• HttpsConfigurationFreeBSD

Apache HTTPS Configuration

Description of HTTPS configuration on honir.softxs.ch

General Notes

This description is applicable (tested) on FreeBSD 7.2 and 8.0, in an apache virtual host environment, where the same certificate is used for all virtual hosts.

Setup New DNS Name

Not needed. Use *.softxs.ch as common name.

Setup Certificates

OpenSSL should be installed. Use port security/openssl if CA.pl is not found.

• locate CA.pl
  ...
  /usr/src/crypto/openssl/apps/CA.pl
  ...
  
  cd /root
  mkdir -p work/certificates
  
  cd work/certificates
  cp /usr/src/crypto/openssl/apps/CA.pl .
  
  vi CA.pl
  # Change the following
  $DAYS="-days 365";
  # to
  $DAYS="-days 1825";
  :x

  perl CA.pl -newca
  CA certificate filename (or enter to create)
  
  Making CA certificate ...
  Generating a 1024 bit RSA private key
  .........++++++
  ...................++++++
  writing new private key to './demoCA/private/cakey.pem'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:CH
  State or Province Name (full name) [Some-State]:Zug
  Locality Name (eg, city) []:Zug
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:*.softxs.ch  # only 1 certificate is allowed -> use wildcard
  Email Address []:alan@softxs.ch

  perl CA.pl -newreq
  Generating a 1024 bit RSA private key
  ........++++++
  .............................................++++++
  writing new private key to 'newreq.pem'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:CH
  State or Province Name (full name) [Some-State]:Zug
  Locality Name (eg, city) []:Zug
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:*.softxs.ch
  Email Address []:alan@softxs.ch
  
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  Request (and private key) is in newreq.pem

  perl CA.pl -sign
  Using configuration from /etc/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/cakey.pem:
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number:
              8f:db:ea:5b:29:35:12:0b
          Validity
              Not Before: Jul 31 10:46:16 2008 GMT
              Not After : Jul 31 10:46:16 2009 GMT
          Subject:
              countryName               = CH
              stateOrProvinceName       = Zug
              localityName              = Zug
              organizationName          = SoftXS GmbH
              commonName                = *.softxs.ch
              emailAddress              = alan@softxs.ch
          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  47:27:08:DB:DC:CA:53:36:53:DF:E7:EA:8A:8D:53:49:2E:1B:C6:98
              X509v3 Authority Key Identifier:
                  keyid:04:3F:E8:2C:28:CF:28:8A:EE:CF:95:F6:15:41:61:6E:DC:C2:4E:77
                  DirName:/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=*.softxs.ch/emailAddress=alan@softxs.ch
                  serial:8F:DB:EA:5B:29:35:12:0A
  
  Certificate is to be certified until Jul 31 10:46:16 2009 GMT (365 days)
  Sign the certificate? [y/n]:y
  
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  Signed certificate is in newcert.pem

Use everywhere "apache2" instead of "apache22" on older FreeBSD if appropriate.

• openssl rsa < newkey.pem > server_key.pem
  
  cp newcert.pem server_cert.pem
  
  cd /usr/local/etc/apache22
  mkdir ssl.crt ssl.key
  
  cd /root/work/certificates
  cp server_cert.pem     /usr/local/etc/apache22/ssl.crt/server.crt
  cp server_key.pem      /usr/local/etc/apache22/ssl.key/server.key
  cp ./demoCA/cacert.pem /usr/local/etc/apache22/ssl.crt/ca.crt
  
  cd /usr/local/etc/apache22
  
  cp httpd.conf httpd.conf-20100311
  cp extra/httpd-ssl.conf extra/httpd-ssl.conf-20100311

Update /etc/rc.conf

• vi /etc/rc.conf
  # add the following line if not added yet:
  apache2ssl_enable="YES"
  :x

Update /usr/local/etc/apache22/httpd.conf

Remove comments from httpd-vhosts.conf and httpd-ssl.conf

• [root@ymir /usr/local/etc/apache22]# diff httpd.conf-20100311 httpd.conf
  0a1,2
  > # 2010-03-11 TN: https configured
  > #
  1a4
  > #
  447c450
  < #Include etc/apache22/extra/httpd-vhosts.conf
  ---
  > Include etc/apache22/extra/httpd-vhosts.conf
  459c462
  < #Include etc/apache22/extra/httpd-ssl.conf
  ---
  > Include etc/apache22/extra/httpd-ssl.conf

Update /usr/local/etc/apache22/extra/httpd-ssl.conf

Move and set all common SSL settings outside(!!!) the section <VirtualHost _default_:443>. This section is unused:

