Ssl
From Logicalwebhost-Wiki
How to make SSL work, most of the time. This was done on Debian/Ubuntu; you'll have to adapt the paths for other Linux variants.
1. generate an SSL key and CSR
cd /etc/apache2/ssl/
apt-get install openssl
# 2048 bits is the minimum RSA key size public CAs accept
openssl genrsa -des3 -out www.somedomain.com.key 2048
openssl req -new -key www.somedomain.com.key -out www.somedomain.com.csr
Then you take the .csr you made and cut/paste it into the site of whoever is giving you the cert, e.g. GoDaddy. They have to be able to resolve the hostname, which is the chicken/egg problem: you have to make an Apache entry that points to the CSR (example below, which you can cut/paste) and start Apache with that enabled before you can ask GoDaddy or whoever for the certificate. They basically look for the correct path to https://www.yourdomain.com, and then hopefully Apache will tell them a directory to look in which holds the matching CSR. Then they'll give you the CRT, which you put in that same directory, add the Apache config line that tells Apache to look for it (example below), and then you're good to go... whew! So here's roughly how I do it:
2. make a somedomain-ssl file in /etc/apache2/sites-available/
- copy the guts out of the example below, it will be easier
3. vi /etc/network/interfaces
- add the IP you just used above as a virtual interface, so like eth0:5 or something. Hopefully put comments in there for which site it goes to (SSLs have to go to a static IP for security reasons)
4. ifup eth0:5 (debian)
- brings up the virtual interface you just made
- run ifconfig and see if it's really there, if not, fix before proceeding, trust me :)
5. /etc/init.d/apache2 reload
- reloads the apache config so it will see the SSL
6. cat mydomain.csr
- cut/paste the information into the official SSL place you bought the cert from, this will tell them where to find the certificate file...hopefully, they're really picky on this step.
7. install the certificate
- once you get the .crt from whoever gave you the official SSL, you can point the Apache directive at the .crt file and reload Apache, and it should be happy
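8. if apache hangs and behaves evil (it is waiting for the key's passphrase when it starts), run this to strip the passphrase from the key:
mv mydomain.com.key mydomain.com.key.with_password
openssl rsa -in mydomain.com.key.with_password -out mydomain.com.key
enter passphrase for mydomain.com.key.with_password:
writing RSA key
- the new mydomain.com.key is no longer encrypted, so keep it readable by root only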
9. In Debian, you have to enable ssl by installing
apt-get install openssl ssl-cert
10. Enable it by running
a2enmod ssl
/etc/init.d/apache2 force-reload
/etc/init.d/apache2 restart
and doing the other stuff found in the Debian Admin article, like enabling port 443 by adding the line:
Listen 443
to /etc/apache2/ports.conf
here's an example of an apache config that works, YMMV
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
#
# SSL Configuration, this is what will screw up most likely
# when you're configuring stuff, you'll have to uncomment this next line and
# comment out the one below that ends in .crt, then restart apache, look for
# errors. Then after you get the CRT from godaddy or wherever, comment back
# out the .csr one and uncomment .crt one, then restart apache again...
# yeah, I know, it sucks, but that's how you have to do it.
#
# SSLCertificateFile /etc/apache2/ssl/www.somedomain.com.csr
#
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.somedomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.somedomain.com.key
SSLCertificateChainFile /etc/apache2/ssl/sf_issuing.crt
# the main other configuration stuff
ServerAdmin webmaster@somedomain.com
DocumentRoot /var/www/
ScriptAlias /cgi-bin/ /var/cgi/
ServerName www.somedomain.com
ErrorLog /var/www/apache/error.log
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "|/usr/bin/cronolog /var/logs/apache/%Y/%m/%d/access.log" combined
<Directory />
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
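Before reloading Apache in step 7, it helps to confirm that the .crt you received really belongs to the .key and .csr from step 1, and that the passphrase-free key from step 8 is not readable by other users. The script below is an added example, not part of the original wiki page; it assumes an RSA key with no passphrase and the openssl command-line tool, and the function names and the throwaway files made by make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumes an RSA key without a
# passphrase, as left by step 8, and the openssl command-line tool.

pubkey_pem() {            # $1 = key|csr|crt, $2 = file; prints the public key
    case $1 in
        key) openssl pkey -passin pass: -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

same_pubkey() {           # true only if both files carry the same public key
    a=$(pubkey_pem "$1" "$2") && b=$(pubkey_pem "$3" "$4") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

rsa_bits() {              # prints the modulus size of a private key
    openssl pkey -passin pass: -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

key_is_private() {        # no permission bits set for group or other
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

check_deploy() {          # $1 = key, $2 = csr, $3 = crt
    rc=0
    bits=$(rsa_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-unreadable} bits"; rc=1; }
    key_is_private "$1"       || { echo "FAIL: $1 readable by group/other"; rc=1; }
    same_pubkey key "$1" csr "$2" || { echo "FAIL: CSR not made from this key"; rc=1; }
    same_pubkey key "$1" crt "$3" || { echo "FAIL: certificate does not match key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, CSR and certificate belong together"
    return "$rc"
}

make_sample() {           # constructed throwaway files: $1 = dir, $2 = name, $3 = bits
    openssl genrsa -out "$1/$2.key" "$3" 2>/dev/null && chmod 600 "$1/$2.key" &&
    openssl req -new -key "$1/$2.key" -subj "/CN=www.somedomain.com" \
        -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
        -out "$1/$2.crt" 2>/dev/null
}

# Run as: sh check_deploy.sh www.somedomain.com.key www.somedomain.com.csr www.somedomain.com.crt
if [ "$#" -eq 3 ]; then check_deploy "$@"; fi
```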
