Solved

Running SSL on Windows/Apache

Posted on 2006-07-20
Last Modified: 2010-03-04
Here are the basics:

Two sites on one W2KSP4 server with two separate IPs. One runs on IIS/ASP (has to because of ties to an ERP), the other being developed on Apache2.2.2/PHP5.1.4. OpenSSLv.0.98b is also installed. I've generated a key for Thawte and received the certificate. Both are installed. I've modified the httpd.conf file to listen to port 443 and that works fine. However, when I put in the code that I think will enable SSL, both the secured AND unsecured sites become unavailable. (yes, mod_ssl is enabled). Obviously, the secured site doesn't work one way or another.
Here's the code:

Listen XX.XXX.X.X:80
Listen XX.XXX.X.X:443

...

LoadModule ssl_module modules/mod_ssl.so

...

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

# SSL StartUp
<VirtualHost XX.XXX.X.X:443>
DocumentRoot "D:/Inetpub/sitefolder"
ServerName www.website.com
ServerAdmin admin@site.com
ErrorLog logs/error.log
TransferLog logs/transfer.log
SSLEngine On
SSLCertificateFile ApacheCert/cert.crt
SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>

#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

The cert locations are correct and I obviously changed some of the IP and URL values in there. Apache starts up with no errors when this code is present but then the pages don't appear. Am I missing something here? 500 points for urgency.
Question by:cbeaudry1
Expert Comment

by:rhickmott
Try

-------------------

Listen xxx.xxx.xxx.xxx:80

...

LoadModule ssl_module modules/mod_ssl.so

...


<IfModule mod_ssl.c>
         
      ## Handle SSL
      Listen xxx.xxx.xxx.xxx:443

      #SSL Types
      AddType application/x-x509-ca-cert .crt
      AddType application/x-pkcs7-crl    .crl

      SSLPassPhraseDialog  builtin
          SSLSessionCache none
      SSLSessionCacheTimeout  300      
      SSLMutex default
      SSLRandomSeed startup builtin
      SSLRandomSeed connect builtin
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
      
      <VirtualHost xxx.xxx.xxx.xxx:443>
            #  General setup for the virtual host
            DocumentRoot "D:/Inetpub/sitefolder"
            ServerName *:443
            ServerAdmin you@domain.com
            ErrorLog logs/error.log
            TransferLog logs/access.log
                  
            <Directory "D:/Inetpub/sitefolder">
                      Options FollowSymLinks
                      AllowOverride All
                      Order allow,deny
                      Allow from all
            </Directory>

            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                      SSLOptions +StdEnvVars
            </Files>
            <Directory "cgi-bin">
                      SSLOptions +StdEnvVars
            </Directory>
      
            CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

            SSLEngine On
            SSLCertificateFile ApacheCert/cert.crt
            SSLCertificateKeyFile ApacheCert/cert.key
      </VirtualHost>
</IfModule>


<VirtualHost xxx.xxx.xxx.xxx:443>
     SSLEngine On
     SSLCertificateFile ApacheCert/cert.crt
     SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>


NameVirtualHost xxx.xxx.xxx.xxx:80

<VirtualHost xxx.xxx.xxx.xxx:80>
     DocumentRoot "D:/Inetpub/sitefolder"
</VirtualHost>

Author Comment

by:cbeaudry1
I tried that code and got the same result so I went back to the base code provided by Thawte and realized that the key screws things up on Windows if there is a passcode. So using OpenSSL, I removed the passcode.

The good news is that the SSL is now working and can display static pages and files like phpinfo.php

The bad news is that it doesn't display PHP files with dynamic content. The files connect to a separate SQL server.

Author Comment

by:cbeaudry1
...and that was because one of the developers had an include redirect to a bad URL until I got the SSL working:

<?php
// "http:/" . "/page.php" yields "http://page.php": the request path is sent to the browser as a host name
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])
{
      header("Location: http:/" . $_SERVER['REQUEST_URI']);
}
?>

Everything works now.
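Why that include took the site down, and the usual direction for such a redirect (plain HTTP to HTTPS), as an added Python illustration of the same $_SERVER logic; it is not code from this thread, and the host names and request URIs are constructed. PHP's `$_SERVER['HTTPS']` check also has a known gotcha: IIS/ISAPI sets the variable to the string "off", which is truthy in PHP, so the helper below treats "off" as not secure.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed CGI-style environments, as PHP exposes them in $_SERVER.
# Apache leaves HTTPS unset on plain HTTP; IIS/ISAPI sets it to "off".
PLAIN_APACHE = {"HTTP_HOST": "www.website.com", "REQUEST_URI": "/shop/cart.php?id=7"}
PLAIN_IIS = {"HTTPS": "off", "HTTP_HOST": "www.website.com", "REQUEST_URI": "/shop/cart.php"}
TLS_REQUEST = {"HTTPS": "on", "HTTP_HOST": "www.website.com", "REQUEST_URI": "/shop/cart.php"}


def is_https(env: dict) -> bool:
    """Same test as the PHP include, but the IIS value 'off' counts as not secure."""
    value = env.get("HTTPS", "")
    return value != "" and value.lower() != "off"


def legacy_include_location(env: dict) -> str:
    """Reproduces what the include in the thread sent: 'http:/' . REQUEST_URI."""
    return "http:/" + env["REQUEST_URI"]


def https_location(env: dict, allowed_hosts: set) -> Optional[str]:
    """Absolute https:// URL for the same resource, or None when no redirect is
    needed or the Host header is not one of ours (a raw Host header would
    otherwise let a client steer the redirect to any host)."""
    if is_https(env):
        return None
    host = env.get("HTTP_HOST", "").lower()
    if host not in allowed_hosts:
        return None
    return "https://" + host + env["REQUEST_URI"]
```

The first assertion in the test is the whole bug: the path after "http:/" becomes the netloc, so the browser tries to resolve a host called "shop".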

Author Comment

by:cbeaudry1
The right code for Thawte certificates is outlined in the first post. Obviously, the folder locations and values will be specific to your site.

If using a Thawte certificate, follow the instructions provided by Thawte but do not enter a private key passphrase when generating your CSR if you have Apache installed on Windows. SSLPassPhraseDialog builtin is not supported on Win32. Doing so will prevent SSL from starting up and could disable your site entirely. If you did create a passphrase and need to remove it, use the following at a command prompt:

openssl rsa -in file1.key -out file2.key

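A pre-flight check for the failure described in this thread, written as an added Python example (not the poster's or Thawte's code): it finds every VirtualHost that switches SSLEngine on, locates its SSLCertificateKeyFile, and flags a PEM key that still carries a passphrase, since mod_ssl on Win32 cannot prompt for one at startup. The httpd.conf fragment and PEM skeletons are constructed; real key files would be read from disk and passed in the same dictionary.

```python
import re

# Constructed httpd.conf fragment, modelled on the thread's configuration (not the poster's file)
SAMPLE_CONF = """
Listen 192.0.2.10:443
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost 192.0.2.10:443>
    ServerName www.website.com
    SSLEngine On
    SSLCertificateFile ApacheCert/cert.crt
    SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>
"""
# Constructed PEM skeletons with the key material omitted: legacy encrypted form and plain form
ENCRYPTED_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n...\n-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"


def key_is_passphrase_protected(pem_text: str) -> bool:
    """True when mod_ssl would have to prompt for a passphrase to load this key."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def ssl_vhosts(conf_text: str) -> list:
    """(address, key path or None) for every VirtualHost that sets SSLEngine on."""
    found = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        body = m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\s*$", body, re.M | re.I):
            continue
        key = re.search(r"^\s*SSLCertificateKeyFile\s+(\S+)", body, re.M | re.I)
        found.append((m.group(1).strip(), key.group(1) if key else None))
    return found


def preflight(conf_text: str, key_files: dict, windows: bool = True) -> list:
    """List what would stop TLS from coming up; key_files maps key path -> PEM text."""
    problems = []
    vhosts = ssl_vhosts(conf_text)
    if not vhosts:
        problems.append("no VirtualHost with SSLEngine on")
    for addr, key_path in vhosts:
        pem = key_files.get(key_path)
        if key_path is None:
            problems.append(f"{addr}: SSLCertificateKeyFile not set")
        elif pem is None:
            problems.append(f"{addr}: key file {key_path} not found")
        elif windows and key_is_passphrase_protected(pem):
            problems.append(f"{addr}: {key_path} is passphrase-protected; strip it with openssl rsa")
    return problems
```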

Accepted Solution

by: GhostMod
Closed, 500 points refunded.

GhostMod
Community Support Moderator