[opensuse] Apache2 - 5 Minute basic SSL setup for basic https:// functionality with a self-signed certificate - openSUSE Users

8 May 2008

      Listmates:

	After working through the apache SSL setup from various pages, it was apparent 
that an openSuSE 10.3 howto wasn't available. So I thought I would pass along 
my learning and a quick script that will automate 90% of the process and 
configure apache correctly for SSL on openSuSE 10.3. Basically, the script will 
walk you through:

(1) setting the /etc/sysconfig/apache2 SSL flag;
(2) creating the new temporary directory new_sslkeyset in the present directory 
for your new server keys, etc..;
(3) generating the private server key: server.key;
(4) generating the certificate signing request: server.csr;
(5) removing the passwd from server.key to eliminate the passwd requirement on 
each apache server start;
(6) generating the self-signed certificate;
(7) copying server.crt, .key, and .csr to /etc/apache2/ssl.crt/, ../ssl.key/ 
and  ../ssl.csr/, respectively; and
(8) offering to copy /etc/apache2/vhosts.d/vhost-ssl.template to vhost-ssl.conf 
as a default file. (you really only have to change 2 lines)

	The script is self explanatory. When generating the certificates, you must use 
a fully qualified domain name as the common name (CN). (i.e. www.yoursever.com 
or host1name.yourserver.com)

	The password you select is temporary. It will be removed after the key is 
signed to prevent you from having to enter it each time the apache server is 
started.

	When you are done you must edit /etc/apache2/vhost-ssl.conf and enter your 
server name and email when done. A default vhost-ssl.conf is included in the 
script and displayed at the end of the script if you want to see it.

	NOTE: If you have name virtual hosts, they must be defined with a port and not 
just the *. Edit the vhost.conf file and make them *:80 or whatever your server 
runs on similar to this:

NameVirtualHost 192.168.7.15:80

     ServerAdmin root@rbpllc.com
     ServerName www.rbpllc.com
     DocumentRoot /srv/www/htdocs
</VirtualHost>

	This eliminates the ambiguity caused when vhost-ssl.conf installs https on 
port 443.

	That's it, you will now have basic ssl capability so if you are doing any 
basic authentication with the conf files or with .htaccess, you can do it with 
https:// and avoid sending passwords in plain text.

	Enjoy, the script follows: (of course use it, hack it whatever, it's yours now)

#!/bin/bash
#
## OS: openSuSE 10.3 (may apply to 10.2, but not tested)
#
## This script will build the SSL server keys, csr and crt, install them, and 
copy vhosts-ssl.conf
## to the appropriate directory in /etc/apache2 to provide basic https:// 
functionality on
## opensuse 10.3
#
## General Functions and Colors
#
green='\e[0;32m'
red='\e[0;31m'
lightred='\e[1;31m'
lightblue='\e[1;34m'
lightgray='\e[0;37m'
nc='\e[0m'

check_root () {

ROOT_UID=0
E_NOTROOT=67

if [ "$UID" -ne "$ROOT_UID" ]; then
	echo -e "\n${lightblue}You must be ${lightred}root${lightblue} to run this 
script.\nUser: ${lightgray}$USER${lightblue}, UID: ${lightgray}$UID${lightblue} 
can't!${nc}\n"
	exit $E_NOTROOT
#	return $E_NOTROOT
else
	return $ROOT_UID
fi
}
#
#check for root
#
check_root
#
## Intro Line
#
echo -e "\n\tThis will create apache2 SSL server.key, .csr and .crt and install 
them for basic\n https:// functionality on openSuSE 10.3. It will aslo set the 
apache2 SSL sysconfig flag. \nIn your key, your common name CN must be a FQDN. 
You must edit vhost-ssl.conf when done.\n"
read -p "        Continue  (y/n)? " key
if [ $key == "y" ] || [ $key == "Y" ]; then
	echo -e "${green}\n\tLet's begin!${nc}\n"
else
	echo -e "\n\t${lightgray}key = $key${lightblue} pressed, Apache2 SSL Config - 
${red}Canceled${nc}\n"
	exit 1
fi
echo -e "${nc}"
#
## Set SSL Flag
#
if a2enflag SSL; then
	echo -e "\n\t${lightblue}Server SSL Flag Successfully Set\n${nc}"
else
	echo -e "\n\t${lightblue}Server SSL Flag ${red}NOT ${lightblue}Set\nEdit 
/etc/sysconfig/apache2 manually\n${nc}"
fi
#
## Create Temp Directory
#
echo -en "\n\t${lightblue}Creating Directory for New SSL KeySet"

