Debian Etch - Apache, SSL and vhosts

Securing connections to your website is vital when users enter passwords or access administration areas.

This article will take you through creating a self-signed certificate and configuring your virtual host to use https (port 443) connections.


Non commercial

Before we go any further I would point out that self-signed certificates will produce warnings when accessed via an https link.

They are not suitable for commercial sites or any public facing site but are ideal for personal administration areas.

There are many sites that specialise in issuing recognised and guaranteed certificates. A search for 'ssl certificates' in your favourite search engine will provide many links.

SSL directory

We can place the generated certificate anywhere but I like to keep them in one folder. Let's create that folder:

sudo mkdir /etc/apache2/ssl

Certificate

There are a couple of ways of creating self-signed certificates. The method used here creates a single file and does not require a passphrase on a reboot or Apache restart.

To start enter the following command:

sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem

The initial output is as follows:

Generating a 1024 bit RSA private key
...........++++++
...........++++++
writing new private key to '/etc/apache2/ssl/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

As indicated, you will be asked a series of questions:

Country:

Country Name (2 letter code) [AU]:

In my case, I entered 'GB' for Great Britain.

State:

State or Province Name (full name) [Some-State]:

You can leave this blank but for demonstration purposes I entered 'Nottinghamshire'

City:

Locality Name (eg, city) []:

Again, leave blank if you wish. I entered 'Nottingham'.

Organisation:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Here I entered 'PickledOnion Ltd'.

Unit:

Organizational Unit Name (eg, section) []:

I entered 'Web Development'

Name:

Common Name (eg, YOUR name) []:

Enter your domain name here, so you might enter something like admin.domain.com. Use only your site's hostname or IP address. I used admin.domain.com as an example.

Email:

Email Address []:

If you want your email address displayed on the certificate, then enter it here. If you are going to use a self-signed certificate for public facing sites then I would recommend entering a valid address, as it gives visitors a person to contact.

Anyway, I entered 'webadmin@domain.com'.

Done

You will be placed back at the command prompt and the certificate has been placed, as directed, in /etc/apache2/ssl/apache.pem.
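The same certificate generation as a non-interactive script, added here as an example; it is not part of the original article. It passes the subject fields from the walk-through above with -subj instead of answering the prompts, sets the Common Name to the hostname given on the command line (a CN that does not match the name in the browser's address bar adds a second, name-mismatch warning on top of the self-signed one, as the comments below discuss), uses a 2048-bit key rather than the 1024-bit default shown in the output above, and restricts the combined key-and-certificate file to root. The subject values and admin.domain.com are the article's sample values; the helper names (make_cert, cert_cn, cert_matches, pem_has_key_and_cert) are my own.

```bash
#!/bin/sh
# Added example (not from the original article): non-interactive version of
# the "openssl req" step. Subject values are the article's sample values;
# replace them with your own.
set -eu

# make_cert <dir> <host>
# Creates <dir>/apache.pem holding the private key followed by the
# self-signed certificate, the same combined layout the article's command
# produces. The Common Name is set to <host>, which must match the name
# browsers use to reach the site.
make_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # Subject fields in the order the interactive prompts ask for them.
    subj="/C=GB/ST=Nottinghamshire/L=Nottingham/O=PickledOnion Ltd/OU=Web Development/CN=$host/emailAddress=webadmin@domain.com"
    # Key and certificate go to separate files first and are then joined, so
    # the result does not depend on openssl appending to an existing file.
    # -nodes: the key is stored unencrypted so Apache restarts without a passphrase.
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "$subj" \
        -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null
    cat "$dir/apache.key" "$dir/apache.crt" > "$dir/apache.pem"
    rm -f "$dir/apache.key" "$dir/apache.crt"
    # The file contains an unencrypted private key: readable by its owner only.
    chmod 600 "$dir/apache.pem"
}

# cert_cn <pemfile>: print the certificate's Common Name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *CN=//p'
}

# cert_matches <pemfile> <host>: exit status 0 if the CN equals <host>.
cert_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# pem_has_key_and_cert <pemfile>: exit status 0 if both a private key and a
# certificate block are present, which mod_ssl needs when only
# SSLCertificateFile is configured.
pem_has_key_and_cert() {
    grep -q 'BEGIN .*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Run as a script: sh mkcert.sh /etc/apache2/ssl admin.domain.com
if [ $# -ge 2 ]; then
    make_cert "$1" "$2"
    echo "wrote $1/apache.pem with CN=$(cert_cn "$1/apache.pem")"
fi
```

Run it as root (or with sudo) so it can write under /etc/apache2/ssl. cert_cn reads the CN back from the finished file, which is what the browser will compare against the hostname it connected to.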

mod_ssl

So now we have the certificate we need to enable Apache mod_ssl:

sudo a2enmod ssl

ports.conf

Next configure Apache to listen on port 443 (the default https port):

sudo nano /etc/apache2/ports.conf

Add port 443 to the list so the file looks like this:

Listen 80
Listen 443

Virtual Hosts

Now we get to configuring the virtual hosts to enable secure connections.

Remember that you can only have one certificate per IP address which means that if you enable SSL connections to more than one virtual host they will share the same certificate.

If you have multiple IPs for your Slice (yes, they are coming!) then you would configure the virtual hosts based on IP address and not necessarily based on named hosts (more on this when multiple IPs are available).

Let's start by enabling port 443 on the default vhost:

sudo nano /etc/apache2/sites-available/default

At the very top of the file you will see this:

NameVirtualHost *

<VirtualHost *>
...

Change these settings to listen on the default http port (80):

NameVirtualHost *:80

<VirtualHost *:80>
...

Now we need to add support for port 443.

Add 'NameVirtualHost *:443' so it looks like this:

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
...

So now the default virtual host is listening on both port 80 and port 443. However, we only have settings for port 80, so Apache won't know what to do with any connections to port 443.

Let's rectify that by copying the <VirtualHost *:80> settings:

<VirtualHost *:80>
...
...
</VirtualHost>

and paste them at the bottom of the file with the port changed to *:443 as follows:

<VirtualHost *:443>
...
...
</VirtualHost>

One final tweak to the pasted settings is the addition of these two lines:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
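A complete sites-available file with both virtual hosts, produced by a small shell script, added here as an example; it is neither the attachment the article refers to nor Debian's packaged default file (which also carries ServerAdmin and Directory settings). render_vhost writes the two blocks exactly as the copy-and-paste step above describes; the other two functions are sanity checks you can run on a sites-available file before reloading Apache: check_ssl_vhosts confirms that every *:443 vhost has SSLEngine on, and check_namevhosts reports any NameVirtualHost line that no <VirtualHost> matches, which is the "NameVirtualHost *:443 has no VirtualHosts" warning quoted in the comments below. admin.domain.com, /var/www and the function names are constructed for the example. (The one-certificate-per-IP rule above reflects Apache 2.2 as shipped in Etch; Apache 2.2.12 and later built against OpenSSL 0.9.8j or later support SNI, which lifts it, but this example keeps to the article's setup.)

```bash
#!/bin/sh
# Added example, not the article's attachment nor Debian's own default file.
# Hostname, document root and helper names are constructed for this example.
set -eu

# render_vhost <servername> <docroot> <pemfile>
# Prints a finished sites-available file: the port-80 block, then the same
# block again for port 443 with the two SSL lines added.
render_vhost() {
    name=$1
    docroot=$2
    pem=$3
    cat <<EOF
# NameVirtualHost belongs only in the default file; omit these two lines in
# other virtual host files.
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName $name
    DocumentRoot $docroot
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    SSLEngine on
    # The PEM file holds the private key and the certificate together, so no
    # separate SSLCertificateKeyFile line is needed.
    SSLCertificateFile $pem
</VirtualHost>
EOF
}

# check_ssl_vhosts <file>...
# Exit status 0 when every <VirtualHost ...:443> block contains "SSLEngine on".
# Without it the vhost speaks plain HTTP on port 443 and HTTPS clients fail.
check_ssl_vhosts() {
    awk '
        /^[[:space:]]*<VirtualHost[^>]*:443>/ { inssl = 1; seen = 0 }
        inssl && /^[[:space:]]*SSLEngine[[:space:]]+on/ { seen = 1 }
        inssl && /^[[:space:]]*<\/VirtualHost>/ {
            if (!seen) { print FILENAME ": <VirtualHost *:443> without SSLEngine on"; bad = 1 }
            inssl = 0
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# check_namevhosts <file>...
# Exit status 0 when every "NameVirtualHost X" has at least one "<VirtualHost X>"
# across the given files; otherwise prints the complaint Apache logs as a
# [warn] on reload.
check_namevhosts() {
    awk '
        /^[[:space:]]*NameVirtualHost[[:space:]]/ { nv[$2] = 1 }
        /^[[:space:]]*<VirtualHost[[:space:]]/ { a = $2; sub(/>.*/, "", a); vh[a] = 1 }
        END {
            for (k in nv) if (!(k in vh)) { print "NameVirtualHost " k " has no VirtualHosts"; bad = 1 }
            exit bad ? 1 : 0
        }
    ' "$@"
}

# Run as a script, e.g.:
#   sh vhost.sh admin.domain.com /var/www /etc/apache2/ssl/apache.pem > /etc/apache2/sites-available/default
if [ $# -ge 3 ]; then
    render_vhost "$1" "$2" "$3"
fi
```

Because NameVirtualHost must appear once but VirtualHost blocks are spread over several files, run check_namevhosts over all of them at once (for example /etc/apache2/sites-enabled/*) rather than one file at a time.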

Heh?

Don't worry if you got a bit lost there, as I've attached a copy of what the finished virtual host file should look like: view file

I haven't changed the default Debian Apache settings except to add port 443 access.

Reload

At this point, reload Apache for the new settings to take effect:

sudo /etc/init.d/apache2 force-reload

Warnings

Now when you browse to your IP address, or to whichever virtual host you set up to use SSL, you will see warnings similar to these:

Apache SSL Warning

Clicking 'OK' will take you to a second warning:

Apache SSL Warning #2

If you accept the certificate, you will then proceed to the site. However, as you can tell, a visitor receiving these warnings on a supposedly secure area of a public website will not be too impressed. They are, however, fine for personal use and for an administration area.

Other virtual hosts

Remember how we changed <VirtualHost *> to <VirtualHost *:80> in the default virtual hosts file? Well, we need to do the same for any other virtual hosts files.

Then, to add SSL support to any other virtual hosts, simply repeat the procedure and have two configurations in each file, one for port 80 and one for port 443. Keep in mind that all the configured virtual hosts will share the same certificate.

You don't need the NameVirtualHost settings in each file though. They only need to be in the default file.

Summary

Once you get used to the process, adding self-signed certificates and configuring virtual host support for SSL connections is relatively straightforward.

PickledOnion.

Article Comments:

James commented Wed Sep 26 07:33:33 UTC 2007:

Thanks for this, helped a lot. One note regarding the 2nd SSL certificate popup: when creating the cert in openssl, when it asks who you are you should use your site name, such as example.com. If you do this then it will not provide the 2nd popup regarding possible interception etc. Basically it is thinking that there is something fishy going on because the name used to create the cert does not match the actual domain. How it searches (possibly regex matches?) I'm not sure, so I don't know if example would match example.com or not. Full domain basenames seem to work fine though.

PickledOnion commented Wed Sep 26 09:24:40 UTC 2007:

James,

You are quite right, as in the example I give when entering your Name during the certificate creation use your domain name (I used admin.domain.com).

As far as I am aware, you will need the full TLD, such as domain.com and not just domain.

If you enter anything that does not match the domain in use you will get the second error.

PickledOnion.

Jeff commented Tue Nov 13 18:41:13 UTC 2007:

Hi,

Is it possible to have two domains for the same IP address and access one of them only on port 80 and the other one only on port 443?

How do I avoid HTTP access to a directory, I mean can I have only HTTPS access to a directory?

Nathan commented Fri Jan 04 01:52:13 UTC 2008:

A very easy to follow article on setting it up! The first time I set up SSL on one of my home Debian machines it took a while to work it out using various information.

The only strange problem I had was these warnings when the server reloaded:

[Fri Jan 04 01:49:00 2008] [warn] NameVirtualHost *:443 has no VirtualHosts
[Fri Jan 04 01:49:00 2008] [warn] NameVirtualHost *:80 has no VirtualHosts

The sites are working, but I'm not sure what these messages are on about...

SaraInDigital commented Mon Jan 14 16:56:08 UTC 2008:

Hi, this is also a useful link: http://blog.innerewut.de/2006/06/21/mongrel-and-rails-behind-apache-2-2-and-ssl

This entry in virtual host config is pretty important when you use sslrequirement plugin: RequestHeader set XORIGINAL_PROTOCOL 'https'

S.

stephen mulcahy commented Mon Jan 21 11:29:26 UTC 2008:

Very nice procedure for enabling SSL. I've done it in the past on Debian but you saved me a half hour. Thanks.

Yeago commented Thu Jan 24 01:00:37 UTC 2008:

Nathan:

Not a problem. Sounds like you skipped a step and have no conf files with <VirtualHost *:80>.

As for the second warning, you just have to add a vhost for 443! =)

/sites-available/secure.yoursite.com

<VirtualHost *:443>
ServerName secure.yoursite.com

....

Tunny commented Sat Jan 26 13:56:30 UTC 2008:

Nathan I got that too.

It's because I tried to restart apache without using sudo.

Cameron commented Tue Apr 15 23:53:55 UTC 2008:

Very nice...thank you...but is there a tutorial out there for hosting multiple sites, each with its own SSL certificate under a single static IP address? I think Godaddy's basic certs are simply domain verified...and don't really care about what the IP it goes to is....but how do you get two different sites to listen on port 443 at the same time?

Mo commented Thu Apr 17 13:19:58 UTC 2008:

Due to the way how SSL works, you cannot host multiple certificates/sites on one IP.

You need one IP per certificate.

Jason Hendriks commented Fri Apr 25 05:04:03 UTC 2008:

Actually you can host multiple certificates on one IP, if you use different ports.

You need one IP-and-port per certificate.

For example:

Listen *:443
Listen *:8443
NameVirtualHost *:443
NameVirtualHost *:8443
<virtualhost> SSLCertificateFile <cert>
<virtualhost> SSLCertificateFile <cert>

Ronnie commented Tue Jun 17 01:19:10 UTC 2008:

Thanks a lot for the nicely written tutorial, it saved me a lot of effort to dig around in setting this up. Much appreciated.

Peter Ellis commented Sun Aug 31 10:39:33 UTC 2008:

Great...simple...easy to follow tutorial! I have been looking for something like this for a long time!!!

boobaa commented Sun Nov 09 11:19:51 UTC 2008:

I'd followed this tutorial but I had this error when restarting the apache2 web server. /etc/init.d/apache2 force-reload gives the following error:

Forcing reload of web server (apache2)...apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.16 for ServerName
httpd (no pid file) not running
apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.1.16 for ServerName
failed!

Thank you for the help.

PickledOnion commented Mon Nov 10 12:56:39 UTC 2008:

Boobaa,

It is dealt with in the Debian Apache articles:

http://articles.slicehost.com/2007/9/14/debian-etch-apache-configuration-2

PickledOnion

thinksys commented Thu Feb 12 13:13:20 UTC 2009:

I followed the above instructions but I am getting an error that says

[Thu Feb 12 12:39:52 2009] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Not sure how to fix this. Apache fails to start. Any clues?

Laurence DV commented Sun Jan 06 02:43:57 UTC 2013:

Thanks you very much, well explained and easily used as a reminder!
