Apache httpd/SSL

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot

About

This page is about getting the Apache web server to work with SSL.

Question

  • Q: Is it possible to serve https on multiple domains from a single IP address?
    • I was originally told that this was technically impossible. I was later told that it is doable, but I haven't yet found instructions. --Woozle (talk) 11:53, 18 March 2015 (EDT)

How To

To get SSL working with virtual hosting (or at all, really), I had to do the following:

# added above the "Include /etc/apache2/sites-enabled/" line:
NameVirtualHost *:443
# added below it:
# NOTE: SSLv3 has been broken since the POODLE attack (2014); on a current
# server use "SSLProtocol all -SSLv2 -SSLv3" (or stricter) rather than
# re-enabling it as this line does.
SSLProtocol -all +TLSv1 +SSLv3
SSLCertificateFile /etc/apache2/certs/server.crt
SSLCertificateKeyFile /etc/apache2/certs/server.key
<IfModule mod_ssl.c>
   # SSL name based virtual hosts are not yet supported, therefore no
   # NameVirtualHost statement here
   # (this comment is from Ubuntu's stock ports.conf and predates SNI
   # support, which Apache gained in 2.2.12 with an SNI-capable OpenSSL)
   Listen 443 https
</IfModule>
  • Pick which domain to serve for https requests, and add to that site's config file:
<VirtualHost *:443>
       SSLEngine on
       # (copy of the essential directives, e.g. ServerName and DocumentRoot,
       #  from the site's existing <VirtualHost *:80> block)
</VirtualHost>
  • (and finally...) Remember to forward port 443 on the router.

The exact filenames depend on your Apache setup; these were on Ubuntu. "Listen 443" also works without the "https" protocol argument. Despite the stock "not yet supported" comment above, name-based virtual hosts on port 443 do work once Apache (2.2.12 or later) and the OpenSSL it is built against support Server Name Indication (SNI): the client sends the hostname in its ClientHello, so each <VirtualHost *:443> can carry its own certificate. A client that sends no SNI is handed the first *:443 vhost's certificate.
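The following is an added example, not the configuration from the original page: two name-based https sites on one address, relying on SNI, with the SSLv3-enabling protocol line from above shown next to a TLS-only replacement. Hostnames, document roots and certificate paths are placeholders; it assumes Apache 2.2.12 or later with an SNI-capable OpenSSL (on 2.4 the NameVirtualHost line is a no-op and can be dropped).

```apache
# Added example: SNI-based https virtual hosts (placeholder names and paths).
Listen 443 https
NameVirtualHost *:443

<IfModule mod_ssl.c>
    # Weak (original page):  SSLProtocol -all +TLSv1 +SSLv3   -- SSLv3 is broken (POODLE)
    # Better: every TLS version the build supports, nothing older.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Server-wide fallback certificate; only used by a vhost that sets none of its own.
    SSLCertificateFile    /etc/apache2/certs/server.crt
    SSLCertificateKeyFile /etc/apache2/certs/server.key

    # The first *:443 vhost is the default: it answers when the client's SNI
    # name matches nothing, or when no SNI is sent at all.
    <VirtualHost *:443>
        ServerName   www.example.org
        DocumentRoot /var/www/example.org
        SSLEngine on
        SSLCertificateFile    /etc/apache2/certs/example.org.crt
        SSLCertificateKeyFile /etc/apache2/certs/example.org.key
    </VirtualHost>

    <VirtualHost *:443>
        ServerName   www.example.net
        DocumentRoot /var/www/example.net
        SSLEngine on
        SSLCertificateFile    /etc/apache2/certs/example.net.crt
        SSLCertificateKeyFile /etc/apache2/certs/example.net.key
        # A client that sent no SNI but asks for this name via its Host: header
        # has already received the default site's certificate; refuse it (403)
        # rather than serve this site under the wrong certificate.
        SSLStrictSNIVHostCheck on
    </VirtualHost>
</IfModule>
```

Check it with "apachectl configtest" before reloading, then confirm each name returns its own certificate with "openssl s_client -connect host:443 -servername www.example.net" (the -servername flag is what sends SNI); without -servername you should see the default site's certificate.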

Notes

If the "Listen 443 https" statement is missing, the server may appear to be responding (the TCP connection is accepted) but the TLS handshake fails immediately. In the openssl session below, "wrong version number" after reading 5 bytes means the first five bytes the listener sent were not a TLS record header, i.e. whatever accepted the connection was not speaking TLS:

openssl s_client -host domain.name -port 443

CONNECTED(00000003)
3074250904:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1334194927
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Since someone else fixed the problem, I'm not sure exactly what was required, but it appears that sshd may have been configured to listen on port 443 as well as the standard port 22, making it look as if Apache was listening on 443 when it wasn't. Apache was also missing the "Listen 443" directive. That fits the output above: an sshd sends its "SSH-2.0-..." banner as soon as the connection opens, and its first five bytes ("SSH-2") are what s_client tried to parse as a TLS record header.

One way to test for this problem is to attempt to ssh to port 443 (ssh -p 443 domain.name), or simply to read what the listener sends first: an sshd announces itself with an "SSH-2.0-..." banner before the client has sent a byte, whereas a TLS listener sends nothing until it receives a ClientHello, and Apache's mod_ssl answers a plaintext HTTP request on its https port with a plaintext 400 saying you are speaking plain HTTP to an SSL-enabled port.
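The check described above, as an added example (not from the original page): a POSIX shell function that classifies the first bytes a listener returns, plus a probe that sends a plaintext HTTP request to port 443 and classifies the reply. It assumes nc (netcat) and od are available; the host name is a placeholder.

```sh
#!/bin/sh
# Added example: tell an sshd, a plain-HTTP vhost, a TLS listener and a
# correctly configured mod_ssl port apart by what they send back.
# Assumes nc(1) and od(1); "domain.name" below is a placeholder.

# First two bytes of $1 as hex, e.g. "1603" for an SSL 3.x / TLS record.
hex_prefix() {
    printf '%s' "$1" | od -An -tx1 -N2 | tr -d ' \n'
}

# Classify a banner/response string. Echoes one of:
#   empty, ssh, mod_ssl-plain-http, http, tls, unknown
classify_banner() {
    banner=$1
    case "$banner" in
        "")     echo empty; return ;;
        SSH-*)  echo ssh; return ;;          # sshd banner, sent unsolicited
        HTTP/*)
            # mod_ssl answers plaintext HTTP on its TLS port with a 400 whose
            # body names the problem; that signature means https is configured.
            case "$banner" in
                *"SSL-enabled server port"*) echo mod_ssl-plain-http ;;
                *)                           echo http ;;
            esac
            return ;;
    esac
    case "$(hex_prefix "$banner")" in
        1603*|1503*) echo tls ;;             # handshake (0x16) or alert (0x15) record
        *)           echo unknown ;;
    esac
}

# Connect, send a plaintext request, classify whatever comes back.
# An sshd sends its banner before reading anything; mod_ssl sends the plain-HTTP
# 400; a plain http vhost answers normally; other TLS stacks send an alert or close.
probe_443() {
    host=$1
    port=${2:-443}
    reply=$(printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
            | nc -w 5 "$host" "$port" 2>/dev/null | head -c 512)
    classify_banner "$reply"
}

# Usage: probe_443 domain.name
```

A result of "ssh" here is exactly the situation the page describes (sshd holding port 443), "http" means something is serving plain HTTP on 443, and "mod_ssl-plain-http" means Apache is listening with SSLEngine on, after which "openssl s_client -connect domain.name:443" should complete the handshake.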

Links