if mkdir -p new_sslkeyset && cd new_sslkeyset; then
	echo -e " - ${green}OK${nc}\n"	
else
	echo -e " - ${red}FAILED. Exiting...${nc}\n"
	exit 1
fi
#
## Generate Private Server Key
#

echo -e "\n\t${lightblue}Generating Private Server Key\n${nc}"
openssl genrsa -des3 -out server.key 1024

#
## Generate Certificate Signing Request (CSR)
#

echo -e "\n\t${lightblue}Generating Certificate Signing Request (CSR)\n${nc}"
openssl req -new -key server.key -out server.csr

#
## Remove Passphrase from Key
#

echo -e "\n\t${lightblue}Removing Passphrase From Key To Eliminate PW Request 
On Server Start\n${nc}"
cp server.key server.key.protected
openssl rsa -in server.key.protected -out server.key

#
## Generating a Self-Signed Certificate
#

echo -e "\n\t${lightblue}Generating Self-Signed Certificate\n${nc}"
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

#
## Installing the Private Key and Certificates
#

echo -e "\n\t${lightblue}Installing server.crt, server.key and server.csr in 
/etc/apache2/<dir>${nc}\n"

if cp server.crt /etc/apache2/ssl.crt && cp server.key /etc/apache2/ssl.key && 
cp server.csr /etc/apache2/ssl.csr; then
	echo -e "\n\t${lightblue}Key, CSR and Certificate install 
${green}Succeeded${nc}\n"
else
	echo -e "\n\t${lightblue}Key, CSR and Certificate install ${red}Failed${nc}\n"
fi

#
## Config Reminder
#

echo -e "${lightblue}\n\tDon't forget to create 
/etc/apache2/vhosts.d/vhost-ssl.conf by copying 
\n/etc/apache2/vhosts.d/vhost-ssl.template to 
/etc/apache2/vhosts.d/vhost-ssl.conf and editing as \nnecessary. You can check 
this script for the comments that contain a working example of a 
\nvhost-ssl.conf${green}\n"
read -p "        Would you like to copy 
/etc/apache2/vhosts.d/vhost-ssl.template to vhost-ssl.conf now (y/n)? " key

if [ $key == "y" ] || [ $key == "Y" ]; then
	cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
fi

echo -e "\n\t${green}All Done! ${lightblue}Remember to edit 
${red}vhost-ssl.conf ${lightblue}as required and restart apache2\n\n${nc}"

read -p "        Would you like to see the example vhost-ssl.conf? " key
if [ $key == "y" ] || [ $key == "Y" ]; then
echo '
#
## Virtual Host Configuration (/etc/apache2/vhosts.d/vhost-ssl.conf)
#
<IfDefine SSL>

<VirtualHost _default_:443>
         DocumentRoot "/srv/www/htdocs"
fix ->  #ServerName www.yourhost.com:443
     ->  #ServerAdmin youremail@yourhost.com
         ErrorLog /var/log/apache2/error_log
         TransferLog /var/log/apache2/access_log
         SSLEngine on
         SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
         SSLCertificateFile /etc/apache2/ssl.crt/server.crt
         SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
         SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

             SSLOptions +StdEnvVars
         </Files>

             SSLOptions +StdEnvVars
         </Directory>
         SetEnvIf User-Agent ".*MSIE.*" \
                  nokeepalive ssl-unclean-shutdown \
                  downgrade-1.0 force-response-1.0
         CustomLog /var/log/apache2/ssl_request_log   ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>'
fi
exit 0

-- 
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org

[opensuse] Apache2 - 5 Minute basic SSL setup for basic https:// functionality with a self-signed certificate

David C. Rankin

tags

participants (1)