The goal:

On a SLES 11 server, run Apache2 with an official SSL certificate.

The way:

First, make sure that all required packages are installed (e.g. Apache2, OpenSSL, and so on).

  1. Start YaST and set up a web site. Take care that under “Server-Modules” SSL is set to active. Don’t set up a virtual host. Close YaST by clicking finish. Attention! After this step, never use YaST again to configure the Apache2 server! From this point on all configuration is done by hand… ;o)
  2. Open a shell and switch to root with the command “su”. Create the directory ca with “mkdir ca” in a location of your choice (e.g. under the temp directory in the root directory). Change into this directory with the command “cd ca”.
  3. Create a private key for your Apache2 server with the following command:
    $ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048

    Attention! You will be asked for a passphrase. Remember the passphrase you enter and take care that you don’t lose it!

  4. Create a csr file with the following command:
    $ openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr

    Attention! You will be asked several questions while the csr file is created. Under “Common Name” enter your domain name! E.g.: Common Name (eg, YOUR name) []:*.mydomain.com

  5. With the content of the created csr file you can obtain an official certificate. For this step you have to go to a certification authority such as VeriSign, thawte, GeoTrust, RapidSSL, and so on. Please check the vendor’s website for the procedure to obtain your own certificate.
  6. After completing all formalities with your chosen vendor you (often) get two files back: your certificate and an intermediate certificate. Sometimes you have to download the intermediate certificate; please heed the information from your chosen vendor.
  7. Now you have three files: www.yourdomain-example.com.crt (its content is your official certificate from your chosen vendor), www.yourdomain-example.com.key (which you created in step 3), and finally the intermediate.crt file.
  8. Copy the file www.yourdomain-example.com.crt to the directory “/etc/apache2/ssl.crt”, the file www.yourdomain-example.com.key to the directory “/etc/apache2/ssl.key”, and the intermediate.crt file to the directory “/etc/apache2/ssl.crt”.
  9. Now change to the directory vhosts.d in the apache2 directory (/etc/apache2/vhosts.d).

    Enter the command:

    cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/your_favorite_ssl_site_name.conf
  10. Open your your_favorite_ssl_site_name.conf file with vi, or your favorite editor (remember you need root rights!), and edit it until the directives look like the following example (of course you have to replace the file names and domain names with your own ;o) ). Please also note that the template’s comment lines are not shown in this example… ;o)

    ——————— vhost-file start ———————–

    <IfDefine SSL>
    <IfDefine !NOSSL>

    <VirtualHost www.yourdomain-example.com:443>

            DocumentRoot "/srv/www/htdocs"
            ServerName www.yourdomain-example.com:443
            ServerAdmin name@yourdomain-example.com
            ErrorLog /var/log/apache2/error_log
            TransferLog /var/log/apache2/access_log

            # "all -SSLv2" still leaves SSLv3 enabled; add -SSLv3 as well where your clients allow it
            SSLProtocol all -SSLv2

            SSLEngine on

            # HIGH:MEDIUM also admits older, weaker cipher suites; HIGH:!aNULL:!MD5 is a tighter choice
            SSLCipherSuite HIGH:MEDIUM

            # the three files copied in step 8
            SSLCertificateFile /etc/apache2/ssl.crt/www.yourdomain-example.com.crt

            SSLCertificateKeyFile /etc/apache2/ssl.key/www.yourdomain-example.com.key

            SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt

            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
            </Files>
            <Directory "/srv/www/cgi-bin">
                SSLOptions +StdEnvVars
            </Directory>

            SetEnvIf User-Agent ".*MSIE.*" \
                     nokeepalive ssl-unclean-shutdown \
                     downgrade-1.0 force-response-1.0

            CustomLog /var/log/apache2/ssl_request_log   ssl_combined

    </VirtualHost>

    </IfDefine>
    </IfDefine>

    ——————— vhost-file end ———————–

    Save the your_favorite_ssl_site_name.conf file.
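    As an added check (not part of the original post), the script below lints a copy of the vhost from step 10 for the mistake that is easy to make in this walkthrough, a site name in the config that differs from the name the certificate files carry, and for the two legacy settings in the template, SSLProtocol leaving SSLv3 on and SSLCipherSuite admitting MEDIUM ciphers. The sample vhost is constructed, and the protocol names are assumed to be the ones mod_ssl 2.2 understands.

```python
import re

# Constructed sample (not the page's own server): the vhost from step 10 carrying two issues,
# a typo ("domian") so the host no longer matches the certificate file, and "all -SSLv2" (SSLv3 stays on).
SAMPLE_VHOST = """<VirtualHost www.your-domian-example.com:443>
    ServerName www.your-domian-example.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/apache2/ssl.crt/www.yourdomain-example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/www.yourdomain-example.com.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt
</VirtualHost>"""

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # mod_ssl 2.2 names (assumed)
LEGACY = {"SSLv2", "SSLv3"}
WEAK_CIPHER_CLASSES = {"MEDIUM", "LOW", "EXPORT", "NULL"}  # OpenSSL cipher groups

def parse_directives(text):
    """Directive name -> value; tag lines (<...>) and comment lines are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.partition(" ")[::2] for ln in lines if ln and not ln.startswith(("#", "<")))

def enabled_protocols(value):
    """Apply mod_ssl's SSLProtocol semantics: 'all', then +name / -name adjustments."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled

def lint_ssl_vhost(text):
    """Return findings for the SSL vhost; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    legacy = enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY
    if legacy:
        findings.append("SSLProtocol still allows " + ", ".join(sorted(legacy)))
    ciphers = d.get("SSLCipherSuite", "")
    if WEAK_CIPHER_CLASSES & set(ciphers.split(":")):
        findings.append("SSLCipherSuite includes weak cipher classes: " + ciphers)
    # Steps 3-8 name every file after the site's host name, so a VirtualHost or ServerName
    # that differs from the certificate file's base name points at a typo somewhere.
    cert_host = re.sub(r"\.crt$", "", d.get("SSLCertificateFile", "").rsplit("/", 1)[-1])
    m = re.search(r"<VirtualHost\s+([^:>\s]+)", text)
    hosts = {"VirtualHost": m.group(1) if m else "", "ServerName": d.get("ServerName", "").split(":")[0]}
    for label, host in hosts.items():
        if host != cert_host:
            findings.append(f"{label} host {host!r} does not match certificate {cert_host!r}")
    return findings
```

    Run it against your own vhost file (`lint_ssl_vhost(open(path).read())`) before restarting Apache in step 13.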

  11. Open the file httpd.conf under “/etc/apache2” and add at the end of the file:
    SSLPassPhraseDialog exec:/path/to/passphrase-file

  12. Create the passphrase-file in your chosen path and enter the following lines:
    #!/bin/sh
    # Apache runs this script at start-up and reads the key passphrase from its output.
    # Anyone who can read this file can decrypt the private key, so keep it owned by root with mode 700.
    echo "passphrase"

    For the passphrase insert the passphrase you chose in step 3. Save the file and make it executable with the command “chmod +x passphrase-file”. Test that the file outputs the passphrase; you can do this with the command “./passphrase-file”.

  13. Restart apache2 with the command “rcapache2 restart”.

    Normally you should now be able to open your website over SSL in your browser. If you want to access your secure website from outside the hosting server ( ;o) ) remember to open port 443 on the firewall… ;o)

Category: SUSE Linux Enterprise Server, Technical Solutions
This entry was posted Monday, 11 April, 2011 at 11:22 am