In the previous post, we learned How to run apache httpd in cygwin.
In this article, we will configure httpd for SSL support, following the Apache httpd instructions in the CentOS Deployment Guide:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html
To support SSL you need to install one extra package, httpd-mod_ssl, in addition to the httpd package you installed last time.
- re-run setup.exe and make sure the following packages are installed:
under category NET: openssl
under category WEB: httpd, httpd-mod_ssl
- stop your httpd if it is running
$ whereis apachectl
apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz
demoAdmin@deomPC ~
$ /usr/sbin/apachectl graceful-stop
demoAdmin@deomPC ~
demoAdmin@deomPC ~
- back up your httpd.conf file.
demoAdmin@deomPC ~
$ find / -name httpd.conf
/etc/defaults/etc/httpd/conf/httpd.conf
/etc/defaults/etc/httpd/conf/original/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/original/httpd.conf
demoAdmin@deomPC ~
$ cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup
- modify httpd.conf, uncommenting the LoadModule and Include lines as follows:
demoAdmin@deomPC ~
$ vi /etc/httpd/conf/httpd.conf
demoAdmin@deomPC ~
$ diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup
89c89
< LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
---
> #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
145c145
< LoadModule ssl_module modules/mod_ssl.so
---
> #LoadModule ssl_module modules/mod_ssl.so
521c521
< Include conf/extra/httpd-ssl.conf
---
> #Include conf/extra/httpd-ssl.conf
- start httpd. What happened?
demoAdmin@deomPC ~
$ whereis apachectl
apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz
demoAdmin@deomPC ~
$ /usr/sbin/apachectl start
AH00526: Syntax error on line 144 of /etc/httpd/conf/extra/httpd-ssl.conf:
SSLCertificateFile: file '/etc/httpd/conf/server.crt' does not exist or is empty
/usr/sbin/apachectl: line 79: 9176 Segmentation fault (core dumped) $HTTPD -k $ARGV
demoAdmin@deomPC ~
$ whereis apachectl
apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz
demoAdmin@deomPC ~
$ /usr/sbin/apachectl start
AH00526: Syntax error on line 144 of /etc/httpd/conf/extra/httpd-ssl.conf:
SSLCertificateFile: file '/etc/httpd/conf/server.crt' does not exist or is empty
/usr/sbin/apachectl: line 79: 7136 Segmentation fault (core dumped) $HTTPD -k $ARGV
demoAdmin@deomPC ~
- Let's examine the configuration file. It points at a server.key and server.crt pair that you still need to create:
$ vi /etc/httpd/conf/extra/httpd-ssl.conf
demoAdmin@deomPC ~
$ grep 'Listen\|server.key\|server.crt' /etc/httpd/conf/extra/httpd-ssl.conf
Listen 443
SSLCertificateFile "/etc/httpd/conf/server.crt"
SSLCertificateKeyFile "/etc/httpd/conf/server.key"
demoAdmin@deomPC ~
$ ls /etc/httpd/conf
extra httpd.conf httpd.conf.backup magic mime.types original
demoAdmin@deomPC ~
- Let's create a private key.
$ openssl genrsa -aes128 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.....................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
demoAdmin@deomPC ~
- Let's generate a self-signed certificate.
$ openssl req -new -x509 -key server.key -out server.crt
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xyznetwork
Organizational Unit Name (eg, section) []:unix network
Common Name (e.g. server FQDN or YOUR name) []:xyznetwork.blogspot.com
Email Address []:xyznetwork@gmail.com
- Let's double-check that the certificate was generated correctly.
demoAdmin@deomPC ~
$ openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
96:99:cb:91:cc:52:fd:b4
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=NY, L=NYC, O=xyznetwork, OU=unix network, CN=xyznetwork.blogspot.com/emailAddress=xyznetwork@gmail.com
Validity
Not Before: Aug 18 03:20:05 2017 GMT
Not After : Sep 17 03:20:05 2017 GMT
Subject: C=US, ST=NY, L=NYC, O=xyznetwork, OU=unix network, CN=xyznetwork.blogspot.com/emailAddress=xyznetwork@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:76:eb:62:68:ec:5e:55:0e:f5:77:b3:f6:7c:
25:55:ff:5b:18:0b:bf:86:f9:2d:63:a2:99:74:d1:
7e:37:a1:76:7e:89:12:f8:ad:2c:9a:3c:c4:1c:d2:
8e:44:b4:ab:bf:96:a1:aa:24:00:57:de:75:0a:8e:
69:ac:d3:a4:6f:15:df:74:f3:a9:2b:81:92:2b:53:
7a:ed:8e:e8:74:e2:e3:22:0b:8c:43:c3:67:1d:0e:
a2:b9:71:63:b2:66:5e:f2:d1:88:90:30:97:36:06:
04:ef:c3:15:30:a0:64:8a:ea:15:8d:bb:f2:e1:8d:
28:c7:3b:fa:d5:2c:0a:95:1d:f5:b7:c8:b1:18:3c:
c5:02:05:9b:fe:c2:cf:9a:7f:f6:bf:bc:9d:e2:3a:
b9:30:b4:46:65:79:c5:a6:42:0a:99:63:bc:70:b2:
99:33:64:7d:8a:e6:ce:58:06:d1:44:59:98:f2:11:
5c:fe:42:dc:a8:91:e9:c0:b2:55:9b:50:0d:5e:06:
c0:28:93:26:2d:98:58:65:ed:d1:cb:80:c9:b3:cd:
df:36:b0:70:10:e8:a8:d8:36:98:6d:7c:b1:3b:2e:
cb:b7:a1:89:6e:fc:cb:c1:fa:43:eb:a5:df:78:c9:
80:8a:64:9a:27:ce:d2:7d:f0:ca:0f:27:85:4b:d1:
34:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D7:82:CB:38:F5:09:5F:8C:BE:7D:44:E4:16:41:1F:93:E6:0E:F2:81
X509v3 Authority Key Identifier:
keyid:D7:82:CB:38:F5:09:5F:8C:BE:7D:44:E4:16:41:1F:93:E6:0E:F2:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
2e:9f:5f:a8:7f:28:ef:fd:80:9e:fc:74:06:be:f1:11:2f:6a:
a1:66:3f:1e:36:0f:40:00:b4:f5:7b:6f:60:fd:d7:e4:48:c5:
2d:e3:41:2d:f0:f6:7f:61:33:69:78:75:c2:6b:51:14:8f:ca:
d2:db:32:ef:1f:e2:53:8a:2c:8c:40:d0:6a:04:a1:15:c4:31:
61:79:15:36:d0:6e:8e:01:40:3b:98:a5:86:66:7c:26:2d:2d:
a2:cf:d8:c7:fa:f3:df:5a:a9:53:a3:12:77:f4:6c:fe:23:55:
6b:e6:8e:8d:b7:63:8a:bb:79:48:a5:09:5f:dc:89:c5:86:14:
43:e1:a7:e5:11:13:7f:d8:8f:73:b0:56:02:91:08:6b:8b:79:
9d:fa:0c:67:39:f0:a8:ea:d6:b8:26:59:3b:cf:62:2e:f5:6c:
76:e7:8f:ff:18:2e:a1:9a:ab:27:c6:ba:1a:46:c4:b6:fe:07:
de:a6:53:9e:71:4f:f9:7b:32:21:bd:f1:de:06:24:e3:44:19:
6b:f9:d2:32:38:85:74:56:59:7c:d5:39:e5:a0:4b:f2:cb:e9:
7d:29:27:9e:4f:ab:af:5e:6a:ac:65:78:8c:ff:c4:3c:d1:82:
8e:73:21:a0:80:ba:f9:a2:57:ba:a7:55:ec:bc:de:6d:4e:0e:
57:23:cd:13
demoAdmin@deomPC ~
- Let's copy server.key and server.crt to the location httpd expects.
$ cp server.key server.crt /etc/httpd/conf/
demoAdmin@deomPC ~
$ ls /etc/httpd/conf
extra httpd.conf httpd.conf.backup magic mime.types original server.crt server.key
demoAdmin@deomPC ~
- start the service. No, not at the last step... crap, I got a bad Cygwin version, with unlucky compatibility issues. I could try running setup.exe as admin, or installing different versions of openssl, httpd-mod_ssl, httpd etc. from different download images. Not fun. It is easier to install a native Apache httpd on Windows than to examine the core dump and trial-and-error cook with Cygwin here...
$ whereis apachectl
apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz
demoAdmin@deomPC ~
$ /usr/sbin/apachectl start
[Thu Aug 17 23:26:28.742380 2017] [core:emerg] [pid 4816] (88)Function not implemented: AH00023: Couldn't create the mpm-accept mutex
(88)Function not implemented: could not create accept mutex
AH00015: Unable to open logs
/usr/sbin/apachectl: line 79: 4816 Segmentation fault (core dumped) $HTTPD -k $ARGV
demoAdmin@deomPC ~
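The session above failed twice on configuration problems before it ever reached the Cygwin-specific crash: first because the LoadModule/Include lines had to be uncommented, then because httpd-ssl.conf pointed at a server.crt/server.key pair that did not exist yet (AH00526). The script below is an added example, not code from the original post: a pre-flight check you can run before apachectl start that verifies those same things, and that warns when the key is passphrase-protected (which a key made with genrsa -aes128 is, so httpd will prompt for the passphrase at every start unless SSLPassPhraseDialog is set). Paths and directive names are the ones shown in the post; the fixture directory, its config files and the placeholder key/cert contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# mod_ssl setup described above. It verifies the three uncommented lines in
# httpd.conf and that SSLCertificateFile / SSLCertificateKeyFile in
# httpd-ssl.conf name existing, non-empty files (httpd's own AH00526 check).
# The fixture built by make_fixture is constructed for demonstration.

# Succeed if $2 (an extended regex) matches an uncommented line of $1.
check_active_line() {
    conf=$1; pattern=$2
    if grep -Eq "^[[:space:]]*$pattern" "$conf"; then
        return 0
    fi
    echo "missing or commented out in $conf: $pattern"
    return 1
}

# Succeed if directive $2 in $1 names a file that exists and is non-empty.
# The last uncommented occurrence wins, as in httpd. Relative paths (which
# httpd resolves against ServerRoot) are treated as-is here for simplicity.
check_pem_file() {
    conf=$1; directive=$2
    path=$(grep -E "^[[:space:]]*$directive[[:space:]]" "$conf" \
           | tail -n 1 | awk '{print $2}' | tr -d '"')
    if [ -z "$path" ]; then
        echo "$directive: not set in $conf"
        return 1
    fi
    if [ ! -s "$path" ]; then
        echo "$directive: file '$path' does not exist or is empty"
        return 1
    fi
    # A key written by "genrsa -aes128" carries an ENCRYPTED marker; httpd will
    # ask for the passphrase on every start unless SSLPassPhraseDialog is set.
    if [ "$directive" = SSLCertificateKeyFile ] && grep -q 'ENCRYPTED' "$path"; then
        echo "note: $path is passphrase-protected; httpd will prompt at start"
    fi
    return 0
}

# Run every check; return non-zero if any failed.
# $1 = path to httpd.conf, $2 = path to httpd-ssl.conf
ssl_preflight() {
    httpd_conf=$1; ssl_conf=$2; rc=0
    check_active_line "$httpd_conf" 'LoadModule[[:space:]]+socache_shmcb_module' || rc=1
    check_active_line "$httpd_conf" 'LoadModule[[:space:]]+ssl_module' || rc=1
    check_active_line "$httpd_conf" 'Include[[:space:]]+conf/extra/httpd-ssl\.conf' || rc=1
    check_pem_file "$ssl_conf" SSLCertificateFile || rc=1
    check_pem_file "$ssl_conf" SSLCertificateKeyFile || rc=1
    return $rc
}

# Build a constructed config tree under $1 mirroring the post's state: modules
# enabled and httpd-ssl.conf pointing at server.crt/server.key in that dir.
# With $2 = 1, also drop in constructed placeholder (non-empty) key/cert files.
make_fixture() {
    dir=$1; with_pem=$2
    mkdir -p "$dir/extra"
    printf '%s\n' \
        'LoadModule socache_shmcb_module modules/mod_socache_shmcb.so' \
        'LoadModule ssl_module modules/mod_ssl.so' \
        'Include conf/extra/httpd-ssl.conf' > "$dir/httpd.conf"
    printf '%s\n' 'Listen 443' \
        "SSLCertificateFile \"$dir/server.crt\"" \
        "SSLCertificateKeyFile \"$dir/server.key\"" > "$dir/extra/httpd-ssl.conf"
    if [ "$with_pem" = 1 ]; then
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder' \
            '-----END CERTIFICATE-----' > "$dir/server.crt"
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
            'constructed placeholder' '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    fi
}

# Stand-alone demo: first without key/cert (fails as in the post), then with them.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir" 0
ssl_preflight "$demo_dir/httpd.conf" "$demo_dir/extra/httpd-ssl.conf" \
    && echo "preflight: OK" || echo "preflight: FAILED (expected: no key/cert yet)"
make_fixture "$demo_dir" 1
ssl_preflight "$demo_dir/httpd.conf" "$demo_dir/extra/httpd-ssl.conf" \
    && echo "preflight: OK" || echo "preflight: FAILED"
rm -rf "$demo_dir"
```

Against a real installation, call ssl_preflight /etc/httpd/conf/httpd.conf /etc/httpd/conf/extra/httpd-ssl.conf and only run apachectl start once it returns 0. The check cannot catch the final failure on the page: "(88)Function not implemented" when creating the mpm-accept mutex comes from the APR locking layer under Cygwin at run time, after the configuration has already parsed. In httpd 2.4 the locking mechanism for that mutex is chosen by the Mutex directive, which is the setting to look at if one wants to keep trying with the Cygwin build.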