Results 1 to 6 of 6

Thread: HOWTO: Apache2 Self-Signed Certificates (No Password Prompting)

  1. #1
    Join Date
    Jul 2005
    Location
    Remote Desert, USA
    Beans
    683

    HOWTO: Apache2 Self-Signed Certificates (No Password Prompting)

    If you are a web developer trying to test https:// connections to your local web server running Ubuntu, or just have some special web app that needs SSL locally and don't have customers who expect you to have a real Thawte or Verisign certificate, then this document for at least Ubuntu 8.04 might help:

    https://help.ubuntu.com/8.04/serverguide/C/httpd.html

    However, if you follow its advice, you will end up with SSL and self-signed certificates that, upon reboot of the Apache2 service, will prompt you for a password. This might be annoying, but is actually a good security measure according to the doc above.

    Now, if you are a developer who doesn't want this annoyance and doesn't have real reason to worry about the security problem of not prompting for a password, you can do the self-signed certificate a different way.

    Self-Signed Certs on Ubuntu 8.04 (No Apache Service Start Password Version)
    {Note this may work in future releases of Ubuntu past 8.04, but I have only tested on Ubuntu 8.04 workstation and Ubuntu 8.04 server.}

    1. Tell Apache2 to enable the SSL module.

    # sudo a2enmod ssl

    2. Generate our certificate...

    # cd /tmp
    # sudo openssl req -new > new.cert.csr

    ...when prompted for info, fill it out. Here's what I typed...

    US
    Florida
    Orlando
    SpacemanWorld
    (enter)
    Jack Spaceman
    jackh@spacemanxworld.net
    (enter)
    (enter)

    ...and now we continue...

    # sudo openssl rsa -in privkey.pem -out new.cert.key
    # sudo openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1825
    # sudo cp new.cert.cert /etc/ssl/certs/server.crt
    # sudo cp new.cert.key /etc/ssl/private/server.key


    3. Now we need to tell Apache2 to use this.

    # sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
    # sudo vi /etc/apache2/sites-available/default


    Change:
    Code:
    NameVirtualHost: *
    To:
    Code:
    NameVirtualHost: *:80
    Change:
    Code:
    <VirtualHost *>
    To:
    Code:
    <VirtualHost *:80>
    # sudo vi /etc/apache2/sites-available/ssl

    Change:
    Code:
    NameVirtualHost: *
    To:
    Code:
    NameVirtualHost: *:443
    Change:
    Code:
    <VirtualHost *>
    To:
    Code:
    <VirtualHost *:443>
    After the "DocumentRoot" line, add the following:
    Code:
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # sudo cd /etc/apache2/sites-enabled
    # sudo a2ensite ssl


    4. Now we need to adjust /etc/hosts if necessary, using the vi command:

    Note this might already be done for you -- just doublecheck.

    # sudo vi /etc/hosts

    Code:
    127.0.0.1 localhost localhost.localdomain {your system name}
    127.0.1.1 {your system name}
    {static IP if you you have one} {fully qualified DNS host name if you have one}
    5. Now we restart our Apache2 service.

    # sudo /etc/init.d/apache2 restart

    6. Test your server. You should be able to reach your pages on both http and https. Remember, this goal here was only to get your pages to work on https for doing things like web development testing, such as testing some eCommerce pages. However, you don't want people reaching a secured page on http when they should be on https, so remember that you'll want to trap for that in your .htaccess file in your website folder and redirect users back to the page under https.

    SOURCES (HAD TO COMBINE AND GLEAN):

    https://help.ubuntu.com/8.04/serverguide/C/httpd.html
    http://www.linuxquestions.org/linux/...ache_SSL_Howto
    http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html
    Last edited by slavik; April 4th, 2009 at 10:52 AM.
    SuperMike
    When in doubt, follow the penguins.
    Evil Kitty is watching you

  2. #2
    Join Date
    Jan 2006
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: Apache2 Self-Signed Certificates (No Password Prompting)

    This is a good tutorial. Finally, someone writes up a good one.
    Last edited by slavik; April 4th, 2009 at 10:52 AM.
    I am infallible, you should know that by now.
    "My favorite language is call STAR. It's extremely concise. It has exactly one verb '*', which does exactly what I want at the moment." --Larry Wall
    (02:15:31 PM) ***TimToady and snake oil go way back...
    42 lines of Perl - SHI - Home Site

  3. #3
    Join Date
    May 2009
    Beans
    1
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Apache2 Self-Signed Certificates (No Password Prompting)

    Thanks for the tutorial, I can verify works with 9.10 server and desktop.

  4. #4
    Join Date
    Aug 2007
    Beans
    29

    Re: HOWTO: Apache2 Self-Signed Certificates (No Password Prompting)

    yaaay! finally a good tutorial!
    thx for posting!
    fedora convert.

  5. #5
    Join Date
    Jun 2006
    Location
    Neither here nor there
    Beans
    3,289
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: HOWTO: Apache2 Self-Signed Certificates (No Password Prompting)

    Quote Originally Posted by ravimannan2002 View Post
    yaaay! finally a good tutorial!
    thx for posting!
    Yes, excellent. Works well in 10.04.1 as well.
    Linux & MythTV 4 Life
    Running ubuntu on an Atom 330, Atom D525, Turion 64 X2 TL-56, X2 3800, X2 4200, X2 4600, E2180, Core i5 450M, and a Core i7-2600
    My Hardware

  6. #6
    Join Date
    Aug 2012
    Beans
    22

    Re: HOWTO: Apache2 Self-Signed Certificates (No Password Prompting)

    Hi,SuperMike

    Great post tnx.
    But i have a problem ... i think you can help me. After following your steps i get this error message ..

    1.)[Sun Aug 19 06:32:28 2012] [warn] RSA server certificate CommonName (CN) `UbuntuMail' does NOT match server name!?
    2.)File does not exist: /var/www/favicon.ico
    3.)[Thu Aug 23 11:53:17 2012] [notice] caught SIGTERM, shutting down
    [Thu Aug 23 13:01:19 2012] [warn] RSA server certificate CommonName (CN) `IvanUbuntuMailServer' does NOT match server name!?
    [Thu Aug 23 13:01:19 2012] [error] Unable to configure RSA server private key
    [Thu Aug 23 13:01:19 2012] [error] SSL Library Error: 185073780 error:0B080074509 certificate routines:X509_check_private_key:key values mismatch
    [Thu Aug 23 13:10:34 2012] [error] Unable to configure RSA server private key
    [Thu Aug 23 13:10:34 2012] [error] SSL Library Error: 185073780 error:0B080074509 certificate routines:X509_check_private_key:key values mismatch


Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •