Listmates:
After working through the apache SSL setup from various pages, it was apparent
that an openSuSE 10.3 howto wasn't available. So I thought I would pass along
my learning and a quick script that will automate 90% of the process and
configure apache correctly for SSL on openSuSE 10.3. Basically, the script will
walk you through:
(1) setting the /etc/sysconfig/apache2 SSL flag;
(2) creating the new temporary directory new_sslkeyset in the present directory
for your new server keys, etc.;
(3) generating the private server key: server.key;
(4) generating the certificate signing request: server.csr;
(5) removing the passwd from server.key to eliminate the passwd requirement on
each apache server start;
(6) generating the self-signed certificate;
(7) copying server.crt, .key, and .csr to /etc/apache2/ssl.crt/, ../ssl.key/
and ../ssl.csr/, respectively; and
(8) offering to copy /etc/apache2/vhosts.d/vhost-ssl.template to vhost-ssl.conf
as a default file. (you really only have to change 2 lines)
The script is self-explanatory. When generating the certificates, you must use
a fully qualified domain name as the common name (CN), e.g. www.yourserver.com
or host1name.yourserver.com.
The password you select is temporary. It will be removed after the key is
signed to prevent you from having to enter it each time the apache server is
started.
When you are done you must edit /etc/apache2/vhosts.d/vhost-ssl.conf and enter
your server name and email. A default vhost-ssl.conf is included in the script
and displayed at the end of the script if you want to see it.
NOTE: If you have name-based virtual hosts, they must be defined with a port and
not just the *. Edit the vhost.conf file and make them *:80 or whatever port
your server runs on, similar to this:
NameVirtualHost 192.168.7.15:80
<VirtualHost 192.168.7.15:80>
ServerAdmin root@rbpllc.com
ServerName www.rbpllc.com
DocumentRoot /srv/www/htdocs
</VirtualHost>
This eliminates the ambiguity caused when vhost-ssl.conf installs https on
port 443.
That's it, you will now have basic SSL capability, so if you are doing any
basic authentication with the conf files or with .htaccess, you can do it over
https:// and avoid sending passwords in plain text.
Enjoy, the script follows: (of course use it, hack it whatever, it's yours now)
#!/bin/bash
#
## OS: openSuSE 10.3 (may apply to 10.2, but not tested)
#
## This script will build the SSL server keys, csr and crt, install them, and
## copy vhosts-ssl.conf to the appropriate directory in /etc/apache2 to provide
## basic https:// functionality on opensuse 10.3
#
## General Functions and Colors
#
green='\e[0;32m'
red='\e[0;31m'
lightred='\e[1;31m'
lightblue='\e[1;34m'
lightgray='\e[0;37m'
nc='\e[0m'

## Abort unless running as root (the install step writes under /etc/apache2)
check_root () {
    ROOT_UID=0
    E_NOTROOT=67
    if [ "$UID" -ne "$ROOT_UID" ]; then
        echo -e "\n${lightblue}You must be ${lightred}root${lightblue} to run this script.\nUser: ${lightgray}$USER${lightblue}, UID: ${lightgray}$UID${lightblue} can't!${nc}\n"
        exit $E_NOTROOT
    else
        return $ROOT_UID
    fi
}
#
# check for root
#
check_root
#
## Intro Line
#
echo -e "\n\tThis will create apache2 SSL server.key, .csr and .crt and install them for basic\n https:// functionality on openSuSE 10.3. It will also set the apache2 SSL sysconfig flag. \nIn your key, your common name CN must be a FQDN. You must edit vhost-ssl.conf when done.\n"
read -p " Continue (y/n)? " key
# quote $key: an empty answer would otherwise break the test
if [ "$key" = "y" ] || [ "$key" = "Y" ]; then
    echo -e "${green}\n\tLet's begin!${nc}\n"
else
    echo -e "\n\t${lightgray}key = $key${lightblue} pressed, Apache2 SSL Config - ${red}Canceled${nc}\n"
    exit 1
fi
echo -e "${nc}"
#
## Set SSL Flag (adds SSL to APACHE_SERVER_FLAGS in /etc/sysconfig/apache2)
#
if a2enflag SSL; then
    echo -e "\n\t${lightblue}Server SSL Flag Successfully Set\n${nc}"
else
    echo -e "\n\t${lightblue}Server SSL Flag ${red}NOT ${lightblue}Set\nEdit /etc/sysconfig/apache2 manually\n${nc}"
fi
#
## Create Temp Directory (the rest of the script runs inside it)
#
echo -en "\n\t${lightblue}Creating Directory for New SSL KeySet"
if mkdir -p new_sslkeyset && cd new_sslkeyset; then
    echo -e " - ${green}OK${nc}\n"
else
    echo -e " - ${red}FAILED. Exiting...${nc}\n"
    exit 1
fi
#
## Generate Private Server Key (prompts for a temporary passphrase)
## 1024-bit keys were common when this was written; 2048 is the minimum today
#
echo -e "\n\t${lightblue}Generating Private Server Key\n${nc}"
openssl genrsa -des3 -out server.key 1024
#
## Generate Certificate Signing Request (CSR) - the CN must be a FQDN
#
echo -e "\n\t${lightblue}Generating Certificate Signing Request (CSR)\n${nc}"
openssl req -new -key server.key -out server.csr
#
## Remove Passphrase from Key
## Note: from here on the temp directory holds an unencrypted private key
#
echo -e "\n\t${lightblue}Removing Passphrase From Key To Eliminate PW Request On Server Start\n${nc}"
cp server.key server.key.protected
openssl rsa -in server.key.protected -out server.key
chmod 600 server.key server.key.protected
#
## Generating a Self-Signed Certificate (valid 10 years)
#
echo -e "\n\t${lightblue}Generating Self-Signed Certificate\n${nc}"
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
#
## Installing the Private Key and Certificates
#
echo -e "\n\t${lightblue}Installing server.crt, server.key and server.csr in /etc/apache2/<dir>${nc}\n"
if cp server.crt /etc/apache2/ssl.crt && cp server.key /etc/apache2/ssl.key && cp server.csr /etc/apache2/ssl.csr; then
    # keep the installed private key readable by root only
    chmod 600 /etc/apache2/ssl.key/server.key
    echo -e "\n\t${lightblue}Key, CSR and Certificate install ${green}Succeeded${nc}\n"
else
    echo -e "\n\t${lightblue}Key, CSR and Certificate install ${red}Failed${nc}\n"
fi
#
## Config Reminder
#
echo -e "${lightblue}\n\tDon't forget to create /etc/apache2/vhosts.d/vhost-ssl.conf by copying\n/etc/apache2/vhosts.d/vhost-ssl.template to /etc/apache2/vhosts.d/vhost-ssl.conf and editing as\nnecessary. You can check this script for the comments that contain a working example of a\nvhost-ssl.conf${green}\n"
read -p " Would you like to copy /etc/apache2/vhosts.d/vhost-ssl.template to vhost-ssl.conf now (y/n)? " key
if [ "$key" = "y" ] || [ "$key" = "Y" ]; then
    cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
fi
echo -e "\n\t${green}All Done! ${lightblue}Remember to edit ${red}vhost-ssl.conf ${lightblue}as required and restart apache2\n\n${nc}"
read -p " Would you like to see the example vhost-ssl.conf (y/n)? " key
if [ "$key" = "y" ] || [ "$key" = "Y" ]; then
echo '
#
## Virtual Host Configuration (/etc/apache2/vhosts.d/vhost-ssl.conf)
#
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>
    DocumentRoot "/srv/www/htdocs"
    # the 2 lines you have to change: uncomment and fill in your FQDN and email
    #ServerName www.yourhost.com:443
    #ServerAdmin youremail@yourhost.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    # <Files> and <Directory> blocks as shipped in vhost-ssl.template
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>'
fi
exit 0
--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
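As an added check that is not part of David's script: after the install step, a practitioner will want to confirm the pieces actually fit together. The helper below verifies that the installed private key is owner-only, that the certificate was signed with that key, that the CN is a FQDN as the post requires, and that the certificate is not expired. It assumes openssl(1) is present; the demo keyset it builds (non-interactively, with constructed hostnames) is only there so the checks can be exercised.

```shell
#!/bin/sh
# Added verification helper, not part of the original script. Assumes openssl(1)
# is installed; pass the installed paths, e.g. /etc/apache2/ssl.crt/server.crt
# and /etc/apache2/ssl.key/server.key.
# Returns 0 only if the key is private, matches the certificate, carries a FQDN
# common name and has not expired; otherwise prints the first failing check.
check_sslkeyset () {
    crt="$1"; key="$2"
    # 1. cp(1) installs the key with the umask's mode; it must be owner-only
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] || { echo "key mode is $mode, want 600"; return 1; }
    # 2. the certificate must have been signed with this key: compare moduli
    m1=$(openssl x509 -noout -modulus -in "$crt" | openssl md5)
    m2=$(openssl rsa  -noout -modulus -in "$key" | openssl md5)
    [ "$m1" = "$m2" ] || { echo "certificate does not match key"; return 1; }
    # 3. the CN must be a fully qualified name (at least one dot)
    cn=$(openssl x509 -noout -subject -in "$crt" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    case "$cn" in
        *.*) ;;
        *) echo "CN '$cn' is not a FQDN"; return 1 ;;
    esac
    # 4. -checkend 0 fails if the certificate is already expired
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || { echo "certificate expired"; return 1; }
    return 0
}

# Build a throwaway keyset the same way the script does (key, CSR, self-signed
# cert) but non-interactively, so the checks can be exercised. Constructed demo
# data: any hostname works as $2.
make_demo_keyset () {
    dir="$1"; cn="$2"
    mkdir -p "$dir" && (
        cd "$dir" || exit 1
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -out server.csr -subj "/CN=$cn" 2>/dev/null
        openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt 2>/dev/null
        chmod 600 server.key
    )
}
```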