killdurst asked:
How to create a https virtual host?
Hi, let's say I have a site called abc.net. In "/etc/httpd/conf/httpd.conf", the VirtualHost configuration for the site looks like the following...
<VirtualHost 10.10.11.155:80>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
</VirtualHost>
So, abc.net is working fine so far, but now I want to create an https version of the site...
First, I generated an RSA key...
openssl genrsa -des3 -out privkey.pem 2048
Then I created a self-signed test certificate...
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
In httpd.conf, below "Listen *:80", I added "Listen *:443".
Below the "VirtualHost" block above, I added the following...
<VirtualHost 10.10.11.155:443>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
SSLEngine on
SSLCertificateFile /home/cwpi/tmp/certs/privkey.pem
SSLCertificateKeyFile /home/cwpi/tmp/certs/privkey.pem
SSLCACertificateFile /home/cwpi/tmp/certs/cacert.pem
</VirtualHost>
Then I restarted the httpd service. But I still can't access my site at https://www.abc.net. The "http" one still works fine though.
From my steps above, where did I go wrong and what did I miss out? Thanks!
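Added checker, not part of the question or of any answer: it parses the VirtualHost blocks from an httpd.conf string and flags the two problems visible in the configuration above, namely SSLCertificateFile pointing at privkey.pem rather than the certificate (cacert.pem), and a key created with -des3, which is passphrase-protected so httpd asks for the passphrase whenever it starts. The config text and the PEM contents are constructed stand-ins embedded inline (headers only, no key material); the paths are the ones from the question.

```python
import re

# Constructed sample of the question's first attempt: the 443 vhost points
# SSLCertificateFile at the private key instead of cacert.pem.
HTTPD_CONF = """\
<VirtualHost 10.10.11.155:443>
ServerName abc.net
SSLEngine on
SSLCertificateFile /home/cwpi/tmp/certs/privkey.pem
SSLCertificateKeyFile /home/cwpi/tmp/certs/privkey.pem
</VirtualHost>
"""
# Constructed stand-ins for the PEM files (headers only, no real key material);
# "Proc-Type: 4,ENCRYPTED" is the header `openssl genrsa -des3` writes.
FILES = {
    "/home/cwpi/tmp/certs/privkey.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n...\n-----END RSA PRIVATE KEY-----\n",
    "/home/cwpi/tmp/certs/cacert.pem": "-----BEGIN CERTIFICATE-----\n...\n"
        "-----END CERTIFICATE-----\n",
}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    # Map lower-cased directive name -> value, one directive per line.
    out = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out

def check_ssl_vhosts(conf, files):
    # Findings for every SSLEngine-on vhost; an empty list means nothing obvious is wrong.
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        d = directives(body)
        if d.get("sslengine", "").lower() != "on":
            continue
        cert = files.get(d.get("sslcertificatefile", ""), "")
        key = files.get(d.get("sslcertificatekeyfile", ""), "")
        if "BEGIN CERTIFICATE" not in cert:
            findings.append(f"{addr}: SSLCertificateFile is not a certificate")
        if "PRIVATE KEY" not in key:
            findings.append(f"{addr}: SSLCertificateKeyFile is not a private key")
        elif "ENCRYPTED" in key:  # traditional Proc-Type header or PKCS#8 ENCRYPTED block
            findings.append(f"{addr}: key is passphrase-protected, httpd will prompt at start")
    return findings
```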
SOLUTION
The list below must be uncommented:
include conf.d/ssl.conf
TY/sA
ASKER
Yup, "Include conf.d/*.conf" is uncommented.
SOLUTION
What is the error message you are getting?
Are you able to access the webpage locally, I mean via elinks?
ASKER
Going to the https site now in IE shows a "Certificate error" icon in the address bar.
Viewing the certificate shows that it's valid from 3 Dec 2012 to 3 Dec 2013.
So I think there is already a certificate, just that it's expired.
There is a file called "localhost.crt" at "/etc/pki/tls/certs" and "localhost.key" at "/etc/pki/tls/private".
There are two lines in "/etc/httpd/conf.d/ssl.conf" that look like the following...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
So I proceeded to do the following...
- cd /etc/pki/tls/private
- openssl genrsa -des3 -out localhost.key 1024
- cd /etc/pki/tls/certs
- openssl req -new -key ../private/localhost.key -out localhost.csr
- openssl x509 -req -days 365 -in localhost.csr -signkey ../private/localhost.key -out localhost.crt
- service httpd graceful
Output is as follows...
[Tue Feb 04 10:45:38 2014] [warn] module ssl_module is already loaded, skipping
httpd: apr_sockaddr_info_get() failed for UNIX-998A-SG
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Tue Feb 04 10:45:43 2014] [warn] NameVirtualHost 10.10.10.48:80 has no VirtualHosts
[Tue Feb 04 10:45:43 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
Going to the site now shows a "Page cannot be displayed" error message.
So I had to restore the original .key and .crt files and restart the httpd service again, to get the site to work properly again.
ASKER
Ok, I found a script called "/etc/pki/tls/certs/make-dummy-cert".
So I went to the folder and executed "./make-dummy-cert dummy.crt".
The dummy.crt file contained both a private key and certificate.
So I copied the private key and certificate and pasted them into "/etc/pki/tls/private/localhost.key" and "/etc/pki/tls/certs/localhost.crt".
Then I gracefully restarted httpd.
This time the http version is still ok, and the certificate error displayed is slightly different.
It now shows that the validity of the certificate is from 4 Feb 2014 to 4 Feb 2015.
So I guess the new certificate is correctly loaded.
The error now is...
This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.
Edit: Going to the http version, site loads fine. But going to the https version, I see an empty page.
ASKER
Update:
I've re-inserted the "<VirtualHost 10.10.11.155:443>" block back into httpd.conf, and added in the following in the block...
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Applied the changes, and the https version of the site is now working!
excellent stuff....
ASKER
Another thing, I find it to be quite redundant if every site needs to have 2 "VirtualHost" blocks in httpd.conf if I want the site to be accessible from both port 80 and 443. For example, for http access through port 80...
<VirtualHost 10.10.11.155:80>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
</VirtualHost>
And for https access through port 443...
<VirtualHost 10.10.11.155:443>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/abc.crt
SSLCertificateKeyFile /etc/pki/tls/private/abc.key
</VirtualHost>
Is it possible to set the 443 directive within the same virtual host as the port 80? Thanks.
ASKER CERTIFIED SOLUTION
ASKER
Cool! Thanks guys! Will be closing this question soon and distributing points if all goes well... :)