Installing SSL for Apache 2.2.4
I've been spending a bit of time over the past two days looking at how to run https under Apache 2.2.4 for windows. You'd expect it to be a relatively simple task, but it has become more difficult that i first thought. You'd also expect the Apache documentation to have a start to finish HOWTO or something similar.
Apache has mod_ssl.so included in the http.conf by default, but my first mistake was in actually thinking that the mod_ssl.so module was installed by default. Apparently, it's not included in the default build because of export restrictions.. but this is not mentioned in the Apache docs. To cut a long story short there is no consise information on where to get a win32 binary for the current version of Apache .. or even that you're required to go digging around trying to find one. There's always the option of compiling it from source, but if you go the the mod_ssl home page it says it, "provides strong cryptography for the Apache 1.3". that's it. Now what ??
So, more googling revealed a few HOWTO's for older versions of Apache, but nothing that actually included a complete solution. Eventually, I found this article which has a fairly good overview for an older version of apache and combined with this win32 build from ApacheLounge.com I thought i was onto a winner... but sadly no.. it wouldn't run.
Now, I'm throwing it into the too hard basket for a couple of days to try and actually get some work done. Somebody please tell me I've missed something.
Note: there are complete server suites around that include Apache, php, drupal, etc, etc, which are supposed to work, but I already have all of that stuff installed and don't want to wipe out my current config. There's more talk about that on Matt Woodward's blog.
Comments
using the build from apachelounge
1. Make sure httpd runs without ssl enabled
2. create a certificate and key via the directions in the article at http://www.jm-solutions.com/OpenSSL/Setup/setup02.php
briefly using openssl
a. Create a certificate request. >openssl req -config openssl.cnf -new -out my-server.csr
b. remove the passphrase. httpd on windows does not allow for encrypted keys >openssl rsa -in privkey.pem -out my-server.key
c. self sign the certificate request. openssl x509 -in my-server.csr -out my-server.crt -req -signkey my-server.key -days 365
3. Move the my-server.crt and my-server.key to a directory to which httpd has access. In my case C:/Apache2/conf/ssl/
4. I added the following to the end of the httpd.conf file
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
<IfModule ssl_module>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#generated certificate - do not encrypt w/ passphrase - windows does not allow encrypted keys
SSLCertificateKeyFile C:/Apache2/conf/ssl/my-server.key
SSLCertificateFile C:/Apache2/conf/ssl/my-server.crt
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</IfModule>
</VirtualHost>
I have had great success with the binary build posted at the site below. Granted I have only tried out the Apache 2.0.x w/SSL binaries but I am guess the 2.2 ones are good too.
http://hunter.campbus.com/
Here is another guide:
http://www.neilstuff.com/apache/apache2-ssl-windows.htm
You already have the next link: http://hunter.campbus.com/
Hi. I just tried installing apache 2.2.4 with ssl. All I did was enable the mod_ssl and include the ssl conf file frmo the Apache2.2\conf\extra folder. It wasn't working so I used the test configuration link(from start menu) and quickly realized that none of my folder strings were enclosed in double quotes in the httpd-ssl.conf file. I had to add quotes or make them relative paths. Stupid bug I guess.
Hope it helps!
Mat
This looks like a really good way to go:
http://sis36.berkeley.edu/projects/streek/howto/apache_2_0_49_mod_ssl-in...
I'm just getting into it now, but wanted to post it before I forgot. The drag is that latest available openssl binaries from http://hunter.campbus.com/
are for apache 2.2.3, and you have to dig around for a million years on apache.org before you find the archive where you can can older releases:
http://archive.apache.org/dist/httpd/
-Jon
After tried two days to installing apache 2.2.4 with ssl for my subversion server without success. I see above post by Mat. Yes, it's work for me too. Just add:
Include conf/extra/httpd-ssl.conf
to bottom of httpd.conf and some " to httpd-ssl.conf. use this comamd line to find where to add (change path acording to your install):
D:\Program Files\Apache Software Foundation\Apache2.2\bin>httpd -w -t -f "D:\Pro
gram Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"
My apache 2.2.4 download from:
http://www.apache.org/dist/httpd/binaries/win32/apache_2.2.4-win32-x86-o...
Thank you Mat.
PS: It's work but has "Certificate Error" in IE 7, i'll find out tomorrow.
I spent a day trying to get openssl and mod_ssl.so working with 2.2.4. You MUST have a 2.2.4 version of the mod_ssl.so file for this to work right. I reverted to 2.2.3 for Apache and mod_ssl.so - you can install 2.2.4 if you want but download the 2.2.3 from hunter.campbus and swap that out with your Apache2 directory. There's still a ton of config you need to do but start with this...
Hey guys: I'm not sure if you solved Jason's original problem. And maybe I misunderstand it.
Today for the first time I decided to "compile" rather then "RPM".
I downloaded the latest openSSL and compiled it according to the instructions and it got installed in /usr/local/ssl on my Fedora 8.
Then I hit that "ssl snag" when I tried to compile Apache 2.2.4: no SSL after following this quick start instructions:
http://httpd.apache.org/docs/2.2/install.html
After GOOGLEing all around, I finally RTFM.
The key is to use ./configure to cause the compiler to include the mod_ssl in its work. The instructions are in this section:
http://httpd.apache.org/docs/2.2/install.html#configure
with greater detail here:
http://httpd.apache.org/docs/2.2/programs/configure.html
./configure --enable-ssl=share --with-ssl=/usr/local/ssl
mod_ssl is one of the disabled-by-default modules. I told the compiler to compile it and specifically to create it as a .so in the modules folder (after installation). The installer script is smart enought to "add" the needed loadmodule directive line to the httpd.conf...but you do have to uncomment the "include" state ment to bring in the extra/httpd-ssl.conf file.
Anyway I found this page because I also was having trouble getting Apache v2.2.4 SSL to "come into existance." It's working fine.
I am having an issue with my 2.2.4 install. Whenever trying to enable the mod_ssl in http.conf, I always get the "Operating system cannot open %1" error for the mod_ssl. I have even tried downloading the 2.2.3 version from http://hunter.campbus.com/ and still no luck. Do I need the 2.2.4 version? Also where can I find it, because after much googling, I still cannot find a 2.2.4 version of mod_ssl. I have to retrofit an ssl instalation in a 2.2.4 standard install because its on a live server that cannot be brought down for extended duration of time. Any help would be appreciated.
I recent found the site below which has a lot of good content and downloads for Apache on Windows. They have a build of Apache 2.2.5 with SSL available. Their forums seems pretty active and useful as well.
http://www.apachelounge.com/download/
Hi,
i have some issues with ssl on Apache 2.2.4, as i have added the:
Include conf/extra/httpd-ssl.conf
line to the httpd.conf
Although i my apache want start, as i have not added any " to the file:
httpd-ssl.conf
as i dont have a clue where to add them, i would be very appreciated if you can help me here.
As i need this working as soon as possible.
Thanks
I know this is an old post, but I just downloaded Apache 2.24 from the Apache site and it looks like it's equipped with all what you need for SSL. I remember when running 2.059 that I had to install some stuff manually that wasn't there with the install. I think if you uncomment the mod_ssl module and look at one of those guides from the links above on how to tgneerate a certificate, that will do the trick. I'm just basing this on my experience with Apache.
Thanks for the input guys. I'm in the middle of the heap of stuff right now and haven't had time to try any of your suggestions... I'm going to give this another try asap. I'll post back when i get it working. - thanks again.