Using HTTPS with APACHE2 (the shortcut)
This HowTo describes a fast way (i.e. a shortcut) to get APACHE2 up and running with mod_ssl and your own self-signed certificate.
Introduction
Basically, using https and ssl to encrypt the traffic between web server and browser is a good thing. But for most applications a full blown real world certificate, signed by a big trustworthy company billing you for it, isn't worth the effort. Here is a quick and easy way to get your own server certificate and certification authority at no cost (except the time it takes to explain to your users why browsers like IE always raise an "error" when using this certificate).
Creating your CA and Cert
This is known to work with installations of Apache2 and OpenSSL on Linux (as far as I know any Linux install will do). I don't know about Windows or OSX. With the installation comes a script under /usr/bin called gensslcert. It provides an easy way to generate your own CA and cert in one swoop.
Gensslcert takes the following options:
-C Common name "Your Webspace Name"
-N comment "some comment"
-c country (two letters, e.g. DE or AT)
-s state e.g. Vienna
-l city e.g. Vienna
-o organisation "Your Company Name"
-u organisational unit "Web Services"
-n fully qualified domain name webserver.your.domain
-e email address of webmaster webmaster@your.domain
-y days server cert is valid for e.g. 365
-Y days CA cert is valid for e.g. 365
-d run in debug mode
-h show usage
So, an example:
We will use the (fictional) company "Three Weenies Inc." with the (fictional) domain "3weenies.com", located at Behindethebushes, Inthemarches, WestEastland (Country Code WE). The certificate and the CA certificate will be valid for 2 years (i.e. 730 days).
The complete command reads:
/usr/bin/gensslcert -C www.3weenies.com \
-N "Service at a whim" -c WE -s Inthemarches \
-l Behindethebushes -o "Three Weenies Inc." \
-u "Web Services" -n www.3weenies.com \
-e webmaster@3weenies.com -y 730 -Y 730
This will generate the CA and server certificates and install them in the right places within your apache2 installation.
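For those without gensslcert, here is an added example (not the gensslcert script itself, whose internals are not shown on this page) that does the same job with plain openssl: a private CA, a CA-signed server certificate for the fictional Three Weenies setup, and a verification step. The output directory, the script name mkcert.sh and the "Three Weenies CA" name are assumptions.

```shell
#!/bin/sh
# Added example (not gensslcert): build a private CA and a CA-signed server
# certificate with plain openssl, using the fictional Three Weenies values
# and the 730-day validity from the text above.
set -eu

SUBJ_BASE="/C=WE/ST=Inthemarches/L=Behindethebushes/O=Three Weenies Inc./OU=Web Services"

# make_ca_and_cert OUTDIR FQDN
# Writes ca.key, ca.crt, server.key, server.crt (and the CSR) into OUTDIR.
make_ca_and_cert() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    # 1. CA key plus self-signed CA certificate. 'req -x509' marks it
    #    CA:TRUE by default, so users can import ca.crt as a trusted root
    #    instead of clicking through the browser warning every time.
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "$SUBJ_BASE/CN=Three Weenies CA"
    # 2. Server key and certificate signing request for the web server.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "$SUBJ_BASE/CN=$fqdn/emailAddress=webmaster@3weenies.com"
    # 3. Sign the CSR with the CA. Modern browsers match the hostname
    #    against subjectAltName, not CN, so put the FQDN there explicitly,
    #    and make sure the server cert itself cannot act as a CA.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$fqdn" > "$dir/server.ext"
    openssl x509 -req -days 730 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt"
    # Private keys are only ever read by root (apache loads them at start).
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_chain OUTDIR FQDN
# Returns 0 only if server.crt chains to ca.crt AND is valid for FQDN,
# which is the same check a browser makes once ca.crt is trusted.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null
}

# Usage: sh mkcert.sh /etc/apache2/ssl.custom www.3weenies.com   (paths assumed)
if [ $# -eq 2 ]; then
    make_ca_and_cert "$1" "$2"
    verify_chain "$1" "$2" && echo "server.crt for $2 verifies against $1/ca.crt"
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile in your vhost config at the generated server.crt and server.key, and hand ca.crt to your users to import.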
Configuring APACHE2 to use SSL
First we have to tell our webserver to listen on port 443, the standard port for SSL connections. This is done by adding (or uncommenting) the line Listen 443 in the config file listen.conf.
To enable SSL you need to either make a general ssl configuration or create a single vhost for this purpose.
Either way apache is only capable of supporting one certificate.
If you need different certificates for different vhosts, you have to use separate instances of apache.
We use the vhost approach.
Cd into the /etc/apache2/vhosts directory. There you will find a template called vhost-ssl.template, copy this to vhost-ssl.conf (or any other name you like, but keep the .conf extension).
Within this file you can leave everything on defaults, but check the path to your newly created certificates. In some circumstances you will have to rename/copy/link the created certificate.
With one of the following commands you can test the configuration before implementing it:
/usr/sbin/rcapache2 extreme-configtest (on SuSE)
service apache extreme-configtest (on RH, CentOS, Fedora)
/usr/sbin/httpd extreme-configtest or the like
Don't worry if the test throws a warning like
[warn] _default_ VirtualHost overlap on port 443,
the first has precedence
This only tells you that more than one vhost might be trying to listen on port 443.
It will work just as well.
If nothing else is reported, especially no errors, you can now restart your apache by issuing the command
rcapache restart
service apache restart, etc.
Point your browser at "https://YOURSERVERNAME" and see what happens.
If you don't get the desired page but an error page instead, take a look at the log files under /var/log/apache2 (or /var/log/httpd etc.).