
Setting up SSL on Apache2

These are instructions for setting up SSL on Apache2 running on Debian.

These instructions assume that Apache2 is already installed and working on a Debian machine.  They also assume that OpenSSL is installed.  The procedures should be quite similar for other distributions of Linux.  All the commands listed below should be run as root.

1. Create a directory inside of /etc/apache2 called ssl.  This is where we will store our self-signed certificate and key.

mkdir /etc/apache2/ssl

2. From this directory run the following command to create a self-signed certificate and private key.  More information about options for this command can be found on the Apache website.  Of course, if you are paying a Certificate Authority to sign your key, you should follow their instructions.  (This is, as they say, SSL on the cheap.)

openssl req -new -x509 -nodes -days 3650 -out server.crt -keyout server.key

As part of the certificate creation process, when it asks for the Common Name, use the fully qualified domain name of your server, for example www.sbtechsolutions.biz.  Otherwise you will make visiting browsers even less happy.  This command creates two files.  server.crt is the certificate that is sent to the web browser visiting your secure site; the browser uses the information in the certificate to encrypt the information it sends you.  server.key is the private key that allows your server to decrypt the information it receives.  -days 3650 creates a certificate that is valid for 10 years; 365 would be one year.  If -days is not included, the certificate is valid for 1 month.

3. Edit /etc/apache2/sites-available/default, changing the first line to state explicitly that this VirtualHost listens only on port 80.  This will allow you to continue to use your webserver in non-SSL mode.  If you don't need to do this, you can skip to step 4 and delete /etc/apache2/sites-available/default when you are done.  The first line of /etc/apache2/sites-available/default should look as follows:

<VirtualHost *:80>

4. Create a copy of /etc/apache2/sites-available/default called "ssl."

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

Edit the new ssl file and change the first line to listen on port 443 (the default for https).  Also add lines telling Apache where to find your certificate and key.  The beginning of your file should look as follows:

<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key

5. **Optional** Beginning with Apache 2.2.12, you can now host multiple SSL sites with different SSL Certificates on one IP Address/Port combination.  This is possible because of a new addition to the SSL Protocol called Server Name Indication (SNI).  This allows the browser to submit the requested URL to the server in an optional unencrypted field when requesting an encrypted webpage.  More information about SNI can be found on Daniel Lange's Blog.

An Apache ssl config file using SNI would look as follows:

NameVirtualHost *:443

<VirtualHost *:443>
        ServerName www.domain1.com

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/server1.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server1.key
</VirtualHost>

<VirtualHost *:443>
        ServerName www.domain2.com

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/server2.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server2.key
</VirtualHost>

If you previously had several VirtualHosts being served up from one Apache ssl server, when you upgrade to Apache 2.2.12 you will likely receive the following error message in your /var/log/apache2/error.log:

[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

This happens because the previous configuration required placing the SSL certificate information only in the first VirtualHost, which was then automatically used for the other VirtualHosts.  Now that Server Name Indication has been implemented, the SSL certificate information must be stated explicitly in each VirtualHost.  Unfortunately, the error message isn't very helpful in diagnosing the problem.  As I was trying to diagnose the error message on my initial upgrade, I moved around several of my config options and produced the following error in /var/log/apache2/error.log before I figured out what was going on:

[error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

Gotta love the "theoretically" in that error message.

6. Now you can create a link to your "ssl" file in the sites-enabled directory.

ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl

7. Enable the ssl module by creating a link to the mods-enabled directory.

ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load

8. Restart Apache.
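The following script is an added example, not part of the original page or of Debian's Apache packaging.  It runs steps 1 through 7 non-interactively and, for step 5, adds a check that every port-443 VirtualHost names its own certificate and key, so the "Server should be SSL-aware but has no certificate configured" error is caught before Apache is restarted.  It assumes the Debian layout under APACHE_ROOT (default /etc/apache2), openssl on the PATH, and a hostname given on the command line; all three are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example, not from the original page: steps 1-8 as a script, plus a
# pre-restart check for the SNI error discussed in step 5.
# Assumptions (hypothetical): Debian layout under APACHE_ROOT (default
# /etc/apache2), openssl on PATH, hostname passed on the command line.
# Point APACHE_ROOT at a scratch directory to try it without touching /etc.

APACHE_ROOT="${APACHE_ROOT:-/etc/apache2}"

# Steps 1-2: ssl directory plus a self-signed certificate and key, generated
# non-interactively. -subj sets the Common Name to the server's FQDN as the
# page requires; -addext adds the subjectAltName current browsers insist on
# (needs OpenSSL 1.1.1 or newer).
gen_selfsigned() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$dir/server.crt" -keyout "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key must never be world-readable
}

# Step 4: a port-443 VirtualHost that names its own certificate and key.
# With SNI (step 5) every SSL VirtualHost needs these lines, not just the first.
write_ssl_vhost() {
    host="$1"; crt="$2"; key="$3"; out="$4"
    cat > "$out" <<EOF
<VirtualHost *:443>
        ServerName $host

        SSLEngine On
        SSLCertificateFile $crt
        SSLCertificateKeyFile $key
</VirtualHost>
EOF
}

# Catch "Server should be SSL-aware but has no certificate configured" before
# restarting: every *:443 VirtualHost block in the file must carry both
# SSLCertificateFile and SSLCertificateKeyFile. Exit status 0 = all complete.
check_ssl_vhosts() {
    awk '
        /^[ \t]*<VirtualHost[^>]*:443>/              { inblk = 1; crt = 0; key = 0; next }
        inblk && /^[ \t]*SSLCertificateFile[ \t]/    { crt = 1 }
        inblk && /^[ \t]*SSLCertificateKeyFile[ \t]/ { key = 1 }
        inblk && /^[ \t]*<\/VirtualHost>/ { if (!crt || !key) bad++; inblk = 0 }
        END { exit (bad > 0) }
    ' "$1"
}

# Steps 1-7 end to end (step 8, the restart, is left to the operator).
setup_ssl_site() {
    host="$1"
    gen_selfsigned "$host" "$APACHE_ROOT/ssl"
    mkdir -p "$APACHE_ROOT/sites-available" "$APACHE_ROOT/sites-enabled" \
             "$APACHE_ROOT/mods-enabled"
    write_ssl_vhost "$host" "$APACHE_ROOT/ssl/server.crt" \
        "$APACHE_ROOT/ssl/server.key" "$APACHE_ROOT/sites-available/ssl"
    if ! check_ssl_vhosts "$APACHE_ROOT/sites-available/ssl"; then
        echo "an SSL VirtualHost is missing its certificate directives" >&2
        return 1
    fi
    # Steps 6-7: enable the site and the ssl module with symlinks, as on the page.
    ln -sf "$APACHE_ROOT/sites-available/ssl" "$APACHE_ROOT/sites-enabled/ssl"
    ln -sf "$APACHE_ROOT/mods-available/ssl.load" "$APACHE_ROOT/mods-enabled/ssl.load"
    echo "site enabled; restart Apache to activate it (step 8)"
}

# Usage: APACHE_ROOT=/tmp/apache2-test sh setup-ssl.sh run www.example.org
if [ "${1:-}" = "run" ]; then
    setup_ssl_site "${2:?hostname required}"
fi
```

Run it against a scratch APACHE_ROOT first to inspect the generated files; only then run it as root against /etc/apache2.  check_ssl_vhosts can also be pointed at an existing multi-site config before an upgrade to 2.2.12 or later to find VirtualHosts that still rely on inheriting the first block's certificate.  On Debian, a2ensite ssl and a2enmod ssl create the same symlinks as steps 6 and 7 (a2enmod also links ssl.conf).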

*These instructions come in part from those found at http://mario.espaciolinux.com/apache2_ssl.html