This is a log of my installation/Compilation of Apache 2.0.43
with SSL, under old RedHat 7.0 Kernel: 2.4.2-2

This log includes compilation from scratch of Apache. I personally
usually compile stuff from scratch, since I have the 
NIH (Not Invented Here) mental syndrome. It is still mild,
and my shrink tells me that he still does not have to
report me to the authorities. Frankly, I do not like
my own layout after a while too, and change it often. 

This memo was originally written by Jan Labanowski (jkl@ccl.net)
around Nov 5, 2002

The UNIX commands are in italic. It assumed that you will just grab them
with the mouse and paste them in your xterm...

Few terms:
  Apache -- the Web Server
  DSO -- Dynamic Shared Object (additional modules can be added/updated
         to Apache without the need to recompile the whole thing, similar
         to shared libraries, but DSO modules are not only called, but
         can also call routines within Apache)
         
  SSL -- Secure Socket Layer - the encryption and certificate package which
         works with Apache

I assume you have moderately latest GNU tools (gmake, gzip, etc...) installed
and you also have a recent version of perl installed distribution. 

I assume that you do all installation as root...
You can also get the wget utility from
 ftp://ftp.gnu.org/pub/gnu/wget/. The local copy is here.

You will need to have openssl libraries (libcrypto and libssl) installed
for the latest wget to compile. If you do not have them, install openssl
first as described in my log:
http://www.ccl.net/cca/software/SUN/openssl.

By default, it installs wget binary to /usr/local/bin and puts man page into
/usr/local/man. You can edit the Makefile after .configure step if you
want them elsewhere. I installed the latest GNU one (now 1.8.2)as: 
    get wget-1.8.2.tar.gz and move it to directory /usr/local/uploads or
       the one you like the most, e.g.; /tmp.
    gunzip wget-1.8.2.tar.gz
    gtar xvf wget-1.8.2.tar
    mv wget-1.8.2 /usr/local     # I like it in /usr/local
    cd /usr/local/wget-1.8.2
    ./configure
    make
    make install

wget has also extensive GNU info pages and if you have install, do

   info wget

and seek knowledge.

1) Be a root... Run ksh or bash or other sh, but not C-shell.
   Before you install the new Apache, you have to know if you have some
   other installation of Apache running. If you do, you need to decide
   if you want to keep the old Apache running, or you stop it. 
   The problem is that Apache server by default listens to standard
   Web TCP ports, and you cannot have some other Apache listen on the same
   port(s). If Apache was installed before you will need either to disable
   it, or choose other ports. If some Apache is running 
   (do: ps -ef | grep httpd) check which ports it is using by:

      netstat -a -n | grep LISTEN

   if you want to see all ports given as numbers, rather than services names.

   If you get (among others):
      tcp        0      0 0.0.0.0:80        0.0.0.0:*               LISTEN
      tcp        0      0 0.0.0.0:443       0.0.0.0:*               LISTEN )
   The "well known ports" for HTTP and HTTPS are booked and some web
   server is running. 


2) If the old server is running check the files in /etc/init.d and
   see if there is an httpd file (or similar) and stop apache as:

      /etc/init.d/httpd stop    

3) If you do not want to kill previous Apache, and install the 
   new one in such a way that their TCP ports do not conflict, just
   continue on, and you will be OK, since this installation uses
   ports 24380 and 24343 rather than standard ports which your existing
   installation is most likely using (change them is already used for
   something else). Alternatively, If you know where is the configuration
   file for the already installed apache located, you can edit it and change
   port assignments, for example: 
      edit file /usr/local/apache1.3.13/conf/httpd.conf and change ports:
      
         cd /usr/local/apache1.3.13/conf
         cp -p httpd.conf httpd.conf.original
     
      emacs (or vi or whatever) httpd.conf and replace lines:
           Listen 80   -->    Listen 6080
           Port 80     -->    Port 6080
           Listen 443  -->    Listen 6443
           <VirtualHost _default_:443> --> <VirtualHost _default_:6443>
     then restart apache and check pages:

         cd /etc/init.d
         ./httpd start

         and try if this works, i.e., try the URLs:
            http://my.machine.com:6080/
            https://my.machine.com:6443/


4) Make top directory for Apache 2.0.43 installation. I did
     /usr/local/apache_2.0.43


     mkdir /usr/local/apache_2.0.43

  Then set APACHE_HOME environment variable

    APACHE_HOME=/usr/local/apache_2.0.43
    export APACHE_HOME

 
  I also made a subdirectory "sources" to have all needed sources in one
   place: 

     mkdir ${APACHE_HOME}/sources
     cd ${APACHE_HOME}/sources

   Put there the tar files:

      mkdir -p ${APACHE_HOME}/sources
      cd ${APACHE_HOME}/sources
      wget http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz
      wget http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz.asc
      wget http://www.apache.org/dist/httpd/KEYS


5) If you are paranoid, check integrity of the file retrieved with GNU PG
   If you do not have GNU PG then install it:
   (you can find my notes at http://www.ccl.net/cca/software/SUN/gnu-pg/) or
   skip this check and do not sleep well ever...

