[MacPorts] howto/Apache2 modified

MacPorts noreply at macports.org
Sat Jan 10 03:14:41 PST 2015


Page "howto/Apache2" was changed by magill at icloud.com
Diff URL: <https://trac.macports.org/wiki/howto/Apache2?action=diff&version=11>
Revision 11
Comment: clean up ssl instructions
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: howto/Apache2
=========================================================================
--- howto/Apache2 (version: 10)
+++ howto/Apache2 (version: 11)
@@ -163,23 +163,76 @@
 }}}
 and then accessing: ''http://<servername>/manual/''
 
-=== Secure Sockets (https) === #ssl
-'''Note:''' Establishing Secure Sockets is a fairly extensive process. This is simply a shortcut for testing purposes.
-
-This works for a development system (not recommended for production!).
-
-{{{
-openssl genrsa -des3 -out server.key 1024
-# [enter your passphrase, a simple password we will remove soon]
-openssl req -new -key server.key -out server.csr
+=== Apache SSL/TLS Encryption (aks Secure Sockets  or https) === #ssl
+'''Note:''' Establishing Secure Sockets is a fairly extensive process. One should first read the current Apache2 documentation found in the Apache2 manual:
+{{{
+http://httpd.apache.org/docs/2.2/ssl/
+}}}
+==== Generate a self-signed certificate ====
+The following instructions are to generate a "self-signed" certificate.\\
+This is simply a shortcut for testing purposes (a self-signed certificate is not recommended for production!).\\
+The complete dialog is listed here for reference. The commands necessary are prefixed as "$ sudo", with comments prefixed with a #.\\
+
+{{{
+$ sudo openssl genrsa -des3 -out server.key 1024
+# Enter pass phrase for server.key [enter your passphrase, a simple password we will remove soon]
+
+Generating RSA private key, 1024 bit long modulus
+.....++++++
+................++++++
+e is 65537 (0x10001)
+Enter pass phrase for server.key:
+Verifying - Enter pass phrase for server.key:
+
+
+$ sudo openssl req -new -key server.key -out server.csr
+# 
 # [you can accept all the defaults, it does not matter, or customize it to your liking]
-openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
-# [will ask for passphrase]
-cp server.key server.key.bak
-openssl rsa -in server.key.bak -out server.key
-# [passphrase needs to be typed]
-sudo cp server.crt /opt/local/apache2/conf/
-sudo cp server.key /opt/local/apache2/conf/
+
+Enter pass phrase for server.key:
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:
+State or Province Name (full name) [Some-State]:
+Locality Name (eg, city) []:
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+Organizational Unit Name (eg, section) []:
+Common Name (e.g. server FQDN or YOUR name) []:
+Email Address []:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+
+
+$ sudo openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
+# [will ask for passphrase - the same as you entered in the first step]
+
+Signature ok
+subject=/C=US/ST=Pennsylvania/L=Elizabethtown/O=MVE/OU=Elizabethtown/CN=mcgillsociety.org/emailAddress=magill at icloud.com
+Getting Private key
+Enter pass phrase for server.key:
+
+$ sudo cp server.key server.key.bak
+$ sudo openssl rsa -in server.key.bak -out server.key
+# [will ask for passphrase - the same as you entered in the first step]
+
+Enter pass phrase for server.key.bak:
+writing RSA key
+
+$ sudo cp server.crt /opt/local/apache2/conf/
+$ sudo cp server.key /opt/local/apache2/conf/
+}}}
+'''Note:''' Certificate generation can be accomplished in any directory. If you did so in ''"/opt/local/apache2/conf"'' the last two copy commands are redundant, and will generate the following  errors respectively:
+{{{
+cp: /opt/local/apache2/conf/server.crt and server.crt are identical (not copied).
+cp: /opt/local/apache2/conf/server.key and server.key are identical (not copied).
 }}}
 
 Then enable the following in {{{/opt/local/apache2/conf/httpd.conf}}}
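Review bot: The rewritten walkthrough still creates a 1024-bit RSA key at "$ sudo openssl genrsa -des3 -out server.key 1024". 1024-bit RSA is no longer considered adequate and 2048 is the usual minimum, so change the argument to 2048 and update the sample "Generating RSA private key, 1024 bit long modulus" output to match. After "openssl rsa -in server.key.bak -out server.key" the key copied into /opt/local/apache2/conf/ is unencrypted, and nothing in the block restricts its permissions or says what to do with server.key.bak; a "sudo chmod 600" on the copied key and a sentence on the backup file would be worth adding. The sample "subject=" line shows what looks like a real domain and e-mail address, where a placeholder would serve. In the heading, "aks" should be "aka", and there is a double space before "or https".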
@@ -190,5 +243,25 @@
 # Secure (SSL/TLS) connections
 Include conf/extra/httpd-ssl.conf
 }}}
+After each change to the config file, you should again verify the file syntax, and then you need to stop and restart Apache for the changes to take effect.
+{{{
+$ /opt/local/apache2/bin/apachectl -t
+$ sudo port unload apache2
+$ sudo port load apache2
+}}}
+
+The most likely error you will receive is:
+{{{
+Syntax error on line 120 of /opt/local/apache2/conf/extra/httpd-ssl.conf:
+SSLCertificateFile: file '/opt/local/apache2/conf/server.crt' does not exist or is empty
+}}}
+If so, simply revisit the instructions above to create a self-signed certificate.
+
+==== Verify your success ====
+
+type ''"https://<your server address>"'' in Safari. \\
+Safari should return the pop-up: "Safari can't verify the identity of the website "<your server address>" \\
+At which point you can view the details of your certificate and select your appropriate actions.
+
 
 [wiki:howto <- Back to the HOWTO section]
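Review bot: The "Verify your success" section stops at "select your appropriate actions" without telling the reader how to confirm that the certificate Safari shows is the one they just generated. Suggest adding a step to compare the fingerprint shown in the certificate details with the output of "openssl x509 -noout -fingerprint -in server.crt" before trusting it. In the error example, "line 120" depends on the installed httpd-ssl.conf, so it is worth saying the line number may differ. Style: "type" should be capitalized, and the quoted Safari message has unbalanced quotation marks.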
-------8<------8<------8<------8<------8<------8<------8<------8<--------

--
Page URL: <https://trac.macports.org/wiki/howto/Apache2>
MacPorts <https://www.macports.org/>
Ports system for OS X

This is an automated message. Someone added your email address to be
notified of changes on 'howto/Apache2' page.
If it was not you, please report to .

