[NBLUG/talk] Enabling SSL in Apache2?

Troy Arnold troy at zenux.net
Fri Aug 25 18:47:15 PDT 2006


On Fri, Aug 25, 2006 at 06:23:00PM -0700, Lincoln Peters wrote:
> On Wednesday 23 August 2006 00:19, Troy Arnold wrote:
> > Something like:
> > <VirtualHost 192.168.1.80:443>
> > SSLEngine on
> > SSLCertificateKeyFile /etc/apache2/ssl/secure.private.key
> > SSLCertificateFile /etc/apache2/ssl/secure.crt
> > SSLOptions +StdEnvVars
> > [...]
> > </VirtualHost>
> 
> That seems to have been part of the problem.  However, now that I've set that 
> up, instead of getting "connection refused", I get no response at all from 
> the server when I try to connect via HTTPS.  So I'm not sure where to go from 
> here.
> 
> Here's the VirtualHost definition from my apache2.conf file:
> <VirtualHost odysseus.peterslan:443>

Can apache correctly resolve that name?

What happens if you telnet to port 443 on the webserver from the webserver
itself and also from another host on the LAN?

> I did find out that the Debian package for Apache doesn't seem to install an 
> SSL key or certificate by default.  So in case anyone else finds themselves 
> wanting to try this, here's what I did to generate the certificate:
> 
> # cd /etc/apache2/ssl/
> # openssl genrsa -aes256 > /etc/apache2/ssl/secure.private.key
> # openssl req -new -key /etc/apache2/ssl/secure.private.key -x509 \
>   -days 365 -out /etc/apache2/ssl/secure.crt
> 
> Or if you want to request a certificate from your local certificate authority 
> (VeriSign?):
> # openssl req -new -key /etc/apache2/ssl/secure.private.key \
>   -out /etc/apache2/ssl/secure.csr

Also check out the free certs from cacert.org.  Their root cert is already
in Debian, Gentoo, Fedora and others, and is in progress for inclusion into
Mozilla distributions.  In the meantime adding their root cert to your
browser is pretty much a two-click process.  (If your browser or OS trusts
the cacert root certificate, then you don't get any warnings when visiting
a site secured with one of their certs.)

-troy
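
The two checks suggested above (can the name be resolved, and what answers on port 443 from the server itself and from another LAN host), written as a script. This is an added example, not part of the original thread; the function names and result labels are this example's own, and unlike telnet it also attempts a TLS handshake.

```python
import socket
import ssl
import sys

def resolve(name):
    """Addresses `name` resolves to on this machine, or [] if lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_https(host, port=443, timeout=3.0):
    """Classify what answers on host:port.

    unresolvable  name lookup failed
    refused       nothing is listening on the port
    filtered      no reply at all (packets dropped, or host down)
    no-tls        TCP connects, but the TLS handshake fails or stalls
    tls-ok        TLS handshake completed
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "unresolvable"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts and "no route to host"
        return "filtered"
    # Diagnostic only: skip verification so a self-signed certificate
    # still counts as "TLS is being spoken on this port".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls-ok"
    except OSError:  # ssl.SSLError and handshake timeouts are OSErrors
        sock.close()
        return "no-tls"

if __name__ == "__main__":
    # Run once on the web server itself and once from another LAN host.
    name = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(name, "resolves to", resolve(name) or "nothing")
    print("port 443:", probe_https(name))
```

A `no-tls` result means something accepted the TCP connection but did not complete a TLS handshake, which points at the server configuration rather than at name resolution or packet filtering.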


