How to set up SSL with Apache 2 on SuSE 9.1

Installation

On SuSE 9.1, install the software through YaST2: search for apache, install all of the apache2 packages and none of the plain apache ones. If you are not running SuSE, the directory locations below may differ. Be sure to run the online update in YaST2, because there have been many security fixes to both Apache and OpenSSL. If you use PHP, upgrade it to the latest version as well; I have seen several web pages that advise this.

In YaST2 you can configure the non-SSL server under Network Services/HTTP Server. Do not turn on SSL in the default host there, or the non-SSL host (on port 80) will try to load certificates. Also, if the SuSE firewall is turned on, be sure to allow port 443 (or whichever port you choose for SSL) through it.

Starting Apache 2 automatically

As root, run

cd /etc/init.d
insserv apache2

This inserts apache2 into the correct runlevel start and stop links.

Overall guidance

There is a good quick start document in
/usr/share/doc/packages/apache2/README.QUICKSTART.SSL

But it is not quite enough to do the job.

Getting a certificate

If you installed all the apache2 packages, the manual is available on your machine. Go to
http://localhost/manual/ssl/ssl_faq.html#aboutcerts
and either get a "real" certificate from a certificate authority or create your own following the instructions there.

Eric Busse gave the following hints about generating your own certificate:

As opposed to manually creating a cert you can do the following

/usr/bin/gensslcert2 (claims SuSE) however in my experience it’s actually: /usr/bin/gensslcert

Shamelessly lifted from: http://portal.suse.com/sdb/en/2003/01/apache2-faq.html#ssl

If you are not going to be at the console whenever your computer reboots, follow the instructions for using an unencrypted (but protected) server key. Apache reads the key as root at startup and only then drops to the wwwrun user, so nobody but root ever needs to read it: the file must be owned by root with access permissions 400. Anyone who can read that file can impersonate your server.

If you run gensslcert, look at the man page and supply all of the arguments rather than accepting the defaults.

These options are recognized (default in the last column):

-C  common name                      "$name"
-N  comment                          "$comment"
-c  country (two letters, e.g. DE)   $C
-s  state                            $ST
-l  city                             $L
-o  organisation                     "$O"
-u  organisational unit              "$U"
-n  fully qualified domain name      $CN ($FQHOSTNAME)
-e  email address of webmaster       webmaster@$CN
-y  days server cert is valid for    $srvdays
-Y  days CA cert is valid for        $CAdays
-d  run in debug mode
-h  show usage

For example:

/usr/bin/gensslcert -c US -s TN -l "Oak Ridge" -o Your_organization -e your_name@your_isp.com -d -n 192.168.1.10

In particular the -n value is critical: it becomes the certificate's CN, and it must be identical to the

ServerName 192.168.1.10

line in the virtual host file (discussed later) and to whatever clients type into the browser, or every visitor gets a certificate-name warning. A hostname is a better choice than a bare IP address. Note also that browsers now ignore the CN entirely and require the name (or, for an IP, an iPAddress entry) in the subjectAltName extension; check with openssl x509 -text -noout -in server.crt that your certificate carries one before you rely on it.

gensslcert puts the key and certificate in the correct directories. If you get a "real" certificate, install the server key as

/etc/apache2/ssl.key/server.key
and the server certificate as
/etc/apache2/ssl.crt/server.crt

with the same root ownership and 400 permissions on the key.

Configuration

As root, you will need to edit several files.

/etc/sysconfig/apache2:
Add ssl to
APACHE_MODULES="access actions alias auth auth_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif status suexec userdir ssl"

Add the server flag SSL to turn on the SSL module configuration file (/etc/apache2/ssl.conf):
APACHE_SERVER_FLAGS="-D SSL"

Increase the startup timeout so there is time to type the key passphrase if you kept the key encrypted:
APACHE_START_TIMEOUT="5"

In /etc/apache2/vhosts.d,

cp vhost-ssl.template vhost-ssl.conf

You can also copy the vhost.template file to vhost.conf if you want a non-ssl server.

Then edit vhost-ssl.conf.

/etc/apache2/vhosts.d/vhost-ssl.conf:

You must configure the virtual host for the SSL server. You can put all the access control directives and the document root here.

##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
#  General setup for the virtual host
DocumentRoot "/srv/www/secdocs"
# The ServerName must be identical to the -n field (CN) in your certificate
ServerName 192.168.1.10
ServerAdmin your@email.address
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

# These three lines are already in the template; leave them in.
# They point at the files gensslcert (or your CA's certificate) installed.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

# Access controls for a directory called noCTRP
<Directory /srv/www/secdocs/noCTRP>
AuthType Basic
AuthName "Password Required"
# The password file for this directory. It lives outside DocumentRoot
# so the server can never hand it out.
AuthUserFile /srv/www/passwords/password.noCTRP
require user security
Options Indexes FollowSymLinks
</Directory>
</VirtualHost>

There is another problem that several other frustrated people have run across. In spite of putting

APACHE_SERVER_FLAGS="-D SSL"

in /etc/sysconfig/apache2, the system seems to ignore the flag. You can check whether this is the case on your system.

As root run SuSEconfig, then ask httpd2 to dump its virtual host configuration:

JARDELL:~ # SuSEconfig
JARDELL:/etc/apache2 # httpd2 -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 192.168.1.10 (/etc/apache2/vhosts.d/vhost-ssl.conf:27)
*:80 192.168.1.10 (/etc/apache2/vhosts.d/vhost.conf:1)
Syntax OK

If you do not see the host from vhost-ssl.conf listed, something is rotten in Denmark. Before touching the template, check the test itself: httpd2 -S run by hand receives none of the flags from /etc/sysconfig/apache2, so the <IfDefine SSL> block in vhost-ssl.conf is skipped in that test even when rcapache2 passes -D SSL correctly. Run

httpd2 -D SSL -S

instead; if the :443 host appears now, the flag is fine and the rest of this paragraph does not apply. If it still does not appear, the workaround I was forced to use was to modify the start of the vhost-ssl.conf file as follows:

#<IfDefine SSL>
# <IfDefine !NOSSL>
Listen 443

and of course comment out the corresponding </IfDefine> lines at the end of the file. With the guards removed, Listen 443 and the SSL host are unconditional, so you can no longer switch SSL off simply by dropping -D SSL from the sysconfig file.

Starting your server

As root run

rcapache2 start

The same script takes stop and restart as well. Your server should now be listening on port 443 on your host.

Be sure to place an index.html file in the main document directory, in my case /srv/www/secdocs.
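A post-install check, added here as an example and not part of the original article or of SuSE's tools, that verifies the three things this page says must hold once rcapache2 is up: the key is mode 400 and owned by root, the certificate CN equals the ServerName in vhost-ssl.conf, and port 443 actually completes a TLS handshake. The default paths are the SuSE 9.1 locations above; the KEY, CRT and VHOST variables, the script name and every function in it are this example's own, and the sample vhost and subject lines used to exercise it are constructed.

```shell
#!/bin/sh
# sslcheck.sh: added example, not from the original article or from SuSE.
# Verifies the conditions the article insists on after "rcapache2 start":
#   1. the server key is mode 0400 and owned by root
#   2. the certificate CN equals the ServerName in vhost-ssl.conf
#   3. port 443 answers a TLS handshake
# Paths default to the SuSE 9.1 locations used in the article; override with
# KEY=... CRT=... VHOST=... in the environment.  Run as: sh sslcheck.sh --run

KEY=${KEY:-/etc/apache2/ssl.key/server.key}
CRT=${CRT:-/etc/apache2/ssl.crt/server.crt}
VHOST=${VHOST:-/etc/apache2/vhosts.d/vhost-ssl.conf}

# key_mode_ok FILE [OWNER]: true if FILE is -r-------- and owned by OWNER
# (default root).  Apache reads the key as root before dropping to wwwrun,
# so nobody else ever needs to read it.  ls -ld output is parsed because
# the stat(1) flags differ between GNU and BSD userlands.
key_mode_ok() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    perms=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    [ "$perms" = "-r--------" ] && [ "$owner" = "${2:-root}" ]
}

# server_name_of FILE: the first uncommented ServerName in a vhost file
# (directive names are case-insensitive in Apache, so compare lowercased).
server_name_of() {
    awk 'tolower($1) == "servername" { print $2; exit }' "$1"
}

# cn_of_subject LINE: the CN from an "openssl x509 -noout -subject" line.
# Accepts both the old "subject= /C=US/.../CN=host/..." layout (OpenSSL 0.9.x
# as shipped with SuSE 9.1) and the newer "subject=C = US, ..., CN = host, ..."
cn_of_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# cn_matches_servername VHOSTFILE SUBJECTLINE: true if they name the same host
cn_matches_servername() {
    name=$(server_name_of "$1")
    [ -n "$name" ] && [ "$name" = "$(cn_of_subject "$2")" ]
}

# tls_answers HOST: true if HOST:443 completes a TLS handshake
tls_answers() {
    echo | openssl s_client -connect "$1:443" >/dev/null 2>&1
}

main() {
    rc=0
    if key_mode_ok "$KEY"; then
        echo "ok:   $KEY is mode 400, owner root"
    else
        echo "FAIL: $KEY must be chmod 400 and owned by root"; rc=1
    fi
    subject=$(openssl x509 -in "$CRT" -noout -subject 2>/dev/null) || {
        echo "FAIL: cannot read certificate $CRT"; return 1; }
    if cn_matches_servername "$VHOST" "$subject"; then
        echo "ok:   certificate CN matches ServerName"
    else
        echo "FAIL: CN '$(cn_of_subject "$subject")' != ServerName '$(server_name_of "$VHOST")'"; rc=1
    fi
    if tls_answers "$(server_name_of "$VHOST")"; then
        echo "ok:   port 443 answers TLS"
    else
        echo "FAIL: no TLS handshake on port 443 (was apache2 started with -D SSL?)"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The CN comparison uses the ServerName from the vhost file rather than a value you retype, so it catches exactly the mismatch the article warns about: a certificate made with one -n value and a vhost edited with another.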

If you have comments or suggestions, e-mail me at jar@ornl.gov
 
 
Visitors since 19 June 2003: