Apache SSL / Win 2000

How do I set up SSL on Apache and Win 2000/XP by Tracey
Posted: 16 Oct 03 (Edited 20 Mar 05)

This article is based on information from http://www.serverwatch.com/tutorials/article.php/10825_1437211 and http://plone.org/documentation/developer/ApacheSSLWindows/wikipage_view
 
The serverwatch article was very helpful in the setup of ssl on windows, however it is written with Apache 1.3.26 / Mod_SSL 2.8.10 in mind, so I did not achieve complete success with this alone.  Oh sure, it seemed successful on the local machine, but when it came to accessing an actual domain name, things changed.

I was getting errors like:
(OS10048) Only one usage of each socket address (protocol/network address/port) is normally permitted. :make_sock could not bind to address 0.0.0.0:443 no listening sockets available, shutting down, unable to open logs.

And of course, nothing I tried seemed to work.  Adding the ip address in front of the Listen directive just changed the IP address in the error message.  Removing the listen 443 directive revealed the next error message:
Only one usage of each socket address (protocol/network address/port) is normally permitted. :make_sock could not bind to address 0.0.0.0:80 no listening sockets available, shutting down, unable to open logs.

So, once I had achieved success, I decided to document the process in case I have to do it again and need a memory jogger.  I recommend you visit the two sites I used as reference, as they have a lot of useful links.

This document assumes an existing installation of Apache 2.0.xx.

Text taken from the above article is in bold italics.

The system I have running uses Apache 2.0.47 (win32) mod_ssl / 2.0.47 OpenSSL / 0.9.7b.  I had Apache 2.0.36 with no SSL prior to this install.

At the time of the writing of this, there is no binary release of apache2 with SSL compiled-in, due to the US authorities limiting export of encryption software. See http://www.apacheweek.com/features/ssl

Before you start

BACKUP your entire Apache directory.  
Delete all subdirectories and files from your c:\apache folder.

Navigate to http://hunter.campbus.com/ and download the latest Apache2_openssl zip file (Apache_2.0.47-OpenSSL_0.9.7b-win32.zip at time of writing)
You will also need a config file, which you can download from http://www.tud.at/programm/openssl.cnf (right click this link and select "save target as.. save as openssl.cnf")

Now begin:

Extract the zip file into your c:\apache directory.
Create a directory c:\apache\openssl
Now create another directory c:\apache\openssl\bin

Extract/copy openssl.exe to c:\apache\openssl\bin.
Extract/copy libeay32.dll and ssleay32.dll to c:\WINNT\system32

To create a test certificate for using SSL, open a command prompt window, enter a change directory command:
    cd C:\Apache\openssl\bin
and then enter the following commands:

    openssl req -config openssl.cnf -new -out localhost.csr
    openssl rsa -in privkey.pem -out localhost.key
    openssl x509 -in localhost.csr -out localhost.cert -req -signkey localhost.key -days 5000
    openssl x509 -in localhost.cert -out localhost.der.crt -outform DER

Then create a C:\Apache\conf\ssl directory, and move localhost.key, localhost.cert, and localhost.der.crt into it.

Note: The selection of 5000 days to certificate expiration is arbitrary.

The following excerpts are my httpd.conf and ssl.conf directives required to get this to work:
#most comments have been removed from these files for ease of reading.  Refer to your ssl.default.conf and httpd.default.conf for information on these directives.  Also, for more detailed info, browse to http://httpd.apache.org/docs-2.0/mod/mod_ssl.html or http://www.modssl.org/docs/


Httpd.conf

*************************************************************
ServerRoot "C:/Apache"
PidFile logs/httpd.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild 0
</IfModule>

# !! see note later in article about this directive.
Listen 80

LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
#LoadModule auth_anon_module modules/mod_auth_anon.so
#LoadModule auth_dbm_module modules/mod_auth_dbm.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule ssl_module modules/mod_ssl.so


ServerAdmin name@company.co.nz
# this will be your domain name eg name.domain.com
ServerName machinename
UseCanonicalName On

HostnameLookups on
ErrorLog logs/error.log

CustomLog logs/access.log combined

ServerTokens Full

ServerSignature Off

# do not wrap with <IfModule mod_ssl.c></IfModule>
Include conf/ssl.conf

# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

SSLProtocol -all +SSLv3
SSLCipherSuite HIGH:MEDIUM

*************************************************************

Ssl.conf

*************************************************************

# you can remove these directives if you want.. be sure to remove the end tag too (</IfDefine>)
<IfDefine SSL>

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>

DocumentRoot "c:/apache/htdocs"
# this will be your domain name eg name.domain.com
ServerName machinename
ServerAdmin name@company.com
ErrorLog logs/error_log
TransferLog logs/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile c:/apache/conf/ssl/localhost.der.crt
SSLCertificateKeyFile c:/apache/conf/ssl/localhost.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "c:/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*"          nokeepalive ssl-unclean-shutdown          downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  
</IfDefine>


*************************************************************
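
An added example, not part of the original FAQ: a small Python audit of the SSLProtocol and SSLCipherSuite directives in the two excerpts above, flagging legacy protocols and weak cipher classes (EXP, LOW, eNULL) that are added and never removed. The cipher handling is a simplified single-keyword model of OpenSSL's cipher-string rules, in which `!EXPORT56` removes only the 56-bit export ciphers and `+EXP` / `+LOW` only reorder, so the ssl.conf string still leaves EXP and LOW enabled. The function names, SAMPLE_CONF and the meaning given to `all` are assumptions.

```python
import re
# Constructed sample: the SSL directives from the httpd.conf and ssl.conf excerpts.
SAMPLE_CONF = """\
SSLProtocol -all +SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""
# Assumption: "all" = the protocols this Apache 2.0 / OpenSSL 0.9.7 stack can speak.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# Weak class -> single keywords whose cipher set includes it (ALL omits eNULL).
WEAK_CLASSES = {"EXP": {"EXP", "EXPORT", "ALL"}, "LOW": {"LOW", "ALL"},
                "eNULL": {"eNULL", "NULL"}}

def enabled_protocols(value):
    """SSLProtocol tokens, left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in value.split():
        name = tok.lstrip("+-")
        protos = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if tok[0] == "-":
            enabled -= protos
        else:
            enabled = enabled | protos if tok[0] == "+" else protos
    return enabled

def weak_cipher_classes(cipher_string):
    """Simplified model: bare adds, '-' removes, '!' removes for good, '+' reorders."""
    enabled, banned = set(), set()
    for tok in filter(None, re.split(r"[:, ]+", cipher_string.strip())):
        op, name = (tok[0], tok[1:]) if tok[0] in "+-!" else ("", tok)
        hit = {c for c, words in WEAK_CLASSES.items() if name in words}
        if op == "":
            enabled |= hit - banned
        elif op in ("-", "!"):
            enabled -= hit
            banned |= hit if op == "!" else set()
    return sorted(enabled)

def audit(conf_text):
    """Return (directive, issue) pairs for legacy protocols and weak cipher classes."""
    findings = []
    for line in conf_text.splitlines():
        name, value = (line.split(None, 1) + ["", ""])[:2]
        if name.lower() == "sslprotocol":
            legacy = sorted(enabled_protocols(value) & LEGACY_PROTOCOLS)
            findings += [("SSLProtocol", p) for p in legacy]
        elif name.lower() == "sslciphersuite":
            findings += [("SSLCipherSuite", c) for c in weak_cipher_classes(value)]
    return findings
```

Calling `audit()` on the text of httpd.conf and ssl.conf returns one pair per legacy protocol or weak cipher class that is still enabled; comment lines and section tags are ignored.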

Testing

To test the syntax of the httpd.conf file: at a command prompt in the C:\Apache directory enter the command:
    apache -t

Start your Apache service via the ApacheMonitor.exe as normal.  
Test your configuration by navigating to http://yoururl (http://localhost to start)

Now, from this point, it gets a little weird.  This is what I spent 4 days trying to get to work...

Now, with Apache running, edit your httpd.conf and comment out the
Listen 80 directive

#Listen 80

Open a command prompt, navigate to your apache/bin directory, then enter the following:

Apache -D SSL

If there are any problems with your SSL setup, this will show any relevant error messages.  If you do not comment out the Listen directive in httpd.conf before running this command, you will get those error messages I referred to earlier.

If you get no messages, move onto the next step:

Test your ssl config; navigate to https://yoururl (https://localhost to start).  Once you have success here, move onto the next step.  

Uncomment the Listen 80 directive again.

The last step was found on the following site
http://plone.org/documentation/developer/ApacheSSLWindows/wikipage_view

If you use IfDefine SSL in the ssl.conf (default) and start apache as a service, you need to edit the apache command line in the registry. In this case, the option -D SSL has to be appended to the value of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2.

Restart your service.  You should now have both https and http running.


