Configure Apache2 SSL on Debian
Well, there is the standard way to do things and then there is my way. The key difference: I've generated my own certificates, without a passphrase. See Installing Secure IRC for instructions on setting up and testing your own certificates.
Useful Links
The Usual Way
Assuming you haven't created your own certificates and you really only care about making http secure you should follow these instructions. apache2-ssl-certificate is a shell script you run to generate your certificates.
# try aptitude in place of apt-get
apt-get install apache2
# this is the shell script you run
apache2-ssl-certificate
Now create a config file for your SSL server. Note: /etc/apache2/sites-enabled/ssl will now be known as the ssl config file.
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl
We need to edit both the default and ssl config files and tell them when each is used. We do this by changing the virtual host section of each file.
ssl file
NameVirtualHost *:443
<VirtualHost *:443>
...rest of config
default file
NameVirtualHost *:80
<VirtualHost *:80>
...rest of config
Now add the new port to /etc/apache2/ports.conf
Listen 443
In the ssl config file add the following within the VirtualHost directive
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
Finally enable your modules and restart
sudo ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
sudo ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf
sudo /usr/sbin/apache2ctl restart
You will be prompted for a passphrase when apache starts up. If you aren't around to enter the passphrase it will just hang.
Roll Your Own Certs
Assuming you need certificates for several applications and want to store them in a single location, you may generate your own certs by following the instructions in Installing Secure IRC.
# aptitude is a nice alternative to apt-get
apt-get install apache2
First create a config file for your SSL server. Note: /etc/apache2/sites-enabled/ssl will now be known as the ssl config file.
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl
We need to edit both the default and ssl config files and tell them when each is used. We do this by changing the virtual host section of each file. Now my apache server really listens on port 8000 and port 443. I port forward the traffic from 80 to 8000. My default file has the NameVirtualHost, which is the port the outside world sees, and the apache VirtualHost port, which apache is listening to.
ssl file
NameVirtualHost *:443
<VirtualHost *:443>
...rest of config
default file
NameVirtualHost *:80
<VirtualHost *:8000>
Now add the new port to /etc/apache2/ports.conf
Listen 443
In the ssl config file add the following within the VirtualHost directive. Notice the three files (site certificate, site key and CA certificate), needed because we are self-signed.
SSLEngine On
SSLCertificateFile /${SSLDIR}/certs/sitecert.pem
SSLCertificateKeyFile /${SSLDIR}/certs/sitekey.pem
SSLCACertificateFile /${SSLDIR}/private/CAcert.pem
Almost there, now edit your modules and comment out the SSLPassPhraseDialog line. I can do this because I stripped the pass phrase from the keys. Again see Installing Secure IRC for directions on stripping the passphrase.
sudo vi /etc/apache2/mods-available/ssl.conf
# No passphrase, so we comment this out
#SSLPassPhraseDialog builtin
Finally enable your modules and restart
sudo ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
sudo ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf
sudo /usr/sbin/apache2ctl restart
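With the passphrase stripped from the site key, file permissions are the only thing protecting it on disk. The check below is an added example, not part of the original page: key_status is a hypothetical helper name and the sample files are constructed placeholders. It reports whether a PEM key is passphrase-protected and, if not, whether group or other have any access to it.

```sh
#!/bin/sh
# Added example: classify a PEM private key by passphrase protection and
# file mode. Paths and file contents below are constructed samples.

# key_status FILE -> prints one of:
#   encrypted         key is passphrase-protected (Apache will prompt at start)
#   plain-restricted  no passphrase, accessible by the owner only
#   plain-exposed     no passphrase AND group/other have some access
#   not-a-key         no PEM private key header found
key_status() {
    f=$1
    [ -r "$f" ] || { echo not-a-key; return; }
    # PKCS#8 encrypted keys use their own BEGIN line; traditional
    # encrypted keys carry a Proc-Type header instead.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted; return
    fi
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f" || { echo not-a-key; return; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" = "------" ]; then
        echo plain-restricted
    else
        echo plain-exposed
    fi
}

# Demo on constructed files (placeholder bodies, not real key material).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$d/with-pass.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/sitekey.pem"
    chmod 644 "$d/sitekey.pem"
    for k in "$d/with-pass.pem" "$d/sitekey.pem"; do
        echo "$(basename "$k"): $(key_status "$k")"
    done
    chmod 600 "$d/sitekey.pem"
    echo "sitekey.pem after chmod 600: $(key_status "$d/sitekey.pem")"
    rm -rf "$d"
}
demo
```

Run it against the real sitekey.pem before restarting apache; a plain-exposed result means the key should be restricted to its owner (chmod 600) first.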