How to configure apache httpd with ssl support (not working)

In the previous post, we learned how to run Apache httpd in Cygwin.
In this article, we will configure httpd for SSL support, following the Apache secure-server instructions in the CentOS Deployment Guide:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html

To support SSL, you need to install one extra package, httpd-mod_ssl, besides the httpd package you already installed last time.


  • re-run setup.exe and make sure the following packages are installed:

under category NET: openssl
under category WEB: httpd, httpd-mod_ssl

  • stop your httpd if it is running

$ whereis apachectl

apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz

demoAdmin@deomPC ~


$ /usr/sbin/apachectl graceful-stop

demoAdmin@deomPC ~
  • back up your httpd.conf file.

demoAdmin@deomPC ~
$ find / -name httpd.conf
/etc/defaults/etc/httpd/conf/httpd.conf
/etc/defaults/etc/httpd/conf/original/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/original/httpd.conf

demoAdmin@deomPC ~
$ cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup

  • modify httpd.conf, un-commenting the LoadModule and Include lines as follows:
demoAdmin@deomPC ~
$ vi /etc/httpd/conf/httpd.conf

demoAdmin@deomPC ~
$ diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup
89c89
< LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
---
> #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
145c145
< LoadModule ssl_module modules/mod_ssl.so
---
> #LoadModule ssl_module modules/mod_ssl.so
521c521
< Include conf/extra/httpd-ssl.conf
---
> #Include conf/extra/httpd-ssl.conf

demoAdmin@deomPC ~
$ whereis apachectl
apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz

demoAdmin@deomPC ~
$ /usr/sbin/apachectl start
AH00526: Syntax error on line 144 of /etc/httpd/conf/extra/httpd-ssl.conf:
SSLCertificateFile: file '/etc/httpd/conf/server.crt' does not exist or is empty
/usr/sbin/apachectl: line 79:  9176 Segmentation fault      (core dumped) $HTTPD -k $ARGV

  • start httpd. What happened?
$ whereis apachectl
apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz

demoAdmin@deomPC ~
$ /usr/sbin/apachectl start
AH00526: Syntax error on line 144 of /etc/httpd/conf/extra/httpd-ssl.conf:
SSLCertificateFile: file '/etc/httpd/conf/server.crt' does not exist or is empty
/usr/sbin/apachectl: line 79:  7136 Segmentation fault      (core dumped) $HTTPD -k $ARGV

demoAdmin@deomPC ~

  • Let's examine the configuration file. It references a server.key and server.crt pair that you need to create.
$ vi /etc/httpd/conf/extra/httpd-ssl.conf

demoAdmin@deomPC ~
$ grep 'Listen\|server.key\|server.crt' /etc/httpd/conf/extra/httpd-ssl.conf
Listen 443
SSLCertificateFile "/etc/httpd/conf/server.crt"
SSLCertificateKeyFile "/etc/httpd/conf/server.key"

demoAdmin@deomPC ~
$ ls /etc/httpd/conf
extra  httpd.conf  httpd.conf.backup  magic  mime.types  original

demoAdmin@deomPC ~
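Before starting httpd again, it is worth reproducing its own checks from the shell, since `apachectl start` on the page segfaults after printing the error. The script below is an added example written for this post, not part of the original post or of the Apache project: it confirms the three un-commented directives are active, resolves the SSLCertificateFile and SSLCertificateKeyFile paths from httpd-ssl.conf and applies the same condition httpd reports as AH00526 ("does not exist or is empty"), and additionally refuses a private key that is readable by group or others. The function name, its argument order and the constructed sample files in the demo are assumptions of this example. Apache's own non-destructive check is `apachectl configtest`, which runs the full syntax pass without starting the server.

```shell
#!/bin/sh
# ssl_preflight HTTPD_CONF SSL_CONF SERVER_ROOT
#   Re-create the checks httpd makes at startup for an SSL setup.
#   Prints one line per problem; returns 0 when everything passes, 1 otherwise.
ssl_preflight() {
    httpd_conf=$1; ssl_conf=$2; server_root=$3; problems=0

    # 1. The three lines the post un-comments must be active (no leading '#').
    for needle in 'LoadModule[[:space:]][[:space:]]*socache_shmcb_module' \
                  'LoadModule[[:space:]][[:space:]]*ssl_module' \
                  'Include[[:space:]][[:space:]]*conf/extra/httpd-ssl.conf'; do
        if ! grep -q "^[[:space:]]*$needle" "$httpd_conf"; then
            echo "$httpd_conf: directive still commented out or missing: $needle"
            problems=$((problems + 1))
        fi
    done

    # 2. Resolve the certificate and key paths from httpd-ssl.conf (quotes
    #    stripped; a relative path is taken relative to ServerRoot, as httpd does).
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(awk -v d="$directive" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$ssl_conf")
        if [ -z "$path" ]; then
            echo "$ssl_conf: $directive is not set"
            problems=$((problems + 1))
            continue
        fi
        case $path in /*) ;; *) path="$server_root/$path" ;; esac
        # Same condition httpd reports as AH00526.
        if [ ! -s "$path" ]; then
            echo "$directive: file '$path' does not exist or is empty"
            problems=$((problems + 1))
        elif [ "$directive" = SSLCertificateKeyFile ]; then
            # 3. The private key must not be readable by group or others:
            #    columns 5-10 of "ls -l" are the group and other permission bits.
            mode=$(ls -l "$path" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "$directive: '$path' is readable beyond its owner (group/other bits: $mode)"
                problems=$((problems + 1))
            fi
        fi
    done

    [ "$problems" -eq 0 ]
}

# Demo on constructed files in a temp directory (not the real /etc/httpd tree):
# the directives are active but the key and certificate are missing, which is
# exactly the state the post is in at this point.
demo=$(mktemp -d)
printf '%s\n' 'LoadModule socache_shmcb_module modules/mod_socache_shmcb.so' \
              'LoadModule ssl_module modules/mod_ssl.so' \
              'Include conf/extra/httpd-ssl.conf' > "$demo/httpd.conf"
printf '%s\n' 'Listen 443' "SSLCertificateFile \"$demo/server.crt\"" \
              "SSLCertificateKeyFile \"$demo/server.key\"" > "$demo/httpd-ssl.conf"
ssl_preflight "$demo/httpd.conf" "$demo/httpd-ssl.conf" "$demo" || echo "preflight failed (expected in the demo)"
```

On the real tree the call is `ssl_preflight /etc/httpd/conf/httpd.conf /etc/httpd/conf/extra/httpd-ssl.conf /etc/httpd`; run it, then `apachectl configtest`, and only then `apachectl start`.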

  • Let's create a private key.
$ openssl genrsa -aes128 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.....................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

demoAdmin@deomPC ~

  • Let's generate a self-signed certificate.
$ openssl req -new -x509 -key server.key -out server.crt
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xyznetwork
Organizational Unit Name (eg, section) []:unix network
Common Name (e.g. server FQDN or YOUR name) []:xyznetwork.blogspot.com
Email Address []:xyznetwork@gmail.com
  • Let's double-check that the certificate was generated correctly.
demoAdmin@deomPC ~
$ openssl x509 -in server.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            96:99:cb:91:cc:52:fd:b4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NY, L=NYC, O=xyznetwork, OU=unix network, CN=xyznetwork.blogspot.com/emailAddress=xyznetwork@gmail.com
        Validity
            Not Before: Aug 18 03:20:05 2017 GMT
            Not After : Sep 17 03:20:05 2017 GMT
        Subject: C=US, ST=NY, L=NYC, O=xyznetwork, OU=unix network, CN=xyznetwork.blogspot.com/emailAddress=xyznetwork@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:76:eb:62:68:ec:5e:55:0e:f5:77:b3:f6:7c:
                    25:55:ff:5b:18:0b:bf:86:f9:2d:63:a2:99:74:d1:
                    7e:37:a1:76:7e:89:12:f8:ad:2c:9a:3c:c4:1c:d2:
                    8e:44:b4:ab:bf:96:a1:aa:24:00:57:de:75:0a:8e:
                    69:ac:d3:a4:6f:15:df:74:f3:a9:2b:81:92:2b:53:
                    7a:ed:8e:e8:74:e2:e3:22:0b:8c:43:c3:67:1d:0e:
                    a2:b9:71:63:b2:66:5e:f2:d1:88:90:30:97:36:06:
                    04:ef:c3:15:30:a0:64:8a:ea:15:8d:bb:f2:e1:8d:
                    28:c7:3b:fa:d5:2c:0a:95:1d:f5:b7:c8:b1:18:3c:
                    c5:02:05:9b:fe:c2:cf:9a:7f:f6:bf:bc:9d:e2:3a:
                    b9:30:b4:46:65:79:c5:a6:42:0a:99:63:bc:70:b2:
                    99:33:64:7d:8a:e6:ce:58:06:d1:44:59:98:f2:11:
                    5c:fe:42:dc:a8:91:e9:c0:b2:55:9b:50:0d:5e:06:
                    c0:28:93:26:2d:98:58:65:ed:d1:cb:80:c9:b3:cd:
                    df:36:b0:70:10:e8:a8:d8:36:98:6d:7c:b1:3b:2e:
                    cb:b7:a1:89:6e:fc:cb:c1:fa:43:eb:a5:df:78:c9:
                    80:8a:64:9a:27:ce:d2:7d:f0:ca:0f:27:85:4b:d1:
                    34:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D7:82:CB:38:F5:09:5F:8C:BE:7D:44:E4:16:41:1F:93:E6:0E:F2:81
            X509v3 Authority Key Identifier:
                keyid:D7:82:CB:38:F5:09:5F:8C:BE:7D:44:E4:16:41:1F:93:E6:0E:F2:81

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         2e:9f:5f:a8:7f:28:ef:fd:80:9e:fc:74:06:be:f1:11:2f:6a:
         a1:66:3f:1e:36:0f:40:00:b4:f5:7b:6f:60:fd:d7:e4:48:c5:
         2d:e3:41:2d:f0:f6:7f:61:33:69:78:75:c2:6b:51:14:8f:ca:
         d2:db:32:ef:1f:e2:53:8a:2c:8c:40:d0:6a:04:a1:15:c4:31:
         61:79:15:36:d0:6e:8e:01:40:3b:98:a5:86:66:7c:26:2d:2d:
         a2:cf:d8:c7:fa:f3:df:5a:a9:53:a3:12:77:f4:6c:fe:23:55:
         6b:e6:8e:8d:b7:63:8a:bb:79:48:a5:09:5f:dc:89:c5:86:14:
         43:e1:a7:e5:11:13:7f:d8:8f:73:b0:56:02:91:08:6b:8b:79:
         9d:fa:0c:67:39:f0:a8:ea:d6:b8:26:59:3b:cf:62:2e:f5:6c:
         76:e7:8f:ff:18:2e:a1:9a:ab:27:c6:ba:1a:46:c4:b6:fe:07:
         de:a6:53:9e:71:4f:f9:7b:32:21:bd:f1:de:06:24:e3:44:19:
         6b:f9:d2:32:38:85:74:56:59:7c:d5:39:e5:a0:4b:f2:cb:e9:
         7d:29:27:9e:4f:ab:af:5e:6a:ac:65:78:8c:ff:c4:3c:d1:82:
         8e:73:21:a0:80:ba:f9:a2:57:ba:a7:55:ec:bc:de:6d:4e:0e:
         57:23:cd:13

demoAdmin@deomPC ~
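The key generation, certificate generation and double-check steps above, as one non-interactive script. This is an added example written for this post, not the post's own commands or OpenSSL project code; `make_selfsigned`, `verify_pair`, and the output directory and hostname arguments are its own assumptions. It departs from the post's commands in three ways a practitioner would want: the key is written without a pass phrase (the post's `-aes128` key makes httpd prompt for the phrase at every start unless SSLPassPhraseDialog is configured), so file permissions are what protect it; `-days` is given explicitly, because the post's certificate only received the 30-day default (Not Before Aug 18, Not After Sep 17); and the hostname is placed in a subjectAltName, which current clients check instead of the CN. `-addext` requires OpenSSL 1.1.1 or newer. Note also that the post's certificate carries Basic Constraints CA:TRUE, the `openssl req -x509` default; that is harmless on a test host, but a reason not to import such a certificate into any trust store beyond that host.

```shell
#!/bin/sh
# make_selfsigned OUT_DIR HOSTNAME DAYS
#   Generate server.key (RSA 2048, no pass phrase) and server.crt (self-signed,
#   DAYS of validity, SAN = HOSTNAME) in OUT_DIR, then verify the pair.
#   Returns 0 on success, 1 on failure, 2 if openssl is not installed.
make_selfsigned() {
    out=$1; host=$2; days=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    mkdir -p "$out" || return 1
    # Key without a pass phrase, created owner-only (umask in a subshell so the
    # caller's umask is untouched). Permissions are the key's only protection.
    ( umask 077 && openssl genrsa -out "$out/server.key" 2048 2>/dev/null ) || return 1
    # -days: explicit lifetime (the post's cert got the 30-day default).
    # -subj: non-interactive DN using the post's values.
    # -addext: SAN for the hostname clients will connect to (OpenSSL >= 1.1.1).
    openssl req -new -x509 -key "$out/server.key" -out "$out/server.crt" \
        -days "$days" -subj "/C=US/ST=NY/L=NYC/O=xyznetwork/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    chmod 644 "$out/server.crt"   # the certificate is public; the key stays 0600
    verify_pair "$out/server.key" "$out/server.crt" "$host"
}

# verify_pair KEY CRT HOSTNAME
#   The checks worth running before copying the files under /etc/httpd/conf.
verify_pair() {
    key=$1; crt=$2; host=$3
    # 1. The public key inside the certificate must be derived from this private key.
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crtpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$keypub" ] && [ "$keypub" = "$crtpub" ] ||
        { echo "key/cert mismatch: $key does not match $crt"; return 1; }
    # 2. Not expired, and not expiring within the next 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "certificate has expired or expires within a day"; return 1; }
    # 3. The hostname must appear as a DNS subjectAltName.
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$host" ||
        { echo "subjectAltName does not contain $host"; return 1; }
    echo "ok: $crt matches $key and is valid for $host"
}

# Demo in a constructed temp directory (not a real deployment path).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" xyznetwork.blogspot.com 365 || echo "demo failed with status $?"
echo "files written to $demo_dir"
```

Run as `make_selfsigned /tmp/certs xyznetwork.blogspot.com 365`, then copy the pair into /etc/httpd/conf as in the next step; `verify_pair` can be re-run on the copied files to catch a truncated copy before httpd does.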

  • Let's copy server.key and server.crt to the location httpd expects.
$ cp server.key server.crt /etc/httpd/conf/

demoAdmin@deomPC ~
$ ls /etc/httpd/conf
extra  httpd.conf  httpd.conf.backup  magic  mime.types  original  server.crt  server.key

demoAdmin@deomPC ~

  • start the service. No, not at the last step... Crap, I got a bad Cygwin version, with unlucky compatibility issues. I could try to run setup.exe as admin, or install different versions of openssl, httpd-mod_ssl, httpd etc. from different download images. Not fun. It is easier to install a native Apache httpd on Windows than to examine the core dump and cook up trial-and-error fixes with Cygwin here...
$ whereis apachectl
apachectl: /usr/sbin/apachectl /usr/share/man/man8/apachectl.8.gz

demoAdmin@deomPC ~
$ /usr/sbin/apachectl start
[Thu Aug 17 23:26:28.742380 2017] [core:emerg] [pid 4816] (88)Function not implemented: AH00023: Couldn't create the mpm-accept mutex
(88)Function not implemented: could not create accept mutex
AH00015: Unable to open logs
/usr/sbin/apachectl: line 79:  4816 Segmentation fault      (core dumped) $HTTPD -k $ARGV

demoAdmin@deomPC ~
