QUICKSTART.SSL -- How to get your SSL server up and running as fast as possible

You need to have read the README.QUICKSTART before going on with
this one!

o make sure that apache starts with mod_ssl loaded
  - a2enmod ssl
    It adapts /etc/sysconfig/apache2:APACHE_MODULES.

o make sure that the SSL configuration is active
  - a2enflag SSL
    It adapts /etc/sysconfig/apache2:APACHE_SERVER_FLAGS.
  - the SSL flag is needed in addition to the module because the SSL
    configuration is enclosed in <IfDefine> statements. This way it can stay
    dormant until the prerequisites (keys) are present and you want to use
    it. In addition, it can be useful to be able to start apache unattended
    at boot time even if you use encrypted keys that would otherwise need a
    passphrase.

o for a real SSL setup, I recommend TinyCA to create and manage it.
  It is available on SUSE Linux as package "tinyca2".
  Also, please refer to the mod_ssl documentation.

o The following steps will create _dummy_ keys in a very simple way:
  - run /usr/bin/gensslcert
  - it will (over)write /etc/apache2/ssl.crt/ca.crt
                        /etc/apache2/ssl.key/server.key
                        /etc/apache2/ssl.crt/server.crt
                        /etc/apache2/ssl.csr/server.csr
  - a copy of ca.crt will be installed as /srv/www/htdocs/CA.crt for download.
  - cp vhosts.d/vhost-ssl.template vhosts.d/vhost-ssl.conf
    and adapt vhosts.d/vhost-ssl.conf to your needs
    (note it must end in .conf to be read automatically)

o to check your vhost setup, use "httpd2 -S -DSSL"
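The steps above boil down to four conditions: "ssl" in APACHE_MODULES, "SSL" in APACHE_SERVER_FLAGS, a vhosts.d file that ends in .conf and switches SSL on, and the key and certificate files gensslcert writes being in place. The following shell script is an added example; it is not part of QUICKSTART.SSL or of the SUSE apache2 package. It takes the sysconfig file and the apache configuration root as arguments, so it can be pointed at /etc/sysconfig/apache2 and /etc/apache2, or at the constructed sample layout it builds itself for --demo (placeholder files standing in for real keys, with the SSL flag and the .conf suffix deliberately missing so that two checks fail).

```sh
#!/bin/sh
# Added example, not part of the SUSE QUICKSTART.SSL text: a pre-flight check
# for the SSL setup steps. Paths are passed as arguments so the script can be
# run against a constructed copy of the files as well as the real ones.

# Print the (unquoted) value of VAR from a sysconfig-style FILE.
sysconfig_value() {  # sysconfig_value FILE VAR
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Succeed if WORD is one of the whitespace-separated words in LIST.
word_in_list() {  # word_in_list WORD LIST
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# a2enmod ssl adds "ssl" to APACHE_MODULES; check that it is there.
ssl_module_enabled() {  # ssl_module_enabled SYSCONFIG_FILE
    word_in_list ssl "$(sysconfig_value "$1" APACHE_MODULES)"
}

# a2enflag SSL adds "SSL" to APACHE_SERVER_FLAGS; without it every
# <IfDefine SSL> block stays dormant.
ssl_flag_enabled() {  # ssl_flag_enabled SYSCONFIG_FILE
    word_in_list SSL "$(sysconfig_value "$1" APACHE_SERVER_FLAGS)"
}

# Only vhosts.d/*.conf is read, so a copied template that kept its .template
# suffix (or got no suffix at all) is silently ignored. Succeed if at least
# one *.conf file in DIR switches SSL on.
ssl_vhost_active() {  # ssl_vhost_active VHOSTS_DIR
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" && return 0
    done
    return 1
}

# The files gensslcert writes; the SSL vhost cannot start without them.
ssl_keys_present() {  # ssl_keys_present APACHE_CONF_ROOT
    for f in ssl.crt/ca.crt ssl.key/server.key ssl.crt/server.crt; do
        [ -s "$1/$f" ] || return 1
    done
    return 0
}

# Run all checks, print one line each, return the number of failures.
ssl_preflight() {  # ssl_preflight SYSCONFIG_FILE APACHE_CONF_ROOT
    failures=0
    for name in ssl_module_enabled ssl_flag_enabled ssl_vhost_active ssl_keys_present; do
        case $name in
            ssl_module_enabled|ssl_flag_enabled) arg=$1 ;;
            ssl_vhost_active) arg=$2/vhosts.d ;;
            ssl_keys_present) arg=$2 ;;
        esac
        if "$name" "$arg"; then
            echo "ok   : $name $arg"
        else
            echo "FAIL : $name $arg"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Constructed sample layout (not a real installation): the module is loaded,
# but a2enflag SSL was never run and the template was copied without the
# .conf suffix. The key/cert files are placeholders, not real key material.
make_sample_setup() {  # make_sample_setup DIR
    mkdir -p "$1/vhosts.d" "$1/ssl.crt" "$1/ssl.key"
    printf 'APACHE_MODULES="alias dir mime ssl"\nAPACHE_SERVER_FLAGS=""\n' > "$1/sysconfig-apache2"
    printf '<VirtualHost _default_:443>\n\tSSLEngine on\n</VirtualHost>\n' > "$1/vhosts.d/vhost-ssl.template"
    cp "$1/vhosts.d/vhost-ssl.template" "$1/vhosts.d/vhost-ssl"
    echo "placeholder, not a real certificate" > "$1/ssl.crt/ca.crt"
    echo "placeholder, not a real key" > "$1/ssl.key/server.key"
    echo "placeholder, not a real certificate" > "$1/ssl.crt/server.crt"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_setup "$tmp"
    ssl_preflight "$tmp/sysconfig-apache2" "$tmp"   # two FAIL lines: flag and vhost
    rm -rf "$tmp"
fi
```

Run it as "sh ssl-preflight.sh --demo" to see the sample output, or source it and call ssl_preflight /etc/sysconfig/apache2 /etc/apache2 as root; a non-zero exit status is the number of conditions still missing. It deliberately does not try to validate the key material itself; "httpd2 -S -DSSL" does that once the files are in place.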

o for all configuration questions, consult
  http://localhost/manual (if the apache2-doc package is installed), or
  http://httpd.apache.org/docs-2.2/ (the online version)
  - read the documentation under /usr/share/doc/packages/apache2/ (where you
    will also find example configuration files)

o TROUBLESHOOTING -- if anything does not work:
  - fire up "tail -F /var/log/apache2/*_log &" in a root shell
  - reproduce what is not working (starting apache, doing client requests,
    or whatever), and see how it is reflected in the logs
  - read http://www.suse.com/~poeml/apache-faq.html
  - make use of http://bugzilla.novell.com if you suspect a bug

o common symptom:
  - server logs this: [Thu Aug 28 21:07:39 2003] [error] [client 192.168.0.180] Invalid method in request j
  - client shows this: SSL error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    cause: the client speaks HTTPS, the server speaks HTTP. If that happens on
    port 443, it means that the server is listening on the port but not with
    SSL. If it were the other way round (client speaks HTTP, server speaks
    HTTPS), the server would log a 400 and the client would show an error
    400 (HTTP_BAD_REQUEST) page.
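The troubleshooting loop above (tail the logs, reproduce, read what appears) and the common symptom can be turned into a small log triage. The following shell script is an added example and not part of QUICKSTART.SSL or the SUSE apache2 package. The error_log and access_log lines it works on are constructed in the format the text quotes (only the first error line is the one from the text; the "\x16\x03\x01" lines show how a TLS handshake, whose first record byte is 0x16, appears when apache escapes the bytes), and the advice it prints is a restatement of the "cause" paragraph.

```sh
#!/bin/sh
# Added example, not part of QUICKSTART.SSL: triage of the Apache logs for
# the HTTPS-vs-HTTP mismatch described in the text. All log lines below are
# constructed samples; only the first error line is quoted from the text.

SAMPLE_ERROR_LOG='[Thu Aug 28 21:07:39 2003] [error] [client 192.168.0.180] Invalid method in request j
[Thu Aug 28 21:07:41 2003] [notice] configured -- resuming normal operations
[Thu Aug 28 21:08:02 2003] [error] [client 192.168.0.180] Invalid method in request \x16\x03\x01
[Thu Aug 28 21:08:30 2003] [error] [client 10.0.0.7] Invalid method in request \x16\x03\x01
[Thu Aug 28 21:09:15 2003] [error] [client 192.168.0.17] File does not exist: /srv/www/htdocs/favicon.ico'

# The reverse case (plain HTTP spoken to the SSL port) is answered with 400
# and shows up in the access log with that status.
SAMPLE_ACCESS_LOG='192.168.0.17 - - [28/Aug/2003:21:10:02 +0200] "GET / HTTP/1.1" 200 1456
192.168.0.17 - - [28/Aug/2003:21:10:40 +0200] "GET / HTTP/1.1" 400 398
192.168.0.180 - - [28/Aug/2003:21:11:05 +0200] "GET /CA.crt HTTP/1.1" 200 1200'

# Number of error_log lines showing a TLS handshake sent to a plain-HTTP listener.
count_https_to_http() {  # count_https_to_http ERROR_LOG
    grep -c -F 'Invalid method in request' "$1" || true  # grep -c prints 0 but exits 1 on no match
}

# Distinct client addresses that produced those lines.
clients_https_to_http() {  # clients_https_to_http ERROR_LOG
    grep -F 'Invalid method in request' "$1" \
        | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' | sort -u
}

# Number of access_log requests answered with 400. Other malformed requests
# are counted too, so this is a hint for the reverse case, not proof.
count_bad_requests() {  # count_bad_requests ACCESS_LOG
    awk '$9 == 400 { n++ } END { print n + 0 }' "$1"
}

# Print a diagnosis in the words of the "cause" paragraph. Returns 0 if
# either symptom was seen, 1 if the logs look clean.
triage_logs() {  # triage_logs ERROR_LOG ACCESS_LOG
    h=$(count_https_to_http "$1")
    b=$(count_bad_requests "$2")
    if [ "$h" -gt 0 ]; then
        echo "$h TLS handshake(s) hit a plain-HTTP listener (client speaks HTTPS, server speaks HTTP)"
        echo "  from: $(clients_https_to_http "$1" | tr '\n' ' ')"
        echo "  if that port is 443 it is open but not SSL-enabled: start with -DSSL (a2enflag SSL)"
        echo "  and make sure the :443 vhost has SSLEngine on (check with httpd2 -S -DSSL)"
    fi
    if [ "$b" -gt 0 ]; then
        echo "$b request(s) answered with 400: possibly plain HTTP spoken to the HTTPS port"
        echo "  (client speaks HTTP, server speaks HTTPS); the client sees an HTTP_BAD_REQUEST page"
    fi
    [ "$h" -gt 0 ] || [ "$b" -gt 0 ]
}

# Write the constructed samples into DIR as error_log and access_log.
write_sample_logs() {  # write_sample_logs DIR
    printf '%s\n' "$SAMPLE_ERROR_LOG" > "$1/error_log"
    printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$1/access_log"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_logs "$tmp"
    triage_logs "$tmp/error_log" "$tmp/access_log"
    rm -rf "$tmp"
fi
```

Against a real installation, call triage_logs /var/log/apache2/error_log /var/log/apache2/access_log after reproducing the failing request with "tail -F" still running, so you see both the raw line and its interpretation; the function reports the distinct client addresses so a single misconfigured client can be told apart from a server listening on 443 without SSL.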