This document describes the steps to install SSL on an Apache 2.0.42 webserver running on Windows 2000. There are several how-tos on the web, but I have found that none of them includes everything that is necessary, or the information is in the wrong order, making it very hard for the inexperienced webmaster to figure out what to do. So this document might be redundant, but I hope it will help new webmasters to get SSL running. I will try to include links to the referenced documents whenever possible.
Note: I used Apache version 2.0.42 and OpenSSL version 0.9.6g. The files used here probably won't work with later versions of Apache. For sure they won't work with earlier versions!
23.10.2002:
Now the same files are available for Apache 2.0.43. Simply go to http://hunter.campbus.com and download the distribution with the right version number. Then follow these steps.
11.04.2003:
The site http://hunter.campbus.com now has version 2.0.45 with OpenSSL 0.9.7a available. I have noticed that the directories bin, lib and modules have somewhat different content and that there is a new directory include. Whoever installs the new version (recommended) can simply unpack and copy the whole directory in question. Since version 2.0.42 the modules are compatible between versions, so there are no problems.
Please read this document carefully when following it step-by-step.
(you might as well download them right now)
Right click -> Save Target As... (ca. 10 Kbyte)
Apache-Dir: The directory where your Apache is installed, e.g. "C:\Program Files\Apache Group\Apache2".
Archive: The archive of Apache with OpenSSL and the needed files that you downloaded.
WebRoot: Where your webpages are kept.
Taken from http://www.raibledesigns.com/tomcat/ssl-howto.html.
Change at least the following parameters in "Apache-Dir/conf/httpd.conf":
- www.my-server.dom: replace it with your real domain name!
- Port 80: change to # Port 80 (comment it out; Port is not necessary (and obsolete in 2.0.42), Listen overrides it later).
- Listen 80
- DocumentRoot and the corresponding <Directory some-dir>: set them to your WebRoot.
Install/start the Apache service. Verify that everything works before proceeding to the SSL installation because this limits the possible errors.
Taken from http://www.raibledesigns.com/tomcat/ssl-howto.html.
From the "bin" directory in the Archive, copy the files "ssleay32.dll" and "libeay32.dll" to the directory "WINNT/system32" on your webserver. Copy the file "openssl.exe" to the "Apache-Dir\bin" directory of your webserver.
Put the configuration file for OpenSSL in the "Apache-Dir\bin" directory on your webserver.
Taken from http://tud.at/programm/apache-ssl-win32-howto.php3.
Open a DOS-prompt and go to the "Apache-Dir\bin" directory.
When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate by typing "openssl x509 -in my-server.cert -out my-server.der.crt -outform DER".
Create an "Apache-Dir/conf/ssl" directory and move "my-server.key" and "my-server.cert" into it.
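The following is an added example and not part of the original how-to: a Python script that drives the same openssl tool to produce the key, the certificate and the DER copy with the file names used above, and then checks the two things that matter before the files go into conf/ssl: that the certificate's Common Name equals the server name (otherwise browsers complain), and that the DER file really is the same certificate as the PEM one. It assumes openssl is on the PATH. The server name www.my-server.dom, the one-step "req -x509" form (instead of separate request and signing steps) and the unencrypted key (an Apache service cannot answer a passphrase prompt at start-up) are my choices, not the page's.

```python
"""Create the self-signed test certificate described above and verify it.

Added example, not from the page: it shells out to the openssl tool the text
uses.  The server name and the file names my-server.key / my-server.cert /
my-server.der.crt are the constructed ones from the text."""
import os
import re
import shutil
import ssl
import subprocess
import tempfile

SERVER_NAME = "www.my-server.dom"  # must equal the ServerName in httpd.conf (constructed)


def openssl(*args):
    """Run one openssl command and return its standard output (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_self_signed(workdir, server_name=SERVER_NAME, days=365):
    """Write my-server.key, my-server.cert and my-server.der.crt into workdir.

    -nodes leaves the key unencrypted (a Windows service cannot type a
    passphrase); one 'req -x509' call replaces the request + sign steps and
    puts the server name into the CN."""
    key = os.path.join(workdir, "my-server.key")
    cert = os.path.join(workdir, "my-server.cert")
    der = os.path.join(workdir, "my-server.der.crt")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", str(days),
            "-subj", "/CN=" + server_name, "-keyout", key, "-out", cert)
    # DER copy for browsers that can only import that encoding (the IE 4.x case)
    openssl("x509", "-in", cert, "-out", der, "-outform", "DER")
    return key, cert, der


def certificate_cn(cert_path):
    """Return the Common Name of a PEM certificate, or None if it has none."""
    subject = openssl("x509", "-in", cert_path, "-noout", "-subject",
                      "-nameopt", "RFC2253")
    m = re.search(r"CN=([^,\n]+)", subject)
    return m.group(1).strip() if m else None


def check_certificate(cert_path, der_path, server_name):
    """Two checks before copying the files into conf/ssl: CN == server name,
    and the DER file decodes to exactly the certificate in the PEM file."""
    with open(cert_path) as f:
        pem = f.read().strip()
    with open(der_path, "rb") as f:
        der = f.read()
    return {
        "cn_matches": certificate_cn(cert_path) == server_name,
        "der_matches": ssl.PEM_cert_to_DER_cert(pem) == der,
    }


def demo():
    """Generate into a temp dir and check; returns None when openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        _key, cert, der = make_self_signed(workdir)
        return {
            "right_name": check_certificate(cert, der, SERVER_NAME),
            "wrong_name": check_certificate(cert, der, "other.example.dom"),
        }


if __name__ == "__main__":
    print(demo())
```

Run as a script it works in a temporary directory; to produce the real files, call make_self_signed with your Apache-Dir\conf\ssl directory and your own server name, and keep the private key readable by the Apache service account only.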
Taken from http://www.raibledesigns.com/tomcat/ssl-howto.html.
Stop the Apache service.
Copy the file "mod_ssl.so" from the "modules" directory inside the Archive into the directory "Apache-Dir\modules" of your webserver.
Find the LoadModule directives in your "httpd.conf" file and add this after the existing ones:
LoadModule ssl_module modules/mod_ssl.so
If the line is already there, but commented out, just un-comment it.
In newer versions of the distribution, it could also be necessary to add
AddModule mod_ssl.c
after the AddModule lines that are already in the config file (not necessary for 2.0.42).
Copy "ssl.conf" from the Archive to "Apache-Dir\conf". Make sure to change the following things:
- DocumentRoot, ServerAdmin and ServerName values.
- SSLCertificateFile value (if you followed the examples, change it to conf/ssl/my-server.cert).
- SSLCertificateKeyFile value (if you followed the examples, change it to conf/ssl/my-server.key).
It should have at least the following lines (check the names of your certificates):
Listen 443
# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
ErrorLog logs/ssl.log
LogLevel info
# You can later change "info" to "warn" if everything is OK
<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
You need to use the -D SSL option to start Apache with SSL if the IfDefine directive is active in the config file. The best is to comment out the IfDefine start/end tags in "ssl.conf".
Start the server, this time from the command prompt (not as a service) in order to see the error messages that prevent Apache from starting (type "apache -k start"). If everything is OK, (optionally) press CTRL+C to stop the server and start it as a service if you prefer.
If it doesn't work, Apache should write meaningful messages to the screen and/or into the "error.log" and "SSL.log" files in the "Apache-Dir/logs" directory.
If something doesn't work and you can't figure it out, try setting all LogLevels to the maximum and look into the logfiles. They are very helpful.
Try to access it through https://www.my-server.dom:443/. It should ask you to install a certificate and then direct you to your page.
If you get an error about make_sock not being able to bind to the port 443, then you need to check that no other application has that port open. Type "netstat -na" at the command prompt and look for the port.
Check for Listen 443. There must not be more than one of those lines!
If you get an error that VirtualHosts are overlapping, you defined the same VirtualHost two or more times. Check your configuration files again. If you have two VirtualHosts for the same IP then at least the port needs to be different for each.
Give an explicit address in the VirtualHost directive: <VirtualHost address:443> ... </VirtualHost>. You can not use _default_ for this.
Change the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z to the correct number if you use the "apache.exe" from "modssl.org/contrib" and it is not the same version as the previously installed one. Although this seems not to be necessary with recent versions.
[error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
When using SSL with multiple Virtual Hosts, you must use an ip-based configuration. This is because SSL requires you to configure a specific port (443), whereas name-based specifies all ports (*). You get the error if you try to mix name-based virtual hosts with SSL.
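As an added example (not part of the original how-to), here is a small Python checker that reads an ssl.conf text and reports the mistakes described in this troubleshooting section and in the ssl.conf requirements above: more than one Listen 443, an active <IfDefine SSL> (which needs -D SSL), the same VirtualHost defined twice, _default_ or a * port on an SSL host, SSL mixed with NameVirtualHost, and a missing SSLCertificateFile or SSLCertificateKeyFile. The two sample configurations are constructed here: GOOD_SSL_CONF reproduces the minimal ssl.conf lines from the text, BAD_SSL_CONF collects the errors the text lists.

```python
"""Check an ssl.conf for the mistakes listed in the troubleshooting notes above.

Added example, not from the page.  GOOD_SSL_CONF is the minimal file from the
text; BAD_SSL_CONF is constructed here and contains the errors the text lists."""
import re
from collections import Counter

GOOD_SSL_CONF = """\
Listen 443
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
ErrorLog logs/ssl.log
LogLevel info
<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
"""

BAD_SSL_CONF = """\
<IfDefine SSL>
Listen 443
Listen 443
NameVirtualHost *
<VirtualHost _default_:443>
SSLEngine On
</VirtualHost>
<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
</VirtualHost>
<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
</VirtualHost>
</IfDefine>
"""


def parse(text):
    """Drop comments and blank lines; return (top-level lines, VirtualHost blocks)."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    top, vhosts, current = [], [], None
    for ln in filter(None, lines):
        m = re.match(r"<VirtualHost\s+([^\s>]+)\s*>$", ln, re.I)
        if m:
            current = {"addr": m.group(1), "directives": []}
            vhosts.append(current)
        elif re.match(r"</VirtualHost>$", ln, re.I):
            current = None
        elif current is None:
            top.append(ln)
        else:
            current["directives"].append(ln)
    return top, vhosts


def has(lines, pattern):
    """True if any line starts with the (case-insensitive) pattern."""
    return any(re.match(pattern, ln, re.I) for ln in lines)


def check_ssl_conf(text):
    """Return the list of problems found; an empty list means every check passed."""
    top, vhosts = parse(text)
    problems = []
    listens = [ln for ln in top if re.match(r"Listen\s+(\S+:)?443$", ln, re.I)]
    if len(listens) != 1:
        problems.append("expected exactly one 'Listen 443', found %d" % len(listens))
    if has(top, r"<IfDefine\s+SSL\s*>$"):
        problems.append("<IfDefine SSL> is active: start with -D SSL or comment the tags out")
    for addr, n in Counter(v["addr"] for v in vhosts).items():
        if n > 1:
            problems.append("VirtualHost %s defined %d times (overlapping)" % (addr, n))
    name_based = has(top, r"NameVirtualHost\s")
    for v in vhosts:
        if not has(v["directives"], r"SSLEngine\s+on$"):
            continue  # plain HTTP host: nothing SSL-specific to check
        host, sep, port = v["addr"].rpartition(":")
        if host == "_default_":
            problems.append("VirtualHost %s: give an explicit address, not _default_" % v["addr"])
        if not sep or port == "*":
            problems.append("VirtualHost %s: SSL needs the specific port 443, not *" % v["addr"])
        if name_based:
            problems.append("VirtualHost %s: SSL cannot be mixed with NameVirtualHost" % v["addr"])
        for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if not has(v["directives"], directive + r"\s+\S"):
                problems.append("VirtualHost %s: %s is missing" % (v["addr"], directive))
    return problems


if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD_SSL_CONF), ("BAD", BAD_SSL_CONF)):
        print(name, check_ssl_conf(conf) or "OK")
```

To check your own file, read "Apache-Dir\conf\ssl.conf" into a string and pass it to check_ssl_conf; every reported line corresponds to one of the error situations described above, so it is a quick first pass before going through the logfiles.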
If you encounter any other problems when installing Apache for the first time, be sure to check the Apache website.
Before you email us asking questions, check the following resources first (because that's what I did)! A lot of people have tried to do this and they have been helped.
©2002 Op3racional. Author Sabine Dinis Blochberger. Support email suporte@op3racional.de