• Status: Solved

General Apache2 help with SSL

I am a Windows guy so this "compile/source" lingo doesn't make much sense to me. Here is what I do know:

I have a RHEL3 box with Apache2 running 1 website that is accessible via the internet. I need to get this website SSL enabled. From what I have read, mod_ssl is included with Apache2. I have open_ssl installed and created a CSR and sent it to GeoTrust. They sent me the certificate file back and now I can't figure out what to do. Can someone walk me through the steps of getting this working? Where do I start? Thanks in advance.
Asked by: bfilipek
 
periwinkle Commented:
Go here:

http://www.geotrust.com/support/knowledge_base/index.asp

and put in the search word apache.  A few very relevant articles come up, including:

How to install a Web Server Certificate for Apache.
How to install a Web Server Certificate for Apache 2.x
How to install an SSL certificate on Apache 2.x in a Unix environment

These walk you through the process probably better than we can give you in words alone, as they are illustrated with screen shots.
 
ahoffmann Commented:
simply open your httpd.conf in your preferred editor, go down to the SSL section and read the comments,

fill in or change the values of the configuration directives as suggested and enable the directive (if commented out), then restart apache
 
bfilipek (Author) Commented:
I want to make sure that I have what I need to get SSL running first before I actually try to turn it on. I just want to be prepared. So how do I know if I have this mod_ssl thing installed and running properly? It is my understanding that it is included with Apache2?
 
bfilipek (Author) Commented:
Also, I have two httpd.conf files. Which one do I need to use?

/usr/local/apache2/conf/httpd.conf
/etc/httpd/conf/httpd.conf

??
 
periwinkle Commented:
Is one a symbolic link for the other?  Do:

ls -l /usr/local/apache2/conf/httpd.conf
ls -l /etc/httpd/conf/httpd.conf

and if one has an angle bracket pointing to the other, they are actually the same file.


 
bfilipek (Author) Commented:
[root@MYWEB user03]# ls -l /usr/local/apache2/conf/httpd.conf
-rw-r--r--    1 root     root        35410 Apr 12 09:40 /usr/local/apache2/conf/httpd.conf
[root@MYWEB user03]# ls -l /etc/httpd/conf/httpd.conf
-rw-------    1 root     root        32142 Jan  4  2005 /etc/httpd/conf/httpd.conf
[root@MYWEB user03]#

The time stamps are different too. How do I know which one to use?
 
periwinkle Commented:
Look at the /etc/rc.d/init.d/httpd file - which configuration file does it reference?  It's likely to be the one in the apache2 directory (which is more current, and which refers to apache2).

 
bfilipek (Author) Commented:
Here are the first several lines of that file:

#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server.  It is used to serve \
#              HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /etc/httpd/conf/httpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/httpd ]; then
        . /etc/sysconfig/httpd
fi

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/sbin/apachectl
httpd=${HTTPD-/usr/sbin/httpd}
prog=httpd
RETVAL=0


Now if I do this:

/sbin/service httpd stop
/usr/local/apache2/bin/apachectl start

my website will not work.

If I do this:

/sbin/service httpd stop
/sbin/service httpd start

then the site works fine but the https still does not work.
 
bfilipek (Author) Commented:
CORRECTION IN MY PREVIOUS POST:

/usr/local/apache2/bin/apachectl start

is supposed to say

/usr/local/apache2/bin/apachectl startssl
 
periwinkle Commented:
have you tried /sbin/service httpd startssl ?
 
bfilipek (Author) Commented:
[root@MYWEB htdocs]# /sbin/service httpd stop
Stopping httpd:                                            [  OK  ]
[root@MYWEB htdocs]# /sbin/service httpd startssl
Usage: httpd {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}

It doesn't have httpd startssl as an option.
 
ahoffmann Commented:
> how do I know if I have this mod_ssl thing installed and running properly?
httpd -l

> Also, I have two httpd.conf files. Which one do I need to use?
hmm, I'd ask the person who installed them ;-)
but ..
> /usr/local/apache2/bin/apachectl startssl
so I guess that /usr/local/apache2/conf/httpd.conf is the correct one

I highly recommend to change your rc-script (/usr/local/apache2/bin/apachectl  if you use that) and add the -f option to the httpd call, something like:
   httpd -f /usr/local/apache2/conf/httpd.conf

> have you tried /sbin/service httpd startssl ?
> It doesnt have httpd startssl as an option.
the provided rc-script by apache isn't supposed to be integrated in every linux distribution, it's a poor (insecure) script too, unfortunately, to be used with /sbin/service or /sbin/chkcfg or similar it must comply to common syntax of an rc-script call which is usually only start|stop|restart. You have to check your distributions docs for that.
Please use  /usr/local/apache2/bin/apachectl  now 'til your server is running. Integrating the script into your system is another question/task.
 
bfilipek (Author) Commented:
[root@MYWEB conf]# httpd -l
bash: httpd: command not found
[root@MYWEB conf]#

> I highly recommend to change your rc-script (/usr/local/apache2/bin/apachectl  if you use that) and add the -f option to the httpd call, something like:
> httpd -f /usr/local/apache2/conf/httpd.conf

Not sure what you mean by the above.

Any idea why apachectl start causes my website to go down, yet httpd start works fine?
 
ahoffmann Commented:
> bash: httpd: command not found
you have to use a full path, probably:
  /usr/local/apache2/bin/httpd -l

> Not sure what you mean by the above.
edit the file and add the -f option to the call of httpd there

> Any idea why apachectl start causes my website to go down
see your error_log
 
bfilipek (Author) Commented:
[root@MYWEB conf]# /usr/local/apache2/bin/httpd -l
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c
[root@SRVWEB conf]#


Does this mean I need to install mod_ssl or something?
 
ahoffmann Commented:
> Does this mean I need to install mod_ssl or something?
yes
but most likely it is installed. You just need to enable it in httpd.conf with LoadModule and AddModule, then test with
  /usr/local/apache2/bin/httpd -L
 
bfilipek (Author) Commented:
[root@SRVWEB modules]# locate mod_ssl
/usr/lib/httpd/modules/mod_ssl.so
/usr/local/apache2/include/mod_ssl.h
/usr/local/apache2/manual/mod/mod_ssl.xml.meta
/usr/local/apache2/manual/mod/mod_ssl.html
/usr/local/apache2/manual/mod/mod_ssl.xml
/usr/local/apache2/manual/mod/mod_ssl.html.en
/var/cache/mod_ssl

Ok now which of these do I need to add to the LoadModule section of httpd.conf? And what is the correct syntax to use? I did not find AddModule in the httpd.conf file.
 
ahoffmann Commented:
locate is unreliable

in httpd.conf add something like:

LoadModule ssl_module         libexec/libssl.so

where libexec/libssl.so has to be found in the directory specified with ServerRoot

If you don't have AddModule then you probably don't need it for mod_ssl too
 
bfilipek (Author) Commented:
libssl.so is located here > /usr/lib/libssl.so

So can I just copy that file and move it into the lib directory which is within the directory specified in ServerRoot?
 
bfilipek (Author) Commented:
Ok well I copied the file to the lib directory which is within the ServerRoot directory and added:

LoadModule ssl_module lib/libssl.so

Then I ran httpd -l and it still does not show mod_ssl in the list.

What am I doing wrong?

Thanks.
 
ahoffmann Commented:
oops, I see it's apache2

please check if you have following file:
  <ServerRoot>/modules/mod_ssl.so

then add to your httpd.conf:

  LoadModule ssl_module    modules/mod_ssl.so

(remove the old line)
then restart apache *and* check your error_log
 
bfilipek (Author) Commented:
OK I added that line to httpd.conf and restarted apache:

[root@SRVWEB apache2]# /usr/local/apache2/bin/apachectl startssl
Syntax error on line 232 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/lib/mod_ssl.so into server: /usr/local/apache2/lib/mod_ssl.so: undefined symbol: ap_hook_test_config

That is the error I get now. So I just started it with httpd start
 
ahoffmann Commented:
> undefined symbol: ap_hook_test_config
sounds like a broken apache2 installation

as you seem to have multiple versions of apache on your system (see http:#16436853 ) and you also copy what you think might be useful from one location to another (see http:#16447617 ), I recommend that you remove *all* installations of apache and apache2, then install a new one from scratch
Then start apache without SSL and check if your site works and if you get messages in error_log. If it works (no errors!) then check your httpd.conf (including all files included there using the include directive) if and/or how to enable SSL (see previous comments here). After that start apache, check error_log, test your site, check error_log.
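One way to settle which installation the service actually runs and whether its configuration loads mod_ssl, as an added example rather than code from any poster in this thread. It reads the init script's httpd= default, the HTTPD_ROOT and SERVER_CONFIG_FILE values that httpd -V prints, and the LoadModule lines in the config plus the files it Includes; the function names and every sample file are constructed.

```sh
#!/bin/sh
# Added example; every file and sample string below is constructed.

# Default server binary from an init-script line: httpd=${HTTPD-/usr/sbin/httpd}
init_httpd_binary() {
    sed -n 's/^httpd=\${HTTPD-\(.*\)}$/\1/p' "$1" | head -n 1
}

# Config file a binary reads when started without -f, from `httpd -V` on stdin.
compiled_config() {
    awk -F'"' '/HTTPD_ROOT=/ { root = $2 } /SERVER_CONFIG_FILE=/ { conf = $2 }
               END { if (conf ~ /^\//) print conf; else print root "/" conf }'
}

# Print the main config and every file it pulls in with Include
# (relative paths and globs resolve against ServerRoot; nesting is not followed).
config_files() {
    root=$(awk '$1 == "ServerRoot" { gsub(/"/, "", $2); print $2; exit }' "$1")
    printf '%s\n' "$1"
    awk '$1 == "Include" { print $2 }' "$1" | while read -r pat; do
        case $pat in /*) ;; *) pat=$root/$pat ;; esac
        for f in $pat; do
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Print "file: module-path" for the active LoadModule ssl_module line, or fail.
loads_mod_ssl() {
    for f in $(config_files "$1"); do
        awk -v f="$f" '$1 == "LoadModule" && $2 == "ssl_module" { print f ": " $3; hit = 1 }
                       END { exit !hit }' "$f" && return 0
    done
    return 1
}

# Constructed layout: main config with the module loaded from conf.d/ssl.conf.
demo=$(mktemp -d)
mkdir "$demo/conf.d"
printf 'httpd=${HTTPD-/usr/sbin/httpd}\n' > "$demo/init"
printf 'ServerRoot "%s"\nInclude conf.d/*.conf\n' "$demo" > "$demo/httpd.conf"
printf 'LoadModule ssl_module modules/mod_ssl.so\n' > "$demo/conf.d/ssl.conf"
sample_V=' -D HTTPD_ROOT="/etc/httpd"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'

echo "service runs: $(init_httpd_binary "$demo/init")"
echo "it reads:     $(printf '%s\n' "$sample_V" | compiled_config)"
echo "ssl_module:   $(loads_mod_ssl "$demo/httpd.conf" || echo 'not loaded')"
```

On a real host, feed compiled_config the output of the binary that init_httpd_binary reports, run with its full path and -V.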
 
bfilipek (Author) Commented:
Well it looks like you are correct. It is using the other installation and other ssl.conf/httpd.conf files.

So I configured those files to get it running and the same thing happens. Does this make sense? I can go to http://myweb.mydomain.com:443 (without the s in http) but if I go to https://myweb.mydomain.com it does not work.
 
bfilipek (Author) Commented:
ahoffmann,

I did a "rpm -q apache" and it said "package apache is not installed" so how do I know what command to use to uninstall?

Also, if I uninstall and re-install, will I lose any data? I am going to make a backup of my web data but I would still like to know if that is going to be affected.

Thanks for your help.
 
ahoffmann Commented:
to back up your data you just need httpd.conf (and all files it includes), and what you have copied to the DocumentRoot and some other directories configured in httpd.conf (like ScriptAlias etc.)
To uninstall use the corresponding command you used for installation, if you installed from sources using make, then you can remove the installed files with rm from the installation directories.
 
bfilipek (Author) Commented:
Well it's working now. I had to change a few lines in the httpd.conf file. The VirtualHost was set to the IP address, so I changed it to *:80.

Then I changed:
Listen x.x.x.x:80 (x's were the IP address)
to
Listen 0.0.0.0:80

In ssh.conf I changed:
Listen x.x.x.x:443 (x's were the IP address)
to
Listen 0.0.0.0:443

All good now.
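The symptom reported earlier in the thread, plain http:// answering on port 443 while https:// fails, is what a port-443 listener that is not negotiating TLS produces. As an added example, not from any poster in this thread, this script checks config text for a port-443 VirtualHost that sets SSLEngine, SSLCertificateFile and SSLCertificateKeyFile; both sample configs and the /path/to/... file names are constructed placeholders.

```sh
#!/bin/sh
# Added example; both sample configs are constructed.

# Constructed: a vhost on 443 that never turns TLS on, so it answers plain HTTP.
plain_443='Listen 0.0.0.0:443
<VirtualHost *:443>
    ServerName myweb.mydomain.com
</VirtualHost>'

# Constructed: the same vhost with the mod_ssl directives set (placeholder paths).
tls_443='Listen 0.0.0.0:443
<VirtualHost *:443>
    ServerName myweb.mydomain.com
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>'

# Read config text on stdin; print one line per <VirtualHost> on port 443:
# "ok" when SSLEngine on, a certificate and a key are all set, else what is missing.
audit_443() {
    awk '
    tolower($1) == "<virtualhost" && $2 ~ /:443>?$/ { inside = 1; eng = crt = key = 0; next }
    inside && tolower($1) == "sslengine" && tolower($2) == "on" { eng = 1 }
    inside && tolower($1) == "sslcertificatefile"    { crt = 1 }
    inside && tolower($1) == "sslcertificatekeyfile" { key = 1 }
    inside && tolower($1) == "</virtualhost>" {
        msg = ""
        if (!eng) msg = msg " SSLEngine"
        if (!crt) msg = msg " SSLCertificateFile"
        if (!key) msg = msg " SSLCertificateKeyFile"
        print (msg == "" ? "ok" : "missing:" msg)
        inside = 0
    }'
}

echo "plain vhost: $(printf '%s\n' "$plain_443" | audit_443)"
echo "tls vhost:   $(printf '%s\n' "$tls_443" | audit_443)"
```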
 
GranMod Commented:
PAQed with points refunded (500)

GranMod
Community Support Moderator