QUICKSTART.SSL -- How to get your SSL server up and running as fast as possible

You need to have read the README.QUICKSTART before going on with this one!

o make sure that apache starts with mod_ssl loaded
    - a2enmod ssl
      It adapts /etc/sysconfig/apache2:APACHE_MODULES.

o make sure that the SSL configuration is active
    - a2enflag SSL
      It adapts /etc/sysconfig/apache2:APACHE_SERVER_FLAGS.
    - the reason why the flag SSL is also needed is because it's enclosed in
      <IfDefine SSL> statements. This way it can be dormant until the
      necessary prerequisites are present (keys) and you want to use it.
      In addition, it can be useful to be able to start apache unattended at
      boot time even if you use encrypted keys that need a passphrase
      otherwise.

o for a real SSL setup, I recommend TinyCA to create and manage a real ssl
  setup. It is available on SUSE Linux as package "tinyca2".
  Also, please refer to the mod_ssl documentation.

o The following steps will create _dummy_ keys in a very simple way:
    - run /usr/bin/gensslcert
    - it will (over)write
        /etc/apache2/ssl.crt/ca.crt
        /etc/apache2/ssl.key/server.key
        /etc/apache2/ssl.crt/server.crt
        /etc/apache2/ssl.csr/server.csr
    - a copy of ca.crt will be installed as /srv/www/htdocs/CA.crt for
      download.
    - cp vhosts.d/vhost-ssl.template vhosts.d/vhost-ssl.conf
      and adapt vhosts.d/vhost-ssl.conf al gusto
      (note it must end in .conf to be read automatically)

o to check your vhost setup, use "httpd2 -S -DSSL"

o for all configuration questions, consult
    http://localhost/manual (if the apache2-doc package is installed), or
    http://httpd.apache.org/docs-2.2/ (the online version)
    - read the documentation under /usr/share/doc/packages/apache2/
      (where you will also find example configuration files)

o TROUBLESHOOTING -- if anything does not work:
    - fire up "tail -F /var/log/apache2/*_log &" in a root shell
    - reproduce what is not working (starting apache, doing client requests,
      or whatever), and see how it is reflected in the logs
    - read http://www.suse.com/~poeml/apache-faq.html
    - make use of http://bugzilla.novell.com if you suspect a bug

o common symptom:
    - server logs this:
        [Thu Aug 28 21:07:39 2003] [error] [client 192.168.0.180] Invalid method in request j
    - client shows this:
        SSL error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    cause: client speaks HTTPS, server speaks HTTP. If that happens to be
    port 443, it means that the server is listening on the port but not with
    SSL.
    If it was the other way round (client speaks HTTP, server speaks HTTPS),
    the server would log 400 and the client would show an error 400
    (HTTP_BAD_REQUEST) page.
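
When the server answers on port 443 without SSL, a first thing to rule out is that one of the setup steps above was skipped. The script below is an added example, not part of the apache2 package: it checks the prerequisites those steps create and names the missing one. The function names and the optional root-directory argument are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not shipped with apache2. Preflight for the quickstart steps.
# Assumption: an optional ROOT prefix (default: the live system) so the check
# can also be pointed at a mounted image or a test tree.

# Print the value of shell-style variable $2 from file $1 without sourcing
# the file (sourcing would execute whatever the file contains).
get_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Succeed if the whitespace-separated list $1 contains the word $2.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Print one line per missing prerequisite; return the number of problems.
check_ssl_quickstart() {
    root=${1:-}; problems=0
    sysconfig="$root/etc/sysconfig/apache2"
    apache="$root/etc/apache2"
    fail() { echo "MISSING: $*"; problems=$((problems + 1)); }

    has_word "$(get_var "$sysconfig" APACHE_MODULES)" ssl ||
        fail "ssl not in APACHE_MODULES (run: a2enmod ssl)"
    has_word "$(get_var "$sysconfig" APACHE_SERVER_FLAGS)" SSL ||
        fail "SSL not in APACHE_SERVER_FLAGS (run: a2enflag SSL)"
    for f in ssl.key/server.key ssl.crt/server.crt; do
        [ -s "$apache/$f" ] || fail "$apache/$f (key/certificate not created)"
    done
    # Only files ending in .conf are read from vhosts.d automatically.
    [ -f "$apache/vhosts.d/vhost-ssl.conf" ] ||
        fail "$apache/vhosts.d/vhost-ssl.conf (copy it from vhost-ssl.template)"
    return "$problems"
}
```

Call check_ssl_quickstart with no argument in a root shell to check the running system; a return value of 0 means every prerequisite was found, after which "httpd2 -S -DSSL" shows whether the vhost itself is picked up.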