Windows configuration Apache2.x+ssl Experience

Source: Internet
Author: User
Tags apache error log create index openssl openssl x509 win32 apache log tortoisesvn
Windows configuration Apache2.x+ssl Experience 2006-08-29 14:58

These days busy research to the Apache Configuration SSL protocol to provide support for HTTPS, the network gives a lot of configuration methods, but most of it belongs to the Apache1.3.37 version. Tried n times to fail, and referencing the TORTOISESVN help document was unsuccessful. These methods work best in all methods on the Web:
1, "Lazy people's education" constructs your Apache + SSL on Win32
2, the Apache + SSL on Win32 HOWTO
3. Windows installation Setting Apache2 + PHP5 + mod_ssl
After several attempts at the method given above, it was unsuccessful. Finally, directly using the compression package provided from the website http://hunter.campbus.com/apache_2.0.59-openssl_ 0.9.8b-win32.zip after decompression, in accordance with the methods given in the preceding articles to generate the relevant files and modify the configuration found after the successful configuration. Today, when I write a blog, I look back at the document discovery, previously because there was no copy Apache.exe to the Apache installation directory caused unsuccessful. The steps to correctly configure success are summarized as follows:
steps to download and install the appropriate package:
apache:2.0.59 version, download the address is:http://httpd.apache.org/, you can also download a new version of the;
Apache with SSL and OpenSSL libraries: Download address forhttp://hunter.campbus.com/, download the compression package corresponding to the Apache version and download the Apache_2.0.59-openssl_0.9.8b-win32.zip file relative to Apache2.0.59. In addition, also need to download openssl-x.x.x-win32.zip, I downloaded isOpenssl-0.9.8b-win32.zip
OPENSSL.CNF: Download Address: http://tud.at/programm/openssl.cnf
The Apache installation reference prompts are available, and the other two packages do not need to be installed separately.
Step two configure SSL support for Apache:
Unzip the Apache_2.0.59-openssl_0.9.8b-win32.zip, copy the bin directoryApache.exe, Ssleay32.dll and Libeay32.dllTo the Apache installation directory under the Bin directory, must replace the original Apache.exe, (note: can also copy openssl.exe, so do not need to extract Openssl-0.9.8b-win32.zip can generate signature certificate). Copy the ssl.conf and ssl.default.conf in the Conf directory to the Conf directory under the Apache installation directory, copy the modules directorymod_ssl.soAlso to be placed in the Apache directory of the modules.
Modify the ssl.conf file as follows: (refer to the TORTOISESVN help document)
Comment out the bottom few lines:
DocumentRoot "C:/apache/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog Logs/error_log
Transferlog Logs/access_log () can also be modified as needed
Modify Sslcertificatefile conf/ssl.crt/server.crt to Sslcertificatefile CONF/SSL/MY-SERVER.CRT
Modify Sslcertificatekeyfile Conf/ssl.key/server.key to Sslcertificatekeyfile Conf/ssl/my-server.key
Modify Sslmutex File:logs/ssl_mutex for Sslmutex default
Modify Sslcertificatechainfile conf/ssl.crt/ca.crt for Sslcertificatechainfile conf/ssl/ca.crt (MS not also line)
Note: My-server.key for server KEY,MY-SERVER.CRT as server certificate, can be modified according to need
Comment out <ifdefine ssl> and </IfDefine> turn on SSL features
Modify the httpd.conf file as follows: Remove the comment that precedes #loadmodule ssl_module modules/mod_ssl.so.
In the Conf folder under the Apache installation directory, establish the SSL folder where the certificate files are stored.
Note: If your domain name is not available, you may need to change the servername in httpd.conf to: 127.0.0.1: Port. I use the default port, so instead: 127.0.0.1:80.
StepThe third generation certificate file (see OpenSSL Use guide for details)
Unzip the Openssl-0.9.8b-win32.zip, assuming to the directory E:/openssl.
Copy openssl.cnf to the directory E:/openssl and modify the Ca_default section as follows:
DIR = SSL
Certs = $dir//certs
Crl_dir = $dir//CRL
Database = $dir//index.txt
New_certs_dir = $dir
Certificate = $dir//cacert.pem
serial = $dir//serial
CRL = $dir//crl.pem
Private_key = $dir//privkey.pem
Randfile = $dir//privkey.rnd (MS SLR slashes can also)
Create a new folder SSL in the E:/openssl directory where you can create index.txt files (any content) and serial files (content is integers such as 01) to switch to E:/OPENSSL under the command line to run the following command:
OpenSSL genrsa-des3-out Ssl/ca.key 1024 generates CA private key
OpenSSL req-config openssl.cnf-new-key ssl/ca.key-out SSL/CA.CSR generate CA require cert, fill in the relevant information according to the description
OpenSSL x509-days 3650-req-signkey ssl/ca.key-in ssl/ca.csr-out ssl/ca.crt generate CA Public cert
OpenSSL genrsa-out ssl/server.key 1024 generates server private key
OpenSSL req-config openssl.cnf-new-key ssl/server.key-out SSL/SERVER.CSR produces server require CERT, the information is said to be best to be the same as the above
OpenSSL ca-config openssl.cnf-days 3650-cert ssl/ca.crt-keyfile ssl/ca.key-in-ssl/server.csr-out production Health Server Public Key
Successful execution of the above commands will generate CA.CRT, SERVER.CRT, and Server.key three files under the SSL folder just now, and copy them to the SSL folder set up in the front of the Apache directory under the directory under Conf. You can also generate a certificate file by following the methods in the TORTOISESVN help document.
Note: When filling in the above two steps, Common name (eg, your websites domain name) [] to fill in the same as the httpd.conf, otherwise there will be errors, in the Apache error log found that the error is "certificate and server name mismatch" (SA server certificate commonname (CN) ' 127.0.0.1 ' does not match server name!? )。 If servername is set to 127.0.0.1:80, Common name (eg, your websites domain Name) [] seems to be filled localhost and 127.0.0.1.
ServerName for the domain name of the situation did not try, in fact, I think servername and these two information to fill out, with their own IP may be the best choice.


Start the Apache server after completing the above operation, and you can use https://localhost/to access the server if there is no error.

When you are familiar with the Apache configuration of SSL, I believe you can modify the relevant parameters and more in-depth research.

When the Apache server does not start successfully, you can find a workaround by looking at Apache log.

References:
[1] "lazy" constructs your Apache + SSL on Win32
[2], Apache + SSL on Win32 HOWTO
[3] Windows installation Apache2 + PHP 5 + mod_ssl
[4] tortoisesvn help document

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.