This is a log of my installation/compilation of Apache 2.0.43 with SSL, under
old RedHat 7.0, kernel 2.4.2-2. This log includes compilation of Apache from
scratch. I personally usually compile stuff from scratch, since I have the NIH
(Not Invented Here) mental syndrome. It is still mild, and my shrink tells me
that he still does not have to report me to the authorities. Frankly, I do not
like my own layout after a while either, and change it often.

This memo was originally written by Jan Labanowski (jkl@ccl.net) around Nov 5,
2002.

The UNIX commands are set off on their own lines. It is assumed that you will
just grab them with the mouse and paste them into your xterm...

A few terms:

    Apache -- the Web Server
    DSO    -- Dynamic Shared Object (additional modules can be added to or
              updated in Apache without the need to recompile the whole thing,
              similar to shared libraries, but DSO modules are not only called,
              they can also call routines within Apache)
    SSL    -- Secure Socket Layer, the encryption and certificate package which
              works with Apache

I assume you have moderately recent GNU tools (gmake, gzip, etc.) installed
and that you also have a recent version of perl installed. I assume that you
do all installation as root...

You can also get the wget utility from ftp://ftp.gnu.org/pub/gnu/wget/. The
local copy is here. You will need to have the openssl libraries (libcrypto and
libssl) installed for the latest wget to compile. If you do not have them,
install openssl first as described in my log:
http://www.ccl.net/cca/software/SUN/openssl. By default, it installs the wget
binary to /usr/local/bin and puts the man page into /usr/local/man. You can
edit the Makefile after the ./configure step if you want them elsewhere. I
installed the latest GNU one (now 1.8.2) as follows: get wget-1.8.2.tar.gz and
move it to the directory /usr/local/uploads or the one you like the most,
e.g., /tmp.
    gunzip wget-1.8.2.tar.gz
    gtar xvf wget-1.8.2.tar
    mv wget-1.8.2 /usr/local        # I like it in /usr/local
    cd /usr/local/wget-1.8.2
    ./configure
    make
    make install

wget also has extensive GNU info pages, and if you have info installed, do
"info wget" and seek knowledge.

1) Be root... Run ksh or bash or another sh, but not the C shell.

Before you install the new Apache, you have to know if you have some other
installation of Apache running. If you do, you need to decide if you want to
keep the old Apache running, or stop it. The problem is that the Apache server
by default listens on the standard Web TCP ports, and you cannot have some
other Apache listen on the same port(s). If Apache was installed before, you
will need either to disable it, or to choose other ports. If some Apache is
running (do: ps -ef | grep httpd), check which ports it is using by:

    netstat -a -n | grep LISTEN

if you want to see all ports given as numbers, rather than service names. If
you get (among others):

    tcp   0   0 0.0.0.0:80    0.0.0.0:*   LISTEN
    tcp   0   0 0.0.0.0:443   0.0.0.0:*   LISTEN

the "well known ports" for HTTP and HTTPS are taken and some web server is
running.

2) If the old server is running, check the files in /etc/init.d and see if
there is an httpd file (or similar), and stop Apache as:

    /etc/init.d/httpd stop

3) If you do not want to kill the previous Apache, and want to install the new
one in such a way that their TCP ports do not conflict, just continue on, and
you will be OK, since this installation uses ports 24380 and 24343 rather than
the standard ports which your existing installation is most likely using
(change them if those ports are already used for something else).
Alternatively, if you know where the configuration file for the already
installed Apache is located, you can edit it and change the port assignments.
For example, edit the file /usr/local/apache1.3.13/conf/httpd.conf and change
the ports:

    cd /usr/local/apache1.3.13/conf
    cp -p httpd.conf httpd.conf.original
    emacs httpd.conf        # (or vi or whatever)

and replace the lines:

    Listen 80                      -->  Listen 6080
    Port 80                        -->  Port 6080
    Listen 443                     -->  Listen 6443
    <VirtualHost _default_:443>    -->  <VirtualHost _default_:6443>

then restart Apache and check the pages:

    cd /etc/init.d
    ./httpd start

and try if this works, i.e., try the URLs:

    http://my.machine.com:6080/
    https://my.machine.com:6443/

4) Make the top directory for the Apache 2.0.43 installation. I did
/usr/local/apache_2.0.43:

    mkdir /usr/local/apache_2.0.43

Then set the APACHE_HOME environment variable:

    APACHE_HOME=/usr/local/apache_2.0.43
    export APACHE_HOME

I also made a subdirectory "sources" to have all needed sources in one place,
and put the tar files there:

    mkdir -p ${APACHE_HOME}/sources
    cd ${APACHE_HOME}/sources
    wget http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz
    wget http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz.asc
    wget http://www.apache.org/dist/httpd/KEYS

5) If you are paranoid, check the integrity of the retrieved file with GNU PG.
If you do not have GNU PG, then install it (you can find my notes at
http://www.ccl.net/cca/software/SUN/gnu-pg/), or skip this check and do not
sleep well ever... Then check if the tar.gz file is fine:

    cd ${APACHE_HOME}/sources
    gpg --import KEYS
    gpg --verify httpd-2.0.43.tar.gz.asc

It told me:

    gpg: Good signature from "wrowe@covalent.net"

which is good.

6) Unpack the sources to build DSO Apache with mod_ssl and mm:

    cd ${APACHE_HOME}/sources
    gtar zxvf httpd-2.0.43.tar.gz

7) Configure the compilation... It needs to know where your openssl is. You
have to have openssl installed for Apache SSL to run.
Check if you have it at /usr/local/openssl or /usr/local/ssl, and read my log
on openssl at http://www.ccl.net/cca/software/SUN/openssl.

    cd ${APACHE_HOME}/sources/httpd-2.0.43
    ./configure --prefix=${APACHE_HOME} \
                --enable-mods-shared=most \
                --with-ssl=/usr/local/openssl \
                --enable-ssl

7) Building and installing Apache:

    make
    make install

8) Try editing the httpd.conf file for testing... I just changed the following
lines:

    cd ${APACHE_HOME}/conf
    emacs httpd.conf        # (or whatever your beloved editor is)

and:

    Listen 80                      -->  Listen 24380
    Group #-1                      -->  Group nobody
    ServerAdmin you@your.address   -->  ServerAdmin jkl@ccl.net
    #ServerName new.host.name:80   -->  ServerName heechee.ccl.net:24380

Hopefully port 24380 does not conflict with anything. Then start Apache
without SSL support as:

    cd ${APACHE_HOME}/bin
    ./apachectl start

9) Point your browser at http://server:port (in my case
http://heechee.ccl.net:24380) and see if your server is running. It should.
Now kill it:

    cd ${APACHE_HOME}/bin
    ./apachectl stop

10) Now you can make certificates. Actually you cannot, since the regular
distribution of the Apache 2.0 sources does not contain the files which are
needed to create test server certificates. To be able to create test
certificates you need to have the script sign.sh, which comes with the mod_ssl
distribution for Apache 1.3.x (you can get the latest mod_ssl distribution for
Apache 1.3.x from http://www.modssl.org). This script is missing in the Apache
2.0.43 distribution. I am providing it here as sign.sh. Note, I made a single
change in this script: I changed the line with default_days = 365 to
default_days = 2002, just so the certificate will not expire for over 5
years. Put the script in the ${APACHE_HOME}/conf directory and make it
executable:

    cd ${APACHE_HOME}/conf
    chmod 755 sign.sh

11) Making the Certificate Signing Request (CSR).
This is a "pre-certificate" which you would need to send to one of the
commercial Certificate Authorities (CAs, like VeriSign or Thawte), and they
would return you the actual certificate after you pay them a few hundred
dollars and do lots of paperwork. You really need to do it if you are
considering secure transactions. The CAs' addresses are built into common
browsers. The CAs are here to attest to your identity. Without them, we could
not really trust whether we give a MasterCard number to IBM, or to someone who
presents him/herself as IBM. If you just want to try HTTPS, I will tell you
how to sign the CSR with the phony certificate agency you create yourself
(with a self-signed certificate). You really need to read more about it to
know what you are doing... Here is just the list of commands which will get
you there:

a) make sure that your PATH and LD_LIBRARY_PATH are set so your commands know
about the openssl binary and libraries:

    PATH=${PATH}:/usr/local/openssl-0.9.6/bin
    export PATH
    LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/openssl-0.9.6/lib
    export LD_LIBRARY_PATH

b) create the private key in RSA format. It will ask you for a password
(passphrase). Make sure you make a note of it.

    cd ${APACHE_HOME}/conf
    mkdir ssl.key
    cd ssl.key
    openssl genrsa -des3 -out server.key 1024

This will generate the file server.key in the ${APACHE_HOME}/conf/ssl.key
directory.

c) decrypt the key (i.e., strip the passphrase) and use it from now on:

    cd ${APACHE_HOME}/conf/ssl.key
    openssl rsa -in server.key -out server.key.unsecure
    mv server.key server.key.encrypted
    mv server.key.unsecure server.key
    chmod 600 server.key server.key.encrypted

d) create the Certificate Signing Request (CSR). Please note that you have to
enter your machine's fully qualified domain name as the CommonName.
    cd ${APACHE_HOME}/conf
    mkdir ssl.csr
    cd ssl.csr
    openssl req -new -key ../ssl.key/server.key -out server.csr

My dialog follows, with the entries I typed in shown after the colons:

    ------------------------
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Ohio
    Locality Name (eg, city) []:Columbus
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
    Organizational Unit Name (eg, section) []:CCL
    Common Name (eg, YOUR name) []:heechee.ccl.net
    Email Address []:jkl@ccl.net

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    ------------------------

Note that I did not enter the challenge password or the additional name. This
dialog created the file server.csr in the ${APACHE_HOME}/conf/ssl.csr
directory. Normally you would send this file to a Certificate Authority, and
they would send you back your certificate signed by them.

12) Signing the CSR just created. For testing purposes you can pretend that
you are a Certificate Authority (CA) and sign the certificate yourself with
the certificate of your own CA.
a) Create the private key for your "Certificate Authority" (remember to make a
note of the passphrase):

    cd ${APACHE_HOME}/conf/ssl.key
    openssl genrsa -des3 -out ca.key 1024

b) decrypt ca.key similarly as you did for server.key:

    cd ${APACHE_HOME}/conf/ssl.key
    openssl rsa -in ca.key -out ca.key.unsecure
    mv ca.key ca.key.encrypted
    mv ca.key.unsecure ca.key
    chmod 600 ca.key ca.key.encrypted

c) Create the CA Certificate (X509 structure) with the RSA key of the CA:

    cd ${APACHE_HOME}/conf
    mkdir ssl.crt
    cd ssl.crt
    openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key -out ca.crt

My dialog looked like:

    ------------
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Ohio
    Locality Name (eg, city) []:Columbus
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
    Organizational Unit Name (eg, section) []:CCL
    Common Name (eg, YOUR name) []:CCL-Team
    Email Address []:jkl@ccl.net
    ------------

As a result, the file ca.crt was created in the ${APACHE_HOME}/conf/ssl.crt
directory.

d) Now you have a phony self-signed Certificate Authority certificate, and you
can use it to sign your Server Certificate Signing Request, i.e., the file
server.csr. You need the script sign.sh for it. Since the script assumes that
you have all your certificates and keys in the same directory, you need to
create a temporary directory and copy the stuff there:

    cd ${APACHE_HOME}/conf
    mkdir temp
    cd temp
    cp ../ssl.crt/*.crt .
    cp ../ssl.csr/*.csr .
    cp ../ssl.key/*.key .
    ../sign.sh server.csr

My conversation was as follows:

    ----------------------------
    CA signing: server.csr -> server.crt:
    Using configuration from ca.config
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'Ohio'
    localityName          :PRINTABLE:'Columbus'
    organizationName      :PRINTABLE:'OSC'
    organizationalUnitName:PRINTABLE:'CCL'
    commonName            :PRINTABLE:'heechee.ccl.net'
    emailAddress          :IA5STRING:'jkl@ccl.net'
    Certificate is to be certified until Apr 7 20:50:32 2008 GMT (2002 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: server.crt <-> CA cert
    server.crt: OK
    --------------------------

As a result, the file server.crt was created in the ${APACHE_HOME}/conf/temp
directory. You need to move it where it belongs, i.e., to the ssl.crt
directory, and delete temp, since you do not really need it...

    cd ${APACHE_HOME}/conf/temp
    mv server.crt ../ssl.crt
    cd ..
    rm -rf temp
    cd ssl.crt
    chmod 600 *

13) Now it is probably prudent to save these files on a diskette or CD, so
that when you need to move your Apache server to another machine or disk, or
to reinstall it, you will not have to recreate the certificates (people have
already registered them in their browsers, and they would be angry if they had
to redo it).

    cd ${APACHE_HOME}/conf
    tar cvf certs.tar ssl.crt ssl.csr ssl.key

and copy the file certs.tar to a safe place.

14) Test the SSL and certificates. You need to edit the file ssl.conf now.
    cd ${APACHE_HOME}/conf
    emacs ssl.conf

I made the following changes:

    Listen 443                     -->  Listen 24343
    <VirtualHost _default_:443>    -->  <VirtualHost _default_:24343>
    ServerName new.host.name:443   -->  ServerName heechee.ccl.net:24343
    ServerAdmin jkl@ccl.net

and then fired up Apache as:

    cd ${APACHE_HOME}/bin
    ./apachectl startssl

Then, with my browser, I checked if I could get to:

    https://heechee.ccl.net:24343/

I could, and then I lived happily ever after... My starting config files are
available here as httpd.conf and ssl.conf.

15) Starting Apache on boot-up

To start Apache automatically at boot-up I modified slightly the apachectl
script from ${APACHE_HOME}/bin and copied it as httpd-2 to /etc/init.d. The
httpd-2 was simplified to only respond to the start and stop arguments, and to
start with SSL by default. I also made sure that /etc/init.d/httpd-2 had
permission 755. I then linked it into the appropriate runlevel (3):

    cd /etc/init.d
    chmod 755 httpd-2
    cd /etc/rc3.d
    ln -s ../init.d/httpd-2 S55httpd-2
    /etc/init.d/httpd-2 start    # just testing
    /etc/init.d/httpd-2 stop

-- THE END --

If you see something wrong here, please let me know, so I can save other
people's time.

Jan -- jkl@ccl.net
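The key, CSR, CA and signing sequence of steps 11 and 12, as an added example that is not part of this log: a POSIX shell script that does the same thing with plain openssl commands and then runs the checks sign.sh prints at the end. Assumptions: "openssl x509 -req" with -CA/-CAkey stands in for the mod_ssl sign.sh script (which is not reproduced here), keys are 2048-bit and written without a passphrase (the state the log's keys are in after step 11c), and the subject fields are the constructed values from the dialogs above.

```shell
#!/bin/sh
# Added example, not the log's own commands: throwaway CA plus a server cert
# signed by it. Assumption: "openssl x509 -req -CA ..." replaces sign.sh, and
# keys are generated without a passphrase (as after step 11c of the log).
set -eu

# Subject fields taken from the log's dialogs (constructed sample values).
CA_SUBJ="/C=US/ST=Ohio/L=Columbus/O=OSC/OU=CCL/CN=CCL-Team/emailAddress=jkl@ccl.net"
SRV_SUBJ="/C=US/ST=Ohio/L=Columbus/O=OSC/OU=CCL/CN=heechee.ccl.net/emailAddress=jkl@ccl.net"

# make_test_pki DIR: writes ca.key, ca.crt, server.key, server.csr, server.crt.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (step 12 a-c), 2048-bit here.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 2002 -key "$dir/ca.key" -subj "$CA_SUBJ" \
        -out "$dir/ca.crt"
    # Server key and CSR (step 11 b-d); the CN must be the server's FQDN.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "$SRV_SUBJ" -out "$dir/server.csr"
    # Sign the CSR with the CA key (what sign.sh does in step 12 d).
    openssl x509 -req -days 2002 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir"/*.key
}

# verify_server_cert DIR: the check sign.sh reports as "server.crt: OK".
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# key_cert_match DIR: prints "match" if server.crt was issued for server.key.
key_cert_match() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# cert_cn DIR: CommonName of the server certificate, for a quick sanity check.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

pki=$(mktemp -d)
make_test_pki "$pki"
verify_server_cert "$pki" && echo "server.crt: OK (signed by ca.crt in $pki)"
```

Point SSLCertificateFile and SSLCertificateKeyFile in ssl.conf at the generated server.crt and server.key to use them with the setup above.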