
Thursday, March 24, 2011

How to Enable SSL + Apache2 on Ubuntu from source

Today I'm starting a system administration tutorial series, because I currently have the opportunity to work at the University of Colombo Network Operating Center as a trainee Network and System Administrator. I believe I will gain a lot of experience in this period, and I hope to share all the new knowledge with you. Today I'm going to talk about enabling SSL on our own Ubuntu Apache2 server. I'm not going to cover installing Apache2, because you can do that easily, but enabling SSL is a little harder and gives some unexpected errors, so in this post I'm going to show how to successfully enable SSL on our Apache2 server.


To enable SSL we need to enable mod_ssl in Apache and install OpenSSL to generate the keys.
A secure server uses public-key cryptography, so we need to generate a public/private key pair and obtain a certificate. In my case I'm going to create a self-signed certificate; otherwise a certificate can be obtained from a Certificate Authority (CA), and a web search turns up several commercial and free CAs. Note that the OpenSSL and Apache releases used below are long out of support; the steps are the same for current releases, which are what a production server should run. So first I compile and install OpenSSL to generate the above as follows.
01. Installing OpenSSL

Here I used the OpenSSL source (openssl-0.9.7e.tar.gz), which you can download from www.openssl.org/source, then extract it as follows:


tar -zxvf openssl-0.9.7e.tar.gz


or

gunzip openssl-0.9.7e.tar.gz and then tar -xvf openssl-0.9.7e.tar

After this, cd into openssl-0.9.7e and run the configure script:


./config --prefix=/usr/local


The --prefix option sets the directory OpenSSL is installed under. Next compile and install OpenSSL with make and then make install (first make, then make install).





02. Generating a key for the Certificate Signing Request (CSR)
We need to generate a private key first. I created a directory named ssl (mkdir ssl) to hold the keys and ran the following inside it:


         openssl genrsa -des -out keyname.key 1024


During key generation you are asked for a passphrase for the key; because the key file is encrypted, Apache will ask for the same passphrase every time it starts. Two caveats for anyone following this today: 1024-bit RSA keys and single DES are no longer considered adequate, so use at least 2048 bits and -aes256 (or leave the key unencrypted if the server must start unattended).


03. Then I create the Certificate Signing Request (CSR) using the following command:

      openssl req -new -key keyname.key -out csrname.csr


This command prompts for a series of fields: Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address, etc. The Common Name must be the host name clients will use (www.secure.com in my case), because browsers compare it against the URL.
We can then submit this CSR file to a CA (Certificate Authority) for processing; the CA uses the CSR to issue the certificate. Alternatively, we can create a self-signed certificate from this CSR.




04. Creating a self-signed certificate
Using the following command:
          openssl x509 -req -days 365 -in csrname.csr -signkey keyname.key -out crtname.crt


Here I got an error because my .key file was not in my current directory, so remember to execute this command inside the relevant directory (in my case the ssl directory) that contains the key generated above.
After executing the above command we can inspect our certificate with the following command (the output was my certificate):

                    openssl x509 -in crtname.crt -text -noout

 
My ssl directory now contains the following files (the key, the CSR and the certificate), and I changed the permissions of all the key files to 400 (chmod 400 keyname.key) so that only the owner can read them.
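Steps 02 to 04 as one script, added here as an example and not part of the original post. It differs from the post's commands in the ways a current server needs: a 2048-bit key instead of 1024, no single-DES passphrase (add -aes256 to the genrsa line if you want one), and the key created under umask 077 so it is never world-readable. The host name secure.example, the subject fields and the scratch directory are placeholders. The second function is the check I would run before pointing Apache at the files: it confirms the CN, that key and certificate belong together, that the certificate is still valid, and that the self-signature verifies.

```shell
#!/bin/sh
# Added example, not from the original post: the key, CSR and self-signed
# certificate steps as one script. Differences from the commands in the post:
# 2048-bit RSA instead of 1024, no single-DES passphrase (add -aes256 to the
# genrsa line if you want one), and the key is created under umask 077 so it
# is never world-readable. Host name and subject fields are placeholders.
set -eu

# make_selfsigned DIR CN [DAYS]: writes DIR/CN.key, DIR/CN.csr and DIR/CN.crt
make_selfsigned() {
  dir=$1; cn=$2; days=${3:-365}
  mkdir -p "$dir"
  # Step 02: private key. The subshell keeps the umask change local.
  ( umask 077 && openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null )
  # Step 03: CSR. -subj answers the interactive prompts; CN must be the host
  # name clients will type, because browsers compare it with the URL.
  openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" \
    -subj "/C=LK/ST=Western/L=Colombo/O=Example Org/CN=$cn" 2>/dev/null
  # Step 04: sign the CSR with its own key, i.e. a self-signed certificate.
  openssl x509 -req -days "$days" -in "$dir/$cn.csr" \
    -signkey "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
  chmod 400 "$dir/$cn.key"
}

# check_cert DIR CN: prints "ok" when the certificate's CN matches, the key
# and certificate belong together (same RSA modulus), the certificate has
# not expired, and its self-signature verifies; otherwise prints the reason.
check_cert() {
  dir=$1; cn=$2
  subj=$(openssl x509 -in "$dir/$cn.crt" -noout -subject -nameopt RFC2253)
  case $subj in
    *"CN=$cn"*) ;;
    *) echo "CN mismatch: $subj"; return 1 ;;
  esac
  kmod=$(openssl rsa -in "$dir/$cn.key" -noout -modulus)
  cmod=$(openssl x509 -in "$dir/$cn.crt" -noout -modulus)
  [ "$kmod" = "$cmod" ] || { echo "key does not match certificate"; return 1; }
  openssl x509 -in "$dir/$cn.crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }
  openssl verify -CAfile "$dir/$cn.crt" "$dir/$cn.crt" >/dev/null 2>&1 \
    || { echo "self-signature does not verify"; return 1; }
  echo ok
}

# Demo on a scratch directory with a placeholder host name.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" secure.example 365
check_cert "$demo_dir" secure.example
# Same inspection command as in step 04, restricted to the useful fields:
openssl x509 -in "$demo_dir/secure.example.crt" -noout -subject -issuer -dates
```

Point SSLCertificateFile and SSLCertificateKeyFile at the .crt and .key this produces. The modulus comparison is the quickest way to find the "key does not match certificate" class of mistake before Apache refuses to start.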
 

05. Enabling the SSL module for Apache2 using a2enmod ssl
Now that the certificate is ready we can enable the SSL module for Apache2:

        sudo a2enmod ssl

Note that a2enmod is the Ubuntu packaging script and only edits the packaged server's configuration under /etc/apache2; for an Apache built from source into /usr/local/apache2 the module must also be loaded by hand in httpd.conf (step 07).

06. To enable the SSL site, add the following to the Apache httpd.conf file (/usr/local/apache2/conf/httpd.conf). The SSL directives belong inside a <VirtualHost> block for port 443; outside it they apply to the main server, which also serves port 80.

#Instruct Apache2 to listen on port 443

Listen 443

#Create a virtual host that listens on 443
NameVirtualHost 127.0.0.1:443
<VirtualHost 127.0.0.1:443>
    ServerAdmin charith079@gmail.com

    # I created an ssl directory to keep my secure website
    DocumentRoot /usr/local/apache2/htdocs/ssl
    ServerName www.secure.com
    ServerAlias www.secure.com
    ErrorLog /usr/local/apache2/logs/server2log

    SSLEngine On

    # Here I allow only "high" and "medium" strength cipher suites.
    SSLCipherSuite HIGH:MEDIUM
    # Here I allow SSLv3 and TLSv1 and NOT the old SSLv2.
    # On a current server SSLv3 should be disabled as well: SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol all -SSLv2
    # Server certificate created in the steps above:
    SSLCertificateFile /usr/local/apache2/secure.com.crt
    # Server private key:
    SSLCertificateKeyFile /usr/local/apache2/conf/secure.com.key
    # Certificate chain: the intermediate certificate(s) of the CA that signed the
    # server certificate, sent to clients. I created a separate .crt for my own CA;
    # this is not compulsory for a self-signed certificate.
    SSLCertificateChainFile /usr/local/apache2/conf/my-ca.crt
    # CA certificate(s) Apache trusts when verifying client certificates;
    # only needed if SSLVerifyClient is turned on.
    SSLCACertificateFile /usr/local/apache2/conf/my-ca.crt
</VirtualHost>

 
07. Finally, so that Apache actually loads the SSL module, add the following line to httpd.conf:

LoadModule ssl_module modules/mod_ssl.so

Now check the configuration and restart the server (/usr/local/apache2/bin/apachectl configtest, then /usr/local/apache2/bin/apachectl restart, or ./apachectl restart from inside the bin directory). Following are my SSL site and its certificate as shown in my browser.






Errors
During this installation I got several errors and found solutions for them on forums and the Internet, so I hope they may help you too.

01) When I compiled OpenSSL on my Ubuntu OS I got the following error.




I found this solution:
Unpack openssl-0.9.7m.tar.gz, then edit Configure and Makefile and change all instances of -m486 to -mtune=i486.

Run "tar -pczf openssl-0.9.7m.tar.gz openssl-0.9.7m" to repack the directory, then remove the unpacked directory. Make sure you do this before running ./config on any future upgrades, until this is fixed in the ./setup package.

02) When I configured httpd.conf and restarted the server I got the following error.


Solution:
The Listen 443 line may be missing from httpd.conf.
This also occurs when several Apache instances are running at the same time; use netstat and ps to find them and kill the extra instances.

03) After creating the virtual host for port 443 I got the following error.




Solution:
This error occurs when the Apache server couldn't load mod_ssl.so from the /usr/local/apache2/modules directory. It happens when Apache (installed from source) was not configured with SSL enabled. To enable SSL, configure Apache as follows; if OpenSSL was installed under a non-default prefix as in step 01, give that prefix as --with-ssl=/usr/local.

./configure --enable-mods-shared="all ssl" --with-ssl
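Errors 02 and 03 above, and a wrong certificate or key path in step 06, all only show up when Apache is restarted. The following pre-flight check, added here as an example and not part of the original post, reads an httpd.conf and reports those mistakes beforehand: no Listen 443, no LoadModule for ssl_module or a mod_ssl.so that was never built, certificate/key/chain paths that do not exist relative to the server root, and a private key that is readable by other users. The server root and the two sample configurations are constructed for the demo; placeholder files stand in for the real certificate, key and module.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of an httpd.conf
# for the mistakes described in the Errors section, run before
# "apachectl restart". The sample server root and configs are constructed.
set -u

# ssl_preflight CONF [SERVERROOT]: prints one line per problem found.
ssl_preflight() {
  conf=$1; root=${2:-/usr/local/apache2}
  # Drop comments so a commented-out "#Listen 443" does not count.
  body=$(sed 's/#.*$//' "$conf")

  # Error 02: Apache never opens the HTTPS port without a Listen for 443.
  printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' \
    || echo "missing: Listen 443"

  printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on([[:space:]]|$)' \
    || echo "missing: SSLEngine On inside the :443 virtual host"

  # Error 03: LoadModule ssl_module must exist AND name a file that was built.
  so=$(printf '%s\n' "$body" | awk 'tolower($1)=="loadmodule" && $2=="ssl_module" {print $3; exit}')
  if [ -z "$so" ]; then
    echo "missing: LoadModule ssl_module modules/mod_ssl.so"
  else
    case $so in /*) ;; *) so="$root/$so" ;; esac
    [ -f "$so" ] || echo "missing file: $so (httpd was not built with --enable-mods-shared=\"all ssl\" --with-ssl)"
  fi

  # Step 06 paths: every certificate/key/chain file must resolve (relative
  # paths are taken from the server root, as Apache does).
  for f in $(printf '%s\n' "$body" | awk 'tolower($1) ~ /^sslcertificate(key|chain)?file$/ {print $2}'); do
    case $f in /*) ;; *) f="$root/$f" ;; esac
    [ -f "$f" ] || echo "missing file: $f"
  done

  # The private key should be mode 400 as in step 04, not readable by others.
  for k in $(printf '%s\n' "$body" | awk 'tolower($1)=="sslcertificatekeyfile" {print $2}'); do
    case $k in /*) ;; *) k="$root/$k" ;; esac
    [ ! -f "$k" ] || [ -z "$(find "$k" -perm -004)" ] || echo "world-readable private key: $k (chmod 400)"
  done
}

# count_problems CONF [SERVERROOT]: number of problem lines ssl_preflight printed.
count_problems() {
  ssl_preflight "$@" | awk 'END { print NR }'
}

# write_sample_configs DIR: constructed server root with a broken and a fixed config.
write_sample_configs() {
  dir=$1
  mkdir -p "$dir/conf" "$dir/modules"
  : > "$dir/modules/mod_ssl.so"      # placeholders standing in for the real files
  : > "$dir/conf/secure.com.crt"
  : > "$dir/conf/secure.com.key"; chmod 400 "$dir/conf/secure.com.key"
  cat > "$dir/bad.conf" <<'EOF'
# constructed sample: vhost written, but Listen 443 and LoadModule forgotten, key path wrong
<VirtualHost 127.0.0.1:443>
    ServerName www.secure.com
    SSLEngine On
    SSLCertificateFile conf/secure.com.crt
    SSLCertificateKeyFile conf/secure.key
</VirtualHost>
EOF
  cat > "$dir/good.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 127.0.0.1:443>
    ServerName www.secure.com
    SSLEngine On
    SSLCertificateFile conf/secure.com.crt
    SSLCertificateKeyFile conf/secure.com.key
</VirtualHost>
EOF
}

# Demo on the constructed server root.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
echo "bad.conf:"; ssl_preflight "$tmp/bad.conf" "$tmp"
echo "good.conf: $(count_problems "$tmp/good.conf" "$tmp") problem(s)"
```

Run it against the real file as ssl_preflight /usr/local/apache2/conf/httpd.conf /usr/local/apache2 before restarting; an empty output means none of the three error cases from this section applies, after which apachectl configtest catches syntax problems the grep-based check does not.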

 