Posted to users@httpd.apache.org by Andy Canfield <an...@yandex.com> on 2014/04/03 10:39:07 UTC

[users@httpd] https

I have been using apache for maybe ten years now, and maintain two
servers in addition to the apache on my notebook computer for testing.
All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
from http to https.

But the documentation is insane. A piece here, a piece there, have to do
X (but first? and afterwards?). Assuming everything else is OK, this
is the way you edit this line in VirtualHost file (there is no
"/etc/apache2/.../VirtualHost" file!)

I figure that I need to do it in two steps:
[1] Get the https version up and running, and
[2] Make the http version automatically switch to https.

But I can't get https working at all, for anything. There's a "Listen
443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
closed port.

Has anybody else ever converted a hosted site from http to https? What
did you have to do to get the secure one working?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] https

Posted by Andy Canfield <an...@yandex.com>.
Thank you very much, Pete. Your answer was most helpful. I was dumb
because the 'man req 1' page describes the '-subj' parameter in line 81
and in line 154 but the text you sent me is in lines 482++. Similarly
the openssl.cnf file never mentions "-subj" at all. I will read that web
page you listed for me.

Thanks.
- Andy

On 04/04/2014 07:37 PM, Pete Houston wrote:
> From the openssl documentation at http://www.openssl.org/docs/apps/req.html
> is this list of example field values:
>
>  [ req_distinguished_name ]
>  C                      = GB
>  ST                     = Test State or Province
>  L                      = Test Locality
>  O                      = Organization Name
>  OU                     = Organizational Unit Name
>  CN                     = Common Name
>  emailAddress           = test@email.address
>
> Note that this is a copy of the req man page which you referred to
> says. In the case of a server certificate, the Common Name is the FQDN
> of the server, eg: www.example.com. The "company name" which you refer
> to below] should always go in the O field.
>
> There's also some really good documentation on the apache site at
> http://httpd.apache.org/docs/2.4/ssl/ssl_intro.html which I would
> recommend going through if all this is new to you.
>
> HTH,
>
> Pete
>




Re: [users@httpd] https

Posted by Pete Houston <ph...@openstrike.co.uk>.
From the openssl documentation at http://www.openssl.org/docs/apps/req.html
is this list of example field values:

 [ req_distinguished_name ]
 C                      = GB
 ST                     = Test State or Province
 L                      = Test Locality
 O                      = Organization Name
 OU                     = Organizational Unit Name
 CN                     = Common Name
 emailAddress           = test@email.address

Note that this is a copy of the req man page which you referred to
says. In the case of a server certificate, the Common Name is the FQDN
of the server, eg: www.example.com. The "company name" which you refer
to below] should always go in the O field.

There's also some really good documentation on the apache site at
http://httpd.apache.org/docs/2.4/ssl/ssl_intro.html which I would
recommend going through if all this is new to you.

HTH,

Pete

On Fri, Apr 04, 2014 at 06:47:47PM +0700, Andy Canfield wrote:
> Well, "a while" turned out to be one day. Stuck again.
> 
> I found a web page that had some info on it. It shows a command (openssl
> req) to create a privately signed SSL key. Unfortunately, it doesn't
> explain that command, but 'man req 1' has more information such as what
> '-x509' does for me (this has got to be one of the greatest parameter
> keywords of all time). However, the example includes this on the openssl
> command line:
> 
>     -subj /O=VirtualH/OU=Virtual/CN=127.0.0.1
> 
> The man req 1 page says this consists of a subject line with sub-options
> /O as "VirtualH", /OH as "Virtual", and "CN" as "127.0.0.1", and no
> blanks. But I can find nothing, NOTHING, that explains what the
> suboptions of the -subj parameter are. What is O? What is OU? What is
> CN? Is 'VirtualH' a name for the virtual host? Where is that documented,
> does anyone know?
> 
> I'd like to get the company name into that certificate somewhere, but
> don't yet see how.
> 
> Thank you.

-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107

Re: [users@httpd] https

Posted by Andy Canfield <an...@yandex.com>.
Well, "a while" turned out to be one day. Stuck again.

I found a web page that had some info on it. It shows a command (openssl
req) to create a privately signed SSL key. Unfortunately, it doesn't
explain that command, but 'man req 1' has more information such as what
'-x509' does for me (this has got to be one of the greatest parameter
keywords of all time). However, the example includes this on the openssl
command line:

    -subj /O=VirtualH/OU=Virtual/CN=127.0.0.1

The man req 1 page says this consists of a subject line with sub-options
/O as "VirtualH", /OH as "Virtual", and "CN" as "127.0.0.1", and no
blanks. But I can find nothing, NOTHING, that explains what the
suboptions of the -subj parameter are. What is O? What is OU? What is
CN? Is 'VirtualH' a name for the virtual host? Where is that documented,
does anyone know?

I'd like to get the company name into that certificate somewhere, but
don't yet see how.

Thank you.


>     Thank you very much Yehuda. I think I am launched and can follow
>     on for a while by myself.
>
>
>>
>>
>>     On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield
>>     <andycanfield@yandex.com> wrote:
>>
>>
>>         Files:
>>
>>         -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>>
>>         -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>>
>>         So AFAIK I've got a certificate I've generated myself. Nobody
>>         vouches for me but it should enable encryption and make my
>>         TCP/IP packets hard to read.
>>
>>         Contents of /etc/apache2/ports.conf:
>>         NameVirtualHost *:80
>>         Listen 80
>>
>>         <IfModule mod_ssl.c>
>>             Listen 443
>>         </IfModule>
>>         <IfModule mod_gnutls.c>
>>             Listen 443
>>         </IfModule>
>>
>>         Files:
>>
>>         -rw-r--r-- 1 andy 1439 Apr  3 14:48
>>         /etc/apache2/sites-available/default
>>         -rw-r--r-- 1 andy 7485 Jun 16  2011
>>         /etc/apache2/sites-available/default-ssl
>>         -rw-r--r-- 1 root 7469 Feb  7  2012
>>         /etc/apache2/sites-available/default-ssl.original
>>         -rw-r--r-- 1 root  950 Feb  7  2012
>>         /etc/apache2/sites-available/default.original
>>
>>         I see here that /etc/apache2/sites-available has one symbolic
>>         link to /etc/apache2/sites-available/default, and no symbolic
>>         links to any of the other entries in the sites-available
>>         directory. Also all the other entries in
>>         /etc/apache2/sites-available are symbolic links to
>>         configuration files such as
>>
>>         lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
>>
>>         These links have been working fine for years as links into
>>         the site control directory and not into 'sites-available'.
>>         But perhaps that is wrong.
>>
>>         Maybe what I need is a symbolic link from sites-enabled to
>>         ../sites-available/default-ssl ? Nope, tested, did not solve
>>         the problem....
>>
>>         When I give this command (as root) -
>>
>>             /etc/init.d/apache2 restart
>>
>>         I see only this output:
>>
>>         apache2: Could not reliably determine the server's fully
>>         qualified domain name, using 192.168.1.112 for ServerName
>>          ... waiting apache2: Could not reliably determine the
>>         server's fully qualified domain name, using 192.168.1.112 for
>>         ServerName
>>                                                                                    
>>         [ OK ]
>>
>>         But nmap still says that nothing is listening to port 443.
>>
>>         Thank you Oren.
>>
>>
>>         On 04/03/2014 04:04 PM, Oren wrote:
>>>         Hi Andy.
>>>         Process basically include getting/creating a certificate,
>>>         define it on your site and reload apache.
>>>         here is a centos manual which is not exactly the same on
>>>         ubuntu but pretty much explains the order of things
>>>         http://wiki.centos.org/HowTos/Https
>>>
>>>         on ubuntu you will have to open the 443 port
>>>         <IfModule mod_ssl.c>
>>>             Listen 443
>>>         </IfModule>
>>>
>>>         once the https is ready, you can do a redirect to the https
>>>         site from http. (with mod_rewrite)
>>>
>>>         do you have logs or any information on what is not working?
>>>
>>>         Oren
>>>
>>>         On 04/03/2014 11:39 AM, Andy Canfield wrote:
>>>>         I have been using apache for maybe ten years now, and
>>>>         maintain two
>>>>         servers in addition to the apache on my notebook computer
>>>>         for testing.
>>>>         All using Ubuntu Linux *.04 LTS. It now appears that I
>>>>         ought to convert
>>>>         from http to https.
>>>>
>>>>         But the documentation is insane. A piece here, a piece
>>>>         there, have to do
>>>>         X (but first? and afterwards?). Assuming everything else
>>>>         is OK, this
>>>>         is the way you edit this line in VirtualHost file (there is no
>>>>         "/etc/apache2/.../VirtualHost" file!)
>>>>
>>>>         I figure that I need to do it in two steps:
>>>>         [1] Get the https version up and running, and
>>>>         [2] Make the http version automatically switch to https.
>>>>
>>>>         But I can't get https working at all, for anything. There's
>>>>         a "Listen
>>>>         443" in /etc/apache2/ports.conf but 'nmap localhost' says
>>>>         443 is a
>>>>         closed port.
>>>>
>>>>         Has anybody else ever converted a hosted site from http to
>>>>         https? What
>>>>         did you have to do to get the secure one working?
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>         .
>>>
>>
>>
>
>


Re: [users@httpd] https

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Fri, Apr 4, 2014 at 12:55 AM, Andy Canfield <an...@yandex.com> wrote:

>  There are several lines in places that read
>     <IfModule mod_ssl.c>
> There is no file on my hard disk named "mod_ssl.c". There is, however, a
> file named
>     /usr/lib/apache2/modules/mod_ssl.so
> Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"? Like
> was the ssl module written in C?
>

http://httpd.apache.org/docs/2.2/mod/core.html#ifmodule
<IfModule *module*>:
The module argument can be either the module identifier or the file name of
the module, at the time it was compiled. For example, rewrite_module is the
identifier and mod_rewrite.c is the file name.


On 04/03/2014 09:46 PM, Yehuda Katz wrote:
>
> Debian/Ubuntu have a slightly different default layout and include some
> tools to help you work with it. The tools just create the symlinks for you,
> but the major benefit is that all of them support tab-completion, so you
> know what is available.
>
>  a2enmod / a2dismod: enable or disable apache modules
> a2ensite / a2dissite: enable or disable apache vhosts
>  a2enconf / a2disconf: enable or disable apache configuration files
> (added in Ubuntu 13.10)
>
>  The first thing to check is that you have loaded mod_ssl, either by
> running `a2enmod ssl` or looking at the modules-enabled directory.
> You are probably not listening on 443 since it is inside the <ifmodule>
> and the module is not loaded.
>
>
> Then as instructed by a2enmod I ran the command
>   service apache2 restart
> I normally use '/etc/init.d/apache2 restart' but I did it with 'service'
> this time.
>

They do the same thing in this case.
I usually run apache2ctl configtest before I restart to make sure that I
will not discover a problem when the server is in the process of restarting.


> After some editing for fixing up things like DocumentRoot (changed to my
> own) I got it to restart with no errors.
>
>
>  You should have Ubuntu's default SSL vhost in
> sites-available/default-ssl.conf and you can enable it using the tool (or
> manual symlink).
>
> There is no file extension on "/etc/apache2/sites-available/default-ssl",
> I assume that file is correct. It starts with these two lines:
> <IfModule mod_ssl.c>
> <VirtualHost _default_:443>
>
> The above has the keyword "_default_" in the VirtualHost line. All of my
> existing http config files read like this:
>     <VirtualHost *:80>
> There is no Virtual Host name in that line, so presumably they all share
> the same virtual host, yes? Do I need multiple virtual hosts for https, or
> will one virtual host be OK for all the sites?
>

An HTTPS vhost is exactly the same as an HTTP vhost except for the
certificate configuration.
If you want multiple vhosts with HTTPS though, you either need an IP
address for each or all of your users need to support SNI in their browsers
(any modern browser should).
This wiki page is a bit old, but still looks correct:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

> Wonderful! I rebooted the computer just to make 100% sure of my restarting
> EVERYTHING, and then ran 'nmap localhost' and it finally showed me this
> line:
>     443/tcp  open  https
> Great! Now somebody is listening.
>
> I sent Firefox to "https://localhost/" and after a
> bunch of crabbing about the certificate I got to see the same site. So now
> I have to figure out how to make a certificate (FYI I am an anarchist).
>
> I went to one of my sites and followed a link and discovered that it
> switched back to "http://" because that is what is in the HTML. Gotta fix
> that.
>
>
>  You can enable any vhost for SSL by adding a few directives to it (it
> will stop listening on non-ssl):
> - Change the virtualhost port to 443
> - SSLEngine on
> - SSLCertificateFile      /etc/apache2/ssl/example.com.crt
> - (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is
> not in the same file)
>
>  There are a few other default things in the default-ssl vhost to fix
> buggy browsers and provide more info to cgi-scripts.
>
> "buggy browsers" as in Internet Explorer, right? These are intra-company
> web sites, and we simply tell people not to use IE.
>
>
>  - Y
>
> Thank you very much Yehuda. I think I am launched and can follow on for a
> while by myself.
>
>
>
>
> On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield <an...@yandex.com> wrote:
>
>>
>> Files:
>>
>> -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>>
>> -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>>
>> So AFAIK I've got a certificate I've generated myself. Nobody vouches for
>> me but it should enable encryption and make my TCP/IP packets hard to read.
>>
>> Contents of /etc/apache2/ports.conf:
>> NameVirtualHost *:80
>> Listen 80
>>
>> <IfModule mod_ssl.c>
>>     Listen 443
>> </IfModule>
>>  <IfModule mod_gnutls.c>
>>     Listen 443
>> </IfModule>
>>
>> Files:
>>
>> -rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
>> -rw-r--r-- 1 andy 7485 Jun 16  2011
>> /etc/apache2/sites-available/default-ssl
>> -rw-r--r-- 1 root 7469 Feb  7  2012
>> /etc/apache2/sites-available/default-ssl.original
>> -rw-r--r-- 1 root  950 Feb  7  2012
>> /etc/apache2/sites-available/default.original
>>
>> I see here that /etc/apache2/sites-available has one symbolic link to
>> /etc/apache2/sites-available/default, and no symbolic links to any of the
>> other entries in the sites-available directory. Also all the other entries
>> in /etc/apache2/sites-available are symbolic links to configuration files
>> such as
>>
>> lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
>>
>> These links have been working fine for years as links into the site
>> control directory and not into 'sites-available'. But perhaps that is wrong.
>>
>> Maybe what I need is a symbolic link from sites-enabled to
>> ../sites-available/default-ssl ? Nope, tested, did not solve the problem....
>>
>> When I give this command (as root) -
>>
>>     /etc/init.d/apache2 restart
>>
>> I see only this output:
>>
>> apache2: Could not reliably determine the server's fully qualified domain
>> name, using 192.168.1.112 for ServerName
>>  ... waiting apache2: Could not reliably determine the server's fully
>> qualified domain name, using 192.168.1.112 for ServerName
>>
>> [ OK ]
>>
>> But nmap still says that nothing is listening to port 443.
>>
>> Thank you Oren.
>>
>>
>> On 04/03/2014 04:04 PM, Oren wrote:
>>
>>  Hi Andy.
>> Process basically include getting/creating a certificate, define it on
>> your site and reload apache.
>> here is a centos manual which is not exactly the same on ubuntu but
>> pretty much explains the order of things
>> http://wiki.centos.org/HowTos/Https
>>
>> on ubuntu you will have to open the 443 port
>> <IfModule mod_ssl.c>
>>     Listen 443
>> </IfModule>
>>
>> once the https is ready, you can do a redirect to the https site from
>> http. (with mod_rewrite)
>>
>> do you have logs or any information on what is not working?
>>
>> Oren
>>
>> On 04/03/2014 11:39 AM, Andy Canfield wrote:
>>
>> I have been using apache for maybe ten years now, and maintain two
>> servers in addition to the apache on my notebook computer for testing.
>> All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
>> from http to https.
>>
>> But the documentation is insane. A piece here, a piece there, have to do
>> X (but first? and afterwards?). Assuming everything else is OK, this
>> is the way you edit this line in VirtualHost file (there is no
>> "/etc/apache2/.../VirtualHost" file!)
>>
>> I figure that I need to do it in two steps:
>> [1] Get the https version up and running, and
>> [2] Make the http version automatically switch to https.
>>
>> But I can't get https working at all, for anything. There's a "Listen
>> 443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
>> closed port.
>>
>> Has anybody else ever converted a hosted site from http to https? What
>> did you have to do to get the secure one working?
>>
>>
>>
>>
>>  .
>>
>>
>>
>
>

Re: [users@httpd] https

Posted by Andy Canfield <an...@yandex.com>.
There are several lines in places that read
    <IfModule mod_ssl.c>
There is no file on my hard disk named "mod_ssl.c". There is, however, a
file named
    /usr/lib/apache2/modules/mod_ssl.so
Is there some magic connection between "mod_ssl.c" and "mod_ssl.so"?
Like was the ssl module written in C?

On 04/03/2014 09:46 PM, Yehuda Katz wrote:
> Debian/Ubuntu have a slightly different default layout and include
> some tools to help you work with it. The tools just create the
> symlinks for you, but the major benefit is that all of them support
> tab-completion, so you know what is available.
>
> a2enmod / a2dismod: enable or disable apache modules
> a2ensite / a2dissite: enable or disable apache vhosts
> a2enconf / a2disconf: enable or disable apache configuration files
> (added in Ubuntu 13.10)
>
> The first thing to check is that you have loaded mod_ssl, either by
> running `a2enmod ssl` or looking at the modules-enabled directory.
> You are probably not listening on 443 since it is inside the
> <ifmodule> and the module is not loaded.

Then as instructed by a2enmod I ran the command
  service apache2 restart
I normally use '/etc/init.d/apache2 restart' but I did it with 'service'
this time.

After some editing for fixing up things like DocumentRoot (changed to my
own) I got it to restart with no errors.

>
> You should have Ubuntu's default SSL vhost in
> sites-available/default-ssl.conf and you can enable it using the tool
> (or manual symlink).
There is no file extension on
"/etc/apache2/sites-available/default-ssl", I assume that file is
correct. It starts with these two lines:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>

The above has the keyword "_default_" in the VirtualHost line. All of
my existing http config files read like this:
    <VirtualHost *:80>
There is no Virtual Host name in that line, so presumably they all share
the same virtual host, yes? Do I need multiple virtual hosts for https,
or will one virtual host be OK for all the sites?

Wonderful! I rebooted the computer just to make 100% sure of my
restarting EVERYTHING, and then ran 'nmap localhost' and it finally
showed me this line:
    443/tcp  open  https
Great! Now somebody is listening.

I sent Firefox to "https://localhost/" and after a bunch of crabbing
about the certificate I got to see the same site. So now I have to
figure out how to make a certificate (FYI I am an anarchist).

I went to one of my sites and followed a link and discovered that it
switched back to "http://" because that is what is in the HTML. Gotta
fix that.

> You can enable any vhost for SSL by adding a few directives to it (it
> will stop listening on non-ssl):
> - Change the virtualhost port to 443
> - SSLEngine on
> - SSLCertificateFile      /etc/apache2/ssl/example.com.crt
> - (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key
> is not in the same file)
>
> There are a few other default things in the default-ssl vhost to fix
> buggy browsers and provide more info to cgi-scripts.
"buggy browsers" as in Internet Explorer, right? These are intra-company
web sites, and we simply tell people not to use IE.
>
> - Y
Thank you very much Yehuda. I think I am launched and can follow on for
a while by myself.

>
>
> On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield <andycanfield@yandex.com> wrote:
>
>
>     Files:
>
>     -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>
>     -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>
>     So AFAIK I've got a certificate I've generated myself. Nobody
>     vouches for me but it should enable encryption and make my TCP/IP
>     packets hard to read.
>
>     Contents of /etc/apache2/ports.conf:
>     NameVirtualHost *:80
>     Listen 80
>
>     <IfModule mod_ssl.c>
>         Listen 443
>     </IfModule>
>     <IfModule mod_gnutls.c>
>         Listen 443
>     </IfModule>
>
>     Files:
>
>     -rw-r--r-- 1 andy 1439 Apr  3 14:48
>     /etc/apache2/sites-available/default
>     -rw-r--r-- 1 andy 7485 Jun 16  2011
>     /etc/apache2/sites-available/default-ssl
>     -rw-r--r-- 1 root 7469 Feb  7  2012
>     /etc/apache2/sites-available/default-ssl.original
>     -rw-r--r-- 1 root  950 Feb  7  2012
>     /etc/apache2/sites-available/default.original
>
>     I see here that /etc/apache2/sites-available has one symbolic link
>     to /etc/apache2/sites-available/default, and no symbolic links to
>     any of the other entries in the sites-available directory. Also
>     all the other entries in /etc/apache2/sites-available are symbolic
>     links to configuration files such as
>
>     lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
>
>     These links have been working fine for years as links into the
>     site control directory and not into 'sites-available'. But perhaps
>     that is wrong.
>
>     Maybe what I need is a symbolic link from sites-enabled to
>     ../sites-available/default-ssl ? Nope, tested, did not solve the
>     problem....
>
>     When I give this command (as root) -
>
>         /etc/init.d/apache2 restart
>
>     I see only this output:
>
>     apache2: Could not reliably determine the server's fully qualified
>     domain name, using 192.168.1.112 for ServerName
>      ... waiting apache2: Could not reliably determine the server's
>     fully qualified domain name, using 192.168.1.112 for ServerName
>                                                                                
>     [ OK ]
>
>     But nmap still says that nothing is listening to port 443.
>
>     Thank you Oren.
>
>
>     On 04/03/2014 04:04 PM, Oren wrote:
>>     Hi Andy.
>>     Process basically include getting/creating a certificate, define
>>     it on your site and reload apache.
>>     here is a centos manual which is not exactly the same on ubuntu
>>     but pretty much explains the order of things
>>     http://wiki.centos.org/HowTos/Https
>>
>>     on ubuntu you will have to open the 443 port
>>     <IfModule mod_ssl.c>
>>         Listen 443
>>     </IfModule>
>>
>>     once the https is ready, you can do a redirect to the https site
>>     from http. (with mod_rewrite)
>>
>>     do you have logs or any information on what is not working?
>>
>>     Oren
>>
>>     On 04/03/2014 11:39 AM, Andy Canfield wrote:
>>>     I have been using apache for maybe ten years now, and maintain two
>>>     servers in addition to the apache on my notebook computer for
>>>     testing.
>>>     All using Ubuntu Linux *.04 LTS. It now appears that I ought to
>>>     convert
>>>     from http to https.
>>>
>>>     But the documentation is insane. A piece here, a piece there,
>>>     have to do
>>>     X (but first? and afterwards?). Assuming everything else is
>>>     OK, this
>>>     is the way you edit this line in VirtualHost file (there is no
>>>     "/etc/apache2/.../VirtualHost" file!)
>>>
>>>     I figure that I need to do it in two steps:
>>>     [1] Get the https version up and running, and
>>>     [2] Make the http version automatically switch to https.
>>>
>>>     But I can't get https working at all, for anything. There's a
>>>     "Listen
>>>     443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
>>>     closed port.
>>>
>>>     Has anybody else ever converted a hosted site from http to
>>>     https? What
>>>     did you have to do to get the secure one working?
>>>
>>>
>>>
>>
>>
>>
>>     .
>>
>
>


Re: [users@httpd] https

Posted by Yehuda Katz <ye...@ymkatz.net>.
Debian/Ubuntu have a slightly different default layout and include some
tools to help you work with it. The tools just create the symlinks for you,
but the major benefit is that all of them support tab-completion, so you
know what is available.

a2enmod / a2dismod: enable or disable apache modules
a2ensite / a2dissite: enable or disable apache vhosts
a2enconf / a2disconf: enable or disable apache configuration files (added
in Ubuntu 13.10)

The first thing to check is that you have loaded mod_ssl, either by running
`a2enmod ssl` or looking at the modules-enabled directory.
You are probably not listening on 443 since it is inside the <ifmodule> and
the module is not loaded.

You should have Ubuntu's default SSL vhost in
sites-available/default-ssl.conf and you can enable it using the tool (or
manual symlink).

You can enable any vhost for SSL by adding a few directives to it (it will
stop listening on non-ssl):
- Change the virtualhost port to 443
- SSLEngine on
- SSLCertificateFile      /etc/apache2/ssl/example.com.crt
- (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is not
in the same file)

There are a few other default things in the default-ssl vhost to fix buggy
browsers and provide more info to cgi-scripts.

- Y



On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield <an...@yandex.com> wrote:

>
> Files:
>
> -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>
> -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>
> So AFAIK I've got a certificate I've generated myself. Nobody vouches for
> me but it should enable encryption and make my TCP/IP packets hard to read.
>
> Contents of /etc/apache2/ports.conf:
> NameVirtualHost *:80
> Listen 80
>
> <IfModule mod_ssl.c>
>     Listen 443
> </IfModule>
> <IfModule mod_gnutls.c>
>     Listen 443
> </IfModule>
>
> Files:
>
> -rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
> -rw-r--r-- 1 andy 7485 Jun 16  2011
> /etc/apache2/sites-available/default-ssl
> -rw-r--r-- 1 root 7469 Feb  7  2012
> /etc/apache2/sites-available/default-ssl.original
> -rw-r--r-- 1 root  950 Feb  7  2012
> /etc/apache2/sites-available/default.original
>
> I see here that /etc/apache2/sites-available has one symbolic link to
> /etc/apache2/sites-available/default, and no symbolic links to any of the
> other entries in the sites-available directory. Also all the other entries
> in /etc/apache2/sites-available are symbolic links to configuration files
> such as
>
> lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
>
> These links have been working fine for years as links into the site
> control directory and not into 'sites-available'. But perhaps that is wrong.
>
> Maybe what I need is a symbolic link from sites-enabled to
> ../sites-available/default-ssl ? Nope, tested, did not solve the problem....
>
> When I give this command (as root) -
>
>     /etc/init.d/apache2 restart
>
> I see only this output:
>
> apache2: Could not reliably determine the server's fully qualified domain
> name, using 192.168.1.112 for ServerName
>  ... waiting apache2: Could not reliably determine the server's fully
> qualified domain name, using 192.168.1.112 for ServerName
>
> [ OK ]
>
> But nmap still says that nothing is listening to port 443.
>
> Thank you Oren.
>
>
> On 04/03/2014 04:04 PM, Oren wrote:
>
> Hi Andy.
> The process basically includes getting/creating a certificate, defining it
> on your site, and reloading Apache.
> Here is a CentOS manual which is not exactly the same on Ubuntu but pretty
> much explains the order of things:
> http://wiki.centos.org/HowTos/Https
>
> On Ubuntu you will have to open the 443 port:
> <IfModule mod_ssl.c>
>     Listen 443
> </IfModule>
>
> Once the https is ready, you can do a redirect to the https site from
> http (with mod_rewrite).
>
> Do you have logs or any information on what is not working?
>
> Oren
>
> On 04/03/2014 11:39 AM, Andy Canfield wrote:
>
> I have been using apache for maybe ten years now, and maintain two
> servers in addition to the apache on my notebook computer for testing.
> All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
> from http to https.
>
> But the documentation is insane. A piece here, a piece there, have to do
> X (but first? and afterwards?). Assuming everything else is OK, this
> is the way you edit this line in VirtualHost file (there is no
> "/etc/apache2/.../VirtualHost" file!)
>
> I figure that I need to do it in two steps:
> [1] Get the https version up and running, and
> [2] Make the http version automatically switch to https.
>
> But I can't get https working at all, for anything. There's a "Listen
> 443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
> closed port.
>
> Has anybody else ever converted a hosted site from http to https? What
> did you have to do to get the secure one working?
>

Re: [users@httpd] https

Posted by Andy Canfield <an...@yandex.com>.
Files:

-rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt

-rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key

So AFAIK I've got a certificate I've generated myself. Nobody vouches
for me but it should enable encryption and make my TCP/IP packets hard to
read.

Contents of /etc/apache2/ports.conf:
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Files:

-rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
-rw-r--r-- 1 andy 7485 Jun 16  2011 /etc/apache2/sites-available/default-ssl
-rw-r--r-- 1 root 7469 Feb  7  2012 /etc/apache2/sites-available/default-ssl.original
-rw-r--r-- 1 root  950 Feb  7  2012 /etc/apache2/sites-available/default.original

I see here that /etc/apache2/sites-available has one symbolic link to
/etc/apache2/sites-available/default, and no symbolic links to any of
the other entries in the sites-available directory. Also all the other
entries in /etc/apache2/sites-available are symbolic links to
configuration files such as

lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf

These links have been working fine for years as links into the site
control directory and not into 'sites-available'. But perhaps that is wrong.

Maybe what I need is a symbolic link from sites-enabled to
../sites-available/default-ssl ? Nope, tested, did not solve the problem....

When I give this command (as root) -

    /etc/init.d/apache2 restart

I see only this output:

apache2: Could not reliably determine the server's fully qualified
domain name, using 192.168.1.112 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully
qualified domain name, using 192.168.1.112 for ServerName
                                                                           
[ OK ]

But nmap still says that nothing is listening to port 443.

Thank you Oren.

On 04/03/2014 04:04 PM, Oren wrote:
> Hi Andy.
> The process basically includes getting/creating a certificate, defining it
> on your site, and reloading Apache.
> Here is a CentOS manual which is not exactly the same on Ubuntu but
> pretty much explains the order of things:
> http://wiki.centos.org/HowTos/Https
>
> On Ubuntu you will have to open the 443 port:
> <IfModule mod_ssl.c>
>     Listen 443
> </IfModule>
>
> Once the https is ready, you can do a redirect to the https site from
> http (with mod_rewrite).
>
> Do you have logs or any information on what is not working?
>
> Oren
>
> On 04/03/2014 11:39 AM, Andy Canfield wrote:
>> I have been using apache for maybe ten years now, and maintain two
>> servers in addition to the apache on my notebook computer for testing.
>> All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
>> from http to https.
>>
>> But the documentation is insane. A piece here, a piece there, have to do
>> X (but first? and afterwards?). Assuming everything else is OK, this
>> is the way you edit this line in VirtualHost file (there is no
>> "/etc/apache2/.../VirtualHost" file!)
>>
>> I figure that I need to do it in two steps:
>> [1] Get the https version up and running, and
>> [2] Make the http version automatically switch to https.
>>
>> But I can't get https working at all, for anything. There's a "Listen
>> 443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
>> closed port.
>>
>> Has anybody else ever converted a hosted site from http to https? What
>> did you have to do to get the secure one working?
>
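
Added example, not part of any message in this thread: in the ports.conf quoted above, both "Listen 443" lines sit inside <IfModule> blocks, so they take effect only when that module is loaded, and the file listing shows vhost1.key with mode -rw-r--r--. The sketch below checks both conditions; the function names are hypothetical and the Debian/Ubuntu layout (ports.conf, mods-enabled/<name>.load) is assumed.

```shell
# Added example; function names are hypothetical. Assumes the Debian/Ubuntu
# layout: <root>/ports.conf and <root>/mods-enabled/<name>.load for mod_<name>.c.

# Print "<port> <guard>" per Listen directive; guard is "-" when the directive
# is outside any <IfModule> block (nested blocks are not handled).
listen_guards() {
    awk '
        /^[ \t]*<IfModule[ \t]/ { g = $2; sub(/>.*/, "", g); next }
        /^[ \t]*<\/IfModule>/   { g = ""; next }
        /^[ \t]*Listen[ \t]/    { p = $2; sub(/.*:/, "", p); print p, (g == "" ? "-" : g) }
    ' "$1"
}

# Exit 0 if at least one Listen for port $2 would take effect under root $1.
check_port() {
    root=$1; want=$2; rc=1
    while read -r port guard; do
        [ "$port" = "$want" ] || continue
        mod=${guard#mod_}; mod=${mod%.c}
        if [ "$guard" = "-" ]; then
            echo "Listen $port: unconditional"; rc=0
        elif [ -e "$root/mods-enabled/$mod.load" ]; then
            echo "Listen $port: active, $guard is loaded"; rc=0
        else
            echo "Listen $port: skipped, $guard not loaded (try: a2enmod $mod)"
        fi
    done <<EOF
$(listen_guards "$root/ports.conf")
EOF
    return $rc
}

# Exit 0 only if the file has no group/other permission bits (e.g. mode 600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample tree mirroring the ports.conf quoted in the post.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/mods-enabled" "$d/key" || return 1
    printf '%s\n' 'NameVirtualHost *:80' 'Listen 80' '<IfModule mod_ssl.c>' \
        '    Listen 443' '</IfModule>' '<IfModule mod_gnutls.c>' \
        '    Listen 443' '</IfModule>' > "$d/ports.conf"
    : > "$d/key/vhost1.key"; chmod 644 "$d/key/vhost1.key"
    echo "$d"
}

d=$(make_sample); check_port "$d" 443 || true
key_is_private "$d/key/vhost1.key" || echo "vhost1.key: readable by group/others"
rm -rf "$d"
```

Against a live system, call check_port /etc/apache2 443 and key_is_private with the real key path.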


Re: [users@httpd] https

Posted by Oren <or...@taykey.com>.
Hi Andy.
The process basically includes getting/creating a certificate, defining it
on your site, and reloading Apache.
Here is a CentOS manual which is not exactly the same on Ubuntu but
pretty much explains the order of things:
http://wiki.centos.org/HowTos/Https

On Ubuntu you will have to open the 443 port:
<IfModule mod_ssl.c>
     Listen 443
</IfModule>

Once the https is ready, you can do a redirect to the https site from
http (with mod_rewrite).

Do you have logs or any information on what is not working?

Oren

On 04/03/2014 11:39 AM, Andy Canfield wrote:
> I have been using apache for maybe ten years now, and maintain two
> servers in addition to the apache on my notebook computer for testing.
> All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
> from http to https.
>
> But the documentation is insane. A piece here, a piece there, have to do
> X (but first? and afterwards?). Assuming everything else is OK, this
> is the way you edit this line in VirtualHost file (there is no
> "/etc/apache2/.../VirtualHost" file!)
>
> I figure that I need to do it in two steps:
> [1] Get the https version up and running, and
> [2] Make the http version automatically switch to https.
>
> But I can't get https working at all, for anything. There's a "Listen
> 443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
> closed port.
>
> Has anybody else ever converted a hosted site from http to https? What
> did you have to do to get the secure one working?