====== Setting up Apache HTTP Server with SSL support, self-signed certificate and virtual hosts on Ubuntu ======
I needed to set up a server to host a secure helpdesk application. So, first i installed httpd (the Apache HTTP Server) and configured it to allow SSL connections.
Installing Apache wasn't hard with Ubuntus software center. I have chosen to install the whole LAMP stack
$ sudo apt-get update
$ sudo apt-get install lamp-server
I tested the installation was OK, I opened http://apacheserver in the browser. The browser displayed that Apache 'It works!' page!
The module mod_ssl (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) provides SSL/TLS support to httpd. It is available in the httpd installation as a part of the apache2-common package. On Ubuntu, use the following command to enable SSL
$ sudo a2ensite default-ssl
$ sudo service apache2 restart
I tested the installation was OK, I opened https://apacheserver in the browser. The browser, again, displayed that Apache 'It works!' page!
To use a self-signed certificate, the package ssl-cert must be installed, which it was on my installation.
I wanted to configure my own self-signed certificate for the server and to store it in /etc/apache2/ssl. To do so, run the following command from the terminal:
$ sudo mkdir /etc/apache2/ssl
$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.crt
The command prompts you to enter the hostname to use in the certificate. Once done, you can now see that there is a new file in the /etc/apache2/ssl directory:
drwxr-xr-x 2 root root 4096 2011-12-16 14:40 ./
drwxr-xr-x 8 root root 4096 2011-12-16 14:12 ../
lrwxrwxrwx 1 root root 10 2011-12-16 14:40 a9630d61 -> apache.crt
-rw——- 1 root root 2685 2011-12-16 14:40 apache.crt
That last command will have generated an apache.crt file that contains both the certificate and the key. Let’s now separate that file into two files:
- apache.pem to store the certificate
- apache.key to store the key
I will simply copy the original apache.crt file twice, one with each name and edit each file.
$ cd /etc/apache2/ssl
$ sudo cp apache.crt apache.pem
$ sudo cp apache.crt apache.key
The apache.pem file must contain everything from the beginning line to the ending line of the certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
The apache.key file must contain everything from the beginning line to the ending line of the key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Now, I have to configure httpd to use my new certificate. To do so, I edit the configuration with text editor of your choice
$ sudo vim /etc/apache2/sites-enabled/default-ssl
We have to update the following two lines
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
With the following two lines
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
The private key shall only be readable by root:
$ sudo chmod 600 /etc/apache2/ssl/apache.key
Let’s now restart Apache2 again
$ sudo /etc/init.d/apache2 restart
If you need a virtual host, create a virtual host in /etc/apache2/sites-avaliable, and edit it:
$ cd /etc/apache2/sites-avaliable
$ touch example.com.ssl.conf
$ vim example.com.ssl.conf
Paste the following:
ServerAdmin root@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/examplecom.crt
SSLCertificateKeyFile /etc/ssl/examplecom.key
SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Enable it, and you're done
$ sudo a2ensite example.com.ssl.conf
If you don't want a self-signed certificate, use StartSSL which gives free certificates for non commercial use: https://www.startssl.com
Installation instructions here