• # Common SSL settings (1 key for all virtual hosts)
  SSLProtocol                 all
  SSLCipherSuite              HIGH:MEDIUM
  SSLVerifyClient       none
  
  #   Server Certificate:
  SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
  #   Server Private Key:
  SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
  #   Server Certificate Chain:
  SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/ca.crt"
  #   Certificate Authority (CA):
  SSLCACertificatePath  /usr/local/etc/apache22/ssl.crt
  SSLCACertificateFile  /usr/local/etc/apache22/ssl.crt/ca.crt
  # Common SSL settings end

All changes:

• [root@ymir /usr/local/etc/apache22/extra]# diff httpd-ssl.conf-20100311 httpd-ssl.conf
  69a70,85
  > # Common SSL settings (1 key for all virtual hosts)
  > SSLProtocol                 all
  > SSLCipherSuite              HIGH:MEDIUM
  > SSLVerifyClient       none
  >
  > #   Server Certificate:
  > SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
  > #   Server Private Key:
  > SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
  > #   Server Certificate Chain:
  > SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/ca.crt"
  > #   Certificate Authority (CA):
  > SSLCACertificatePath  /usr/local/etc/apache22/ssl.crt
  > SSLCACertificateFile  /usr/local/etc/apache22/ssl.crt/ca.crt
  > # Common SSL settings end
  >
  99c115
  < SSLCertificateFile "/usr/local/etc/apache22/server.crt"
  ---
  > #SSLCertificateFile "/usr/local/etc/apache22/server.crt"
  107c123
  < SSLCertificateKeyFile "/usr/local/etc/apache22/server.key"
  ---
  > #SSLCertificateKeyFile "/usr/local/etc/apache22/server.key"

Update /usr/local/etc/apache22/extra/httpd-vhosts.conf

Add named virtual host option for port 443, and for all virtual host a VirtualHost and a Directory section. Example:

• NameVirtualHost *:443
  
  # -- coya2.softxs.ch
  
  <VirtualHost *:443>
    DocumentRoot  /home/www/shtml/coya
    ServerName    coya2.softxs.ch
    Options       -Indexes
  
    SSLEngine             on
  </VirtualHost>
  
  <Directory /home/www/shtml/coya>
    Options None
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
  </Directory>

All changes (virtual hosts lu.softxs.ch and coya2.softxs.ch, both are enabled on HTTP and HTTPS):

• [root@ymir /usr/local/etc/apache22/extra]# diff httpd-vhosts.conf-20100311 httpd-vhosts.conf
  19a20
  > NameVirtualHost *:443
  28,33c29,31
  <     ServerAdmin webmaster@dummy-host.example.com
  <     DocumentRoot "/usr/local/docs/dummy-host.example.com"
  <     ServerName dummy-host.example.com
  <     ServerAlias www.dummy-host.example.com
  <     ErrorLog "/var/log/dummy-host.example.com-error_log"
  <     CustomLog "/var/log/dummy-host.example.com-access_log" common
  ---
  >   DocumentRoot  /usr/local/www/apache22/data
  >   ServerName lu.softxs.hu
  >   Options       -Indexes
  37,41c35,37
  <     ServerAdmin webmaster@dummy-host2.example.com
  <     DocumentRoot "/usr/local/docs/dummy-host2.example.com"
  <     ServerName dummy-host2.example.com
  <     ErrorLog "/var/log/dummy-host2.example.com-error_log"
  <     CustomLog "/var/log/dummy-host2.example.com-access_log" common
  ---
  >   DocumentRoot  /home/www/shtml/coya
  >   ServerName    coya2.softxs.ch
  >   Options       -Indexes
  43a40,70
  > <VirtualHost *:443>
  >   DocumentRoot  /usr/local/www/apache22/data
  >   ServerName lu.softxs.hu
  >   Options       -Indexes
  >
  >   SSLEngine             on
  > </VirtualHost>
  >
  > <Directory /usr/local/www/apache22/data>
  >   Options None
  >   AllowOverride AuthConfig Limit
  >   Order allow,deny
  >   Allow from all
  > </Directory>
  >
  > # -- coya2.softxs.ch
  >
  > <VirtualHost *:443>
  >   DocumentRoot  /home/www/shtml/coya
  >   ServerName    coya2.softxs.ch
  >   Options       -Indexes
  >
  >   SSLEngine             on
  > </VirtualHost>
  >
  > <Directory /home/www/shtml/coya>
  >   Options None
  >   AllowOverride AuthConfig Limit
  >   Order allow,deny
  >   Allow from all
  > </Directory>