The Apache + SSL HOWTO

Version 1.6.8 (changelog: view source)
Spanish translation maintained by Sergio Artigas
French translation maintained by Jean-Francois Moreau
Revised September 26, 2002 by Matt Raible for Apache 2.0.42.
Original Article at http://tud.at/programm/apache-ssl-win32-howto.php3.

NEW! (January 23, 2005) Chris Thompson has written an updated and simplified Apache+SSL HowTo for Windows.

Overview

This page describes the installation of the Win32 version of Apache with the mod_ssl extension. The newest version should always be available from http://tud.at/programm/apache-ssl-win32-howto.php3. This process has worked for many people on Windows NT, 98, ME, 2000 and XP; please mail me your suggestions and bug reports. You can even install Apache with SSL alongside Microsoft Internet Information Server if you need to.

Note: sometimes there are changes between the precompiled Apache distributions, so that this HOWTO is no longer correct. In this case, if the current version does not work for you, download an older version - one that was published before the modification date of this HOWTO. Or, if you like adventures, try to make it run, and mail me if you needed to change anything.

Apache with mod_ssl seems to be the only free (as in speech, not as in beer) solution for Win32. Please note that Apache on Win32 is considered beta quality, as it does not reach the stability and performance of Apache on Un*x platforms.

1.: Installing Apache

Get the Win32 version of the Apache web server from one of the mirrors. It is called something like . This is a self-extracting archive that contains the Apache base system and sample configuration files. Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on modssl.org, you cannot expect it to work with 2.0.x. Install Apache as described in http://www.apache.org/docs/windows.html.
For Linux, to install Apache 2.0.42 with mod_ssl installed, I performed the following steps: I used http://httpd.apache.org/docs-2.0/install.html as a reference.

If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so from http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so. After downloading, put this file into your directory and rename it . Click here for more information on configuring Apache and Tomcat.

Note: You can skip this step and get a full Apache+SSL distribution from modssl.org, as described below. There will be no fancy installation program, but you won't need to overwrite the stock Apache files. This is the better way if you are experienced and don't fear editing configuration files (which you will need to do anyway).

Change at least the following parameters in : [Replace all occurrences of with the real domain name!]
Install the Apache service (NT only) and start the server. Verify that everything works before proceeding to the SSL installation, because this limits the possible errors. Try http://www.my-server.dom:443/. It won't be encrypted yet, but if this works then the port configuration (port 443) is right.

2.: Getting OpenSSL and mod_ssl

If you want to compile the mod_ssl.so module, you can use the latest sources, available at http://www.modssl.org/contrib/ftp/source/ for Apache 1.3.x and included in the Apache HTTP server sources, accessible as a CVS code repository (see the instructions at http://httpd.apache.org/dev/anoncvs.txt), for Apache 2.0.x. For Windows, the precompiled module is available at http://hunter.campbus.com/ (where you will find Apache 1.3 and 2.0 binaries with the corresponding mod_ssl.so module versions included), while binaries for Linux are included in the major Linux distributions.

The Apache Software Foundation makes a point of not offering compiled binaries for the SSL module, because of the US export regulations for cryptographic software. Don't ask for binaries if they are not available at the locations indicated here. Various ISVs provide free binaries for this module in various projects such as NuSphere Technology Platform, Apache-SSL etc.

OpenSSL is required for getting a certificate to use with your web server. You may download its sources from http://www.openssl.org/source/ and compile it yourself. Compiled binaries are available at http://gnuwin32.sourceforge.net/packages/openssl.htm for Windows and are included in major Linux distributions. OpenSSL for Windows might also be obtained by downloading and installing Cygwin from http://www.cygwin.com.

Put the files and from the Apache/modssl distribution directory into (or into another folder mentioned in the PATH environment variable). This is important! About 70 % of the e-mails I receive are because people forget to do this.
3.: Creating a test certificate

The following instructions are adapted from http://www.apache-ssl.org/#FAQ. Open a shell window (Command Prompt in Windows) and change the current directory to the directory where you have the openssl.exe file (openssl file for Linux).

This creates a certificate signing request ( ) and a private key ( ), using the configuration file that is provided with the binary distribution of OpenSSL or with Cygwin ( ), which makes the OpenSSL application prompt for each detail of the certificate. When asked for , give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name, and browsers complain if the name doesn't match.

If you don't provide a config file, OpenSSL will try to use the file specified by the OPENSSL_CONF environment variable. This variable is usually not defined, and if you follow the instructions from the original tutorial (linked at the top of this page), which does not use the switch, you will get an error about "distinguished name". (Thanks to Olivier Gambier for clearing up this problem, using information from http://www.openssl.org/docs/apps/req.html.)

On a Windows system, files with extensions are treated as special files (of type SpeedDial): Windows Explorer will refuse to display the extension regardless of display settings, and the file will have a strongly modified context menu that might prevent you from editing it and might mislead you into believing you don't have this file. Just look for a SpeedDial-type file displayed simply as .

This removes the passphrase from the private key. You MUST understand what this means; should be readable only by the Apache server and the administrator.