   Then check if the tar.gz file is fine:

       cd ${APACHE_HOME}/sources
       gpg --import KEYS
       gpg --verify httpd-2.0.43.tar.gz.asc


   It told me: 
     gpg: Good signature from "wrowe@covalent.net"
   which is good.


6) Unpack sources to build DSO Apache with mod_ssl and mm:

     cd ${APACHE_HOME}/sources
     gtar zxvf httpd-2.0.43.tar.gz


7) Configure the compilation... It needs to know where is your openssl.
   You have to have the openssl installed for the Apache SSL to run.
   Check if you have it at /usr/local/openssl or /usr/local/ssl
   and read my log on openssl at: http://www.ccl.net/cca/software/SUN/openssl".


       cd ${APACHE_HOME}/sources/httpd-2.0.43
       ./configure --prefix=${APACHE_HOME} \
             --enable-mods-shared=most \
             --with-ssl=/usr/local/openssl \
             --enable-ssl


7) Building and installing the apache:


       make
       make install



8) Try edit the httpd.conf file for testing... I just changed the following
   lines:

      cd ${APACHE_HOME}/conf
      emacs  httpd.conf         (or whatever your beloved editor is)

   and:

    Listen 80 --> listen 24380

    group #-1  --> group nobody

    ServerAdmin you@your.address --> ServerAdmin jkl@ccl.net
  
    #ServerName new.host.name:80 --> ServerName heechee.ccl.net:24380

   Hopefully port 24380 does not conflict with anything. Then start Apache
   without SSL support as:

      cd ${APACHE_HOME}/bin
      ./apachectl start


9) Point your browser at the http://server:port (in my case:
   http://heechee.ccl.net:24380) and see if your server is running.
   It should. Now kill it:

      cd ${APACHE_HOME}/bin
      ./apachectl stop


10) Now you can make certificates. Actually you cannot, since the
    regular distribution of apache 2.0 sources does not contain 
    files which are needed to create test server certificates.
    To be able to create test certificates you need to have a script 
    sign.sh which comes with the mod_ssl distribution for Apache
    1.3.x. (you can get the latest mod_ssl distribution for Apache 1.3.X
    from the: http://www.modssl.org.
    This script is missing in the Apache 2.0.43 distribution.
    I am providing it here as sign.sh. Note, I made a single change in this
    script. I changed a line with a number of 

         default_days            = 365

    to 

         default_days            = 2002

    just so the certificate will not expire for over 5 years.

    Put the script in the 
    ${APACHE_HOME}/conf directory and make it executable.

    cd ${APACHE_HOME}/conf
    chmod 755 sign.sh


11) Making the Certificate Signing Request (CSR). This is is "pre-certificate"
    which you would need to send to one of the commercial Certificate
    Authorities (CAs, like VeriSign or and Thawte) and they would return you
    the actual certificate after you pay them a few hundreds dollars and
    lots of paperwork. You really need to do it, if you are considering
    secure transactions. The CAs addresses are built into common browsers.
    The CAs are here to attest to your identity. Without them, we
    could not really trust if we give a MasterCard number to IBM, or
    someone who presents him/herself as IBM. If you just want to try HTTPS,
    I will tell you how to sign the CSR with the phony certificate agency
    you create yourself (with the self-signed certificate). You really need to
    read more about it to know what you are doing... Here is just list
    of commands which will get you there:

    a) make sure that your PATH and LD_LIBRARY_PATH is set so your
       commands know about openssl binary and libraries:


          PATH=${PATH}:/usr/local/openssl-0.9.6/bin
          export PATH

          LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/openssl-0.9.6/lib
          export LD_LIBRARY_PATH
    

    b) create private key in RSA format: It will ask you for the password
       (passphrase). Make sure you make a note of it.
      

        cd ${APACHE_HOME}/conf
        mkdir ssl.key
        cd ssl.key
        openssl genrsa -des3 -out server.key 1024 


       This will generate a file: server.key in the 
       ${APACHE_HOME}/conf/ssl.key directory.

    c) decrypt the key (i.e., strip the passphrase) and use it from now on:

         cd ${APACHE_HOME}/conf/ssl.key
         openssl rsa -in server.key -out server.key.unsecure
         mv server.key server.key.encrypted
         mv server.key.unsecure server.key
         chmod 600 server.key server.key.encrypted


    d) create Certificate Signing Request (CSR). Please note that you
       have to enter your machine fully qualified domain name as CommonName.

         cd ${APACHE_HOME}/conf
         mkdir ssl.csr
         cd ssl.csr
         openssl req -new -key ../ssl.key/server.key -out server.csr

       
       My dialog follows with bold entries typed in:
------------------------
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Columbus
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, YOUR name) []:heechee.ccl.net
Email Address []:jkl@ccl.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
------------------------

       Note that I did not enter the challenge password or additional name.
       This dialog created a file: server.csr in the
       ${APACHE_HOME}/conf/ssl.csr directory.

