Parent | Reply to this comment ]
