Changes between Version 10 and Version 11 of howto/Apache2


Timestamp:
Jan 10, 2015, 11:14:39 AM (9 years ago)
Author:
whmagill
Comment:

clean up ssl instructions

  • howto/Apache2

    v10 v11  
    164164and then accessing: ''http://<servername>/manual/''
    165165
    166 === Secure Sockets (https) === #ssl
    167 '''Note:''' Establishing Secure Sockets is a fairly extensive process. This is simply a shortcut for testing purposes.
    168 
    169 This works for a development system (not recommended for production!).
    170 
    171 {{{
    172 openssl genrsa -des3 -out server.key 1024
    173 # [enter your passphrase, a simple password we will remove soon]
    174 openssl req -new -key server.key -out server.csr
     166=== Apache SSL/TLS Encryption (aks Secure Sockets  or https) === #ssl
     167'''Note:''' Establishing Secure Sockets is a fairly extensive process. One should first read the current Apache2 documentation found in the Apache2 manual:
     168{{{
     169http://httpd.apache.org/docs/2.2/ssl/
     170}}}
     171==== Generate a self-signed certificate ====
     172The following instructions are to generate a "self-signed" certificate.\\
     173This is simply a shortcut for testing purposes (a self-signed certificate is not recommended for production!).\\
     174The complete dialog is listed here for reference. The commands necessary are prefixed as "$ sudo", with comments prefixed with a #.\\
     175
     176{{{
     177$ sudo openssl genrsa -des3 -out server.key 1024
     178# Enter pass phrase for server.key [enter your passphrase, a simple password we will remove soon]
     179
     180Generating RSA private key, 1024 bit long modulus
     181.....++++++
     182................++++++
     183e is 65537 (0x10001)
     184Enter pass phrase for server.key:
     185Verifying - Enter pass phrase for server.key:
     186
     187
     188$ sudo openssl req -new -key server.key -out server.csr
     189#
    175190# [you can accept all the defaults, it does not matter, or customize it to your liking]
    176 openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
    177 # [will ask for passphrase]
    178 cp server.key server.key.bak
    179 openssl rsa -in server.key.bak -out server.key
    180 # [passphrase needs to be typed]
    181 sudo cp server.crt /opt/local/apache2/conf/
    182 sudo cp server.key /opt/local/apache2/conf/
     191
     192Enter pass phrase for server.key:
     193You are about to be asked to enter information that will be incorporated
     194into your certificate request.
     195What you are about to enter is what is called a Distinguished Name or a DN.
     196There are quite a few fields but you can leave some blank
     197For some fields there will be a default value,
     198If you enter '.', the field will be left blank.
     199-----
     200Country Name (2 letter code) [AU]:
     201State or Province Name (full name) [Some-State]:
     202Locality Name (eg, city) []:
     203Organization Name (eg, company) [Internet Widgits Pty Ltd]:
     204Organizational Unit Name (eg, section) []:
     205Common Name (e.g. server FQDN or YOUR name) []:
     206Email Address []:
     207
     208Please enter the following 'extra' attributes
     209to be sent with your certificate request
     210A challenge password []:
     211An optional company name []:
     212
     213
     214$ sudo openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
     215# [will ask for passphrase - the same as you entered in the first step]
     216
     217Signature ok
     218subject=/C=US/ST=Pennsylvania/L=Elizabethtown/O=MVE/OU=Elizabethtown/CN=mcgillsociety.org/emailAddress=magill@icloud.com
     219Getting Private key
     220Enter pass phrase for server.key:
     221
     222$ sudo cp server.key server.key.bak
     223$ sudo openssl rsa -in server.key.bak -out server.key
     224# [will ask for passphrase - the same as you entered in the first step]
     225
     226Enter pass phrase for server.key.bak:
     227writing RSA key
     228
     229$ sudo cp server.crt /opt/local/apache2/conf/
     230$ sudo cp server.key /opt/local/apache2/conf/
     231}}}
     232'''Note:''' Certificate generation can be accomplished in any directory. If you did so in ''"/opt/local/apache2/conf"'' the last two copy commands are redundant, and will generate the following  errors respectively:
     233{{{
     234cp: /opt/local/apache2/conf/server.crt and server.crt are identical (not copied).
     235cp: /opt/local/apache2/conf/server.key and server.key are identical (not copied).
    183236}}}
    184237
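Review bot: the key generation at new lines 177-180 (`$ sudo openssl genrsa -des3 -out server.key 1024`, followed by "Generating RSA private key, 1024 bit long modulus") produces a 1024-bit RSA key, which is below the 2048-bit minimum that has been standard for some years and is not what a reader should copy even for a test setup; change the command to `openssl genrsa -des3 -out server.key 2048` and re-paste the transcript so it shows the 2048 bit modulus. Two related points in the same block: after `$ sudo openssl rsa -in server.key.bak -out server.key` (new lines 222-223) the passphrase is gone, yet the unprotected key is copied into /opt/local/apache2/conf/ at line 230 with no ownership or permission change, so add a `chmod 600` on the copied server.key, say in the text that this file now protects the key with filesystem permissions alone, and suggest deleting server.key.bak once the server starts; and the "Signature ok" output at new line 218 pastes a real subject (mcgillsociety.org, magill@icloud.com) although the dialogue above it leaves every DN field at its default, so either replace it with the placeholder values a reader following the instructions would see or note that the Common Name must be the server's hostname for the browser check later on the page to match. Minor: "aks" in the new heading at line 166 should be "aka".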
     
    191244Include conf/extra/httpd-ssl.conf
    192245}}}
     246After each change to the config file, you should again verify the file syntax, and then you need to stop and restart Apache for the changes to take effect.
     247{{{
     248$ /opt/local/apache2/bin/apachectl -t
     249$ sudo port unload apache2
     250$ sudo port load apache2
     251}}}
     252
     253The most likely error you will receive is:
     254{{{
     255Syntax error on line 120 of /opt/local/apache2/conf/extra/httpd-ssl.conf:
     256SSLCertificateFile: file '/opt/local/apache2/conf/server.crt' does not exist or is empty
     257}}}
     258If so, simply revisit the instructions above to create a self-signed certificate.
     259
     260==== Verify your success ====
     261
     262type ''"https://<your server address>"'' in Safari. \\
     263Safari should return the pop-up: "Safari can't verify the identity of the website "<your server address>" \\
     264At which point you can view the details of your certificate and select your appropriate actions.
     265
    193266
    194267[wiki:howto <- Back to the HOWTO section]
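Review bot: the "Verify your success" step at new lines 262-264 stops at Safari's "can't verify the identity" pop-up and tells the reader to "select your appropriate actions" without saying what to check; state that the certificate shown in the details view must be the self-signed one created above (same Common Name and subject), since any certificate problem produces the same warning, and add a command-line check such as `openssl s_client -connect <your server address>:443` so the served certificate and negotiated protocol can be inspected without a browser. Also, the syntax check at line 248 (`$ /opt/local/apache2/bin/apachectl -t`) is run without sudo while the unload/load at lines 249-250 use it; run the check with sudo too so it reads the configuration and certificate files with the same privileges the server has, otherwise a key readable only by root will be reported as missing even though Apache itself will start. Minor: the error quoted at line 255 names "line 120 of /opt/local/apache2/conf/extra/httpd-ssl.conf", which depends on the shipped file version; the SSLCertificateFile message on line 256 is the part the reader should match against.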