bfilipek
asked on
General Apache2 help with SSL
I am a Windows guy so this "compile/source" lingo doesn't make much sense to me. Here is what I do know:
I have a RHEL3 box with Apache2 running 1 website that is accessible via the internet. I need to get this website SSL enabled. From what I have read, mod_ssl is included with Apache2. I have open_ssl installed and created a CSR and sent it to GeoTrust. They sent me the certificate file back and now I can't figure out what to do. Can someone walk me through the steps of getting this working? Where do I start? Thanks in advance.
simply open your httpd.conf in your preferred editor, go down to the SSL section and read the comments,
fill in or change the values of the configuration directives as suggested and enable the directive (if commented out), then restart apache
ASKER
I want to make sure that I have what I need to get SSL running first before I actually try to turn it on. I just want to be prepared. So how do I know if I have this mod_ssl thing installed and running properly? It is my understanding that it is included with Apache2?
ASKER
Also, I have two httpd.conf files. Which one do I need to use?
/usr/local/apache2/conf/httpd.conf
/etc/httpd/conf/httpd.conf
??
Is one a symbolic link for the other? Do:
ls -l /usr/local/apache2/conf/httpd.conf
ls -l /etc/httpd/conf/httpd.conf
and if one has an angle bracket pointing to the other, they are actually the same file.
ASKER
[root@MYWEB user03]# ls -l /usr/local/apache2/conf/httpd.conf
-rw-r--r-- 1 root root 35410 Apr 12 09:40 /usr/local/apache2/conf/httpd.conf
[root@MYWEB user03]# ls -l /etc/httpd/conf/httpd.conf
-rw------- 1 root root 32142 Jan 4 2005 /etc/httpd/conf/httpd.conf
[root@MYWEB user03]#
The time stamps are different too. How do I know which one to use?
Look at the /etc/rc.d/init.d/httpd file - which configuration file does it reference? It's likely to be the one in the apache2 directory (which is more current, and which refers to apache2).
ASKER
Here are the first several lines of that file:
#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /etc/httpd/conf/httpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
if [ -f /etc/sysconfig/httpd ]; then
. /etc/sysconfig/httpd
fi
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.
# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/sbin/apachectl
httpd=${HTTPD-/usr/sbin/httpd}
prog=httpd
RETVAL=0
Now if I do this:
/sbin/service httpd stop
/usr/local/apache2/bin/apachectl start
my website will not work.
If I do this:
/sbin/service httpd stop
/sbin/service httpd start
then the site works fine but the https still does not work.
ASKER
CORRECTION IN MY PREVIOUS POST:
/usr/local/apache2/bin/apachectl start
is supposed to say
/usr/local/apache2/bin/apachectl startssl
have you tried /sbin/service httpd startssl ?
ASKER
[root@MYWEB htdocs]# /sbin/service httpd stop
Stopping httpd: [ OK ]
[root@MYWEB htdocs]# /sbin/service httpd startssl
Usage: httpd {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}
It doesn't have httpd startssl as an option.
> how do I know if I have this mod_ssl thing installed and running properly?
httpd -l
> Also, I have two httpd.conf files. Which one do I need to use?
hmm, I'd ask the person who installed them ;-)
but ..
> /usr/local/apache2/bin/apachectl startssl
so I guess that /usr/local/apache2/conf/httpd.conf is the correct one
I highly recommend to change your rc-script (/usr/local/apache2/bin/apachectl if you use that) and add the -f option to the httpd call, something like:
httpd -f /usr/local/apache2/conf/httpd.conf
> have you tried /sbin/service httpd startssl ?
> It doesn't have httpd startssl as an option.
the provided rc-script by apache isn't supposed to be integrated in every linux distribution, it's a poor (insecure) script too, unfortunately. To be used with /sbin/service or /sbin/chkcfg or similar it must comply to the common syntax of an rc-script call, which is usually only start|stop|restart. You have to check your distribution's docs for that.
Please use /usr/local/apache2/bin/apachectl now 'til your server is running. Integrating the script into your system is another question/task.
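Added example (not posted by anyone in this thread): one way to tell the two installs apart from each binary's own output. `httpd -V` prints the compiled-in HTTPD_ROOT and SERVER_CONFIG_FILE, which is the config read when no -f is given, and `httpd -l` lists only compiled-in modules, so a mod_ssl loaded through LoadModule never appears there. The function names and all sample output below are constructed for illustration.

```sh
#!/bin/sh
# Added example: tell two Apache installs apart from their own -V / -l output.

# Print the default config path from `httpd -V` output read on stdin.
default_config() {
    awk -F'"' '
        /-D HTTPD_ROOT=/         { root = $2 }
        /-D SERVER_CONFIG_FILE=/ { conf = $2 }
        END {
            if (conf == "") exit 1
            # a relative SERVER_CONFIG_FILE is resolved against HTTPD_ROOT
            if (substr(conf, 1, 1) == "/") print conf; else print root "/" conf
        }'
}

# Classify mod_ssl: "static" (listed by -l), "dso" (mod_so.c is compiled in
# and a config file has an active LoadModule ssl_module line) or "missing".
# $1 = text of `httpd -l`; remaining arguments = config files to search.
ssl_status() {
    modules=$1; shift
    if printf '%s\n' "$modules" | grep -q 'mod_ssl\.c'; then
        echo static
    elif printf '%s\n' "$modules" | grep -q 'mod_so\.c' && [ $# -gt 0 ] &&
         grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$@"; then
        echo dso
    else
        echo missing
    fi
}

# Constructed samples modelled on the two installs in this thread.
V_LOCAL=' -D HTTPD_ROOT="/usr/local/apache2"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'
V_RPM=' -D HTTPD_ROOT="/etc/httpd"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'
L_LOCAL='Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c'

printf '%s\n' "$V_LOCAL" | default_config   # /usr/local/apache2/conf/httpd.conf
printf '%s\n' "$V_RPM"   | default_config   # /etc/httpd/conf/httpd.conf
```

On a live box, feed the functions real output, for example `/usr/local/apache2/bin/httpd -V | default_config`.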
ASKER
[root@MYWEB conf]# httpd -l
bash: httpd: command not found
[root@MYWEB conf]#
> I highly recommend to change your rc-script (/usr/local/apache2/bin/apachectl if you use that) and add the -f option to the httpd call, something like:
> httpd -f /usr/local/apache2/conf/httpd.conf
Not sure what you mean by the above.
Any idea why apachectl start causes my website to go down, yet httpd start works fine?
> bash: httpd: command not found
you have to use a full path, probably:
/usr/local/apache2/bin/httpd -l
> Not sure what you mean by the above.
edit the file and add the -f option to the call of httpd there
> Any idea why apachectl start causes my website to go down
see your error_log
ASKER
[root@MYWEB conf]# /usr/local/apache2/bin/httpd -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c
[root@SRVWEB conf]#
Does this mean I need to install mod_ssl or something?
> Does this mean I need to install mod_ssl or something?
yes
but most likely it is installed. You just need to enable it in httpd.conf with LoadModule and AddModule, then test with
/usr/local/apache2/bin/httpd -L
ASKER
[root@SRVWEB modules]# locate mod_ssl
/usr/lib/httpd/modules/mod_ssl.so
/usr/local/apache2/include/mod_ssl.h
/usr/local/apache2/manual/mod/mod_ssl.xml.meta
/usr/local/apache2/manual/mod/mod_ssl.html
/usr/local/apache2/manual/mod/mod_ssl.xml
/usr/local/apache2/manual/mod/mod_ssl.html.en
/var/cache/mod_ssl
Ok now which of these do I need to add to the LoadModule section of httpd.conf? And what is the correct syntax to use? I did not find AddModule in the httpd.conf file.
locate is unreliable
in httpd.conf add something like:
LoadModule ssl_module libexec/libssl.so
where libexec/libssl.so has to be found in the directory specified with ServerRoot
If you don't have AddModule then you probably don't need it for mod_ssl either
ASKER
libssl.so is located here > /usr/lib/libssl.so
So can I just copy that file and move it into the lib directory which is within the directory specified in ServerRoot?
ASKER
Ok well I copied the file to the lib directory which is within the ServerRoot directory and added:
LoadModule ssl_module lib/libssl.so
Then I ran httpd -l and it still does not show mod_ssl in the list.
What am I doing wrong?
Thanks.
oops, I see it's apache2
please check if you have the following file:
<ServerRoot>/modules/mod_ssl.so
then add to your httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
(remove the old line)
then restart apache *and* check your error_log
ASKER
OK I added that line to httpd.conf and restarted apache:
[root@SRVWEB apache2]# /usr/local/apache2/bin/apachectl startssl
Syntax error on line 232 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/lib/mod_ssl.so into server: /usr/local/apache2/lib/mod_ssl.so: undefined symbol: ap_hook_test_config
That is the error I get now. So I just started it with httpd start
> undefined symbol: ap_hook_test_config
sounds like a broken apache2 installation
as you seem to have multiple versions of apache on your system (see http:#16436853 ) and you also copy what you think might be useful from one location to another (see http:#16447617 ), I recommend that you remove *all* installations of apache and apache2, then install a new one from scratch
Then start apache without SSL and check if your site works and if you get messages in error_log. If it works (no errors!) then check your httpd.conf (including all files included there using the include directive) if and/or how to enable SSL (see previous comments here). After that start apache, check error_log, test your site, check error_log.
ASKER
Well it looks like you are correct. It is using the other installation and other ssl.conf/httpd.conf files.
So I configured those files to get it running and the same thing happens. Does this make sense? I can go to http://myweb.mydomain.com:443 (without the s in http) but if I go to https://myweb.mydomain.com it does not work.
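Added example, not part of the thread: when http://host:443 answers but https:// does not, port 443 is open but speaking plain HTTP. The function below (the name `lint_443` is hypothetical) reads config text and reports what a :443 virtual host lacks. It assumes the SSL directives sit inside the `<VirtualHost ...:443>` block, and both sample configs and their file paths are constructed.

```sh
#!/bin/sh
# Added example: lint Apache config text for the "plain HTTP on 443" symptom.
# Config text is read on stdin; one finding per line, no output when clean.
lint_443() {
    awk '
        { sub(/^[ \t]+/, "") }                    # drop indentation
        /^#/ || /^$/ { next }                     # skip comments and blanks
        /^<IfDefine[ \t]/ { def = $2; sub(/>$/, "", def); next }
        /^<\/IfDefine>/   { def = ""; next }
        tolower($1) == "listen" && ($2 == "443" || $2 ~ /:443$/) { listen = 1 }
        /^<VirtualHost[ \t]/ {
            invh = ($0 ~ /:443[ \t>]/)
            name = $2; sub(/>$/, "", name)
            vdef = def; engine = cert = key = 0
            next
        }
        /^<\/VirtualHost>/ {
            if (invh) {
                seen = 1
                if (!engine) print name ": no SSLEngine on, port answers plain HTTP"
                if (!cert)   print name ": no SSLCertificateFile"
                if (!key)    print name ": no SSLCertificateKeyFile"
                if (vdef != "") print name ": only active when started with -D" vdef
            }
            invh = 0; next
        }
        invh && tolower($1) == "sslengine" && tolower($2) == "on" { engine = 1 }
        invh && tolower($1) == "sslcertificatefile"               { cert = 1 }
        invh && tolower($1) == "sslcertificatekeyfile"            { key = 1 }
        END {
            if (!listen) print "no Listen directive for port 443"
            if (!seen)   print "no <VirtualHost ...:443> block"
        }'
}

# Constructed sample: 443 is opened but the vhost never turns TLS on.
BROKEN_CONF='Listen 0.0.0.0:80
Listen 0.0.0.0:443
<VirtualHost *:443>
    ServerName myweb.mydomain.com
    DocumentRoot /var/www/html
</VirtualHost>'

# Constructed sample: the same vhost with TLS directives (placeholder paths).
FIXED_CONF='Listen 0.0.0.0:443
<VirtualHost *:443>
    ServerName myweb.mydomain.com
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>'

printf '%s\n' "$BROKEN_CONF" | lint_443
```

To lint a real setup, concatenate httpd.conf and every file it includes and pipe the result into `lint_443`.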
ASKER
ahoffmann,
I did a "rpm -q apache" and it said "package apache is not installed" so how do I know what command to use to uninstall?
Also, if I uninstall and re-install, will I lose any data? I am going to make a backup of my web data but I would still like to know if that is going to be affected.
Thanks for your help.
to back up your data you just need httpd.conf (and all files it includes), and what you have copied to the DocumentRoot and some other directories configured in httpd.conf (like ScriptAlias etc.)
To uninstall use the corresponding command you used for installation, if you installed from sources using make, then you can remove the installed files with rm from the installation directories.
ASKER
Well it's working now. I had to change a few lines in the httpd.conf file. The VirtualHost was set to the IP address, so I changed it to *:80.
Then I changed:
Listen x.x.x.x:80 (x's were the IP address)
to
Listen 0.0.0.0:80
In ssh.conf I changed:
Listen x.x.x.x:443 (x's were the IP address)
to
Listen 0.0.0.0:443
All good now.
ASKER CERTIFIED SOLUTION
http://www.geotrust.com/support/knowledge_base/index.asp
and put in the search word apache. A few very relevant articles come up, including:
How to install a Web Server Certificate for Apache.
How to install a Web Server Certificate for Apache 2.x
How to install an SSL certificate on Apache 2.x in a Unix environment
These walk you through the process probably better than we can give you in words alone, as they are illustrated with screen shots.