Apache's HTTPS

Source: Internet
Author: User
Tags openssl library


Installing OpenSSL

___________________________________________________________

    # Download OpenSSL from http://www.openssl.org/source/
    tar xf openssl-1.0.1s.tar.gz
    cd openssl-1.0.1s
    ./config
    make && make install

------------------------------------ Source installation method

    wget http://mirrors.cnnic.cn/apache/httpd/httpd-2.2.31.tar.gz
    tar xvf httpd-2.2.31.tar.gz
    cd httpd-2.2.31
    # Dynamic (shared) mode is selected here; for static mode use --enable-ssl=static --with-ssl=/usr/local/ssl
    ./configure --prefix=/usr/local/apache2 --with-included-apr --enable-so --enable-deflate=shared --enable-expires=shared --enable-rewrite=shared --with-pcre --enable-ssl=shared --with-ssl=/usr/local/ssl

------------------------------------ Add-on module (extension) method

    # Be sure to change into the httpd source directory first
    cd /usr/local/src/httpd-2.2.31/modules/ssl
    /usr/local/apache2/bin/apxs -i -c -a -D HAVE_OPENSSL=1 -I /usr/lib/openssl/engines/lib -lcrypto -lssl -ldl *.c

Error 1: "unrecognized SSL Toolkit!" and "declaration for parameter 'XXXXXX' but no such parameter"

Fix: add -D HAVE_OPENSSL=1

Error 2: undefined symbol: ssl_cmd_SSLMutex

Fix: apxs compiled and appended the module successfully, but Apache failed to start. After this error occurred, I changed mod_ssl.c to *.c when running apxs. Unlike mod_deflate, mod_ssl consists of multiple source files.

Error 3: undefined symbol: X509_INFO_free

Workaround: this happens because the OpenSSL library is statically linked (the default); add the -lcrypto -lssl -ldl parameters.

Create a private key

___________________________________________________________

    cd /usr/local/ssl/bin/
    openssl genrsa -out server.key 2048
    cp server.key /usr/local/apache2/conf/ssl.key

Generate a certificate request (CSR) file

___________________________________________________________

    openssl req -new -key server.key -out certreq.csr

    Country Name (2 letter code) [XX]:cn                             # ISO country code; CN for China
    State or Province Name (full name) []:zj                         # province or municipality where the organization is located
    Locality Name (eg, city) [Default City]:zs                       # city, county or district where the organization is located
    Organization Name (eg, company) [Default Company Ltd]:d x        # legal name of the organization or company
    Organizational Unit Name (eg, section) []:zwy                    # department name
    Common Name (eg, your name or your server's hostname) []:zwy     # must exactly match the domain name used to reach the server that provides the SSL service
    Email Address []:                                                # email address; leave empty and press Enter to skip
    "extra" attributes                                               # nothing below needs to be entered; press Enter to skip until the command completes

Back up the private key and submit a certificate request

___________________________________________________________

Submit the certificate request file certreq.csr to the CA service provider (such as Tianwei Integrity), back up the certificate private key file server.key, and wait for the certificate to be issued. The server certificate and the private key form a pair: if the private key file is lost, the certificate becomes unusable.

Obtain the intermediate CA certificates for the server certificate

___________________________________________________________  

To ensure that clients accept the server certificate, two intermediate CA certificates must be installed alongside it (this varies by certificate brand; some have only one intermediate certificate).

To obtain the intermediate CA certificates from the certificate issuance email:

Paste the contents of the two intermediate CA certificates from the certificate issuance email, each from start to end including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", into a text editor such as Notepad, with a line break between the two. Change the file name extension and save the file as conf/ssl.crt/intermediatebundle.crt (if you have only one intermediate certificate, you only need to save and install that one).


Obtaining an EV server certificate

___________________________________________________________  

Paste the server certificate contents from the certificate issuance email, from start to end including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", into a text editor such as Notepad, and save it as ssl.crt/server.crt.
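The certificate files above are assembled by hand from an email, and the certificate only works with the private key that produced the CSR. The following is an added example, not part of the original article, that checks both points before Apache is pointed at the files; the function names are hypothetical and the file names are the ones used on this page.

```sh
#!/bin/sh
# Added example; function names are hypothetical, file names follow the page.

# check_bundle FILE -> "OK <n>" for n well-formed certificate blocks,
# otherwise "BAD <reason>" (typical copy/paste damage).
check_bundle() {
    awk '
        { sub(/\r$/, "") }                      # Notepad saves CRLF line endings
        /PRIVATE KEY-----/ { key = 1 }          # a key must never sit in a cert file
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inblk) bad = "BEGIN inside an open block"
            inblk = 1; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inblk) bad = "END without BEGIN"
            inblk = 0; n++; next
        }
        /^-----/ { bad = "malformed marker line " NR }
        inblk && !/^[A-Za-z0-9+\/=]+$/ { bad = "non-base64 text inside block, line " NR }
        END {
            if (inblk) bad = "BEGIN without END (truncated paste)"
            if (key)         print "BAD private key material in certificate file"
            else if (bad)    print "BAD " bad
            else if (n == 0) print "BAD no certificate found"
            else             print "OK " n
        }
    ' "$1"
}

# pubkey_hash KIND FILE -> digest of the public key held in a key, csr or cert.
pubkey_hash() {
    pub=$(case "$1" in
        (key)  openssl pkey -in "$2" -pubout ;;
        (csr)  openssl req  -in "$2" -noout -pubkey ;;
        (cert) openssl x509 -in "$2" -noout -pubkey ;;
        (*)    false ;;
    esac 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1                   # unreadable input must not compare equal
    printf '%s\n' "$pub" | openssl sha256
}

# key_matches KEY KIND FILE: true only if FILE carries the public key of KEY.
key_matches() {
    a=$(pubkey_hash key "$1") && b=$(pubkey_hash "$2" "$3") && [ "$a" = "$b" ]
}
```

Typical use is `check_bundle conf/ssl.crt/intermediatebundle.crt` followed by `key_matches server.key cert conf/ssl.crt/server.crt`; a failed match means the certificate was issued for a different key than the one on disk.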


Apache Configuration

___________________________________________________________  

    vim /usr/local/apache2/conf/httpd.conf

    Listen 443

    vim /usr/local/apache2/conf/extra/httpd-vhosts.conf

    NameVirtualHost *:443
    <VirtualHost *:443>
        DocumentRoot "/data/web/www"
        ServerName aaa.com:443
        ErrorLog "logs/error.log"
        CustomLog "logs/access.log" combined
        <IfModule mod_ssl.c>
            SSLEngine on
            # Certificate paths sit under the --prefix chosen at build time (/usr/local/apache2)
            SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
            SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
            SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/intermediatebundle.crt
        </IfModule>
    </VirtualHost>


Error: curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Solution: put the 443 VirtualHost before the 80 VirtualHost; the port 80 part uses NameVirtualHost *:80 and the port 443 part uses NameVirtualHost *:443.
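The "unknown protocol" error above is what a TLS client reports when port 443 answers with something other than a TLS handshake, for example plain HTTP from a virtual host where SSL is not active. As an added example (not from the original article; `lint_ssl_vhosts` is a hypothetical helper), this check reads a vhosts file and flags any *:443 block that would answer without TLS or has no certificate and key configured.

```sh
#!/bin/sh
# Added example; lint_ssl_vhosts is a hypothetical helper, not an Apache tool.
# Prints one finding per line; no output means every *:443 vhost looks consistent.
lint_ssl_vhosts() {   # $1 = path to httpd-vhosts.conf
    awk '
        # Apache directive names are case-insensitive, so compare in lower case
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^<virtualhost[ \t]/ {
            invh = 1; start = NR; ssl = crt = key = 0
            is443 = (line ~ /:443[ \t>]/)
            next
        }
        invh && line ~ /^sslengine[ \t]+on([ \t]|$)/  { ssl = 1 }
        invh && line ~ /^sslcertificatefile[ \t]/     { crt = 1 }
        invh && line ~ /^sslcertificatekeyfile[ \t]/  { key = 1 }
        invh && line ~ /^<\/virtualhost>/ {
            if (is443 && !ssl)
                print "line " start ": *:443 vhost has no SSLEngine on, port 443 will answer in plain HTTP"
            else if (is443 && !(crt && key))
                print "line " start ": *:443 vhost lacks SSLCertificateFile or SSLCertificateKeyFile"
            invh = 0
        }
    ' "$1"
}
```

Run it as `lint_ssl_vhosts /usr/local/apache2/conf/extra/httpd-vhosts.conf`. It does not detect a mod_ssl that failed to load, in which case the `<IfModule mod_ssl.c>` block is skipped and the same plain-HTTP answer results.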


This article is from the "Fuqin Wine" blog, please make sure to keep this source http://szk5043.blog.51cto.com/8456440/1761069
