SSL with Apache2 in Debian

With Apache 1.3.x it was easy: just install the apache-ssl package and you're all set up. However, this way you had to maintain two separate configs, one for the apache Debian package and one for the apache-ssl package. With Apache 2.x the *-ssl package disappeared and now you can easily maintain a single Apache config including both the normal HTTP and the SSL listeners and virtualhosts.

There's a fairly straightforward description at debian-administration.org, but it seems that the apache2-ssl-certificate script is missing from the current stable Apache 2.x Debian packages. Of course creating a self-signed certificate is not exactly rocket science, but I understand the annoyance that many feel at the lack of simplicity here.

I'll summarize the steps that I used instead of the description mentioned above.
  1. apt-get install apache2-doc apache2-mpm-prefork apache2-utils apache2.2-common
    (These are the packages installed by the Debian 4.0r1 network installer too, if you choose the "web server" profile.)
  2. The only extra package that you'll need is:
    apt-get install openssl
  3. Now generate a self-signed certificate as described here:
    mkdir /etc/apache2/ssl
    openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 1825 -nodes
    cat server.key server.crt > /etc/apache2/ssl/apache2.pem
    chmod 0600 /etc/apache2/ssl/apache2.pem
    rm server.key server.crt
  4. Enable the SSL module:
    a2enmod ssl
  5. Add port 443 to the list of listeners:
    grep -qisE 'listen[^a-zA-Z0-9]+443([^0-9]|$)' /etc/apache2/ports.conf || echo "Listen 443" >> /etc/apache2/ports.conf
  6. Create a virtualhost config for the SSL port (e.g. /etc/apache2/sites-available/ssl):
    NameVirtualHost *:443
    <VirtualHost *:443>
      ServerName www.example.com

      DocumentRoot /var/www/
      <Directory />
        Options FollowSymLinks
        AllowOverride None
      </Directory>
      <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
      </Directory>

      LogLevel Warn
      ErrorLog /var/log/apache2/error.log
      CustomLog /var/log/apache2/access.log combined
      # ServerSignature accepts only On, Off or EMail ("Prod" is a ServerTokens value)
      ServerSignature Off

      SSLEngine on
      SSLCertificateFile /etc/apache2/ssl/apache2.pem
    </VirtualHost>
  7. Enable the new config:
    a2ensite ssl
  8. Reload apache config:
    /etc/init.d/apache2 force-reload
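
Step 3 writes server.key to the current directory under the default umask and only tightens permissions once the combined file exists. As an added example (not part of the original post), these shell functions build the same combined PEM under umask 077 and then check that the key and certificate in it belong together; the function names make_pem and check_pem and the -subj value are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# make_pem OUTFILE COMMON_NAME [DAYS]
# Builds the combined key+certificate PEM from step 3 without the private key
# ever existing on disk with group/world-readable permissions.
make_pem() {
    out=$1 cn=$2 days=${3:-1825}
    (
        umask 077                          # files created below get mode 0600
        tmp=$(mktemp -d) || exit 1         # private scratch directory (0700)
        trap 'rm -rf "$tmp"' EXIT          # remove the loose key and cert on exit
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=$cn" \
            -keyout "$tmp/server.key" -out "$tmp/server.crt" 2>/dev/null || exit 1
        cat "$tmp/server.key" "$tmp/server.crt" > "$tmp/combined.pem" || exit 1
        mv -f "$tmp/combined.pem" "$out"   # replaces any older, looser file
    )
}

# check_pem FILE
# Succeeds only if FILE has mode 600 and the certificate in it was issued for
# the private key in it (their public keys are identical).
check_pem() {
    f=$1
    mode=$(stat -c %a "$f") || return 1    # GNU stat, as shipped on Debian
    [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "$f: key and certificate do not match" >&2; return 1; }
}
```

After sourcing the functions as root, `make_pem /etc/apache2/ssl/apache2.pem www.example.com && check_pem /etc/apache2/ssl/apache2.pem` replaces the commands in step 3 once the directory exists.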