# Apache2 with OpenSSL [solved]

## insaan

Hi all,

I am configuring OpenSSL for Apache2. I have created four keys in /etc/ssl/: mycert.key, mycert.csr, mycert.cert and mycert.der.crt. I followed the steps described in http://www.gentoo.org/doc/en/virt-mail-howto.xml but it doesn't work. I get no connection to the server. Is there someone who could give me some hints or some good links?

Cheers

Last edited by insaan on Tue Jan 18, 2005 3:52 pm; edited 1 time in total

----------

## tuxmin

The initial connection to the server does not depend on your certificates! Most likely your apache isn't listening on port 443. Did you enable SSL in /etc/conf.d/apache2 and did you configure apache accordingly?

You can tell if apache listens on port 443 using "netstat -anp | grep LISTEN".

Besides, did you copy the certificate and key to the proper location at the end (following Code Listing 8.2 in the document you mention)?

Hth, Alex!!!

----------

## insaan

Hallo Alex,

First, thanks for your reply. I have created four keys in /etc/ssl.

1. openssl req -config openssl.cnf -new -out mycert.csr

2. openssl rsa -in privkey.pem -out mycert.key

3. openssl x509 -in mycert.csr -out mycert.cert -req -signkey mycert.key -days 365

4. openssl x509 -in mycert.cert -out mycert.der.crt -outform DER

I created server.{crt,key}, when I configured Apache2. 

Thereafter I copied the server.{crt,key} files and mycert.{cert,key} into /etc/apache2/conf/ssl. As SSL settings are defined in /etc/apache/conf/vhosts/ssl.default-vhost.conf, I copied the server.{crt,key} files and mycert.{cert,key} into the same directory. I also changed the port 80 to 443 in apache2.conf and apache.conf as well.

I am sure, I am making here some mistakes. Could you see here, what I am doing wrong? Must I touch some files in /etc/apache, as I am running Apache2?

Cheers Insaan

----------

## tuxmin

First of all: you definitely need a line

```
APACHE2_OPTS="-D SSL"
```

in your /etc/conf.d/apache2 or all your efforts will be nought.

Second: all config files you need are in /etc/apache2/conf

The piece of config that comes into play when you add -D SSL now is called

```
/etc/apache2/conf/modules.d/40_mod_ssl.conf and
/etc/apache2/conf/modules.d/41_mod_ssl.default-vhost.conf
```

Have a close look at these files and try to understand what they do! Especially at the lines

```
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
```

in 41...

Make sure the values here match path and name of your cert and key. Which cert/key files you use doesn't matter at first, just get it running. As your certificate is self-signed your browser will whine anyway that your server is not trustworthy ;P

And revert the Port directive to 80!!!

Regards, Alex!!!

----------

## insaan

Hi again,

I did, as u described.  Added  

APACHE_OPTS="D SSL" in apache2.conf/

The file modules.d/41_mod_ssl.default/vhost.conf contains the following lines

SSLCertificateFile conf/ssl/server.crt 

SSLCertificateKeyFile conf/ssl/server.key 

In file modules.d/40_mod_ssl:

SSLMutex points to file:/var/cache/apache2/ssl_mutex, which does not exist. I tried to find it on the system, but there is no file with this name.

SSLRandomSeed startup builtin

SSLRandomSeed connect builtin

When I run

#apache -t apache2.conf

alert apache:Could not find the serverss full qualified name using 127.0.0.1 for ServerName

Syntax ok

and

#apache2 -k start

Syntax error in apache2.conf

Invaild command APACHE2_OPTS="-D'

and error in /usr/lib/apache2/logs/error_log: 

client IP_Fron_Where_I_Call_Apache File does not exist: /var/ww/localhost/htdocs/favicon.ico

I found this file on the system and copied into htdocs, but the same error again.

I googled this error and found only one result to my error, but it was in Polish :}

Thanks again Alex

----------

## tuxmin

You should read my posting more carefully: 

 *Quote:*

> First of all: you definitely need a line
>
> Code:
> ...

/var/cache/apache2/ssl_mutex will be created upon startup. No need to create the file. I strongly suggest you read about all directives you don't fully understand here

And make it APACHE2_OPTS. APACHE_OPTS will not work!

----------

## mccubbin

I just worked through this problem. It was tough on a guy who knows little about ssl :) Anyway, there are a few directories missing is all. You have to create them by hand then everything falls into place.

First emerge --unmerge apache

Then make the new directories:

  cd /etc/apache2/conf

see if ssl is there - if not:

  mkdir ssl

Then:

  cd /var/cache/apache2

see if ssl_mutex is there, and if not:

  mkdir ssl_mutex

Then you can reemerge apache and the certificates should be autogenerated.  

The other problem was that there was no /var/cache/apache2/ssl_mutex directory for the other "whateveritis" to be autogenerated in. That solved the initial can't find the certificate problem, then solved the [!!] error on startup with no explanation. I found that one in the logs.

Hope that helps some.

----------

## Chris..S

 *mccubbin wrote:*   

> ...
> 
> Then:
> 
>   cd /var/cache/apache2
> ...

 

Are you sure about the mkdir ssl_mutex?

I have just completed a successful installation of apache2 (2.0.52 r1) 

To get apache up and running with SSL, the only changes I needed to make after emerge were:

mkdir /var/log/apache2

mkdir /var/cache/apache2

mkdir /etc/apache2/conf/ssl

generate a certificate (server.crt & server.key) in /etc/apache2/conf/ssl

uncomment  APACHE2_OPTS="-D SSL" in /etc/conf.d/apache2

set a value for ServerName in /etc/apache2/conf/apache2.conf

Then  /etc/init.d/apache2 start

:)

There was one other change to also get PHP working, but that was it.

----------

## insaan

Hi chris,

thanks for your reply. I did as u described, but still get the following problem coz of APACHE2_OPTS="-D SSL"

Syntax error on line 107 of /etc/apache2/conf/apache2.conf:

Invalid command 'APACHE2_OPTS="-D', perhaps mis-spelled or defined by a module not included in the server configuration 

When I comment out APACHE2_OPTS="-D SSL", apache runs but without ssl :(

Thanks

----------

## Falador

Not being nasty, insaan, but you really should read the posts more carefully.

APACHE2_OPTS="-D SSL" needs to be in /etc/conf.d/apache2 not  /etc/apache2/conf/apache2.conf

This has been stated more than once.

----------
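The checks that resolved this thread (where `APACHE2_OPTS` belongs, whether the vhost's certificate paths point at real files, whether cert and key belong together, whether anything listens on 443), collected as an added shell example that is not part of any post. Function names are hypothetical; the paths are the ones quoted in the posts, and ServerRoot is assumed to be /etc/apache2, which is what makes `conf/ssl/server.crt` resolve to /etc/apache2/conf/ssl/server.crt.

```shell
#!/bin/sh
# Added example: sanity checks for the Gentoo Apache2 + mod_ssl layout in this
# thread. Function names are hypothetical; ServerRoot=/etc/apache2 is assumed.

# 0 if the init-script settings file has an uncommented APACHE2_OPTS with -D SSL.
ssl_enabled_in_confd() {
    grep -Eq '^[[:space:]]*APACHE2_OPTS=.*-D[[:space:]]*SSL' "$1"
}

# Print shell-style assignments that ended up inside an httpd config file.
# httpd parses every line as a directive, so these cause "Invalid command".
misplaced_opts() {
    grep -En '^[[:space:]]*APACHE2?_OPTS=' "$1"
}

# Print the path given to a directive (e.g. SSLCertificateFile) in a vhost
# file; relative paths are resolved against ServerRoot, as httpd does.
directive_path() {  # usage: directive_path DIRECTIVE VHOST_FILE SERVER_ROOT
    p=$(awk -v d="$1" '$1 == d { print $2; exit }' "$2")
    [ -n "$p" ] || return 1
    case $p in /*) printf '%s\n' "$p" ;; *) printf '%s/%s\n' "$3" "$p" ;; esac
}

# 0 if the certificate and the RSA key share a modulus, i.e. belong together.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ "$c" = "$k" ]
}

# Run every check against a live system and report what is wrong.
check_all() {  # usage: check_all [SERVER_ROOT]
    root=${1:-/etc/apache2}
    vhost=$root/conf/modules.d/41_mod_ssl.default-vhost.conf
    ssl_enabled_in_confd /etc/conf.d/apache2 || echo "no -D SSL in /etc/conf.d/apache2"
    misplaced_opts "$root/conf/apache2.conf" && echo "^ belongs in /etc/conf.d/apache2"
    crt=$(directive_path SSLCertificateFile "$vhost" "$root") || echo "no SSLCertificateFile"
    key=$(directive_path SSLCertificateKeyFile "$vhost" "$root") || echo "no SSLCertificateKeyFile"
    [ -r "$crt" ] && [ -r "$key" ] || { echo "cert or key unreadable: $crt $key"; return 1; }
    cert_matches_key "$crt" "$key" || echo "certificate and key do not match"
    netstat -an | grep -Eq '[:.]443[[:space:]].*LISTEN' || echo "nothing listening on 443"
}

# Only touch the real system when asked to: sh checks.sh --run [SERVER_ROOT]
case ${1:-} in --run) check_all "${2:-}" ;; esac
```
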

## insaan

Thanks!! The last post I read in a hurry, and made a mistake. However, it works now :D

One thing, what wonders me is that, my apache works with and without SSL. That is; http://localhost and also https://localhost. Now, how can I deactivate http so that only https is allowed?

Thanks a lot

INSAAN

----------

