Apache Howto SSL

From openSUSE

How to get your SSL server up and running as fast as possible.

You need to have read the Apache Quickstart HOWTO before going on with this one.


Prerequisites

Make sure that apache starts with mod_ssl loaded. The following command adapts APACHE_MODULES in /etc/sysconfig/apache2:
a2enmod ssl
Make sure that the SSL configuration is active. The following command enables it (similarly to the command above, it changes APACHE_SERVER_FLAGS):
a2enflag SSL

The SSL flag is needed as well because all SSL configuration is enclosed in <IfDefine> statements. This keeps it dormant until the prerequisites are in place and you actually want to use it. It also makes it possible to start apache unattended at boot time even if you use encrypted keys that would otherwise need a passphrase.

Keys

For a real SSL setup, TinyCA is recommended to create and manage certificates. It is available on openSUSE as tinyca2. Also, please refer to Apache's SSL documentation.

The following command creates self-signed keys in a very simple way:
/usr/bin/gensslcert

The command will (over)write these files:

  • /etc/apache2/ssl.crt/ca.crt
  • /etc/apache2/ssl.key/server.key
  • /etc/apache2/ssl.crt/server.crt
  • /etc/apache2/ssl.csr/server.csr

A copy of ca.crt will be installed as /srv/www/htdocs/CA.crt for download.

Create a virtual host (required)

Note that to set up multiple HTTPS hosts, the virtual host(s) must be IP-based, as name-based virtual hosting will not work.
  • copy /etc/apache2/vhosts.d/vhost-ssl.template to /etc/apache2/vhosts.d/vhost-ssl.conf and adapt it to your liking
  • a separate virtual host is needed because a vhost cannot speak both HTTP and HTTPS
  • note that the file name must end in ".conf" to be read automatically

Restart to apply configuration

For the enabled modules, server flags, generated keys and vhosts to take effect, start or restart the apache service.
/etc/init.d/apache2 restart
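As an added example that is not part of this page or of the openSUSE tooling, the following script checks the state the steps above should leave behind: the ssl module and SSL flag in /etc/sysconfig/apache2, a .conf vhost with SSLEngine on, and that server.key and server.crt actually belong together. Paths are the openSUSE defaults named above; SYSCONFIG and APACHE_DIR can be overridden to run the checks against copies.

```shell
#!/bin/sh
# Added example, not from the openSUSE wiki or its tooling: sanity checks for the
# SSL setup described above. Paths are the openSUSE defaults named on the page;
# override SYSCONFIG and APACHE_DIR to run the checks against copies.
SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/apache2}"
APACHE_DIR="${APACHE_DIR:-/etc/apache2}"

# Does the KEY="..." line in FILE list WORD? (a2enmod ssl adds "ssl" to
# APACHE_MODULES, a2enflag SSL adds "SSL" to APACHE_SERVER_FLAGS)
sysconfig_has() {  # sysconfig_has FILE KEY WORD
  grep -E "^$2=" "$1" | grep -qw -- "$3"
}

# Without the SSL flag every <IfDefine SSL> block stays dormant: apache then
# listens on 443 but speaks plain HTTP, the "common catch" described below.
check_flags() {
  sysconfig_has "$SYSCONFIG" APACHE_MODULES ssl &&
    sysconfig_has "$SYSCONFIG" APACHE_SERVER_FLAGS SSL
}

# Only *.conf files are read; the SSL vhost must also switch the engine on,
# otherwise it is just another HTTP vhost.
has_ssl_vhost() {  # has_ssl_vhost VHOST_DIR
  grep -qEis '^[[:space:]]*SSLEngine[[:space:]]+on' "$1"/*.conf
}

# server.key and server.crt must carry the same public key; compare the PEM
# public keys extracted from each instead of trusting the file names.
key_matches_cert() {  # key_matches_cert KEYFILE CERTFILE
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

run_checks() {
  rc=0
  check_flags || { echo "ssl module or SSL flag missing in $SYSCONFIG"; rc=1; }
  has_ssl_vhost "$APACHE_DIR/vhosts.d" ||
    { echo "no *.conf vhost with 'SSLEngine on' in $APACHE_DIR/vhosts.d"; rc=1; }
  key_matches_cert "$APACHE_DIR/ssl.key/server.key" "$APACHE_DIR/ssl.crt/server.crt" ||
    { echo "server.key does not match server.crt"; rc=1; }
  return $rc
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then run_checks; fi
```

Run it as root with `--check` after the restart; a non-zero exit status names the part of the setup that is still missing.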

Configuration questions

For all configuration questions, consult the manual: http://localhost/manual (if the apache2-doc package is installed) or http://httpd.apache.org/docs-2.2/ (the online version). Also read the documentation under /usr/share/doc/packages/apache2/, where you will find example configuration files as well.

Troubleshooting

Read any error messages when you start the service. Reproduce what is not working and see how it is reflected in the logs. The log files can be monitored in a root shell:
tail -F /var/log/apache2/*
To check your SSL vhost setup, use:
httpd2 -S -DSSL

If you suspect a bug, please report it.

Common catch

The server logs this:

 [Thu Aug 28 21:07:39 2003] [error] [client 192.168.0.180] Invalid method in request j

while the client shows this:

 SSL error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Cause: the client speaks HTTPS while the server speaks HTTP. If this happens on port 443, the server is listening on that port but not with SSL.

If it were the other way round (client speaks HTTP, server speaks HTTPS), the server would log a 400 and the client would show an error 400 (HTTP_BAD_REQUEST) page.

Passed QA check: Fsundermeyer 13:34, 15 June 2009 (UTC)