SSL apache tomcat ubuntu 11.04

http://www.howtoforge.com/how-to-set-up-an-ssl-vhost-under-apache2-on-ubuntu-9.10-debian-lenny

This article explains how you can set up an SSL vhost under Apache2 on Ubuntu 9.10 and Debian Lenny so that you can access the vhost over HTTPS (port 443). SSL is short for Secure Sockets Layer and is a cryptographic protocol that provides security for communications over networks by encrypting segments of network connections at the transport layer end-to-end. We use the mod_ssl Apache module here to provide strong cryptography for Apache2 via SSL by the help of the Open Source SSL toolkit OpenSSL.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

1 Preliminary Note

I'm assuming that you have a working LAMP setup on your Ubuntu 9.10 or Debian Lenny box, as shown in these tutorials:

I will set up SSL for my vhost v in this tutorial – hostmauritius.com is a domain that I own – replace it with your own domain. I will show how to use a self-signed certificate (this will result in a browser warning when you access https://v) and how to get a certificate from a trusted certificate authority (CA) such as Verisign, Thawte, Comodo, etc. – with a certificate from a trusted CA, your visitors won't see any browser warnings, as is the case with a self-signed certificate. I will use a certificate from CAcert.org – these certificates are free, but are not recognized by all browsers, but it should give you the idea how to install a certificate from a trusted CA.

It is important to know that you can have just one SSL vhost per IP address – if you want to host multiple SSL vhost, you need multiple IP addresses!

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root. On Ubuntu, run

sudo su

to become the root user.

2 Enabling mod_ssl

To enable apache's SSL module, run…

a2enmod ssl

… and restart Apache:

/etc/init.d/apache2 restart

Apache should now be listening on port 443 (HTTPS):

netstat -tap | grep https

root@server1:~# netstat -tap | grep https
tcp6 0 0 [::]:https [::]:* LISTEN 1238/apache2
root@server1:~#

3 Setting Up The Vhost

I will now create the vhost server1.example.com with the document root /var/www/server1.example.com. First I create that directory:

mkdir /var/www/server1.example.com

Apache comes with a default SSL vhost configuration in the file /etc/apache2/sites-available/default-ssl. We use that file as a template for the server1.example.com vhost…

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/server1.example.com-ssl

… and open /etc/apache2/sites-available/server1.example.com-ssl:

vi /etc/apache2/sites-available/server1.example.com-ssl

Make sure you use the correct IP address in the <VirtualHost xxx.xxx.xxx.xxx:443> line (192.168.0.100 in this example); Also fill in the correct ServerAdmin email address and add the ServerName line. Adjust the paths in the DocumentRoot line and in the <Directory > directives, if necessary:

									<IfModule mod_ssl.c>
			<VirtualHost 192.168.0.100:443>
			ServerAdmin
			webmaster@hostmauritius.com
			ServerName server1.example.com:443
			DocumentRoot /var/www/server1.example.com
			<Directory />
			Options FollowSymLinks
			AllowOverride None
			</Directory>
			
									<Directory /var/www/server1.example.com/>   Options
			Indexes FollowSymLinks MultiViews   AllowOverride None   Order allow,deny
			allow from all   </Directory>   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/   <Directory
			
									#   SSL
			Engine Switch:
			#   Enable/Disable SSL for this virtual host.
			SSLEngine  on
			#   A  self-signed (snakeoil) certificate can be created by installing
			#   the ssl-cert package. See
			#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
			#   If both key and certificate are stored in the same file, only the
			#   SSLCertificateFile directive is needed.
			
						SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
			SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
			
			
									#   Server Certificate Chain:
			#   Point SSLCertificateChainFile at a file containing the
			#   concatenation of PEM encoded CA certificates which form the
			#   certificate chain for the server certificate. Alternatively
			#   the referenced file can be the same as SSLCertificateFile
			#   when the CA certificates are directly appended to the server
			#   certificate for convinience.
			

