Apache HTTPS Configuration
Description of HTTPS configuration on honir.softxs.ch
General Notes
This description is applicable to (tested on) FreeBSD 7.2 and 8.0, in an Apache virtual host environment where the same certificate is used for all virtual hosts.
Setup New DNS Name
Not needed: use *.softxs.ch as the common name.
Setup Certificates
OpenSSL should be installed. Use the port security/openssl if CA.pl is not found.
locate CA.pl
...
/usr/src/crypto/openssl/apps/CA.pl
...
cd /root
mkdir -p work/certificates
cd work/certificates
cp /usr/src/crypto/openssl/apps/CA.pl .
vi CA.pl
# Change the following
$DAYS="-days 365";
# to
$DAYS="-days 1825";
:x
perl CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zug
Locality Name (eg, city) []:Zug
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.softxs.ch   # only 1 certificate is allowed -> use wildcard
Email Address []:alan@softxs.ch
perl CA.pl -newreq
Generating a 1024 bit RSA private key
........++++++
.............................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zug
Locality Name (eg, city) []:Zug
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.softxs.ch
Email Address []:alan@softxs.ch

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
perl CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 8f:db:ea:5b:29:35:12:0b
        Validity
            Not Before: Jul 31 10:46:16 2008 GMT
            Not After : Jul 31 10:46:16 2009 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = Zug
            localityName              = Zug
            organizationName          = SoftXS GmbH
            commonName                = *.softxs.ch
            emailAddress              = alan@softxs.ch
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                47:27:08:DB:DC:CA:53:36:53:DF:E7:EA:8A:8D:53:49:2E:1B:C6:98
            X509v3 Authority Key Identifier:
                keyid:04:3F:E8:2C:28:CF:28:8A:EE:CF:95:F6:15:41:61:6E:DC:C2:4E:77
                DirName:/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=*.softxs.ch/emailAddress=alan@softxs.ch
                serial:8F:DB:EA:5B:29:35:12:0A

Certificate is to be certified until Jul 31 10:46:16 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
On older FreeBSD, use "apache2" everywhere instead of "apache22" if appropriate.
openssl rsa < newkey.pem > server_key.pem
cp newcert.pem server_cert.pem
cd /usr/local/etc/apache22
mkdir ssl.crt ssl.key
cd /root/work/certificates
cp server_cert.pem /usr/local/etc/apache22/ssl.crt/server.crt
cp server_key.pem /usr/local/etc/apache22/ssl.key/server.key
cp ./demoCA/cacert.pem /usr/local/etc/apache22/ssl.crt/ca.crt
cd /usr/local/etc/apache22
cp httpd.conf httpd.conf-20100311
cp extra/httpd-ssl.conf extra/httpd-ssl.conf-20100311
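As an added example that is not part of the original page, the following POSIX sh checks verify the installed files after the steps above: that server.key belongs to server.crt, that server.crt chains to ca.crt, that the subject CN is the wildcard name, and that the key, which has had its pass phrase removed, is readable only by root. It assumes the page's file layout under the Apache conf directory and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the original wiki page): checks to run after the
# "Setup Certificates" steps and before restarting Apache. Assumes the page's
# layout (ssl.crt/server.crt, ssl.key/server.key, ssl.crt/ca.crt under the
# Apache conf dir) and an openssl binary on the PATH.

# 0 when the private key in $2 belongs to the certificate in $1.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 when the server certificate $1 was signed by the CA certificate $2.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the subject CN of certificate $1 is exactly $2, e.g. '*.softxs.ch'
# (the single wildcard name the page uses for all virtual hosts).
cert_cn_is() {
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# The page removes the pass phrase (openssl rsa < newkey.pem > server_key.pem),
# so the installed key is plaintext: only root may read it (mode 600 or 400).
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run one check ($@ is the check and its arguments), print the verdict,
# and remember any failure in rc.
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }

# All checks for the conf dir $1 and expected CN $2; returns 1 if any failed.
check_install() {
    rc=0
    report key_matches_cert "$1/ssl.crt/server.crt" "$1/ssl.key/server.key"
    report cert_chains_to_ca "$1/ssl.crt/server.crt" "$1/ssl.crt/ca.crt"
    report cert_cn_is "$1/ssl.crt/server.crt" "$2"
    report key_perms_ok "$1/ssl.key/server.key"
    return $rc
}

# Usage on the page's layout (uncomment when running on the server):
# check_install /usr/local/etc/apache22 '*.softxs.ch'
```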
Update /etc/rc.conf
vi /etc/rc.conf
# add the following line if not added yet:
apache2ssl_enable="YES"
:x
Update /usr/local/etc/apache22/httpd.conf
Uncomment the Include lines for httpd-vhosts.conf and httpd-ssl.conf:
[root@ymir /usr/local/etc/apache22]# diff httpd.conf-20100311 httpd.conf 0a1,2 > # 2010-03-11 TN: https configured > # 1a4 > # 447c450 < #Include etc/apache22/extra/httpd-vhosts.conf --- > Include etc/apache22/extra/httpd-vhosts.conf 459c462 < #Include etc/apache22/extra/httpd-ssl.conf --- > Include etc/apache22/extra/httpd-ssl.conf
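Review bot: hunks 447c450 and 459c462 only flip the two Include lines, and nothing in the procedure checks the result before the server is restarted; run `apachectl configtest` (or `apachectl -t`) right after this edit, because a mistake in the newly included extra/httpd-ssl.conf or extra/httpd-vhosts.conf would otherwise only surface as a failed restart.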
Update /usr/local/etc/apache22/extra/httpd-ssl.conf
Move all common SSL settings outside (!!!) the <VirtualHost _default_:443> section, which is not used here, so that they apply to every virtual host:
# Common SSL settings (1 key for all virtual hosts)
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLVerifyClient none

# Server Certificate:
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
# Server Private Key:
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
# Server Certificate Chain:
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/ca.crt"
# Certificate Authority (CA):
SSLCACertificatePath /usr/local/etc/apache22/ssl.crt
SSLCACertificateFile /usr/local/etc/apache22/ssl.crt/ca.crt
# Common SSL settings end
All changes:
[root@ymir /usr/local/etc/apache22/extra]# diff httpd-ssl.conf-20100311 httpd-ssl.conf 69a70,85 > # Common SSL settings (1 key for all virtual hosts) > SSLProtocol all > SSLCipherSuite HIGH:MEDIUM > SSLVerifyClient none > > # Server Certificate: > SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt" > # Server Private Key: > SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key" > # Server Certificate Chain: > SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/ca.crt" > # Certificate Authority (CA): > SSLCACertificatePath /usr/local/etc/apache22/ssl.crt > SSLCACertificateFile /usr/local/etc/apache22/ssl.crt/ca.crt > # Common SSL settings end > 99c115 < SSLCertificateFile "/usr/local/etc/apache22/server.crt" --- > #SSLCertificateFile "/usr/local/etc/apache22/server.crt" 107c123 < SSLCertificateKeyFile "/usr/local/etc/apache22/server.key" --- > #SSLCertificateKeyFile "/usr/local/etc/apache22/server.key"
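Review bot: `SSLProtocol all` in hunk 69a70,85 enables every protocol version mod_ssl supports, SSLv2 and SSLv3 included, and `SSLCipherSuite HIGH:MEDIUM` admits medium-strength ciphers; since these lines are now global, prefer `SSLProtocol all -SSLv2 -SSLv3` and a cipher list limited to `HIGH` (or stricter) so the shared settings do not weaken every virtual host at once. The `SSLCACertificatePath` and `SSLCACertificateFile` lines are only consulted for client certificate verification, which `SSLVerifyClient none` disables, so they are harmless here but could be dropped.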
Update /usr/local/etc/apache22/extra/httpd-vhosts.conf
Add the NameVirtualHost option for port 443 and, for every virtual host, a VirtualHost and a Directory section. Example:
NameVirtualHost *:443

# -- coya2.softxs.ch

<VirtualHost *:443>
    DocumentRoot /home/www/shtml/coya
    ServerName coya2.softxs.ch
    Options -Indexes

    SSLEngine on
</VirtualHost>

<Directory /home/www/shtml/coya>
    Options None
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
</Directory>
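As an added example that is not from the original page, the following POSIX sh script checks that every ServerName of a port-443 virtual host is covered by the single wildcard certificate name. The sample httpd-vhosts.conf is constructed here in the layout shown above, and the matching rule generalises the page's wildcard remark to what browsers actually accept: "*" covers exactly one DNS label.

```shell
#!/bin/sh
# Added example, not part of the original page: check that every ServerName of a
# port-443 virtual host is covered by the one wildcard certificate used for all
# virtual hosts. "*" matches exactly one DNS label, so "*.softxs.ch" covers
# coya2.softxs.ch but not lu.softxs.hu, softxs.ch or a.b.softxs.ch.

# 0 when host $1 matches certificate name $2 (wildcard or plain, case-insensitive).
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        '*.'*)
            suffix=${pat#\*.}            # "softxs.ch"
            first=${host%%.*}            # leftmost label of the host
            rest=${host#*.}              # labels after it (unchanged if no dot)
            [ -n "$first" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]
            ;;
        *)  [ "$host" = "$pat" ] ;;
    esac
}

# Print the ServerName of every <VirtualHost ...:443> block read from stdin.
ssl_server_names() {
    awk '/^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:443>/ { inssl = 1; next }
         /^[[:space:]]*<\/VirtualHost>/                    { inssl = 0; next }
         inssl && $1 == "ServerName"                       { print $2 }'
}

# For the vhost config on stdin, print "<host> ok" or "<host> MISMATCH" per SSL
# virtual host against certificate name $1; return 1 if any host is not covered.
check_vhosts() {
    rc=0
    for h in $(ssl_server_names); do
        if name_matches "$h" "$1"; then echo "$h ok"; else echo "$h MISMATCH"; rc=1; fi
    done
    return $rc
}

# Constructed sample in the layout of the page's httpd-vhosts.conf.
SAMPLE_VHOSTS='NameVirtualHost *:443
<VirtualHost *:443>
    ServerName lu.softxs.hu
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName coya2.softxs.ch
    SSLEngine on
</VirtualHost>'
printf '%s\n' "$SAMPLE_VHOSTS" | check_vhosts '*.softxs.ch' ||
    echo "certificate does not cover every SSL virtual host"
```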
All changes (virtual hosts lu.softxs.ch and coya2.softxs.ch, both enabled on HTTP and HTTPS):
[root@ymir /usr/local/etc/apache22/extra]# diff httpd-vhosts.conf-20100311 httpd-vhosts.conf 19a20 > NameVirtualHost *:443 28,33c29,31 < ServerAdmin webmaster@dummy-host.example.com < DocumentRoot "/usr/local/docs/dummy-host.example.com" < ServerName dummy-host.example.com < ServerAlias www.dummy-host.example.com < ErrorLog "/var/log/dummy-host.example.com-error_log" < CustomLog "/var/log/dummy-host.example.com-access_log" common --- > DocumentRoot /usr/local/www/apache22/data > ServerName lu.softxs.hu > Options -Indexes 37,41c35,37 < ServerAdmin webmaster@dummy-host2.example.com < DocumentRoot "/usr/local/docs/dummy-host2.example.com" < ServerName dummy-host2.example.com < ErrorLog "/var/log/dummy-host2.example.com-error_log" < CustomLog "/var/log/dummy-host2.example.com-access_log" common --- > DocumentRoot /home/www/shtml/coya > ServerName coya2.softxs.ch > Options -Indexes 43a40,70 > <VirtualHost *:443> > DocumentRoot /usr/local/www/apache22/data > ServerName lu.softxs.hu > Options -Indexes > > SSLEngine on > </VirtualHost> > > <Directory /usr/local/www/apache22/data> > Options None > AllowOverride AuthConfig Limit > Order allow,deny > Allow from all > </Directory> > > # -- coya2.softxs.ch > > <VirtualHost *:443> > DocumentRoot /home/www/shtml/coya > ServerName coya2.softxs.ch > Options -Indexes > > SSLEngine on > </VirtualHost> > > <Directory /home/www/shtml/coya> > Options None > AllowOverride AuthConfig Limit > Order allow,deny > Allow from all > </Directory>
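Review bot: the virtual host added in hunks 28,33c29,31 and 43a40,70 carries `ServerName lu.softxs.hu`, while the introducing text calls it lu.softxs.ch and the shared certificate is issued for `*.softxs.ch`; a client connecting to lu.softxs.hu would get a certificate name mismatch, so either the ServerName or the text needs correcting. Hunks 28,33c29,31 and 37,41c35,37 also drop the per-host `ErrorLog` and `CustomLog` lines, so both virtual hosts now write to the server-wide logs, which makes per-host incident review harder.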