====== Setting up Apache HTTP Server with SSL support, self-signed certificate and virtual hosts on Ubuntu ======

I needed to set up a server to host a secure helpdesk application. So, first I installed httpd (the Apache HTTP Server) and configured it to allow SSL connections.

Installing Apache wasn't hard with Ubuntu's software center. I chose to install the whole LAMP stack:

<code bash>
$ sudo apt-get update
# the trailing ^ selects the lamp-server task (a set of packages)
$ sudo apt-get install lamp-server^
</code>

To test that the installation was OK, I opened http://apacheserver in the browser. The browser displayed the Apache 'It works!' page!

The module mod_ssl (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) provides SSL/TLS support to httpd. It is available in the httpd installation as a part of the apache2-common package. On Ubuntu, use the following commands to enable SSL:

<code bash>
# load mod_ssl if it is not already enabled
$ sudo a2enmod ssl
$ sudo a2ensite default-ssl
$ sudo service apache2 restart
</code>

To test that the installation was OK, I opened https://apacheserver in the browser. The browser, again, displayed the Apache 'It works!' page!

To use a self-signed certificate, the package ssl-cert must be installed, which it was on my installation. I wanted to configure my own self-signed certificate for the server and to store it in /etc/apache2/ssl. To do so, run the following commands from the terminal:

<code bash>
$ sudo mkdir /etc/apache2/ssl
$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.crt
</code>

The command prompts you to enter the hostname to use in the certificate.
Once done, you can see that there is a new file in the /etc/apache2/ssl directory:

<code bash>
drwxr-xr-x 2 root root 4096 2011-12-16 14:40 ./
drwxr-xr-x 8 root root 4096 2011-12-16 14:12 ../
lrwxrwxrwx 1 root root   10 2011-12-16 14:40 a9630d61 -> apache.crt
-rw------- 1 root root 2685 2011-12-16 14:40 apache.crt
</code>

The make-ssl-cert command will have generated an apache.crt file that contains both the certificate and the key. Let's now separate that file into two files:

  - apache.pem to store the certificate
  - apache.key to store the key

I will simply copy the original apache.crt file twice, once under each name, and edit each file.

<code bash>
$ cd /etc/apache2/ssl
$ sudo cp apache.crt apache.pem
$ sudo cp apache.crt apache.key
</code>

The apache.pem file must contain everything from the beginning line to the ending line of the certificate:

<code bash>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</code>

The apache.key file must contain everything from the beginning line to the ending line of the key:

<code bash>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</code>

Now, I have to configure httpd to use my new certificate.
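Hand-editing two copies of apache.crt leaves a full copy of the private key in apache.pem until it is trimmed. As an added example (not part of the original page), the shell function below does the split in one step and creates apache.key with mode 600 from the start; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: split the combined file written by make-ssl-cert into a
# certificate file and a private-key file. Function names are hypothetical.

# split_pem COMBINED OUTDIR -> writes OUTDIR/apache.pem and OUTDIR/apache.key
split_pem() {
    sp_in=$1
    sp_cert=$2/apache.pem
    sp_key=$2/apache.key

    # Refuse to write anything unless both blocks are present.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$sp_in" ||
        { echo "no certificate in $sp_in" >&2; return 1; }
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$sp_in" ||
        { echo "no private key in $sp_in" >&2; return 1; }

    # The certificate is public: copy only the CERTIFICATE block.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        "$sp_in" > "$sp_cert"
    chmod 644 "$sp_cert"

    # Private key: remove any old file, then create the new one under
    # umask 077 so it is never group- or world-readable, not even briefly.
    # The pattern also accepts "RSA PRIVATE KEY" style headers.
    rm -f "$sp_key"
    ( umask 077
      sed -n -E '/-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/,/-----END ([A-Z]+ )?PRIVATE KEY-----/p' \
          "$sp_in" > "$sp_key" )
}

# make_sample_combined FILE -> constructed stand-in for apache.crt.
# The bodies are placeholders, not real key material.
make_sample_combined() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNFUlQ=
-----END CERTIFICATE-----
EOF
}

# Usage: sudo sh split_pem.sh /etc/apache2/ssl/apache.crt /etc/apache2/ssl
if [ "$#" -eq 2 ]; then split_pem "$1" "$2"; fi
```

After the split, apache.crt still contains the private key, so keep it readable by root only.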
To point httpd at the new certificate, edit the SSL site configuration with a text editor of your choice:

<code bash>
$ sudo vim /etc/apache2/sites-enabled/default-ssl
</code>

We have to replace the following two lines

<code bash>
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</code>

with the following two lines:

<code bash>
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</code>

The private key must be readable only by root:

<code bash>
$ sudo chmod 600 /etc/apache2/ssl/apache.key
</code>

Let's now restart Apache2 again:

<code bash>
$ sudo /etc/init.d/apache2 restart
</code>

If you need a virtual host, create a virtual host file in /etc/apache2/sites-available, and edit it:

<code bash>
$ cd /etc/apache2/sites-available
$ sudo touch example.com.ssl.conf
$ sudo vim example.com.ssl.conf
</code>

Paste the following:

<code bash>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin root@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/examplecom.crt
    SSLCertificateKeyFile /etc/ssl/examplecom.key
    SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</code>

Enable it, reload Apache, and you're done:

<code bash>
$ sudo a2ensite example.com.ssl.conf
$ sudo service apache2 reload
</code>

If you don't want a self-signed certificate, use StartSSL, which gives free certificates for non-commercial use: https://www.startssl.com

Installation instructions here

linux/misc/apache_ssl.txt Last modified: 2019/10/31 09:05 by 127.0.0.1