As you see, this vhost uses the default self-signed snakeoil certificate that comes with Ubuntu/Debian:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Now disable the default SSL vhost (if it is enabled), enable the server1.example.com vhost and reload apache:

a2dissite default-ssl
a2ensite server1.example.com-ssl
/etc/init.d/apache2 reload

Now open a browser and go to your new SSL vhost (https://server1.example.com in this case). Because we are using Debian's/Ubuntu's default self-signed certificates, we should get a warning that the connection is untrusted (to use that web site anyway, click on I Understand the Risks and follow the instructions in your browser):

4 Creating A Self-Signed Certificate

Until now, we've used Debian's/Ubuntu's default self-signed certificate. I will now show you how to create your own self-signed certificate. With this certificate, you will still get browser warnings, but this certificate is required to get a trusted certificate from a trusted CA later on.

Make sure that the package ssl-cert is installed:

aptitude install ssl-cert

You can now create a self-signed certificate for server1.example.com as follows:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/server1.example.com.crt

You will be asked for the hostname:

Host name: <– server1.example.com

This will create the self-signed certificate and the private key in one file, /etc/ssl/private/server1.example.com.crt:

cat /etc/ssl/private/server1.example.com.crt

															-----BEGIN RSA PRIVATE KEY-----
			MIICXgIBAAKBgQDWuQUCXjDucCdKnowwclux0Tb392+I/KSLkqp4bY577U4EcS0V
			J28eWIYOTiA38UDteLMXZSFyzWtq1QREzU0sPeQXWjJ/r6sDGSNlOFxnBJlg/ll2
			2JHTeMZQZ4QoLejaS8SBU2v8mQFIZrvT+/RUsAyFNVvfVA+dm5bQS9dH5QIDAQAB
			AoGBAMBwsfydTl1kRtKpphsFYwjK6Ojz6hJr20z79axZBAotdG6mwDDlVsFrtTm8
			
															60M4BWjPdDLTgFbTpCHrKBhBp5cJqgSXntd2i2JjOFpIQSlinGJ6HncFEC3AAxeE
			PVTH77k2sVckwQ5tnOVX6gGuYt5E5wd3J43mLyyHCpFXz4dBAkEA/O4q2CpCXlT0
			Mklt/8rlzzIhxyoOuPI3WH+lr5tO3LSNpLbzW74l/lTvFhCbQCKsb3eyZVhzE+f+
			9ZJM+ao5kwJBANlUJPyc2bYpY2124c83rYtK6Xth9c+sxxUdWbkkyEdaF1ixlR+r
			8Qoze+ISHBr9DCZWbQGZirwoX/+qufvFA6cCQHECcT44U4MWbi1xxaY+n8Od4J2+
			Wumjv7rY/cyile/i9E6eN8nMAenLRTAUp2lWlLkRQDIr/O7t/2r1vVLoDeUCQQCO
			5R+opS0U9CO27srMZ+yIwMnB4Ygxc4Y24OSEsqWpHJhrLeBCQdir/2v+GjA2oplh
			f8QOoDkzPEzamxPMch7TAkEAyLke88CR1awZQQnTGKho6g5npdGgntjBVO+ZEl18
			PfCIyGk5bsLrAsprgS+Xp5SSQfAG2fUatpXqsYGBO8q2dA==
			-----END RSA PRIVATE KEY-----
			-----BEGIN CERTIFICATE-----
			MIIBqzCCARQCCQDDCFjQ7Ii1gjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw93
			d3cuZXhhbXBsZS5jb20wHhcNMTAwMTEyMTY1NDI2WhcNMjAwMTEwMTY1NDI2WjAa
			MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
			MIGJAoGBANa5BQJeMO5wJ0qejDByW7HRNvf3b4j8pIuSqnhtjnvtTgRxLRUnbx5Y
			hg5OIDfxQO14sxdlIXLNa2rVBETNTSw95BdaMn+vqwMZI2U4XGcEmWD+WXbYkdN4
			xlBnhCgt6NpLxIFTa/yZAUhmu9P79FSwDIU1W99UD52bltBL10flAgMBAAEwDQYJ
			KoZIhvcNAQEFBQADgYEAJ/tYRc3CImo2c4FyG+UJTUIgu+p8IcMH9egGaMc335a5
			IwA2BBsiS3YAux8mteE2N03Nae6wTVbgEl8J68z1XyzklGtC/EG7ygtnOlfFTJWn
			U5HMaGOGBvOnFViF4e/DuBs7VPePKzqF2mmKIeAvoMA5GTH/iA4yJIFlgHhCMU8=
			-----END CERTIFICATE-----
			

