httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yehuda Katz <yeh...@ymkatz.net>
Subject Re: [users@httpd] https
Date Thu, 03 Apr 2014 14:46:50 GMT
Debian/Ubuntu have a slightly different default layout and include some
tools to help you work with it. The tools just create the symlinks for you,
but the major benefit is that all of them support tab-completion, so you
know what is available.

a2enmod / a2dismod: enable or disable apache modules
a2ensite / a2dissite: enable or disable apache vhosts
a2enconf / a2disconf: enable or disable apache configuration files (added
in Ubuntu 13.10)

The first this to check is that you have loaded mod_ssl, either by running
`a2enmod ssl` or looking at the modules-enabled directory.
You are probably not listening on 443 since it is inside the <ifmodule> and
the module is not loaded.

You should have Ubuntu's default SSL vhost in
sites-available/default-ssl.conf and you can enable it using the tool (or
manual symlink).

You can enable any vhost for SSL by adding a few directives to it (it will
stop listening on non-ssl):
- Change the vritualhost port to 443
- SSLEngine on
- SSLCertificateFile      /etc/apache2/ssl/example.com.crt
- (SSLCertificateKeyFile /etc/apache2/ssl/example.com.key if the key is not
in the same file)

There are a few other default things in the default-ssl vhost to fix buggy
browsers and provide more info to cgi-scripts.

- Y



On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield <andycanfield@yandex.com>wrote:

>
> Files:
>
> -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>
> -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>
> So AFAIK I've got a certificate I've generated myself. Nobody vouches for
> me but it shoud enable encryption and make my TCP/IP packets hard to read.
>
> Contents of /etc/apache2/ports.conf:
> NameVirtualHost *:80
> Listen 80
>
> <IfModule mod_ssl.c>
>     Listen 443
> </IfModule>
> <IfModule mod_gnutls.c>
>     Listen 443
> </IfModule>
>
> Files:
>
> -rw-r--r-- 1 andy 1439 Apr  3 14:48 /etc/apache2/sites-available/default
> -rw-r--r-- 1 andy 7485 Jun 16  2011
> /etc/apache2/sites-available/default-ssl
> -rw-r--r-- 1 root 7469 Feb  7  2012
> /etc/apache2/sites-available/default-ssl.original
> -rw-r--r-- 1 root  950 Feb  7  2012
> /etc/apache2/sites-available/default.original
>
> I see here that /etc/apache2/sites-available has one symbolic link to
> /etc/apache2/sites-available/default, and no symbolic links to any of the
> other entries in the sites-available directory. Also all the other entries
> in /etc/apache2/sites-available are symbolic links to configuration files
> such as
>
> lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
>
> These links have been working fine for years as links into the site
> control directory and not into 'sites-available'. But perhaps that is wrong.
>
> Maybe what I need is a symbolic link from sites-enabled to
> ../sites-available/default-ssl ? Nope, tested, did not solve the problem....
>
> When I give this command (as root) -
>
>     /etc/init.d/apache2 restart
>
> I see only this output:
>
> apache2: Could not reliably determine the server's fully qualified domain
> name, using 192.168.1.112 for ServerName
>  ... waiting apache2: Could not reliably determine the server's fully
> qualified domain name, using 192.168.1.112 for ServerName
>
> [ OK ]
>
> But nmap still says that nothing is listening to port 443.
>
> Thank you Oren.
>
>
> On 04/03/2014 04:04 PM, Oren wrote:
>
> Hi Andy.
> Process basically include getting/creating a certificate, define it on
> your site and reload apache.
> here is a centos manual which is not exactly the same on ubuntu but pretty
> much explains the order of things
> http://wiki.centos.org/HowTos/Https
>
> on ubuntu you will have to open the 443 port
> <IfModule mod_ssl.c>
>     Listen 443
> </IfModule>
>
> once the https is ready, you can do a redirect to the https site from
> http. (with mod_rewrite)
>
> do you have logs or any information on what is not working?
>
> Oren
>
> On 04/03/2014 11:39 AM, Andy Canfield wrote:
>
> I have been using apache for maybe ten years now, and maintain two
> servers in addition to the apache on my notebook computer for testing.
> All using Ubuntu Linux *.04 LTS. It now appears that I ought to convert
> from http to https.
>
> But the documentation is insane. A piece here, a piece there, have to do
> X (but first? and afterwards?). Assuming everything is else is OK, this
> is way you edit this line in VirtualHost file (there is no
> "/etc/apache2/.../VirtualHost" file!)
>
> I figure that I need to do it in two steps:
> [1] Get the https version up and running, and
> [2] Make the http version automatically switch to https.
>
> But I can't get https working at all, for anything. There's a "Listen
> 443" in /etc/apache2/ports.conf but 'nmap localhost' says 443 is a
> closed port.
>
> Has anybody else ever converted a hosted site from http to https? What
> did you have to do to get the secure one working?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> .
>
>
>

Mime
View raw message