Apache httpd/SSL
About
This page is about getting the Apache web server to work with SSL.
Question
- Q: Is it possible to serve https on multiple domains from a single IP address?
How To
To get SSL working with virtual hosting (or at all, really), I had to do the following:
- in apache2.conf:
    # added above the "Include /etc/apache2/sites-enabled/" line:
    NameVirtualHost *:443
    # added below it:
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCertificateFile /etc/apache2/certs/server.crt
    SSLCertificateKeyFile /etc/apache2/certs/server.key
- in ports.conf:
    <IfModule mod_ssl.c>
        # SSL name based virtual hosts are not yet supported, therefore no
        # NameVirtualHost statement here
        Listen 443 https
    </IfModule>
- Pick which domain to serve for https requests, and add to that site's config file:
    <VirtualHost *:443>
        SSLEngine on
        (copy of the essential directives from the site's existing <VirtualHost *> block)
    </VirtualHost>
- (and finally...) Remember to forward port 443 on the router.
The exact filenames will differ depending on your Apache setup; the ones above are the Ubuntu paths. "Listen 443" without the trailing "https" apparently also works.
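As an added example (not from the original page), here is a small POSIX shell checker that reads a concatenated copy of the Apache configuration and reports whether each directive the steps above add is actually present, ignoring commented-out lines. It also warns when SSLv3 is still enabled, since SSLv3 is obsolete (POODLE, RFC 7568) and TLSv1 or newer is the floor today; and it carries a helper that confirms the certificate and key belong together, which needs the openssl command-line tool. The script name and the concatenated-file path are assumptions. Note also that name-based SSL virtual hosting for multiple domains on one IP does work with SNI on Apache 2.2.12 or later built against OpenSSL 0.9.8j or later, provided the clients send SNI.

```shell
#!/bin/sh
# Added example, not part of the original page: check that an Apache config
# carries every directive the SSL how-to above adds. Assumes the relevant files
# were concatenated first, e.g.:
#   cat /etc/apache2/apache2.conf /etc/apache2/ports.conf \
#       /etc/apache2/sites-enabled/* > /tmp/apache-all.conf
#   sh check_ssl.sh /tmp/apache-all.conf      # hypothetical script name

# True if an uncommented line of file $1 matches the extended regex $2
# (Apache directive names are case-insensitive, hence -i).
has_directive() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# Report one directive; a miss is counted in the global $missing.
require() {
    if has_directive "$cfg" "$1"; then
        echo "ok:      $2"
    else
        echo "MISSING: $2"
        missing=$((missing + 1))
    fi
}

# Run all checks on config file $1; the exit status is the number of missing
# directives (0 means the config has everything the how-to lists).
check_ssl_config() {
    cfg=$1
    missing=0
    require 'Listen[[:space:]]+443'                          'Listen 443 (ports.conf)'
    require 'NameVirtualHost[[:space:]]+\*:443'              'NameVirtualHost *:443 (apache2.conf)'
    require 'SSLCertificateFile[[:space:]]+[^[:space:]]'     'SSLCertificateFile'
    require 'SSLCertificateKeyFile[[:space:]]+[^[:space:]]'  'SSLCertificateKeyFile'
    require '<VirtualHost[[:space:]]+\*:443>'                '<VirtualHost *:443> block'
    require 'SSLEngine[[:space:]]+on'                        'SSLEngine on'
    # Caveat the page predates: SSLv3 is obsolete (POODLE, RFC 7568). With
    # "SSLProtocol -all +TLSv1 +SSLv3" as above, drop the "+SSLv3" part.
    if has_directive "$cfg" 'SSLProtocol.*\+SSLv3'; then
        echo "WARNING: SSLProtocol still enables SSLv3; prefer -all +TLSv1 (or newer)"
    fi
    return "$missing"
}

# Optional: confirm certificate $1 and key $2 belong together (needs openssl).
# A mismatch makes Apache refuse to start with a mod_ssl error.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}
```

Run it against the concatenated file after each edit; a non-zero exit status tells you how many of the listed directives are still missing, which is quicker than restarting Apache and reading the error log.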
Notes
If the "Listen 443 https" statement is missing, the server may appear to be responding but having some kind of redirect issue. A sample openssl session:
    openssl s_client -host domain.name -port 443
    CONNECTED(00000003)
    3074250904:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1334194927
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
Since someone else fixed the problem, I'm not sure exactly what was required, but it appears that ssh may have been set to respond on port 443 as well as the standard port 22, making it appear that Apache was listening on 443 when it wasn't. Apache was also missing the "Listen 443" directive.
One way to test for this problem might have been to attempt to ssh to port 443.
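The "wrong version number" error above is what openssl reports when the peer answers the ClientHello with bytes that are not a TLS record, which is exactly what a chatty non-TLS service such as sshd produces. As an added example (not from the original page), this shell snippet classifies captured openssl s_client output into "closed", "non-TLS service", "handshake failed" and "TLS", and reads whatever a service volunteers on connect, since SSH announces itself with an "SSH-" banner while a TLS server stays silent until it receives a ClientHello. The host and port are placeholders; first_banner relies on bash's /dev/tcp and will simply fail under a plain POSIX sh.

```shell
#!/bin/sh
# Added example, not part of the original page: pin down what is really
# answering on a port that should be Apache's HTTPS listener.

# Classify captured `openssl s_client` output read from stdin.
classify_sclient() {
    out=$(cat)
    case "$out" in
        *"wrong version number"*)
            # The peer answered, but not with a TLS record: something other
            # than a TLS server (an SSH daemon, plain HTTP, ...) owns the port.
            echo non-tls ;;
        *"Connection refused"*|*"connect:errno"*)
            echo closed ;;             # nothing is listening at all
        *"Cipher is (NONE)"*)
            echo handshake-failed ;;   # TLS-ish peer, but no session was negotiated
        *"Cipher is "*)
            echo tls ;;                # a cipher was agreed: a real TLS server
        *)
            echo unknown ;;
    esac
}

# Classify the first line a service sent unprompted.
classify_banner() {
    case "$1" in
        SSH-*)  echo ssh ;;            # SSH servers identify themselves first (RFC 4253)
        HTTP/*) echo plain-http ;;     # an HTTP status line with no TLS in front of it
        "")     echo silent ;;         # expected for TLS: the server waits for the client
        *)      echo unknown ;;
    esac
}

# Connect to $1:$2 and speak TLS, sending the hostname as SNI so a name-based
# SSL virtual host (if any) picks the right certificate. Placeholder host/port.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 | classify_sclient
}

# Read the first line $1:$2 volunteers within 3 seconds (bash only: /dev/tcp).
first_banner() {
    exec 3<>"/dev/tcp/$1/$2" || return 1
    line=""
    read -r -t 3 line <&3 || true
    exec 3<&-
    printf '%s\n' "$line"
}

# Example usage (placeholder host), not run automatically:
#   probe_tls domain.name 443                       # prints non-tls, tls, ...
#   classify_banner "$(first_banner domain.name 443)"   # prints ssh, silent, ...
```

Run probe_tls and the banner check together: "non-tls" from the first and "ssh" from the second is the situation the note above describes, while "closed" means the Listen directive is missing and nothing has claimed the port.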
Links
- Apache 2.2: official documentation
- mod_ssl: the Apache module which provides SSL/TLS support
- How To Generate SSL Key, CSR and Self Signed Certificate For Apache
- How to remove the passphrase from an Apache SSL Key: necessary if you want Apache to restart unattended after following the instructions from The Geek Stuff