I will now split up that file in two, the private key /etc/ssl/private/server1.example.com.key and the self-signed certificate /etc/ssl/certs/server1.example.com.pem:

vi /etc/ssl/private/server1.example.com.key

This file must contain the part beginning with —–BEGIN RSA PRIVATE KEY—– and ending with —–END RSA PRIVATE KEY—–:

															-----BEGIN CERTIFICATE-----
			MIIBqzCCARQCCQDDCFjQ7Ii1gjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw93
			d3cuZXhhbXBsZS5jb20wHhcNMTAwMTEyMTY1NDI2WhcNMjAwMTEwMTY1NDI2WjAa
			MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
			MIGJAoGBANa5BQJeMO5wJ0qejDByW7HRNvf3b4j8pIuSqnhtjnvtTgRxLRUnbx5Y
			hg5OIDfxQO14sxdlIXLNa2rVBETNTSw95BdaMn+vqwMZI2U4XGcEmWD+WXbYkdN4
			xlBnhCgt6NpLxIFTa/yZAUhmu9P79FSwDIU1W99UD52bltBL10flAgMBAAEwDQYJ
			KoZIhvcNAQEFBQADgYEAJ/tYRc3CImo2c4FyG+UJTUIgu+p8IcMH9egGaMc335a5
			IwA2BBsiS3YAux8mteE2N03Nae6wTVbgEl8J68z1XyzklGtC/EG7ygtnOlfFTJWn
			U5HMaGOGBvOnFViF4e/DuBs7VPePKzqF2mmKIeAvoMA5GTH/iA4yJIFlgHhCMU8=
			-----END CERTIFICATE-----
			

The key must be readable and writable by root only:

chmod 600 /etc/ssl/private/server1.example.com.key

vi /etc/ssl/certs/server1.example.com.pem

This file must contain the part beginning with —–BEGIN CERTIFICATE—– and ending with —–END CERTIFICATE—–:

															-----BEGIN CERTIFICATE-----
			MIIBqzCCARQCCQDDCFjQ7Ii1gjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw93
			d3cuZXhhbXBsZS5jb20wHhcNMTAwMTEyMTY1NDI2WhcNMjAwMTEwMTY1NDI2WjAa
			MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
			MIGJAoGBANa5BQJeMO5wJ0qejDByW7HRNvf3b4j8pIuSqnhtjnvtTgRxLRUnbx5Y
			hg5OIDfxQO14sxdlIXLNa2rVBETNTSw95BdaMn+vqwMZI2U4XGcEmWD+WXbYkdN4
			xlBnhCgt6NpLxIFTa/yZAUhmu9P79FSwDIU1W99UD52bltBL10flAgMBAAEwDQYJ
			KoZIhvcNAQEFBQADgYEAJ/tYRc3CImo2c4FyG+UJTUIgu+p8IcMH9egGaMc335a5
			IwA2BBsiS3YAux8mteE2N03Nae6wTVbgEl8J68z1XyzklGtC/EG7ygtnOlfFTJWn
			U5HMaGOGBvOnFViF4e/DuBs7VPePKzqF2mmKIeAvoMA5GTH/iA4yJIFlgHhCMU8=
			-----END CERTIFICATE-----
			

Now we can delete the /etc/ssl/private/server1.example.com.crt file:

rm -f /etc/ssl/private/server1.example.com.crt

Next we adjust our SSL vhost to use the new private key and the self-signed certificate:

vi /etc/apache2/sites-available/server1.example.com-ssl

			[...]
			#   A self-signed (snakeoil) certificate can be created by installing
			#   the ssl-cert package. See
			#/usr/share/doc/apache2.2-common/README.Debian.gz for more info.
			#   If both key and certificate are stored in the same file, only the
			#   SSLCertificateFile directive is needed.
			
			SSLCertificateFile  /etc/ssl/certs/server1.example.com.pem
			
			SSLCertificateKeyFile /etc/ssl/private/server1.example.com.key
			
			SSLEngine  on
			

Reload Apache:

/etc/init.d/apache2 reload

The SSL vhost will now use your new private key and self-signed certificate for encryption (but because it is a self-signed certificate, you will still get the browser warning when you access https://server1.example.com).


Tag Cloud