You should delete the file because it contains the entropy information used for creating the key and could be used for cryptographic attacks against your private key.

This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority.
(This is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase if you don't want this.

If you have users with MS Internet Explorer 4.0+ and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:

Create an directory and move and into it. For Linux, create two directories: and . Move into and move into .

4.: Configuring Apache and mod_ssl

Copy the executable files (*.exe, *.dll, *.so) from the downloaded apache-mod_ssl distribution over your original Apache installation directory (remember to stop Apache first, and DO NOT overwrite your edited config files etc.!).

Find the LoadModule directives in your file and add this after the existing ones, according to the file you have found in the distribution: or or in newer versions. (Use this for 2.0.42 on Windows; on Linux, this will be done for you when you compile with .) In newer versions of the distribution for Apache 1.x, it could also be necessary to add after the AddModule lines that are already in the config file.

Copy from the OpenSSL distribution to Apache/conf/. For Windows, you can download from http://www.raibledesigns.com/tomcat/ssl.conf (Right click -> Save Target As...). Make sure to change the and values on lines 93 and 94.

Add the following to the end of :

Don't forget to call Apache with if the directive is active in the config file! In other words, either start Apache from the command line with or comment out the start/end tags in .

NOTE: When using SSL with multiple Virtual Hosts, you must use an IP-based configuration. This is because SSL requires you to configure a specific port (443), whereas name-based virtual hosts apply to all ports (*). You might get the following error if you try to mix name-based virtual hosts with SSL.
You might need to use to change the key HKEY_LOCAL_MACHINE/SOFTWARE/Apache Group/Apache/X.Y.Z to the correct number if the from is not the same version as the previously installed one. (This seems not to be necessary with recent versions.)

Start the server, this time from the command prompt (not as a service), in order to see the error messages that prevent Apache from starting. If everything is OK, (optionally) press CTRL+C to stop the server and start it as a service if you prefer. If it doesn't work, Apache should write meaningful messages to the screen and/or into the error.log and SSL.log files in the Apache/logs directory. If something doesn't work, set all s to the maximum and look into the logfiles. They are very helpful.

DON'T e-mail me or the other contributors without having plain Apache installed (Step 1). We will ignore your request; we are not the Free Apache Helpdesk, and there is enough good documentation on configuring Apache; if that is not enough for you, you shouldn't run a secure server anyway. Also, DON'T e-mail without having looked into the error.log and SSL.log with set to Debug.

Debugging connect problems

Problems connecting to the server with a browser can have many causes, many of them on the client (proxy, DNS, general IE dumbness). So, if you encounter problems connecting with SSL, try another browser and/or look into the settings. If even this doesn't work, you can use OpenSSL to debug the problem.

Common problems

Q: I see the following when starting Apache:

A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on Win9x/ME)? You can verify this by copying into a directory of its own and executing it. If it complains about not being able to find some DLLs, then you haven't copied them into the correct directory. One user told me that he had this problem even when he did everything right. He then found the problem: corrupt openssl DLLs.
So if you get this error despite having done everything correctly, try the openssl DLLs from another version from modssl.org/contrib.

Q: I see the following when starting Apache: or:

A: You didn't add the AddModule line (or not where it belongs; it belongs below the other AddModule lines).

Q: SSL doesn't work in the browser and I see the following in some logfile:

A: How much clearer can an error message get? Your VirtualHost or Listen configuration is wrong.

Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14, which is the local IP of the server.

A: Under the VirtualHost section you add to the httpd.conf, I had to change <VirtualHost www.myhost.com:443> to <VirtualHost _default_:443>. Not sure why this had to be done in my case, but it works.

Questions about Java servlets, OpenSSL compilation etc.

Don't ask us about installing servlet extensions, recompiling mod_ssl or Apache with EAPI, recompiled versions etc. We have no idea and won't be able to help you. We are just users and not programmers. If your needs are so special, you are better off with a Debian GNU/Linux or OpenBSD server. It will save you lots of trouble. Really.

Links

Apache Web Server: http://www.apache.org
mod_ssl: http://www.modssl.org
mod_ssl configuration: http://www.modssl.org/docs/2.4/ssl_reference.html
OpenSSL: http://www.openssl.org
PHP Hypertext Preprocessor: http://www.php.net

Author of this document: Balázs Bárány (http://tud.at) (mail me your questions, but only after having looked into the error logs with . You can mail me in English, German and Hungarian. If I am constantly ignoring your e-mail, read all the hints in the HOWTO about how to e-mail me.)
Contributor: Horst Bräuner (OpenSSL configuration on NT)
Contributor: Christoph Zich (Windows 98)
Contributor: Torsten Stanienda (Test with 1.3.12, IfDefine directive)
Contributor: Peter Holm (Listen and Port directives)
Last change: 2002-05-18
This document can be redistributed under the GNU Free Documentation License. © Balázs Bárány 1999-2002

These instructions were tested by Matt Raible on Windows XP (SP1) and Red Hat Linux 7.3 with Apache 2.0.42.