Installing Apache2 SSL

From Dev411: The Code Wiki

This page describes building Apache 2.0.55 with SSL from source. Apache 2.x ships mod_ssl in its source tree, but configure only builds it if the OpenSSL headers and libraries are already installed, so OpenSSL must be in place before you compile Apache.

Software used includes Apache HTTPD 2.0.55, OpenSSL 0.9.8a on CentOS 4.2.

Installing OpenSSL

OpenSSL is the cryptographic library that mod_ssl uses for Apache's SSL/TLS handling. Its openssl command-line tool is also what you use below to generate key pairs, certificate signing requests and self-signed certificates.

Download OpenSSL from http://www.openssl.org. The default install prefix is /usr/local/ssl; a number of people install to /usr/local/openssl instead (./config --prefix=/usr/local/openssl). The paths on the rest of this page assume the default, /usr/local/ssl.

There is a linking issue in Apache which requires OpenSSL to be built as a shared library when mod_ssl is built as a shared module (see the undefined symbol error under Troubleshooting below). The OpenSSL 0.9.8a INSTALL document says shared-library mode is experimental and should only be used to conserve memory; it is nevertheless needed for this build.

./config shared
make
make test
su -
make install

Once OpenSSL is installed, the dynamic loader needs to know where its shared libraries live; otherwise httpd (or mod_ssl.so) fails at startup with the libssl.so error listed under Troubleshooting. Add the library directory to /etc/ld.so.conf:

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

Then rebuild the loader cache:

/sbin/ldconfig
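As an added example (not part of the original page), the following shell functions do the ld.so.conf step idempotently and verify it: the plain >> above appends another copy of the path every time it is re-run, and nothing confirms afterwards that the loader can actually find libssl. The library path and /sbin/ldconfig are the page's; the LDCONFIG override is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the original page: register OpenSSL's library
# directory with the dynamic loader without duplicating the entry, then
# check the loader cache. Assumption: ldconfig lives at /sbin/ldconfig
# unless LDCONFIG says otherwise.

# add_ld_path CONF DIR
#   Append DIR to CONF (normally /etc/ld.so.conf) unless an identical line
#   is already present. A plain ">>" adds a duplicate on every re-run.
add_ld_path() {
    conf=$1; dir=$2
    [ -f "$conf" ] || : > "$conf"
    # -x: whole-line match, so /usr/local/ssl does not satisfy /usr/local/ssl/lib
    grep -qxF -- "$dir" "$conf" || printf '%s\n' "$dir" >> "$conf"
}

# ld_path_count CONF DIR : number of lines in CONF that are exactly DIR
ld_path_count() {
    grep -cxF -- "$2" "$1" || true
}

# lib_in_loader_cache SONAME
#   0 if the loader cache built by ldconfig resolves SONAME, e.g.
#   libssl.so.0.9.8. Run it after "/sbin/ldconfig" (as root); if it fails,
#   httpd will die with "error while loading shared libraries".
lib_in_loader_cache() {
    "${LDCONFIG:-/sbin/ldconfig}" -p 2>/dev/null | grep -qF -- "$1"
}

# Typical use, as root:
#   add_ld_path /etc/ld.so.conf /usr/local/ssl/lib
#   /sbin/ldconfig
#   lib_in_loader_cache libssl.so.0.9.8 || echo "libssl not visible to the loader"
```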

Installing Apache

To build Apache with SSL you will need to use the --enable-ssl and --with-ssl options; --with-ssl points configure at the OpenSSL install prefix (the directory containing include/ and lib/). Some examples:

./configure --enable-ssl --with-ssl=/usr/local/ssl
./configure --enable-ssl=shared --with-ssl=/usr/local/ssl
./configure --enable-ssl=shared --with-ssl=/usr/local/ssl --enable-mods-shared=all

The first links mod_ssl statically into httpd; the other two build it as a loadable module (modules/mod_ssl.so), in which case check that httpd.conf contains LoadModule ssl_module modules/mod_ssl.so.

Note: using --enable-mods-shared=all does not cover mod_ssl. It needs to be enabled as a shared module explicitly with --enable-ssl=shared.

Generating Keys and Certificate

Before you can start Apache with SSL you will need to generate an RSA key pair and obtain a certificate for Apache to use. Save the files generated by OpenSSL below and make them readable by the user that starts Apache (normally root, since the key is read at startup before privileges are dropped); the private key must not be readable by the unprivileged user httpd runs as.

Generating a Public Key Pair

Use the following command to generate an RSA key pair. -des3 encrypts the resulting key file with triple-DES under a passphrase you are prompted for, and -rand seeds the random number generator from the named files (any large, unpredictable files will do; separate the names with a colon). A 1024-bit RSA key is too short by current standards; use at least 2048 bits:

openssl genrsa -des3 -rand file1:file2 -out server.key 2048

Removing the Private Key Password

Using the encrypted key means the passphrase must be typed at the console every time Apache is started, but servers usually need to restart unattended. To allow this you will need to write a copy of the private key without the passphrase. If you do this you must protect the file: owned by root, mode 0600, readable by no one else, since anyone who can read it can impersonate your server. If your private key is compromised you will have to get the certificate revoked and generate a new key pair.

openssl rsa -in server.key -out server.pem

This prompts for the passphrase and writes the unencrypted key to server.pem. It is this file, not the encrypted server.key, that Apache must be given: install it as the server.key referenced in the configuration below, or point SSLCertificateKeyFile at it.

Generating a Certificate Signing Request

Once you have your key pair, you will need to generate a CSR, or Certificate Signing Request. The CSR contains your public key and the subject name, signed with your private key, and is what a CA (or you, for a self-signed certificate) turns into a certificate. You will be prompted for the subject fields; the Common Name must be the hostname clients will connect to (for example www.example.com), otherwise browsers will reject the certificate. To generate a CSR, use the following:

openssl req -new -key server.key -out server.csr

Generating a Certificate

To get a certificate you can either use OpenSSL to generate a self-signed certificate or use a third-party CA. A self-signed certificate is fine for testing, but no browser trusts it, so users will see a certificate warning; for a public site get a CA-signed certificate.

To generate a self-signed certificate, valid for 30 days, use the following:

openssl x509 -req -days 30 -in server.csr -signkey server.key -out server.crt

To receive a certificate from a third-party CA, you will need to enroll with a CA and submit your CSR to receive a signed certificate back. I get my certificates for free from CAcert.org (http://www.cacert.org). Just create an account there and request a certificate using their form. You simply submit the CSR and the certificate is provided back to you in an HTML page. You then copy it into a text file, server.crt.
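The key generation, passphrase removal, CSR and self-signed certificate steps above, run end to end as one shell script with safe file modes and a verification step at the end. This is an added example, not code from the original page; the passphrase "changeit", the subject /CN=www.example.com and the 2048-bit modulus are constructed for it, and -rand is omitted because modern OpenSSL seeds its random number generator itself.

```shell
#!/bin/sh
# Added example, not from the original page. Runs the key, passphrase
# removal, CSR and self-signed certificate steps end to end with safe file
# modes, then checks the results. Constructed for this example (not from
# the page): the passphrase "changeit", the subject /CN=..., the 2048-bit
# modulus. -rand is omitted: modern OpenSSL seeds itself.

# gen_server_cert DIR CN [BITS]
#   Writes into DIR:
#     server.key  passphrase-encrypted (triple-DES) RSA private key
#     server.pem  the same key without the passphrase, for unattended restarts
#     server.csr  certificate signing request for CN
#     server.crt  30-day self-signed certificate
gen_server_cert() {
    dir=$1; cn=$2; bits=${3:-2048}
    mkdir -p "$dir"
    # Create every file owner-only from the first byte; a chmod afterwards
    # would leave a window in which the key was world-readable.
    old_umask=$(umask); umask 077

    # 1. key pair, encrypted under a passphrase (the page's genrsa -des3 step)
    openssl genrsa -des3 -passout pass:changeit -out "$dir/server.key" "$bits" 2>/dev/null
    # 2. unencrypted copy so Apache can start without a console prompt
    openssl rsa -in "$dir/server.key" -passin pass:changeit -out "$dir/server.pem" 2>/dev/null
    # 3. CSR; -subj supplies the subject so nothing is asked interactively
    openssl req -new -key "$dir/server.pem" -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
    # 4. self-signed certificate, 30 days as on the page
    openssl x509 -req -days 30 -in "$dir/server.csr" -signkey "$dir/server.pem" \
        -out "$dir/server.crt" 2>/dev/null

    umask "$old_umask"
    # the CSR and certificate are public; the two key files stay 0600
    chmod 644 "$dir/server.csr" "$dir/server.crt"
}

# verify_key_cert DIR
#   0 if the unencrypted key is internally consistent, the CSR's
#   self-signature verifies, and the certificate's public key matches the
#   private key (the check to run before pointing SSLCertificateKeyFile at it).
verify_key_cert() {
    dir=$1
    openssl rsa -check -noout -in "$dir/server.pem" >/dev/null 2>&1 || return 1
    openssl req -verify -noout -in "$dir/server.csr" >/dev/null 2>&1 || return 1
    k=$(openssl rsa -noout -modulus -in "$dir/server.pem" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_mode_ok FILE : 0 if FILE is mode 0600, i.e. readable by its owner only
key_mode_ok() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Typical use, as root:
#   gen_server_cert /root/ssl-work www.example.com
#   verify_key_cert /root/ssl-work && key_mode_ok /root/ssl-work/server.pem
#   then install server.crt as conf/ssl.crt/server.crt and server.pem as
#   conf/ssl.key/server.key (owner root, mode 0600)
```

The modulus comparison is the check that catches the commonest mistake at this stage: a certificate issued for one key being installed next to a different (typically regenerated) private key, which Apache only reports at startup.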

Installing the Key and Certificate

Now that you have your private key file and certificate you will need to install them in Apache. The files are typically installed in the following locations (create the directories if the Apache install did not, and keep ssl.key and the key file readable by root only):

/usr/local/apache2/conf/ssl.crt/server.crt
/usr/local/apache2/conf/ssl.key/server.key

The next step is to reference these paths in httpd.conf, or more precisely in the ssl.conf it includes: the SSLCertificateFile and SSLCertificateKeyFile directives need to point at the certificate and key files. The SSLCipherSuite line below is the stock Apache 2.0 default and is deliberately permissive: ALL already excludes the unencrypted eNULL suites (a trailing +eNULL only reorders), but the string still admits 40-bit export, LOW-grade and SSLv2-era suites. On any server reachable from the internet, restrict it (for example HIGH:!aNULL:!eNULL:!EXPORT) and disable SSLv2 with SSLProtocol all -SSLv2.

## SSL Virtual Host Context

<VirtualHost _default_:443>
  DocumentRoot "/usr/local/apache2/htdocs"
  ServerName www.example.com
  ErrorLog /usr/local/apache2/logs/error_log
  TransferLog /usr/local/apache2/logs/ssl_request_log

  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>
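As an added example (not code from the page or from the Apache project), the shell functions below check what a SSLCipherSuite string actually expands to on the local OpenSSL before it goes into ssl.conf, and write the virtual host above with an explicit SSLProtocol and a restricted cipher string. The paths and hostname are the page's; the hardened cipher string is a policy chosen for this example, and the weak-cipher pattern is an assumption about what this deployment must never offer.

```shell
#!/bin/sh
# Added example, not from the original page or the Apache project.
# "openssl ciphers -v" shows the suites a cipher string really selects on the
# OpenSSL this server links against; check that before trusting a string.

# The stock cipher string from the ssl.conf above, kept for comparison. ALL
# already excludes eNULL (a trailing "+eNULL" only reorders), but the string
# still admits 40-bit export, LOW and SSLv2-era suites.
PAGE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
# Restricted string (assumption: policy chosen for this example). Every
# keyword in it also exists in OpenSSL 0.9.8.
HARDENED_SUITE='HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5'
# What must never appear in the expanded list: anonymous key exchange,
# no encryption, export grade, RC4, single or triple DES.
WEAK_PATTERN='Au=None|Enc=(None|DES|3DES|RC4)|EXP'

# cipher_string_ok STRING
#   0 only if the local OpenSSL expands STRING to a non-empty list in which
#   no suite matches WEAK_PATTERN.
cipher_string_ok() {
    list=$(openssl ciphers -v "$1" 2>/dev/null) || return 1
    [ -n "$list" ] || return 1
    if printf '%s\n' "$list" | grep -Eq "$WEAK_PATTERN"; then
        return 1
    fi
    return 0
}

# write_ssl_vhost OUTFILE SUITE
#   Writes the virtual host from the page with SSLProtocol pinned and SUITE
#   as the cipher string; refuses (and writes nothing) if SUITE fails the
#   check above, so a weak policy cannot reach ssl.conf by accident.
write_ssl_vhost() {
    out=$1; suite=$2
    cipher_string_ok "$suite" || return 1
    cat > "$out" <<EOF
<VirtualHost _default_:443>
  DocumentRoot "/usr/local/apache2/htdocs"
  ServerName www.example.com
  ErrorLog /usr/local/apache2/logs/error_log
  TransferLog /usr/local/apache2/logs/ssl_request_log

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite $suite
  SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>
EOF
}

# Typical use:
#   write_ssl_vhost /usr/local/apache2/conf/ssl-vhost.conf "$HARDENED_SUITE" \
#       && /usr/local/apache2/bin/httpd -t -DSSL
```

Run cipher_string_ok on the OpenSSL the server was built against, not on a workstation: the same string selects different suites on different OpenSSL versions, which is exactly why the expansion, rather than the string, is what should be reviewed.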

Starting Apache

By default, the SSL parts of Apache's httpd.conf and ssl.conf are wrapped in <IfDefine SSL> blocks, so SSL is only enabled if you start Apache with the SSL define. How you set it depends on whether you use the httpd binary or apachectl. With the httpd binary, pass the -DSSL flag:

 httpd -k start -DSSL

If you start Apache with apachectl, use the startssl option:

 apachectl startssl

You can also make SSL unconditional by removing (or commenting out) the <IfDefine SSL> and </IfDefine> lines that guard the SSL configuration. Remove both halves of each pair, since an unmatched </IfDefine> is a configuration error, and check the result with httpd -t before restarting.

ApacheWorld.org (http://apacheworld.org/ty24/site.chapter17.html) has a more in-depth article on this.

Troubleshooting

There are a number of areas that can generate errors. You should not encounter them if you follow the steps above however they are presented here for troubleshooting purposes.

undefined symbol : X509_free

This error indicates a linking bug in Apache when a static OpenSSL is linked into a dynamic mod_ssl (mod_ssl.so). The solution is to build a dynamic (shared) OpenSSL, as in the ./config shared step above. Read more about this on the modssl-users mailing list (http://www.mail-archive.com/modssl-users@modssl.org/msg14344.html).

error while loading shared libraries: libssl.so.0.9.8

This error occurs when you build a dynamic OpenSSL but have not registered its library directory with the dynamic loader (the /etc/ld.so.conf entry plus ldconfig, as above). Read more about this at Tequila Fish (http://www.tequilafish.com/2005/11/10/apache-with-ssl-dftables-error-while-loading-shared-libraries/).
