Thursday, March 24, 2011

How to Enable SSL+ Apache2 on Ubuntu from source

Today I'm going to start System administration tutorial because currently I got opportunity to work in University Of Colombo Network Operating Center as trainee Network and System Administrator so I believe that I can get lot of experience in this period and  also I hope to share all the new knowledge with you all. Today I'm going to talk about enabling SSL in our own Ubuntu apache2 server. In here I'm not going to talk installing apache2 because easily you can do it but in enabling ssl is little bit hard and it gives some unexpected errors so in this post I'm going to show  how successfully enable ssl in our Apache2 server.

To enable ssl we need to enable mod_ssl with apache and install openssl for generate keys.
To configure secure server, use public key cryptography so we need to generate public and private key pair and need to get certificate. In my case I'm going to create self-signed certificate otherwise we can get certificate from Certificate Authority (CA) also using Google we can find several commercial and free CA's. So first I compile and install openssl to generate above things as follow.
01. Installing openssl

Here I used openssl source ( openssl-0.9.7e.tar.gz ) you can download it from   then you should extract it as following

tar -zxvf  openssl-0.9.7e.tar.gz

tar -xvf and gunzip
After this you should cd into openssl-0.9.7 and can configure using following command.

./counfigure --prefix=/usr/local

using prefix we can specify directory for Openssl and next we can compile and install openssl using make and make install (first make then make install )commands

02. Generating key for Certificate Signing Request (CSR)
 We need to generate key for that we can use (I use mkdir ssl and create directory for keys and inside it)

         openssl genrsa -des -out keyname.key 1024

 during key generation we should enter password for our key.

03.  Then I create Certificate Signing Request (CSR)
        Using following command

      openssl req -new -key keyname.key -out csrname.csr

This command will prompt for a series of things as follow Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address...etc
Then we can submit this CSR file to a CA  (Certificate Authority)for process. They will use this CSR file and issue the certificate. On the other hand, we can create self-signed certificate using this CSR.

04.  Creating self-signed Certificate
Using following command.
          openssl x509 -req -days 365 -in csrname.csr -signkey keyname.key -out crtname.crt

Here I got error because my .key file is not inside my current directory so remember to execute this command inside relevant directory (my case directory ssl) that include your above generated key
After executing above command we can see our certificate using following command (following is my certificate).

                    Openssl x509 -in crtname.crt -text -noout

Now in my ssl directory include following files and I change file permission of all the keys to 400 as follow.

05. Enabling the ssl module for Apache2 using a2enmod ssl
 Now we finished creating Certificate now we can enable ssl module for apache2

        Sudo a2enmod ssl

            06. To enable ssl site we should add following things to our apache httpd.conf (/usr/local/apache2/conf) file 

#Instruct Apache2 to listen port 443

Listen 443

#Creating vertual host to listen 443

# I create ssl directory to kept my secure website
DocumentRoot /usr/local/apache2/htdocs/ssl
ErrorLog /usr/local/apache2/logs/server2log

       SSLEngine On

   # Here, I am allowing only "high" and "medium" security key lengths.
# Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2
#   Server Certificate That I create in above step:
SSLCertificateFile /usr/local/apache2/
#   Server Private Key:
SSLCertificateKeyFile /usr/local/apache2/conf/
#   Server Certificate Chain these things related to my Certificat Athority(CA) I create different .crt #for my CA this not compulsory:
SSLCertificateChainFile /usr/local/apache2/conf/my-ca.crt
#   Certificate Authority (CA):
SSLCACertificateFile /usr/local/apache2/conf/my-ca.crt

07. Finally to get load ssl module to apache we need to add following line into httpd.conf

LoadModule ssl_module modules/

Now  restart apache server(/usr/local/apache2/bin apachectl restart or ./apachectl restart). Following is how my ssl site and certificate work  on my browser.

During this installation I got several errors and I found solutions for those errors using forums and Internet so I hope it may help you too .

01)when I compile openssl on my Ubuntu os I got following error.

I found this solution
 Unpack openssl-0.9.7m.tar.gz
edit Configure and Makefile and change all instances of -m486 to -mtune=i486 .

Run "tar -pczf openssl-0.9.7m.tar.gz openssl-0.9.7m" to repack dir, remove the unpacked directory. Make sure you do this before running ./config setup on any upgrades in the future until this is fixed in ./setup package.

02) When I configure httpd.conf and restart the server I got following error.

It may Forget to add listen 443 line in httpd.conf
Also his occurs when several apache instances running same time we can use netstat and ps command and can kill instances.  

03) After finishing create virtual host for port 443 I got following error.

This error gives when apache server couldn't load from usr/local/apache2/module directory. This can occur when we didn't configure apache (apache installation from source) with ssl enabling. in apache configuration we want to  use as follow to enable ssl

./configure  --enable-mods-shared=”all ssl” --with-ssl


Anonymous said...

Parkinson's disease is a genic disease, anyone to a Groovy academic degree until He breaks the soul wholly. Filing for failure Beholding them sort, brings lightsomeness. elderly antidepressants, such as tricylics, importantly improves impression in PD patients, the rake-brain roadblock, and then changing into the neurotransmitter dopamine. Current studies being made on the correlation of strong-arm physical exertion lento and allowing time to look into for dizziness, severity, weakness or rigidity.

Also visit my page ... Parkinson's disease specialists Moore

Anonymous said...

lupus complications are ruled out. My father has lupus.
I wish I could sleep on.

my webpage - Brisbane lupus treatment

Anonymous said...

cholesterol is of import for the are foods that let down
cholesterol so important?

my weblog ...

Anonymous said...

Several medical studies have shown that healthy pregnant women between the ages of 34 and 44 have almost the same odds as 25-year-old women for bearing healthy babies. At the end of the week, most people want to rest or catch up on chores that were left unfinished during the week.

Anonymous said...

On the other hand, men should have a nutritional balance, in order to improve the quality and quantity of their sperms that will fertilize the egg.
Health is also a critical factor, diet, exercise and pre-natal vitamins along with folic acid will improve your chances of getting pregnant fast.

°.MคNןU.°Powered by Blogger