cbeaudry1

asked:
Running SSL on Windows/Apache

Here are the basics:

Two sites on one W2KSP4 server with two separate IPs. One runs on IIS/ASP (has to because of ties to an ERP), the other being developed on Apache2.2.2/PHP5.1.4. OpenSSLv.0.98b is also installed. I've generated a key for Thawte and received the certificate. Both are installed. I've modified the httpd.conf file to listen to port 443 and that works fine. However, when I put in the code that I think will enable SSL, both the secured AND unsecured sites become unavailable. (Yes, mod_ssl is enabled.) Obviously, the secured site doesn't work one way or another.
Here's the code:

Listen XX.XXX.X.X:80
Listen XX.XXX.X.X:443

...

LoadModule ssl_module modules/mod_ssl.so

...

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

# SSL StartUp
<VirtualHost XX.XXX.X.X:443>
DocumentRoot "D:/Inetpub/sitefolder"
ServerName www.website.com
ServerAdmin admin@site.com
ErrorLog logs/error.log
TransferLog logs/transfer.log
SSLEngine On
SSLCertificateFile ApacheCert/cert.crt
SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>

#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

The cert locations are correct and I obviously changed some of the IP and URL values in there. Apache starts up with no errors when this code is present but then the pages don't appear. Am I missing something here? 500 points for urgency.
Robin Hickmott

Try

-------------------

Listen xxx.xxx.xxx.xxx:80

...

LoadModule ssl_module modules/mod_ssl.so

...


<IfModule mod_ssl.c>
         
      ## Handle SSL
      Listen xxx.xxx.xxx.xxx:443

      #SSL Types
      AddType application/x-x509-ca-cert .crt
      AddType application/x-pkcs7-crl    .crl

      SSLPassPhraseDialog  builtin
          SSLSessionCache none
      SSLSessionCacheTimeout  300      
      SSLMutex default
      SSLRandomSeed startup builtin
      SSLRandomSeed connect builtin
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
      
      <VirtualHost xxx.xxx.xxx.xxx:443>
            #  General setup for the virtual host
            DocumentRoot "D:/Inetpub/sitefolder"
            ServerName *:443
            ServerAdmin you@domain.com
            ErrorLog logs/error.log
            TransferLog logs/access.log
                  
            <Directory "D:/Inetpub/sitefolder">
                      Options FollowSymLinks
                      AllowOverride All
                      Order allow,deny
                      Allow from all
            </Directory>

            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                      SSLOptions +StdEnvVars
            </Files>
            <Directory "cgi-bin">
                      SSLOptions +StdEnvVars
            </Directory>
      
            CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

            SSLEngine On
            SSLCertificateFile ApacheCert/cert.crt
            SSLCertificateKeyFile ApacheCert/cert.key
      </virtualhost>
</IfModule>


<VirtualHost xxx.xxx.xxx.xxx:443>
     SSLEngine On
     SSLCertificateFile ApacheCert/cert.crt
     SSLCertificateKeyFile ApacheCert/cert.key
</VirtualHost>


NameVirtualHost xxx.xxx.xxx.xxx:80

<VirtualHost xxx.xxx.xxx.xxx:80>
     DocumentRoot "D:/Inetpub/sitefolder"
</VirtualHost>
cbeaudry1 (ASKER)
I tried that code and got the same result so I went back to the base code provided by Thawte and realized that the key screws things up on Windows if there is a passcode. So using OpenSSL, I removed the passcode.

The good news is that the SSL is now working and can display static pages and files like phpinfo.php.

The bad news is that it doesn't display php files with dynamic content. The files connect to a separate SQL server.
...and that was because one of the developers had an include redirect to a bad URL until I got the SSL working:

<?php
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])
{
      header("Location: http:/" . $_SERVER['REQUEST_URI']);
}
?>

Everything works now.
The right code for Thawte certificates is outlined in the first post. Obviously, the folder locations and values will be specific to your site.

If using a Thawte certificate, follow the instructions provided by Thawte but do not enter a private key passphrase when generating your CSR if you have Apache installed on Windows. SSLPassPhraseDialog builtin is not supported on Win32. Doing so will prevent SSL from starting up and could disable your site entirely. If you did create a passphrase and need to remove it, use the following at a command prompt:

openssl rsa -in file1.key -out file2.key
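The two-step fix described above (strip the passphrase with `openssl rsa`, then point httpd at the new key), as an added example that is not part of the original thread: a POSIX shell script that builds a throwaway passphrase-protected key and self-signed certificate in place of the Thawte CSR flow, removes the passphrase with the same `openssl rsa -in file1.key -out file2.key` command, and then checks two things before the file is referenced from SSLCertificateKeyFile: that the key really is unencrypted (so httpd can load it unattended, with no SSLPassPhraseDialog), and that it matches the certificate it will be paired with. The file names, the demo passphrase, the CN and the helper functions key_is_unencrypted and key_matches_cert are my own constructions; the openssl commands are the same ones available on the Win32 build.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the passphrase-removal
# step and verify the resulting key before Apache on Win32 is pointed at it.
# All file names and values below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

DEMO_PASS="demo-passphrase"   # constructed; a real passphrase never belongs in a script

# 1. Stand-in for the CSR flow: a throwaway self-signed cert whose private key
#    was generated WITH a passphrase (the situation the asker ran into).
openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=www.website.com" \
    -keyout file1.key -out cert.crt -passout pass:"$DEMO_PASS" >/dev/null 2>&1

# 2. The fix from the thread: re-emit the same key without the passphrase.
openssl rsa -in file1.key -passin pass:"$DEMO_PASS" -out file2.key >/dev/null 2>&1

# Returns 0 when the key carries no PEM encryption marker and parses without a
# usable passphrase, i.e. httpd can load it at startup with no dialog.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" && openssl rsa -in "$1" -noout -passin pass:x >/dev/null 2>&1
}

# Returns 0 when the key's RSA modulus equals the certificate's modulus, the
# check that catches a mismatched SSLCertificateFile / SSLCertificateKeyFile pair.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

if key_is_unencrypted file1.key; then
    echo "file1.key: unexpectedly has no passphrase"
else
    echo "file1.key: passphrase-protected, httpd on Win32 cannot load it unattended"
fi
if key_is_unencrypted file2.key; then
    echo "file2.key: no passphrase, usable as SSLCertificateKeyFile"
fi
if key_matches_cert file2.key cert.crt; then
    echo "file2.key matches cert.crt"
fi
```

Because file2.key now sits on disk with no encryption, the compensating control is the filesystem ACL: restrict the file to the account httpd runs under plus administrators, and keep it out of DocumentRoot. The modulus comparison is the check to run when httpd starts cleanly but the HTTPS site returns nothing, since Apache 2.2 reports a key/certificate mismatch only in the error log, not at startup.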
