Servicios

Web hosting
Ver »
Páginas Web
Ver »
Soporte UNIX
Ver »
UNIX TIPS
Ver »

SSL Certificate Configuration for Apache2 on Solaris 10

  1. Enable SSL Service Property if necessary. Log in as root and issue the following command:
     web# svcprop -p httpd/ssl svc:network/http:apache2
    If the response is "false", issue these three commands:
     web# svccfg -s http:apache2 setprop httpd/ssl=true
    web# svcadm refresh http:apache2
    web# svcprop -p httpd/ssl svc:network/http:apache2
    If the response is "true", continue to the next step.
  2. Create a Certificate Directory and a Key Directory.
     web# mkdir /etc/apache2/ssl.crt
    web# mkdir /etc/apache2/ssl.key
  3. Generate a RSA Key.
     web# /usr/sfw/bin/openssl genrsa -des3 1024 > /etc/apache2/ssl.key/server.key
    Generating RSA private key, 1024 bit long modulus
    ..........................++++++
    .........++++++
    e is 65537 (0x10001)
    Enter pass phrase: ********
    Verifying - Enter pass phrase: ********
  4. Generate a Certificate Request.
    web# /usr/sfw/bin/openssl req -new -key /etc/apache2/ssl.key/server.key > \
    > /etc/apache2/ssl.crt/server.csr
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]::US
    State or Province Name (full name) [Some-State]:OR
    Locality Name (eg, city) []:Blodgett
    Organization Name (eg, company) [Unconfigured OpenSSL Installation]:DIS
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, YOUR name) []:Big Cheese
    Email Address []:meljr@meljr.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ********
    An optional company name []: Live Free or Die
  5. Install a Self-Signed Certificate. If you are going to install a certificate from an authoritative source, follow their instructions and skip this step.
    web# /usr/sfw/bin/openssl req -x509 -days 3650 -key \
    > /etc/apache2/ssl.key/server.key \
    > -in /etc/apache2/ssl.crt/server.csr > \
    > /etc/apache2/ssl.crt/server.crt
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
  6. Modify the ssl.conf file to use your certificate.
    web# cd /etc/apache2
    web# ls -l
    total 334
    -rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance-std.conf
    -rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance.conf
    -rw-r--r-- 1 root bin 37519 Jan 6 21:10 httpd-std.conf
    -rw-r--r-- 1 root root 37660 Jan 18 21:49 httpd.conf
    -rw-r--r-- 1 root bin 37661 Jul 20 2005 httpd.conf-example
    -rw-r--r-- 1 root bin 12959 Jan 6 21:10 magic
    -rw-r--r-- 1 root bin 15020 Jan 6 21:10 mime.types
    -rw-r--r-- 1 root bin 10759 Jan 6 21:10 ssl-std.conf
    -rw-r--r-- 1 root bin 10996 Jan 6 21:10 ssl.conf
    drwxr-xr-x 2 root root 512 Jan 19 03:24 ssl.crt
    drwxr-xr-x 2 root root 512 Jan 19 02:52 ssl.key

    Edit the ssl.conf and change the line that begins with "ServerAdmin" to reflect an email address or alias for the Server's Administrator.

  7. Test the SSL Certificate with Apache2
    • If Apache2 is enabled, disable it during testing.
       web# svcs | grep -i apache2
      online 3:29:01 svc:/network/http:apache2
      web# svcadm disable apache2
    • Use the legacy script to manually test start Apache2 with SSL.
      web# /usr/apache2/bin/apachectl startssl
      Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
      Some of your private key files are encrypted for security reasons.
      In order to read them you have to provide us with the pass phrases.

      Server 127.0.0.1:443 (RSA)
      Enter pass phrase: ********

      Ok: Pass Phrase Dialog successful.

      If this test fails with an error similar to 'vhost.c:232 assertion "rv == APR_SUCCESS" failed on startssl', your server may not be configured to use DNS to resolve host names. This failure is due to a known bug in Apache2 2.0.nn. A quick fix is be to edit the hosts line in your server's /etc/nsswitch.conf to look like the following:

      hosts: files dns

      More information about this issue may be found at:

      http://issues.apache.org/bugzilla/show_bug.cgi?id=27525
      After editing /etc/nsswitch.conf or otherwise resolving the issue, repeat the test until you are able to manually start and stop Apache2 using your SSL Certificate and Pass Phrase.
      web# ps -ef | grep httpd
      root 1392 575 0 03:45:16 ? 0:01 /usr/apache2/bin/httpd -k start -DSSL
      root 1400 1116 0 03:45:51 pts/3 0:00 grep httpd
      webservd 1393 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1397 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1396 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1395 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1394 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
    • If your results are similar to the one above, use the legacy script to conclude the test. You may also want to verify that a client browser can access your site using https before continuing. Accept the self-signed Certificate if necessary.
       web# /usr/apache2/bin/apachectl stop
  8. Enable Apache2 with SSL to be started automatically as a service.
     web# cd /etc/apache2/ssl.key
    web# cp server.key server.key.org
    web# /usr/sfw/bin/openssl rsa -in server.key.org -out server.key
    Enter pass phrase for server.key.org: ********
    writing RSA key
    web# chmod 400 server.key
    web# svcadm enable apache2
    web# svcs | grep -i apache2
    online 4:29:01 svc:/network/http:apache2
Regresar

Random TIPS

UNIR TODAS LAS LINEAS DE UN ARCHIVO

# perl -i~ -pe 'y/\n//d' file.txt

# sed -n '1h;2,$H;${g;s/\n/,/g;s///g;p}' file.txt

free counters