This is a log of my installation/compilation of Apache 2.0.43
with SSL, under Solaris 2.8. gcc was: egcs-2.91.66
This log includes compilation of Apache from scratch. I personally
usually compile stuff from scratch, since I have the
NIH (Not Invented Here) mental syndrome. It is still mild,
and my shrink tells me that he still does not have to
report me to the authorities. Frankly, I do not like
my own layout after a while either, and change it often.

This memo was originally written by Jan Labanowski (jkl@ccl.net)
around Oct 13, 2002

The UNIX commands were in italic in the original (here they are simply
indented). It is assumed that you will just grab them with the mouse and
paste them into your xterm...

A few terms:
  Apache -- the Web Server
  DSO -- Dynamic Shared Object (additional modules can be added/updated
         to Apache without the need to recompile the whole thing, similar
         to shared libraries, but DSO modules are not only called, but
         can also call routines within Apache)
         
  SSL -- Secure Sockets Layer - the encryption and certificate package which
         works with Apache

I assume you have reasonably recent GNU tools (gmake, gzip, etc.) installed,
and also a recent perl distribution.

I assume that you do all of the installation as root...
You can get the wget utility from
 ftp://ftp.gnu.org/pub/gnu/wget/. The local copy is here.

You will need to have openssl libraries (libcrypto and libssl) installed
for the latest wget to compile. If you do not have them, install openssl
first as described in my log:
http://www.ccl.net/cca/software/SUN/openssl.

By default, wget installs its binary to /usr/local/bin and puts its man page
into /usr/local/man. You can edit the Makefile after the ./configure step if
you want them elsewhere. I installed the latest GNU one (now 1.8.2) as:
    get wget-1.8.2.tar.gz and move it to directory /usr/local/uploads or
       the one you like the most, e.g.; /tmp.
    gunzip wget-1.8.2.tar.gz
    gtar xvf wget-1.8.2.tar
    mv wget-1.8.2 /usr/local     # I like it in /usr/local
    cd /usr/local/wget-1.8.2
    ./configure
    make
    make install

wget also has extensive GNU info pages; if you have info installed, do

   info wget

and seek knowledge.

1) Be root... Run ksh or bash or another sh, but not C-shell.
   Before you install the new Apache, you have to know whether some
   other installation of Apache is already running. If it is, you need to
   decide whether you want to keep the old Apache running or stop it.
   The problem is that the Apache server by default listens on the standard
   Web TCP ports, and you cannot have another Apache listen on the same
   port(s). If Apache was installed before, you will need either to disable
   it or to choose other ports. If some Apache is running
   (do: ps -ef | grep httpd), check which ports it is using by:

      netstat -a | grep LISTEN

   or 

      netstat -a -n | grep LISTEN

   if you want to see all ports as numbers rather than service names.

   If you get (among others):
      tcp        0      0 *:www             *:*                     LISTEN    
      tcp        0      0 *:https           *:*                     LISTEN    
   (or, with the netstat -n option:
      tcp        0      0 0.0.0.0:80        0.0.0.0:*               LISTEN
      tcp        0      0 0.0.0.0:443       0.0.0.0:*               LISTEN )
   then the "well known ports" for HTTP and HTTPS are taken and some web
   server is running.


2) If the old server is running, check the files in /etc/init.d,
   see if there is an httpd file (or similar), and stop Apache as:

      /etc/init.d/httpd stop    

3) If you do not want to kill the previous Apache, and want to install the
   new one in such a way that their TCP ports do not conflict, just
   continue on and you will be OK, since this installation uses
   ports 24380 and 24343 rather than the standard ports which your existing
   installation is most likely using (change them if they are already used
   for something else). Alternatively, if you know where the configuration
   file for the already installed Apache is located, you can edit it and
   change the port assignments, for example:
      edit file /usr/local/apache1.3.13/conf/httpd.conf and change ports:
      
         cd /usr/local/apache1.3.13/conf
         cp -p httpd.conf httpd.conf.original
     
      emacs (or vi or whatever) httpd.conf and replace lines:
           Listen 80   -->    Listen 6080
           Port 80     -->    Port 6080
           Listen 443  -->    Listen 6443
           <VirtualHost _default_:443> --> <VirtualHost _default_:6443>
     then restart Apache and check the pages:

         cd /etc/init.d
         ./httpd start

         and see if this works, i.e., try the URLs:
            http://my.machine.com:6080/
            https://my.machine.com:6443/
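As an added example, not part of the original log, here is a small sh script that automates the port check from steps 1 and 3: it reads the ports from the Listen lines of your config files and compares them with the LISTEN ports in saved numeric netstat output (the "netstat -a -n" form shown in step 1), so you can see whether 24380 and 24343, or whatever you pick, are free before starting. The function names and the sample netstat lines in demo_check are mine.

```shell
#!/bin/sh
# Added example, not part of the original log: check the ports the new Apache
# will Listen on (24380 / 24343 above) against the ports already in LISTEN
# state, using the numeric "netstat -a -n | grep LISTEN" form from step 1.

# Print the port of every active Listen directive in the given config files.
# Handles "Listen 80", "Listen 0.0.0.0:80" and "Listen [::]:443"; commented
# lines are skipped.
listen_ports() {
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\(.*\)$/\1/p' "$@" \
        | sed 's/[[:space:]].*//; s/.*://' | sort -un
}

# Print the local port of every LISTENing TCP socket in netstat output read
# from stdin. Accepts Linux "0.0.0.0:80" / ":::443" and Solaris "*.80" forms.
listening_ports() {
    awk '/LISTEN/ && !/^unix/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /[.:][0-9]+$/) { sub(/.*[.:]/, "", $i); print $i; break }
         }' | sort -un
}

# Usage: port_conflicts <saved netstat output> <httpd.conf> [ssl.conf ...]
# Prints each port that is already taken; returns 0 if none, 1 otherwise.
port_conflicts() {
    ns=$1; shift
    taken=$(listening_ports < "$ns")
    rc=0
    for p in $(listen_ports "$@"); do
        if printf '%s\n' "$taken" | grep -qx "$p"; then
            echo "port $p is already in use"; rc=1
        fi
    done
    return $rc
}

# Demo on constructed data: the two LISTEN lines quoted in step 1 plus sshd,
# and a config snippet given as the argument, e.g. the log's ports (no
# conflict, returns 0) or the default "Listen 80" (conflict, returns 1).
demo_check() {
    d=$(mktemp -d) || return 2
    printf 'tcp  0  0 0.0.0.0:80   0.0.0.0:*  LISTEN\n' >  "$d/netstat.txt"
    printf 'tcp  0  0 0.0.0.0:443  0.0.0.0:*  LISTEN\n' >> "$d/netstat.txt"
    printf 'tcp  0  0 0.0.0.0:22   0.0.0.0:*  LISTEN\n' >> "$d/netstat.txt"
    printf '%s\n' "$1" > "$d/httpd.conf"
    port_conflicts "$d/netstat.txt" "$d/httpd.conf"; rc=$?
    rm -rf "$d"
    return $rc
}
```

On the real machine, save `netstat -a -n | grep LISTEN > /tmp/ns.txt` and run port_conflicts /tmp/ns.txt ${APACHE_HOME}/conf/httpd.conf ${APACHE_HOME}/conf/ssl.conf before apachectl start.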


4) Make a top directory for the Apache 2.0.43 installation. I used
     /usr/local/apache_2.0.43


     mkdir /usr/local/apache_2.0.43

  Then set the APACHE_HOME environment variable

    APACHE_HOME=/usr/local/apache_2.0.43
    export APACHE_HOME

 
  I also made a subdirectory "sources" to keep all needed sources in one
   place:

     mkdir ${APACHE_HOME}/sources
     cd ${APACHE_HOME}/sources

   Put the tar files there:

      mkdir -p ${APACHE_HOME}/sources
      cd ${APACHE_HOME}/sources
      wget http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz
      wget http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz.asc
      wget http://www.apache.org/dist/httpd/KEYS


5) If you are paranoid, check the integrity of the retrieved file with GnuPG.
   If you do not have GnuPG, install it
   (you can find my notes at http://www.ccl.net/cca/software/SUN/gnu-pg/) or
   skip this check and never sleep well again...

   Then check if the tar.gz file is fine:

       cd ${APACHE_HOME}/sources
       gpg --import KEYS
       gpg --verify httpd-2.0.43.tar.gz.asc


   It told me:
     gpg: Good signature from "wrowe@covalent.net"
   which is good. (gpg will also warn that the key is not certified by a
   trusted signature; that is expected unless you have checked the key's
   fingerprint yourself.)


6) Unpack sources to build DSO Apache with mod_ssl and mm:

     cd ${APACHE_HOME}/sources
     gtar zxvf httpd-2.0.43.tar.gz


7) Configure the compilation... It needs to know where your openssl is.
   You have to have openssl installed for the Apache SSL to run.
   Check if you have it at /usr/local/openssl or /usr/local/ssl
   and read my log on openssl at: http://www.ccl.net/cca/software/SUN/openssl


       cd ${APACHE_HOME}/sources/httpd-2.0.43
       ./configure --prefix=${APACHE_HOME} \
             --enable-mods-shared=most \
             --with-ssl=/usr/local/openssl \
             --enable-ssl


7) Building and installing Apache:


       make
       make install



8) Now edit the httpd.conf file for testing... I just changed the following
   lines:

      cd ${APACHE_HOME}/conf
      emacs  httpd.conf         (or whatever your beloved editor is)

   and:

    Listen 80 --> Listen 24380

    Group #-1  --> Group nobody

    ServerAdmin you@your.address --> ServerAdmin jkl@ccl.net
  
    #ServerName new.host.name:80 --> ServerName heechee.ccl.net:24380

   Hopefully port 24380 does not conflict with anything. Then start Apache
   without SSL support as:

      cd ${APACHE_HOME}/bin
      ./apachectl start


9) Point your browser at the http://server:port (in my case:
   http://heechee.ccl.net:24380) and see if your server is running.
   It should. Now kill it:

      cd ${APACHE_HOME}/bin
      ./apachectl stop


10) Now you can make certificates. Actually you cannot, since the
    regular distribution of the Apache 2.0 sources does not contain
    the files which are needed to create test server certificates.
    To be able to create test certificates you need the script
    sign.sh which comes with the mod_ssl distribution for Apache
    1.3.x (you can get the latest mod_ssl distribution for Apache 1.3.x
    from http://www.modssl.org).
    This script is missing from the Apache 2.0.43 distribution.
    I am providing it here as sign.sh. Note that I made a single change in
    this script: I changed the line

         default_days            = 365

    to 

         default_days            = 2002

    just so the certificate will not expire for over 5 years.

    Put the script in the 
    ${APACHE_HOME}/conf directory and make it executable.

    cd ${APACHE_HOME}/conf
    chmod 755 sign.sh


11) Making the Certificate Signing Request (CSR). This is a "pre-certificate"
    which you would need to send to one of the commercial Certificate
    Authorities (CAs, like VeriSign or Thawte), and they would return
    the actual certificate after you pay them a few hundred dollars and
    do lots of paperwork. You really need to do this if you are considering
    secure transactions. The CAs' certificates are built into common browsers.
    The CAs are there to attest to your identity. Without them, we could
    not really tell whether we are giving a MasterCard number to IBM, or to
    someone who merely presents him/herself as IBM. If you just want to try
    HTTPS, I will tell you how to sign the CSR with the phony certificate
    authority you create yourself (with a self-signed certificate). You really
    need to read more about it to know what you are doing... Here is just a
    list of commands which will get you there:

    a) make sure that your PATH and LD_LIBRARY_PATH are set so your
       commands find the openssl binary and libraries:


          PATH=${PATH}:/usr/local/openssl-0.9.6/bin
          export PATH

          LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/openssl-0.9.6/lib
          export LD_LIBRARY_PATH
    

    b) create a private key in RSA format. It will ask you for a password
       (passphrase); make sure you make a note of it.
      

        cd ${APACHE_HOME}/conf
        mkdir ssl.key
        cd ssl.key
        openssl genrsa -des3 -out server.key 1024 


       This will generate a file: server.key in the 
       ${APACHE_HOME}/conf/ssl.key directory.

    c) decrypt the key (i.e., strip the passphrase) and use that copy from
       now on, so Apache can start without prompting for it:

         cd ${APACHE_HOME}/conf/ssl.key
         openssl rsa -in server.key -out server.key.unsecure
         mv server.key server.key.encrypted
         mv server.key.unsecure server.key
         chmod 600 server.key server.key.encrypted


    d) create the Certificate Signing Request (CSR). Please note that you
       have to enter your machine's fully qualified domain name as the
       Common Name.

         cd ${APACHE_HOME}/conf
         mkdir ssl.csr
         cd ssl.csr
         openssl req -new -key ../ssl.key/server.key -out server.csr

       
       My dialog follows (my entries are the text after each colon;
       they were in bold in the original):
------------------------
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Columbus
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, YOUR name) []:heechee.ccl.net
Email Address []:jkl@ccl.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
------------------------

       Note that I did not enter a challenge password or an additional
       company name.
       This dialog created a file: server.csr in the
       ${APACHE_HOME}/conf/ssl.csr directory.

       Normally you would send this file to a Certificate Authority,
       and they would send you back your certificate signed by them.
   
12) Signing the CSR just created. 
    For testing purposes you can pretend that you are a Certificate
    Authority (CA) and sign the certificate yourself with the Certificate
    of your own Certificate Authority (CA).

    a) Create a private key for your "Certificate Authority" (remember to
       make a note of the passphrase)


       cd ${APACHE_HOME}/conf/ssl.key
       openssl genrsa -des3 -out ca.key 1024

    
    b) decrypt ca.key just as you did for server.key

       cd ${APACHE_HOME}/conf/ssl.key
       openssl rsa -in ca.key -out ca.key.unsecure 
       mv ca.key ca.key.encrypted
       mv ca.key.unsecure ca.key
       chmod 600 ca.key ca.key.encrypted


    c) Create a CA Certificate (X509 structure) with the RSA key of the CA

         cd ${APACHE_HOME}/conf
         mkdir ssl.crt
         cd ssl.crt
         openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key -out ca.crt

       My dialog looked like:
------------
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Columbus
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
Organizational Unit Name (eg, section) []:CCL
Common Name (eg, YOUR name) []:CCL-Team 
Email Address []:jkl@ccl.net
------------

       And as a result, the file: ca.crt was created in the 
       ${APACHE_HOME}/conf/ssl.crt directory.

    d) Now you have a phony self-signed Certificate Authority certificate
       and you can use it to sign your Server Certificate Signing Request,
       i.e., the file server.csr. You need the script sign.sh for this. Since
       the script assumes that you have all your certificates and keys in the
       same directory, you need to create a temporary directory and copy
       everything there:

         cd ${APACHE_HOME}/conf
         mkdir temp
         cd temp
         cp ../ssl.crt/*.crt .
         cp ../ssl.csr/*.csr .
         cp ../ssl.key/*.key .
         ../sign.sh server.csr 

       My conversation was as follows:
----------------------------
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Ohio'
localityName          :PRINTABLE:'Columbus'
organizationName      :PRINTABLE:'OSC'
organizationalUnitName:PRINTABLE:'CCL'
commonName            :PRINTABLE:'heechee.ccl.net'
emailAddress          :IA5STRING:'jkl@ccl.net'
Certificate is to be certified until Apr  7 20:50:32 2008 GMT (2002 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
--------------------------

       As a result, the file server.crt was created in the
       ${APACHE_HOME}/conf/temp directory.
       You need to move it where it belongs, i.e., to the ssl.crt directory,
       and delete temp, since it holds copies of your private keys and you
       do not really need it...

       cd ${APACHE_HOME}/conf/temp
       mv server.crt ../ssl.crt
       cd ..
       rm -rf temp
       cd ssl.crt
       chmod 600 *
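If you do not have mod_ssl's sign.sh at hand, the same signing step can be done directly with openssl. The script below is an added example (mine, not the log's sign.sh and not mod_ssl's code): it uses openssl x509 -req with the ca.crt and decrypted ca.key from step 12 instead of the openssl ca command and ca.config that sign.sh wraps, so it keeps no index database (fine for a test CA, not for one you ever need to revoke certificates from). The function names and the ssl.key/ssl.csr/ssl.crt layout under conf are assumed from steps 11 and 12.

```shell
#!/bin/sh
# Added example (not the log's sign.sh, which wraps "openssl ca" with a
# ca.config and index database): sign server.csr with the home-made CA using
# "openssl x509 -req". Assumes the layout from steps 11-12 under the given conf
# directory: ssl.key/ca.key (decrypted), ssl.crt/ca.crt, ssl.csr/server.csr.
# Usage: sign_csr <conf-dir> [days]  -> writes ssl.crt/server.crt and returns
# 0 only if the new certificate verifies against ca.crt.
sign_csr() {
    conf=$1
    days=${2:-2002}                      # the lifetime the log picked
    csr=$conf/ssl.csr/server.csr
    cacrt=$conf/ssl.crt/ca.crt
    cakey=$conf/ssl.key/ca.key
    out=$conf/ssl.crt/server.crt

    # Same first step as sign.sh: refuse a request whose own signature is bad.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1

    # -CAcreateserial keeps ssl.crt/ca.srl so no two certificates issued by
    # this CA share a serial number.
    openssl x509 -req -in "$csr" -CA "$cacrt" -CAkey "$cakey" \
        -CAcreateserial -days "$days" -out "$out" >/dev/null 2>&1 || return 1
    chmod 600 "$out"

    # What sign.sh reports as "CA verifying: server.crt <-> CA cert".
    openssl verify -CAfile "$cacrt" "$out" >/dev/null 2>&1
}

# Print the CommonName of a certificate; it must equal the ServerName you put
# in ssl.conf (heechee.ccl.net in the log) or browsers will complain.
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}
```

Source the file, then run sign_csr ${APACHE_HOME}/conf and compare cert_cn ${APACHE_HOME}/conf/ssl.crt/server.crt with the ServerName in ssl.conf.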



13) Now it is probably prudent to save these files on a diskette
    or CD so when you need to move your Apache server to another
    machine or disk, or to reinstall it, you will not have to
    recreate certificates (people already registered them in their
    browsers, and they would be angry if they had to redo it).


      cd ${APACHE_HOME}/conf
      tar cvf certs.tar ssl.crt ssl.csr ssl.key
      
    and copy the file certs.tar to a safe place (it contains your private
    keys, so keep it somewhere only root can read).

14) Test SSL and the certificates. You need to edit the file ssl.conf now.
    
      cd ${APACHE_HOME}/conf
      emacs ssl.conf


    I made the following changes:

Listen 443 --> Listen 24343

<VirtualHost _default_:443> --> <VirtualHost _default_:24343>

ServerName new.host.name:443 --> ServerName heechee.ccl.net:24343
ServerAdmin jkl@ccl.net

    and then started Apache as:

      cd ${APACHE_HOME}/bin
      ./apachectl startssl


    Then, with my browser, I checked if I can get to:
       https://heechee.ccl.net:24343/
    I could, and then I lived happily ever after...

    My starting config files are available here as:
    httpd.conf and
    ssl.conf


15) Starting Apache on boot-up
    To start Apache automatically at boot-up I slightly modified the
    apachectl script from ${APACHE_HOME}/bin and copied it to /etc/init.d
    as httpd-2. The httpd-2 script was simplified to respond only to the
    start and stop arguments, and to start with SSL by default. I also
    made sure that /etc/init.d/httpd-2 had permission 755. I then
    linked it into the appropriate run level (3):

       cd /etc/init.d
       chmod 755 httpd-2
       cd /etc/rc3.d
       ln -s ../init.d/httpd-2 S55httpd-2
       /etc/init.d/httpd-2 start                # just testing
       /etc/init.d/httpd-2 stop


                 -- THE END --

If you see something wrong here, please let me know, so I can save
other people's time.

Jan    -- jkl@ccl.net