[SOLVED] Apache Win and SSL

[DeNiro]

Hi folks. I am currently configuring Apache 2.2.3 for the win32 platform and need to implement secure connections (SSL) support for it. I´ve OpenSSL installed and now i need some help. I need to make a self signed certificate for Apache, what is the command line syntax for that? Also, when this is accomplished, how do i configure Apache to use https connections [b]ONLY[/b]? Been studying documentation both for Apache and OpenSSL but cant really find the answers there......

[steviewdr]

Take a look at:
http://tud.at/programm/apache-ssl-win32-howto.php3

for generating a ssl cert for apache on windows.

If you only want apache to run on 443 you can do a few things:
Remove Listen 80
from your apache.conf - however ppl will HAVE TO specify https://yourwebsite.

Normally what is done - apache is allowed to run on port 80 - but an automatic redirect to https is done.

Good luck with it.

-steve

[DeNiro]

[quote author=steviewdr link=topic=118904.msg486620#msg486620 date=1166358573]
Take a look at:
http://tud.at/programm/apache-ssl-win32-howto.php3

for generating a ssl cert for apache on windows.

If you only want apache to run on 443 you can do a few things:
Remove Listen 80
from your apache.conf - however ppl will HAVE TO specify https://yourwebsite.

Normally what is done - apache is allowed to run on port 80 - but an automatic redirect to https is done.

Good luck with it.

-steve
[/quote]

Thanks a lot stevie, i´ll check that website asap.

[DeNiro]

Hi, its me again  ;D

I´ve come a bit further down the road now, sslmod installed, openssl installed, certificate made, server starts fine, listening on port 443.
But it wont accept https connections, only standard http. An error message pops up, "<servername> has sent an incorrect or unexpected message. Error code: -12263". The error.log files says "Invalid method in request \x16\x03\x01". Its obviously something wrong with the SSL configuration and i´ve searched hi and lo for possible misconfigurations but i cant find anything. Hmmm, pretty frustrating this.  >:(

[steviewdr]

Humm....not sure. Double check your openssl installation and check your certs are in the correct format.

-steve

[DeNiro]

[quote author=steviewdr link=topic=118904.msg488049#msg488049 date=1166521281]
Humm....not sure. Double check your openssl installation and check your certs are in the correct format.

-steve
[/quote]

Thanks for answer. The openssl installation seems to be correct, the files needed is in c:\windows\system32 and the server´s starting just fine through Apache Monitor or from command line. The files i generated with opensll has the extension .key and .crt. Apache Monitor indicates that i am running Apache 2.2.3, modssl and opensll 0.9.8d.

[steviewdr]

Not sure. You'll have to google for that error you are getting.

Happy Christmas,
Steve

[DeNiro]

[quote author=steviewdr link=topic=118904.msg489528#msg489528 date=1166699456]
Not sure. You'll have to google for that error you are getting.

Happy Christmas,
Steve
[/quote]

And a Merry Christmas to you too, Steve!

I googled for it, but there was no answer that could help me fix it. Seems like it could be one of many errors in the configuration.....using http://my.server.com:443 is working great, using https://my.server.com gives me the error. The server itself seems to be working fine, but the SSL setup is somewhat faulty......the lack of proper documentation for setting up a Windows Apache server with SSL is really annoying  >:(

[apacheguy]

Do you have something like this in your config file?

<IfModule mod_ssl.c>
  Include "conf/ssl.conf"
</IfModule>
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

The way I have it configured is I have setup a separate file for ssl.  The ssl file looks like this:

#
#
# $---> Section 1: HTTPS Specifics <---$
#
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#<IfDefine SSL>
#
Listen 443
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
#
SSLPassPhraseDialog  builtin
#
#SSLSessionCache        none
#SSLSessionCache        shmht:logs/ssl_scache(512000)
#SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCache        dbm:logs/ssl_scache
SSLSessionCacheTimeout  300
#
SSLMutex  default
#
#</IfDefine>

P.S. Give credit to Straybullet - he was the one who helped me set this up. 

[DeNiro]

Hi apacheguy, and thanks for answer. Yes, i have those lines in the config file. This looks interesting, and you are using Apache Win, right? Could you amplify a few parts for me, please? This is a separate file, right? Where to put it? And should it be somewhat included in the httpd.conf file?

[apacheguy]

The way I have it setup is I have the 1st part in my httpd.  What it says is if the ssl module is enabled then also include ssl.conf in the configuration.  I put ssl.conf in the same dir. as the httpd.  The contents of the ssl.conf file are the second part of my previous post.

[DeNiro]

[quote author=apacheguy link=topic=118904.msg491089#msg491089 date=1166977130]
The way I have it setup is I have the 1st part in my httpd.  What it says is if the ssl module is enabled then also include ssl.conf in the configuration.  I put ssl.conf in the same dir. as the httpd.  The contents of the ssl.conf file is the second part of my previous post.
[/quote]

Right, got it. I [b]might[/b] have found some errors in my setup, i´ll check these first and then try your solution. You put me on the right track though, thanks a bunch.  ;D

[DeNiro]

Nope, my changes didnt help, same error message as before and exactly the same behavior as before, working with http on port 443, but not https  :'( This is amazingly crappy......now i am majorly p****d off.....

Apacheguy, your ssl.conf seems a bit short, where have you defined your .key and .crt files? Or is it only a part of the ssl.conf?

[apacheguy]

I have the certificate files defined in another file.  Check to make sure you have your sslengine set to "on"

[DeNiro]

[quote author=apacheguy link=topic=118904.msg491217#msg491217 date=1167011432]
I have the certificate files defined in another file.  Check to make sure you have your sslengine set to "on"
[/quote]

Aah, that explains it. Yes, SSLEngine On is defined in ssl.conf. Theres no error whatsoever when starting the server, all looks perfect and it works just fine using http. Been googling hi and lo for answers about the given error messages, but there´s no clear answer anywhere.

[DeNiro]

Praise the Lord, i finally made it working! Used the included httpd-ssl.conf, renamed it and changed only the essential settings and voilá! Working perfectly! Now i am a happy camper  ;D Thanks a lot for your help, dudes, much appreciated!

[Stray_Bullet]

[quote author=apacheguy link=topic=118904.msg490827#msg490827 date=1166909406]
P.S. Give credit to Straybullet - he was the one who helped me set this up. 
[/quote]

Haha, just scanning the forums... OT but hey Apacheguy! I just got around to upgrading from 2.2.2 to 2.2.3. I just did the upgrade the other day. I have not got around to messing with it much but I have not been able to get SSL running on 2.2.3 with the same config files as 2.2.2 either...

If I get it working I'll let you know...