Solved

Running SSL on Windows/Apache

Posted on 2006-07-20
Last Modified: 2010-03-04
Here are the basics:

Two sites on one W2KSP4 server with two separate IPs. One runs on IIS/ASP (has to because of ties to an ERP), the other being developed on Apache2.2.2/PHP5.1.4. OpenSSLv.0.98b is also installed. I've generated a key for Thawte and received the certificate. Both are installed. I've modified the httpd.conf file to listen to port 443 and that works fine. However, when I put in the code that I think will enable SSL, both the secured AND unsecured sites become unavailable. (yes, mod_ssl is enabled). Obviously, the secured site doesn't work one way or another.
Here's the code:

Listen XX.XXX.X.X:80
Listen XX.XXX.X.X:443

...

LoadModule ssl_module modules/mod_ssl.so

...

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

# SSL StartUp
<VirtualHost XX.XXX.X.X:443>
DocumentRoot "D:/Inetpub/sitefolder"
ServerName www.website.com
ServerAdmin admin@site.com
ErrorLog logs/error.log
TransferLog logs/transfer.log
SSLEngine On
SSLCertificateFile ApacheCert/cert.crt
SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>

#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

The cert locations are correct and I obviously changed some of the IP and URL values in there. Apache starts up with no errors when this code is present but then the pages don't appear. Am I missing something here? 500 points for urgency.
0
Question by:cbeaudry1
6 Comments
 
LVL 13

Expert Comment

by:rhickmott
ID: 17147735
Try

-------------------

Listen xxx.xxx.xxx.xxx:80

...

LoadModule ssl_module modules/mod_ssl.so

...


<IfModule mod_ssl.c>
         
      ## Handle SSL
      Listen xxx.xxx.xxx.xxx:443

      #SSL Types
      AddType application/x-x509-ca-cert .crt
      AddType application/x-pkcs7-crl    .crl

      SSLPassPhraseDialog  builtin
      SSLSessionCache none
      SSLSessionCacheTimeout  300      
      SSLMutex default
      SSLRandomSeed startup builtin
      SSLRandomSeed connect builtin
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
      
      <VirtualHost xxx.xxx.xxx.xxx:443>
            #  General setup for the virtual host
            DocumentRoot "D:/Inetpub/sitefolder"
            ServerName *:443
            ServerAdmin you@domain.com
            ErrorLog logs/error.log
            TransferLog logs/access.log
                  
            <Directory "D:/Inetpub/sitefolder">
                      Options FollowSymLinks
                      AllowOverride All
                      Order allow,deny
                      Allow from all
            </Directory>

            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                      SSLOptions +StdEnvVars
            </Files>
            <Directory "cgi-bin">
                      SSLOptions +StdEnvVars
            </Directory>
      
            CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

            SSLEngine On
            SSLCertificateFile ApacheCert/cert.crt
            SSLCertificateKeyFile ApacheCert/cert.key
      </VirtualHost>
</IfModule>


<VirtualHost xxx.xxx.xxx.xxx:443>
     SSLEngine On
     SSLCertificateFile ApacheCert/cert.crt
     SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>


NameVirtualHost xxx.xxx.xxx.xxx:80

<VirtualHost xxx.xxx.xxx.xxx:80>
     DocumentRoot "D:/Inetpub/sitefolder"
</VirtualHost>
0
 

Author Comment

by:cbeaudry1
ID: 17148996
I tried that code and got the same result so I went back to the base code provided by Thawte and realized that the key screws things up on Windows if there is a passcode. So using OpenSSL, I removed the passcode.

The good news is that the SSL is now working and can display static pages and files like phpinfo.php

The bad news is that it doesn't display php files with dynamic content. The files connect to a separate SQL server.
0
 

Author Comment

by:cbeaudry1
ID: 17149211
...and that was because one of the developers had an include redirect to a bad URL until I got the SSL working:

<?php
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])
{
      header("Location: http:/" . $_SERVER['REQUEST_URI']);
}
?>

Everything works now.
0
 

Author Comment

by:cbeaudry1
ID: 17154987
The right code for Thawte certificates is outlined in the first post. Obviously, the folder locations and values will be specific to your site.

If using a Thawte certificate, follow the instructions provided by Thawte but do not enter a private key passphrase when generating your CSR if you have Apache installed on Windows. SSLPassPhraseDialog builtin is not supported on Win32. Doing so will prevent SSL from starting up and could disable your site entirely. If you did create a passphrase and need to remove it, use the following at a command prompt:

openssl rsa -in file1.key -out file2.key

0
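The failure this thread ends on (a passphrase-protected key with SSLPassPhraseDialog builtin on Win32) can be caught before Apache is restarted. The check below is an added example, not code from the original posts or from Apache; the function names, the `C:/Apache2` ServerRoot and the sample key and config text are assumptions constructed for illustration.

```python
import ntpath

def key_is_encrypted(pem_text):
    """True if a PEM private key needs a passphrase to load."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text  # PKCS#8
            or "Proc-Type: 4,ENCRYPTED" in pem_text)             # traditional PEM

def lint_key_files(conf_text, read_file, server_root="C:/Apache2"):
    """Findings for each SSLCertificateKeyFile that mod_ssl on Win32 cannot load.
    read_file(path) -> str is injected; server_root is an assumed default."""
    dialog, key_paths = "builtin", []   # builtin is the mod_ssl default
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "<")):
            continue                    # skip comments, section tags, bare words
        name, arg = parts[0].lower(), parts[1].strip().strip('"')
        if name == "sslpassphrasedialog":
            dialog = arg
        elif name == "sslcertificatekeyfile":
            key_paths.append(arg)
    findings = []
    for path in key_paths:
        # Relative paths in httpd.conf are resolved against ServerRoot.
        full = path if ntpath.isabs(path) else server_root.rstrip("/") + "/" + path
        if dialog.lower() == "builtin" and key_is_encrypted(read_file(full)):
            findings.append(f"{path}: encrypted key, SSLPassPhraseDialog builtin")
    return findings

# Constructed samples: PEM header lines only, no real key material.
SAMPLE_KEYS = {
    "C:/Apache2/ApacheCert/cert.key":
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n(placeholder)\n"
        "-----END RSA PRIVATE KEY-----\n",
    "C:/Apache2/ApacheCert/plain.key":
        "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n",
}
# Constructed config modelled on the VirtualHost block in the question.
SAMPLE_CONF = """\
<VirtualHost XX.XXX.X.X:443>
SSLEngine On
SSLCertificateFile ApacheCert/cert.crt
SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint_key_files(SAMPLE_CONF, SAMPLE_KEYS.__getitem__):
        print(finding)
```

Once the passphrase is removed, the key file is protected only by its filesystem permissions, so read access should be limited to the account Apache runs as.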
 
LVL 1

Accepted Solution

by:
GhostMod earned 0 total points
ID: 17168681
Closed, 500 points refunded.

GhostMod
Community Support Moderator
0

Question has a verified solution.
