How to Set Up SSL on Apache

  • 7020654
  • 16-Jan-2014
  • 07-Aug-2017

Environment


Apache2 on SLES
SSL
Retain (all versions)

Situation

In order to access the RetainServer web access securely via https (https://[server DNS name or IP]/RetainServer), SSL needs to be set up on Apache.

Resolution

We've created the following instructions for setting up SSL for Apache2 on SLES. These instructions were validated on a SuSE Linux (SLES) 11 SP3 server. You might find it easiest to perform these steps in a terminal session so that you can copy/paste the command that creates the certificate.

It's best to purchase a certificate from a reputable certificate authority (CA). That certificate should be issued for your Retain server's DNS hostname. For testing purposes on a test system, you can follow the instructions below for creating a self-signed certificate.

Add Your Certificate

1.  Create a directory called /certs.

2.  Change to the /certs directory.

3.  For purchased certificates, download the certificate (and its private key) into the /certs directory.

4.  For testing purposes where you need to create a self-signed certificate, run the following:

openssl req -new -x509 -days [# of days cert is valid] -sha1 -newkey rsa:1024 \
  -nodes -keyout server.key -out server.crt \
  -subj '/O=[company]/OU=[department]/CN=[DNS or IP Address of the server where Apache is running]'

Example:

openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 \
  -nodes -keyout server.key -out server.crt \
  -subj '/O=Acme/OU=IT/CN=it.acme.com'

NOTE:  The backslash "\" at the end of the first two lines is the shell's line-continuation character, so the three lines are entered as a single command. If you type the whole command on one line instead, leave the backslashes out. The -sha1 and rsa:1024 options are what these instructions were validated with; current browsers reject certificates signed with SHA-1, and 1024-bit RSA keys are no longer considered strong enough, so even for a test certificate prefer -sha256 and rsa:2048 where your clients support them.


Configure Apache to Use a Virtual Host and the Certificate / Key

1.  Change to the /etc/apache2/vhosts.d directory.

This is the Apache virtual hosts configuration folder.

There should be a file called "vhost-ssl.template". This file is installed with Apache as a template for an SSL-enabled Apache virtual host.

2.  Copy this file to a *.conf filename.

For example, if using the name host1.conf, type:

cp vhost-ssl.template host1.conf

Because the file name ends in .conf, Apache will automatically discover and read it and configure the virtual host it describes.

3.  Open/edit the virtual host's configuration file - in this example, host1.conf.

a.  Look for the line that reads:  <VirtualHost _default_:443>

Change the line to:  <VirtualHost *:443>

Note: there is a space between "VirtualHost" and the asterisk "*".

b.  Look for the line that reads:  SSLProtocol all -SSLv2 -SSLv3

This line means "use all SSL/TLS protocol versions except SSLv2 and SSLv3", so what you do here depends on which protocols you want to allow. If you want to allow SSLv3 as well, then...

Remove the -SSLv3 statement so the line reads:

SSLProtocol all -SSLv2

If you get application errors about SSLv2, the "-SSLv2" statement can also be removed. However, SSLv2 and SSLv3 should no longer be used where you can avoid it, because they are not secure (for SSLv3, primarily because of the POODLE attack); leave both disabled unless a client application cannot work without them.

c.  Look for the line that reads:

SSLCertificateFile /etc/apache2/ssl.crt/[certificate filename]

Change it to read:

SSLCertificateFile /certs/[certificate filename]

d.  Look for the line that reads:

SSLCertificateKeyFile /etc/apache2/ssl.key/[key filename]

Change it to read:

SSLCertificateKeyFile /certs/[key filename]

4.  Save host1.conf.

Enable SSL for Apache

1.  Change to the /etc/sysconfig/ directory.

2.  Open/edit the Apache system configuration file, "apache2".

a.  Look for the line that reads:

APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout"

Confirm that "ssl" appears in that module list; it does by default.

There are several lines in this file that mention "APACHE_MODULES"; make sure you are editing the one that is actually in use and not commented out.

b.  Look for the line that reads:

APACHE_SERVER_FLAGS=""

Change it to read (adding “-DSSL”):

APACHE_SERVER_FLAGS="-DSSL"

3.  Save apache2.

4.  Restart Apache:

rcapache2 restart

or

/etc/init.d/apache2 restart

5.  Test the SSL for Apache (optional)

a.  Make sure that there is an index.html for Apache to open.

Here is a sample index.html file if one does not exist:  index.html.txt

Just save the file, rename it to "index.html" and copy it to your Apache server's /srv/www/htdocs directory.

b.  In a web browser, go to the URL of the server you just configured using https:

https://it.acme.com
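The edits in steps 3a-3d of "Configure Apache to Use a Virtual Host" and steps 2a-2b of "Enable SSL for Apache" are easy to do by hand, but a script that applies them is also a useful check that only the active lines change and that commented-out lines (the APACHE_MODULES caveat above) are left alone. The following Python is an added example written for this article; it is not part of the original KB or of the Apache/SLES packages. The two configuration samples are constructed stand-ins for the relevant lines of vhost-ssl.template and /etc/sysconfig/apache2, and the function names are the example's own. By default it keeps the template's -SSLv3 exclusion and only drops it when asked, in line with the note above about leaving SSLv2 and SSLv3 disabled.

```python
import re

# Constructed sample of the lines this article edits in SLES's
# vhost-ssl.template (not the real file; only the relevant directives).
SAMPLE_VHOST_TEMPLATE = """\
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>
    DocumentRoot "/srv/www/htdocs"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
</VirtualHost>
</IfDefine>
</IfDefine>
"""

# Constructed, trimmed sample of /etc/sysconfig/apache2. The commented
# APACHE_MODULES line is the trap the article warns about: it must stay as is.
SAMPLE_SYSCONFIG = """\
## Type: string
## Default: ""
#APACHE_MODULES="actions alias auth_basic authz_host dir mime"
APACHE_MODULES="actions alias auth_basic authn_file authz_host dir env log_config mime setenvif userdir"
## Type: string
APACHE_SERVER_FLAGS=""
"""


def _is_active(line):
    """True for lines Apache actually reads: not blank and not commented out."""
    stripped = line.lstrip()
    return bool(stripped) and not stripped.startswith("#")


def configure_vhost(text, cert_file, key_file, allow_sslv3=False):
    """Apply steps 3a-3d to a copy of vhost-ssl.template and return the new text.

    allow_sslv3=False keeps the template's "SSLProtocol all -SSLv2 -SSLv3";
    allow_sslv3=True reproduces the article's edit and drops only "-SSLv3".
    Certificate and key are pointed at /certs/<name> as in steps 3c and 3d.
    """
    out = []
    for line in text.splitlines():
        if _is_active(line):
            body = line.lstrip()
            indent = line[: len(line) - len(body)]
            if body.startswith("<VirtualHost _default_:443>"):
                body = "<VirtualHost *:443>"                           # step 3a
            elif body.startswith("SSLProtocol") and allow_sslv3:
                body = body.replace(" -SSLv3", "")                      # step 3b
            elif body.startswith("SSLCertificateFile "):
                body = "SSLCertificateFile /certs/%s" % cert_file       # step 3c
            elif body.startswith("SSLCertificateKeyFile "):
                body = "SSLCertificateKeyFile /certs/%s" % key_file     # step 3d
            line = indent + body
        out.append(line)
    return "\n".join(out) + "\n"


def enable_ssl_sysconfig(text):
    """Apply steps 2a-2b to /etc/sysconfig/apache2 text and return the new text.

    Only the active (uncommented) APACHE_MODULES line is touched, and "ssl" is
    appended if it is missing. APACHE_SERVER_FLAGS gains "-DSSL". Running the
    function twice produces the same result, so it is safe to re-run.
    """
    out = []
    for line in text.splitlines():
        if _is_active(line):
            m = re.match(r'^(APACHE_MODULES=")([^"]*)(")\s*$', line)
            if m:
                modules = m.group(2).split()
                if "ssl" not in modules:
                    modules.append("ssl")
                line = m.group(1) + " ".join(modules) + m.group(3)
            m = re.match(r'^(APACHE_SERVER_FLAGS=")([^"]*)(")\s*$', line)
            if m:
                flags = m.group(2).split()
                if "-DSSL" not in flags:
                    flags.append("-DSSL")
                line = m.group(1) + " ".join(flags) + m.group(3)
        out.append(line)
    return "\n".join(out) + "\n"


def active_directives(text):
    """Return the active lines, stripped of indentation, for checking a result."""
    return [l.strip() for l in text.splitlines() if _is_active(l)]


if __name__ == "__main__":
    print(configure_vhost(SAMPLE_VHOST_TEMPLATE, "server.crt", "server.key"))
    print(enable_ssl_sysconfig(SAMPLE_SYSCONFIG))
```

To use this on real files, read host1.conf and /etc/sysconfig/apache2 into strings, write each returned text to a new file, and diff it against the original before restarting Apache so that the only changed lines are the ones the steps above call for.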

At this point, a natural next step is to make sure that all requests to the Apache server are redirected to HTTPS when a user only requests a plain HTTP session. See our KB article "Force Redirection to SSL Apache (SLES Version)".

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2250.