Original address: http://blog.njmars.com/myhan/archive/2004/07/16/210.aspx
Environment:
RedHat 9.0
Note:
Commands starting with $ are run as a normal user; commands starting with # are run as root.
Step 1: install Apache
Download apache2: http://httpd.apache.org/download.cgi
I need mod_ssl support. Unlike Apache 1.3, mod_ssl is not a separate download for Apache 2: it ships inside the Apache source package but is disabled by default, so it has to be enabled when running configure.
I built Apache with DSO support and compiled every module as a shared object, so that modules can be enabled later without rebuilding. Unneeded modules are then disabled by commenting out or deleting their LoadModule lines in httpd.conf, which lets you tailor Apache to your own needs.
$ tar zxvf httpd-2.0.50.tar.gz
$ cd httpd-2.0.50
$ ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl=shared --enable-mods-shared=all --with-ssl=/usr/local/ssl
$ make
$ su
# make install
Apache can use modules in two ways. One is to compile them permanently into the httpd core.
The other, if the operating system supports dynamic shared objects (DSO) and autoconf can detect this, is to compile modules dynamically.
A DSO module is stored separately from the core and is loaded or left out at runtime through the configuration directives provided by the mod_so module.
If any module is compiled dynamically, mod_so is automatically included in the core. If you want the core to be able to load DSOs without compiling any module dynamically at build time, you must pass --enable-so explicitly.
(Source: http://kajaa.bbs.us/ApacheManual/install.html)
When Apache built this way is started for the first time, it fails with an error:
# cd /usr/local/apache2
# ./bin/apachectl startssl
Syntax error on line 251 of /usr/local/apache/conf/httpd.conf:
Cannot load /usr/local/apache/modules/mod_ssl.so into server: /usr/local/apache/modules/mod_ssl.so: undefined symbol: X509_free
Why? See http://www.smartframeworks.com/qt-apache-ssl.html
The reason is that OpenSSL, installed by the method in the companion article (see "apache2 + mod_ssl + php5 full installation (2)"), is not built as a shared library by default. The OpenSSL documentation says that its shared-library support is not yet mature: you can build a shared library with ./config shared, but that option is still considered experimental.
The fix is to compile mod_ssl statically into Apache.
Try again with the following:
$ ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl=static --with-ssl=/usr/local/ssl --enable-mods-shared=all
$ make
$ su
# make install
Starting Apache this time produced a different error:
# cd /usr/local/apache2
# ./bin/apachectl startssl
Syntax error on line 108 of /usr/local/apache2/conf/ssl.conf:
SSLCertificateFile: file '/usr/local/apache2/conf/ssl.crt/server.crt' does not exist or is empty
What is the reason this time? SSL has not been configured yet: the certificate that SSL needs still has to be generated.
With Apache 1.3 + mod_ssl, the build offered a make target for this step:
$ make certificate
It generated the certificates used by SSL.
Apache 2 no longer ships this tool, so you have to generate the certificates yourself. If you are not familiar with certificates, there is a helper package you can use: http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
# cd /usr/local/apache2/conf
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh    (generate the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...
...++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (enter a password)
Verifying - Enter pass phrase for ca.key: (enter the password again)
......
Self-sign the root CA... (sign the root certificate)
Enter pass phrase for ca.key: (enter the password you just set)
........
...... (the signing prompts follow)
Country Name (2 letter code) [MY]: CN
State or Province Name (full name) [Perak]: Jiangsu
Locality Name (eg, city) [Sitiawan]: Nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]: wiscom System Co., Ltd
Organizational Unit Name (eg, section) [Certification Services Division]: acstar
Common Name (eg, MD Root CA) []: wiscom ca
Email Address []: acmail@wiscom.com.cn
This produces the files ca.key and ca.crt. Next, generate a certificate for our server:
# ./new-server-cert.sh server    (the certificate name is "server")
......
......
Country Name (2 letter code) [MY]: CN
State or Province Name (full name) [Perak]: Jiangsu
Locality Name (eg, city) [Sitiawan]: Nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]: wiscom System Co., Ltd
Organizational Unit Name (eg, section) [Secure Web Server]: acstar
Common Name (eg, www.domain.com) []: acmail.wiscom.com.cn
Email Address []: acmail@wiscom.com.cn
This produces the two files server.csr and server.key.
The request must be signed by the CA before the certificate can be used:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root CA password set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Jiangsu'
localityName          :PRINTABLE:'Nanjing'
organizationName      :PRINTABLE:'wiscom System Co., Ltd'
organizationalUnitName:PRINTABLE:'acstar'
commonName            :PRINTABLE:'acmail.wiscom.com.cn'
emailAddress          :IA5STRING:'acmail@wiscom.com.cn'
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
(If an error occurs here, it is best to start over: delete the ssl.ca-0.1 directory and begin again from the extraction step.)
Now move the certificate and key to the locations that ssl.conf expects. The chmod 400 restricts the private key to its owner (root) before it is moved into place:
# chmod 400 server.key
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
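The three ssl.ca-0.1 scripts are thin wrappers around openssl. The following script is added here as an example and is not part of the original post or of the ssl.ca package: it performs the same steps (root CA, server key and CSR, CA signing, chain verification, key permissions) with plain openssl commands and no prompts. The subject fields, the CA passphrase and the function name make_ssl_pki are constructed for the demo.

```shell
# Added example: the openssl calls that the ssl.ca-0.1 scripts wrap
# (new-root-ca.sh, new-server-cert.sh, sign-server-cert.sh), run without
# prompts into a scratch directory. Subject fields and the CA passphrase
# are constructed for the demo; make_ssl_pki is a name chosen here.

# make_ssl_pki DIR [COMMON_NAME]
# Builds ca.key/ca.crt and server.key/server.csr/server.crt under DIR and
# returns 0 only if the chain verifies and the key matches the certificate.
# The body runs in a subshell so the cd does not leak into the caller.
make_ssl_pki() (
    dir="$1"; cn="${2:-www.example.test}"
    ca_pass="demo-ca-passphrase"   # constructed; the scripts prompt for this

    mkdir -p "$dir" && cd "$dir" &&

    # new-root-ca.sh: passphrase-protected RSA CA key, then a self-signed root cert
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca.key 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$ca_pass" \
        -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=Example Org/OU=Demo CA/CN=Demo Root CA" \
        -out ca.crt &&

    # new-server-cert.sh: server key (unencrypted so httpd can start unattended) + CSR
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key \
        -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=Example Org/OU=Secure Web Server/CN=$cn" \
        -out server.csr &&

    # sign-server-cert.sh: the CA signs the CSR for 365 days, as in the output above
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$ca_pass" -CAcreateserial -out server.crt 2>/dev/null &&

    # private keys are the secret: owner-read only, as the chmod 400 step does
    chmod 400 ca.key server.key &&

    # "CA verifying: server.crt <-> CA cert", plus a check that key and cert pair up
    openssl verify -CAfile ca.crt server.crt >/dev/null &&
    [ "$(openssl x509 -noout -modulus -in server.crt)" = \
      "$(openssl rsa -noout -modulus -in server.key)" ]
)
```

The resulting server.crt and server.key are what SSLCertificateFile and SSLCertificateKeyFile in ssl.conf point at; ca.crt is what clients import to trust the server.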
Then you can start it:
# cd /usr/local/apache2
# ./bin/apachectl startssl
If you see this warning:
httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
edit httpd.conf, find the ServerName line, and remove the leading comment character.