Solved

How to create a https virtual host?

Posted on 2014-01-28
13
576 Views
Last Modified: 2014-02-10
Hi, let's say I have a site called abc.net. In "/etc/httpd/conf/httpd.conf", the VirtualHost configuration for the site looks like the following...
<VirtualHost 10.10.11.155:80>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
</VirtualHost>

Open in new window

So, abc.net is working fine so far, but now I want to create a https version of the site...

First, I generated an RSA key...
openssl genrsa -des3 -out privkey.pem 2048

Open in new window

Then I created a self-signed test certificate...
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Open in new window


In httpd.conf, below "Listen *:80", I added "Listen *:443".
Below the "VirtualHost" block above, I added the following...
<VirtualHost 10.10.11.155:443>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
SSLEngine on
SSLCertificateFile /home/cwpi/tmp/certs/privkey.pem
SSLCertificateKeyFile /home/cwpi/tmp/certs/privkey.pem
SSLCACertificateFile /home/cwpi/tmp/certs/cacert.pem
</VirtualHost>

Open in new window

Then I restarted the httpd service. But I still can't access my site at https://www.abc.net. The "http" one still works fine though.
From my steps above, where did I go wrong and what did I miss out? Thanks!
0
Comment
Question by:killdurst
13 Comments
 
LVL 19

Assisted Solution

by:Patricksr1972
Patricksr1972 earned 83 total points
ID: 39817076
Hi

Did you open port 443 in the firewall?
0
 
LVL 1

Author Comment

by:killdurst
ID: 39817088
I think it's already open... From my PC, I can "telnet www.abc.net 443".
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39817132
below list must be uncommented

include conf.d/ssl.conf

TY/sA
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 1

Author Comment

by:killdurst
ID: 39817153
Yup, "Include conf.d/*.conf" is uncommented.
0
 
LVL 5

Assisted Solution

by:NARANTHIRAN
NARANTHIRAN earned 83 total points
ID: 39817494
Hi, Have to changed the following line in the httpd.confi file.

NameVirtualHost *:443

If not  change  and try loading the web page...
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39817542
what is the error message you are getting ?

are you able to access the webpage locally i mean via elinks ?
0
 
LVL 1

Author Comment

by:killdurst
ID: 39831434
Going to the https site now in IE shows a "Certificate error" icon in the address bar.
Viewing the certificate shows that it's valid from 3 Dec 2012 to 3 Dec 2013.
So I think there is already a certificate, just that it's expired.
There is a file called "localhost.crt" at "/etc/pki/tls/certs" and "localhost.key" at "/etc/pki/tls/private".
There are two lines in "/etc/httpd/conf.d/ssl.conf" that look like the following...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Open in new window

So I proceeded to do the following...
 - cd /etc/pki/tls/private
 - openssl genrsa -des3 -out localhost.key 1024
 - cd /etc/pki/tls/certs
 - openssl req -new -key ../private/localhost.key -out localhost.csr
 - openssl x509 -req -days 365 -in localhost.csr -signkey ../private/localhost.key -out localhost.crt
 - service httpd graceful

Output is as follows...
[Tue Feb 04 10:45:38 2014] [warn] module ssl_module is already loaded, skipping
httpd: apr_sockaddr_info_get() failed for UNIX-998A-SG
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Tue Feb 04 10:45:43 2014] [warn] NameVirtualHost 10.10.10.48:80 has no VirtualHosts
[Tue Feb 04 10:45:43 2014] [warn] NameVirtualHost *:80 has no VirtualHosts

Going to the site now shows a "Page cannot be displayed" error message.

So I had to restore the original .key and .crt files and restart the httpd service again, to get the site to work properly again.
0
 
LVL 1

Author Comment

by:killdurst
ID: 39831449
Ok, I found a script called "/etc/pki/tls/certs/make-dummy-cert".
So I went to the folder and executed "./make-dummy-cert dummy.crt".
The dummy.crt file contained both a private key and certificate.
So I copied the private key and certificate and paste it in "/etc/pki/tls/private/localhost.key" and "/etc/pki/tls/certs/localhost.crt".
Then I gracefully restarted httpd.
This time the http version is still ok, and the certificate error displayed is slightly different.
It now shows that the validity of the certificate is from 4 Feb 2014 to 4 Feb 2015.
So I guess the new certificate is correctly loaded.
The error now is...
This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.

Edit: Going to the http version, site loads fine. But going to the https version, I see an empty page.
0
 
LVL 1

Author Comment

by:killdurst
ID: 39831507
Update:

I've re-inserted the "<VirtualHost 10.10.11.155:443>" block back into httpd.conf, and added in the following in the block...

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Applied the changes, and the https version of the site is now working!
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39831622
excellent stuff....
0
 
LVL 1

Author Comment

by:killdurst
ID: 39834397
Another thing, I find it to be quite redundant if every site needs to have 2 "VirtualHost" blocks in httpd.conf if I want the site to be accessible from both port 80 and 443. For example, for http access through port 80...
<VirtualHost 10.10.11.155:443>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
</VirtualHost>

Open in new window

And for https access through port 443...
<VirtualHost 10.10.11.155:443>
ServerName abc.net
ServerAlias www.abc.net
ServerAlias webmail.abc.net
...
...
...
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/abc.crt
SSLCertificateKeyFile /etc/pki/tls/private/abc.key
</VirtualHost>

Open in new window

Is it possible to set the 443 directive within the same virtual host as the port 80? Thanks.
0
 
LVL 13

Accepted Solution

by:
Sandy earned 334 total points
ID: 39834735
You can use any # of hosts and ports in a single Virtualhost directive.

<VirtualHost addr[:port] [addr[:port]] ...> ... </VirtualHost>

Example

<VirtualHost *:80 *:443>
  ServerName loop.lk

 ....
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/local.crt

</VirtualHost>

TY/SA
0
 
LVL 1

Author Comment

by:killdurst
ID: 39834787
Cool! Thanks guys! Will be closing this question soon and distributing points if all goes well... :)
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Coding C# in Linux 8 71
AWS Central Authentication 1 67
How to install a renewed SSL certificate on Windows 2012 server 7 74
Sonicwall SHA issue 4 30
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question