Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318
  • Last Modified:

Running SSL on Windows/Apache

Here are the basics:

Two sites on one W2KSP4 server with two separate IPs. One runs on IIS/ASP (has to because of ties to an ERP), the other being developed on Apache2.2.2/PHP5.1.4. OpenSSLv.0.98b is also installed. I've generated a key for Thawte and received the certificate. Both are installed. I've modified the httpd.conf file to listen to port 443 and that works fine. However, when I put in the code that I think will enable SSL, both the secured AND unsecured sites become unavailable. (yes, mod_ssl is enabled). Obviously, the secured site doesn't work one way or another.
Here's the code:

Listen XX.XXX.X.X:80
Listen XX.XXX.X.X:443

...

LoadModule ssl_module modules/mod_ssl.so

...

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

# SSL StartUp
<VirtualHost XX.XXX.X.X:443>
DocumentRoot "D:/Inetpub/sitefolder"
ServerName www.website.com
ServerAdmin admin@site.com
ErrorLog logs/error.log
TransferLog logs/transfer.log
SSLEngine On
SSLCertificateFile ApacheCert/cert.crt
SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>

#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

The cert locations are correct and I obviously changed some of the IP and URL values in there. Apache starts up with no errors when this code is present but then the pages don't appear. Am I missing something here? 500 points for urgency.
0
cbeaudry1
Asked:
cbeaudry1
  • 3
1 Solution
 
rhickmottCommented:
Try

-------------------

Listen xxx.xxx.xxx.xxx:80

...

LoadModule ssl_module modules/mod_ssl.so

...


<IfModule mod_ssl.c>
         
      ## Handle SSL
      Listen xxx.xxx.xxx.xxx:443

      #SSL Types
      AddType application/x-x509-ca-cert .crt
      AddType application/x-pkcs7-crl    .crl

      SSLPassPhraseDialog  builtin
          SSLSessionCache none
      SSLSessionCacheTimeout  300      
      SSLMutex default
      SSLRandomSeed startup builtin
      SSLRandomSeed connect builtin
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
      
      <VirtualHost xxx.xxx.xxx.xxx:443>
            #  General setup for the virtual host
            DocumentRoot "D:/Inetpub/sitefolder"
            ServerName *:443
            ServerAdmin you@domain.com
            ErrorLog logs/error.log
            TransferLog logs/access.log
                  
            <Directory "D:/Inetpub/sitefolder">
                      Options FollowSymLinks
                      AllowOverride All
                      Order allow,deny
                      Allow from all
            </Directory>

            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                      SSLOptions +StdEnvVars
            </Files>
            <Directory "cgi-bin">
                      SSLOptions +StdEnvVars
            </Directory>
      
            CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

            SSLEngine On
            SSLCertificateFile ApacheCert/cert.crt
            SSLCertificateKeyFile ApacheCert/cert.key
      </virtualhost>
</IfModule>


<VirtualHost xxx.xxx.xxx.xxx:443>
     SSLEngine On
     SSLCertificateFile ApacheCert/cert.crt
     SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>


NameVirtualHost xxx.xxx.xxx.xxx:80

<VirtualHost xxx.xxx.xxx.xxx:80>
     DocumentRoot "D:/Inetpub/sitefolder"
</VirtualHost>
0
 
cbeaudry1Author Commented:
I tried that code and got the same result so I went back to the base code provided by Thawte and realized that the key screws things up on Windows if there is a passcode. So using OpenSSL, I removed the passcode.

The good news is that the SSL is now working and can display static pages and files like phpinfo.php

The bad news is that it doesn't display php files with dynamic content. The files connect to a separate SQL server.
0
 
cbeaudry1Author Commented:
...and that was because one of the developers had an include redirect to a bad URL until I got the SSL working:

<?php
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])
{
      header("Location: http:/" . $_SERVER['REQUEST_URI']);
}
?>

Everything works now.
0
 
cbeaudry1Author Commented:
The right code for Thawte certificates is outlined in the first post. Obviously, the folder locations and values will be specific to your site.

If using a Thawte certificate, follow the instructions provided by Thawte but do not enter a private key passphrase when generating your CSR if you have Apache installed on Windows. SSLPassPhraseDialog builtin is not supported on Win32. Doing so will prevent SSL from starting up and could disable your site entirely. If you did create a passphrase and need to remove it, use the following at a command prompt:

openssl rsa -in file1.key -out file2.key

0
 
GhostModCommented:
Closed, 500 points refunded.

GhostMod
Community Support Moderator
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now