       Normally you would send this file to a Certificate Authority,
       and they would send you back your certificate signed by them.
   
12) Signing the CSR just created. 
    For testing purposes you can pretend that you are a Certificate
    Authority (CA) and sign the certificate yourself with the Certificate
    of your own Certificate Authority (CA).

    a) Create private key for your "Certificate Authority" (remember to
       make a note about passphrase)


       cd ${APACHE_HOME}/conf/ssl.key
       openssl genrsa -des3 -out ca.key 1024

    
    b) decrypt the ca.key similarly as you did for server.key

       cd ${APACHE_HOME}/conf/ssl.key
       openssl rsa -in ca.key -out ca.key.unsecure 
       mv ca.key ca.key.encrypted
       mv ca.key.unsecure ca.key
       chmod 600 ca.key ca.key.encrypted


    c) Create a CA Certificate (X509 structure) with the RSA key of the CA

         cd ${APACHE_HOME}/conf
         mkdir ssl.crt
         cd ssl.crt
         openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key -out ca.crt

       My dialog looked like:
------------
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Columbus
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, YOUR name) []:CCL-Team 
Email Address []:jkl@ccl.net
------------

       And as a result, the file: ca.crt was created in the 
       ${APACHE_HOME}/conf/ssl.crt directory.

    d) Now you have a phony self signed Certificate of Certificate Authority
       and you can use it sigh your Server Certificate Signing Request, i.e.,
       file server.csr. You need the script sign.sh for it. Since the
       script assumes that you have all your certificates and keys in the
       same directory, you need to create a temporary directory and copy
       stuff there:

         cd ${APACHE_HOME}/conf
         mkdir temp
         cd temp
         cp ../ssl.crt/*.crt .
         cp ../ssl.csr/*.csr .
         cp ../ssl.key/*.key .
         ../sign.sh server.csr 

       My conversation was as follows:
----------------------------
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Ohio'
localityName          :PRINTABLE:'Columbus'
organizationName      :PRINTABLE:'OSC'
organizationalUnitName:PRINTABLE:'CCL'
commonName            :PRINTABLE:'heechee.ccl.net'
emailAddress          :IA5STRING:'jkl@ccl.net'
Certificate is to be certified until Apr  7 20:50:32 2008 GMT (2002 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
--------------------------

       As a result, the file server.crt was created in 
       ${APACHE_HOME}/conf/temp directory.
       You need to move it where it belongs, i.e., to ssl.crt directory
       and delete temp, since you do not need it really...

       cd ${APACHE_HOME}/conf/temp
       mv server.crt ../ssl.crt
       cd ..
       rm -rf temp
       cd ssl.crt
       chmod 600 *



13) Now it is probably prudent to save these files on a diskette
    or CD so when you need to move your Apache server to another
    machine or disk, or to reinstall it, you will not have to
    recreate certificates (people already registered them in their
    browsers, and they would be angry if they had to redo it).


      cd ${APACHE_HOME}/conf
      tar cvf certs.tar ssl.crt ssl.csr ssl.key
      
    and copy the file certs.tar in a safe place.

14) Test the SSL and certificates. You need to edit the file ssl.conf now.
    
      cd ${APACHE_HOME}/conf
      emacs ssl.conf


    I did following changes:

Listen 443 --> Listen 24343

<VirtualHost _default_:443> --> <VirtualHost _default_:24343>

ServerName new.host.name:443 --> ServerName heechee.ccl.net:24343
ServerAdmin jkl@ccl.net

    and then fired apache as:

      cd ${APACHE_HOME}/bin
      ./apachectl startssl


    Then, with my browser, I checked if I can get to:
       https://heechee.ccl.net:24343/
    I could, and then I lived happily ever after...

    My starting config files are available here as:
    httpd.conf and
    ssl.conf and


15) Starting Apache on boot-up
    To start Apache automatically at boot-up I modified slightly the
    apachectl script from  ${APACHE_HOME}/bin and copied it
    as httpd-2 to /etc/init.d. The httpd-2 was simplified to only respond to
    start and stop arguments, and start as SSL by defaults. I also
    made sure that /etc/init.d/httpd-2 had the permission 755. I then
    linked it to the appropriate runlevel (3)

       cd /etc/init.d
       chmod 755 httpd-2
       cd /etc/rc3.d/init.d
       ln -s ../init.d/httpd-2 S55httpd-2
       /etc/init.d/httpd-jkl start                # just testing
       /etc/init.d/httpd-jkl stop


                 -- THE END --

If you see something wrong here, please let me know, so I can save
other peoples time.

Jan    -- jkl@ccl.net