Debian, Apache2 and SSL

Since there is surprisingly little information on the net about setting up Apache2 with SSL under Debian, here are two links that will help: Installing SSL on Debian Apache2 and Creating an SSL-certificate for my webserver.

For archival purposes, here is the content of those links once more.

[b]Installing SSL on Debian Apache2[/b]
Posted 10/21/2004

In the world of Debian, you have a couple choices when you want to install Apache version 1. There’s the plain apache package, but you can also apt-get the apache-ssl package. For a while I was running both: each of these packages installs its own server for regular and SSL traffic. With apache2, it’s a little different.

There’s still a selection of packages for Apache2, but they pertain to the inner workings of the server. For a while I was running apache2 and apache-ssl separately, but the redundancy started to get on my nerves. Why run two servers when one will do just fine? Apache2 can be set up to handle SSL, so it’s just a matter of figuring out the right configuration.

That’s easier said than done. The documentation on Apache2 and SSL is thin, almost invisibly thin. Google searches didn’t turn up much either. Here’s how I got things working.

First, get yourself squared away with regular apache2. Once it’s up and running you’ve got two obstacles to cross. The first is creating your SSL certificate. In /etc/apache2/ you’ll find an ssl directory with nothing in it. As root, run the command [code]apache2-ssl-certificate[/code] to create a self-signed certificate. This will create two files in the ssl directory: apache.pem and some other randomly named file (mine is d41305d1.0).

If you had a real certificate, you’d skip the apache2-ssl-certificate script altogether and copy over your existing files. Regardless of where they come from I suppose you could put your certificate files anywhere you felt like putting them, but that ssl directory seems like it’s there for a reason, no?

The second obstacle is getting apache acquainted with your certificate, and more broadly, persuading it that it really can understand the lingo of SSL. Unless you’re incredibly interested in cipher suites, you’ll probably want to do what I did: use the sample ssl file provided in /usr/share/doc/apache2/examples/ssl.conf.gz. Unzip that file, then copy it to /etc/apache2/sites-available. Run [code]a2ensite ssl.conf[/code]. Also take this time to run [code]a2enmod ssl[/code] if you haven’t already. The first command sets up an SSL-aware virtual host, the second enables mod_ssl. Both feats are courtesy of nice Debian utility programs that create symlinks between mods-available/mods-enabled and sites-available/sites-enabled. Read the README in /etc/apache2 for more details, then feel smug at the fact that you’re doing things “the Debian way”.

Almost done! I found this last step to be the least obvious of them all. In ssl.conf, look for [code]SSLCertificateFile[/code] and set it to the apache.pem file in /etc/apache2/ssl. A few lines down from there find [code]SSLCertificateKeyFile[/code] and set that to the other file in the ssl directory.

Last but not least, add [code]Listen 443[/code] to /etc/apache2/ports.conf.

[b]Note, February 2005: Reader Hannes Fehr from Germany writes:[/b]

“When I did this, apache told me it couldn’t bind to that port. Turns out that this line was already in my /usr/share/doc/apache2/examples/ssl.conf.gz. I guess they changed the file? Running Apache/2.0.52 btw”

If all goes according to plan you’ll have a virtual host running SSL in addition to your other non-ssl virtual hosts (or just the default, if you’re only running a single site). In retrospect the process seems pretty easy, and it is. It’s the lack of documentation to guide you on your way that makes things seem more complicated than they are.


[b]Creating an SSL-certificate for my webserver[/b]
Self-signed certificate

[code]#!/bin/sh
# Creates an RSA private key and a self-signed certificate for $SERVER.
SERVER=ssl.brainstorm.zirndorf.de
PRIVATE_KEY=$SERVER.private.key
CERTIFICATE_FILE=$SERVER.crt
VALID_DAYS=365

echo Delete old private key
rm -f $PRIVATE_KEY
echo Create new private/public-keys without passphrase for server
# Note: 1024-bit RSA keys are considered too weak today; use at least 2048.
openssl genrsa -out $PRIVATE_KEY 1024

echo Create selfsigned certificate
rm -f $CERTIFICATE_FILE
# From man req:
# -x509
# this option outputs a self signed certificate instead
# of a certificate request. This is typically used to
# generate a test certificate or a self signed root CA.
# The extensions added to the certificate (if any) are
# specified in the configuration file.

openssl req -new -days $VALID_DAYS -key $PRIVATE_KEY \
    -x509 -out $CERTIFICATE_FILE

echo private-keyfile is $PRIVATE_KEY
echo server-certificate-file is $CERTIFICATE_FILE

ls -l $PRIVATE_KEY $CERTIFICATE_FILE[/code]

[b]Create a request for an official certificate[/b]

This is the shell script I do it with; the default values are taken from the file /etc/ssl/openssl.cnf:

[code]#!/bin/sh
# Creates an RSA private key and a certificate signing request (CSR) for $SERVER.
SERVER=ssl.yourserver.de
PRIVATE_KEY=$SERVER.private.key
CERTIFICATE_FILE=$SERVER.crt
SIGNING_REQUEST=$SERVER.signing.request
VALID_DAYS=365

echo Delete old private key
rm -f $PRIVATE_KEY
echo Create new private/public-keys without passphrase for server
# Note: 1024-bit RSA keys are considered too weak today; use at least 2048.
openssl genrsa -out $PRIVATE_KEY 1024

echo Create file for signing request
rm -f $SIGNING_REQUEST
openssl req -new -days $VALID_DAYS \
    -key $PRIVATE_KEY -out $SIGNING_REQUEST

echo Filename for signing request is: $SIGNING_REQUEST
echo Send the content of the file to the certification authority.
echo "For example: Christian Heutger [c.heutger@psw.biz]"
echo from http://www.ssl-certs.de
cat $SIGNING_REQUEST

echo You can check this request at
echo https://secure.comodo.net/utilities/decodeCSR.html[/code]

The procedure looks like this:

[code]# ./create_signing_request.sh
Delete old private key
Create new private/public-keys without passphrase for server
Generating RSA private key, 1024 bit long modulus
.......................................................++++++
......++++++
e is 65537 (0x10001)
Create file for signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]: DE
State or Province Name (full name) [Some-State]:Bayern
Locality Name (eg, city) []:Zirndorf
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany AG
Organizational Unit Name (eg, section) []:EDV
Common Name (eg, YOUR name) []:ssl.yourserver.de
Email Address []:edv@mycompany.ag

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Filename for signing request is: ssl.yourserver.de.signing.request
Send the content of the file to the certification authority.
For example: Christian Heutger [c.heutger@psw.biz]
from http://www.ssl-certs.de
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAP

lEA=
-----END CERTIFICATE REQUEST-----
You can check this request at
https://secure.comodo.net/utilities/decodeCSR.html[/code]

Check your request at https://secure.comodo.net/utilities/decodeCSR.html.
Submit the request at the trust center:

* http://www.ssl-certs.de
* I chose the Bronze-Certificate and wrote a mail to the people containing my signing-request, my address, email, phone-number and a photocopy of my id-card.
* I had to accept this and that via a webpage.
* I got an email with this:
[code]Your Web Server Certificate:
-----BEGIN CERTIFICATE-----
MIIEP…

jXxxxx
-----END CERTIFICATE-----[/code]

Activate everything in Apache2

Copy the certificate-file from the email to /etc/apache2/ssl/ssl.brainstorm/brainstorm.crt
This file looks like this:
[code]-----BEGIN CERTIFICATE-----
MIIEP…

jXxxxx
-----END CERTIFICATE-----[/code]
Copy the file ssl.brainstorm.zirndorf.de.private.key to /etc/apache2/ssl/ssl.brainstorm/brainstorm.private.key
This file looks like this:
[code]-----BEGIN RSA PRIVATE KEY-----
MII…

gfjxxx
-----END RSA PRIVATE KEY-----[/code]
I had to activate this in my apache config file for the SSL server:
[code]SSLCertificateKeyFile /etc/apache2/ssl/ssl.brainstorm/brainstorm.private.key
SSLCertificateFile /etc/apache2/ssl/ssl.brainstorm/brainstorm.crt[/code]
I had to enable these modules in /etc/apache2/mods-enabled/ (Debian):
[code]ssl.conf
ssl.load[/code]
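Before pointing SSLCertificateFile and SSLCertificateKeyFile at the two files, a practitioner would check that the key and the certificate actually belong together, that the Common Name is the host name clients will use, and that the certificate is not about to expire; a mismatch only shows up as a failed Apache start. The script below is an added example, not code from either archived article: it assumes the openssl command-line tool, uses constructed file and host names, and generates a 2048-bit key instead of the 1024-bit key of the scripts above, which is too small by today's standards.

```shell
#!/bin/sh
# Added example, not part of either archived article: create a key/certificate
# pair the way the scripts above do (but with a 2048-bit key) and verify the
# pair before pointing SSLCertificateFile / SSLCertificateKeyFile at it.
# Assumes the openssl command-line tool; all file and host names are constructed.
set -eu

# make_selfsigned SERVER DAYS: writes SERVER.private.key and SERVER.crt
make_selfsigned() {
    openssl genrsa -out "$1.private.key" 2048 2>/dev/null
    openssl req -new -x509 -days "$2" -key "$1.private.key" \
        -subj "/C=DE/ST=Bayern/L=Zirndorf/O=MyCompany AG/CN=$1" \
        -out "$1.crt" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE: succeeds only if the RSA modulus of the
# private key equals the modulus of the public key inside the certificate,
# i.e. Apache would not refuse to start with a key/certificate mismatch.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1")
    crt_mod=$(openssl x509 -noout -modulus -in "$2")
    [ "$key_mod" = "$crt_mod" ]
}

# cert_cn CERTFILE: prints the Common Name, which must equal the host name
# clients connect to (handles both "CN = x" and "/CN=x" subject formats).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

# cert_not_expiring CERTFILE DAYS: succeeds if the certificate stays valid for
# at least DAYS more days (-checkend takes seconds).
cert_not_expiring() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# check_pair KEYFILE CERTFILE: run the checks and report; non-zero on failure.
check_pair() {
    key_matches_cert "$1" "$2" || { echo "MISMATCH: $1 does not belong to $2"; return 1; }
    cert_not_expiring "$2" 30 || { echo "EXPIRING: $2 is valid for less than 30 days"; return 1; }
    echo "OK: $2 (CN=$(cert_cn "$2")) matches $1"
}

# Usage: ./check_ssl_pair.sh server.private.key server.crt
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```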


Note: cacert.org offers free certificates for exactly this purpose. Newer browsers (Firefox!) already list cacert.org as a root CA, so no warning appears when you open a website signed by this CA.