apache2/apache2-README.QUICKSTART.SSL

60 lines
2.7 KiB
Plaintext
Raw Normal View History

QUICKSTART.SSL -- How to get your SSL server up and running as fast as possible
You need to have read the README.QUICKSTART before going on with
this one!
o make sure that apache starts with mod_ssl loaded
- a2enmod ssl
It adapts /etc/sysconfig/apache2:APACHE_MODULES.
o make sure that the SSL configuration is active
- a2enflag SSL
It adapts /etc/sysconfig/apache2:APACHE_SERVER_FLAGS.
- the reason why the flag SSL is also needed is because it's enclosed in
<IfDefine> statements. This way it can be dormant until the necessary
prerequisite are present (keys) and you want to use it. In addition, it
can be useful to be able to start apache unattended at boot time even if
you use encrypted keys that need a passphrase otherwise.
o for a real SSL setup, I recommend TinyCA to create and manage a real ssl setup.
It is available on SUSE Linux as package "tinyca2".
Also, please refer to the mod_ssl documentation.
o The following steps will create _dummy_ keys in a very simple way:
- run /usr/bin/gensslcert
- it will (over)write /etc/apache2/ssl.crt/ca.crt
/etc/apache2/ssl.key/server.key
/etc/apache2/ssl.crt/server.crt
/etc/apache2/ssl.csr/server.csr
- a copy of ca.crt will be installed as /srv/www/htdocs/CA.crt for download.
- cp vhosts.d/vhost-ssl.template vhosts.d/vhost-ssl.conf
and adapt vhosts.d/vhost-ssl.conf al gusto
(note it must end in .conf to be read automatically)
o to check your vhost setup, use "httpd2 -S -DSSL"
o for all configuration questions, consult
http://localhost/manual (if the apache2-doc package is installed), or
http://httpd.apache.org/docs-2.2/ (the online version)
- read the documentation under /usr/share/doc/packages/apache2/ (where you
will also find example configuration files)
o TROUBLESHOOTING -- if anything does not work:
- fire up "tail -F /var/log/apache2/*_log &" in a root shell
- reproduce what is not working (starting apache, doing client requests,
or whatever), and see how it is reflected in the logs
- read http://www.suse.com/~poeml/apache-faq.html
- make use of http://bugzilla.novell.com if you suspect a bug
o common symptom:
- server logs this: [Thu Aug 28 21:07:39 2003] [error] [client 192.168.0.180] Invalid method in request j
- client shows this: SSL error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
cause: client speaks HTTPS, server speaks HTTP. If that happens to be port
443, it means that the server is listening on the port but not with
SSL. If it was the other way round (client speaks HTTP, server
speaks HTTPS), the server would log 400 and the client show an error
400 (HTTP_BAD_REQUEST) page.