Setting up Apache HTTP Server with SSL support on Ubuntu/Debian


I need to set up a server to host our Subversion repository in a secured fashion and to make it available on the Web. Therefore, I first install the Apache HTTP Server (httpd) and configure it to allow for SSL connections only.

If there are mistakes in this post, please comment. I’m eager to improve it and learn.

It took me quite some time to find some proper documentation on how to configure Apache2 on Ubuntu/Debian. I came across that interesting page on the Apache Web site that pointed me to a README file: /usr/share/doc/apache2/README.Debian.gz that contains information on how to configure Apache2 on Debian.

Step 1: Install the Apache2 package

There is an Apache httpd package readily available for aptitude under the name apache2. To install it, run the following command from the terminal.

$ sudo apt-get install apache2

To test that the package was properly installed, open the following address in your browser: http://yourhostname. If the installation was successful, the browser shall display the following:

It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

Step 2: Configure httpd to support SSL

The module mod_ssl (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html) provides SSL/TLS support to httpd. It is available in the httpd installation as a part of the apache2-common package.

On Ubuntu/Debian, use the following commands to enable the default SSL site and the SSL module:

$ sudo a2ensite default-ssl

That yields

Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload

$ sudo a2enmod ssl

That yields

Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart

As written, let’s restart Apache2 to apply the changes with the following command:

$ sudo service apache2 restart

That command yields the following outcome:

* Restarting web server apache2 … waiting

The same restart can also be done by calling the init script directly:

$ sudo /etc/init.d/apache2 restart

Which yields again:

* Restarting web server apache2 … waiting

To test that the module was properly installed, open the following address in your browser: https://yourhostname. The first time you access the page, the browser will warn you that the certificate of the site is not trusted. You can proceed and you will get to the same page as before:

It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

Step 3: Generate a self-signed certificate

To use a self-signed certificate, the package ssl-cert must be installed, which it was on my install.

I wanted to configure my own self-signed certificate for the server and to store it in /etc/apache2/ssl. To do so, run the following command from the terminal:

$ sudo mkdir /etc/apache2/ssl
$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.crt

The command prompts you to enter the hostname to use in the certificate. Once done, you can now see that there is a new file in the /etc/apache2/ssl directory:

drwxr-xr-x 2 root root 4096 2011-12-16 14:40 ./
drwxr-xr-x 8 root root 4096 2011-12-16 14:12 ../
lrwxrwxrwx 1 root root 10 2011-12-16 14:40 a9630d61 -> apache.crt
-rw------- 1 root root 2685 2011-12-16 14:40 apache.crt

That last command will have generated an apache.crt file that contains both the certificate and the key. Let’s now separate that file into two files:

  • apache.pem to store the certificate
  • apache.key to store the key

I will simply copy the original apache.crt file twice, one with each name and edit each file.

$ cd /etc/apache2/ssl
$ sudo cp apache.crt apache.pem
$ sudo cp apache.crt apache.key

The apache.pem file must contain everything from the beginning line to the ending line of the certificate:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The apache.key file must contain everything from the beginning line to the ending line of the key:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
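
The copy-and-edit split described above can also be done without opening an editor. The following is an added example, not part of the original post: split_pem is a hypothetical helper name and the sample input is constructed. It also accepts the "RSA PRIVATE KEY" label, which goes slightly beyond the case shown in the text.

```shell
#!/bin/sh
# split_pem COMBINED OUTDIR  (hypothetical helper, not part of ssl-cert)
# Writes OUTDIR/apache.pem (certificate only) and OUTDIR/apache.key
# (private key only) from a combined file such as apache.crt.
split_pem() {
    combined=$1
    outdir=$2
    [ -r "$combined" ] || { echo "cannot read $combined" >&2; return 1; }

    # Refuse input that lacks either block, so an empty certificate or key
    # file is never written. Both "PRIVATE KEY" and "RSA PRIVATE KEY" labels
    # are accepted.
    grep -Eq -e '^-----BEGIN CERTIFICATE-----' "$combined" ||
        { echo "no certificate block" >&2; return 2; }
    grep -Eq -e '^-----BEGIN (RSA )?PRIVATE KEY-----' "$combined" ||
        { echo "no private key block" >&2; return 3; }

    (
        # umask 077 in a subshell: both files are created mode 0600, so the
        # key is never readable by other users, not even briefly.
        umask 077
        awk '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/' \
            "$combined" > "$outdir/apache.pem" &&
        awk '/^-----BEGIN (RSA )?PRIVATE KEY-----/,/^-----END (RSA )?PRIVATE KEY-----/' \
            "$combined" > "$outdir/apache.key"
    ) || return 4

    # The certificate is public; confirm no key material leaked into it
    # before relaxing its permissions.
    if grep -q 'PRIVATE KEY' "$outdir/apache.pem"; then
        echo "key material found in apache.pem" >&2
        return 5
    fi
    chmod 644 "$outdir/apache.pem"
}

# Constructed sample input: placeholder base64, not a real key or certificate.
demo_dir=$(mktemp -d)
cat > "$demo_dir/apache.crt" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=
-----END CERTIFICATE-----
EOF
split_pem "$demo_dir/apache.crt" "$demo_dir" && ls -l "$demo_dir"
```

On the real server the call would be run as root against /etc/apache2/ssl/apache.crt with /etc/apache2/ssl as the output directory.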

Step 4: Configure httpd to use the certificate

Now, I have to configure httpd to use my new certificate. To do so, I edit the configuration with nano

$ sudo nano /etc/apache2/sites-enabled/default-ssl

We have to update the following two lines

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

with the following two lines

SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

The private key shall only be readable by root:

$ sudo chmod 600 /etc/apache2/ssl/apache.key

Let’s now restart Apache2

$ sudo /etc/init.d/apache2 restart

Step 5: Disable the HTTP port

On Ubuntu/Debian, the enabled ports are defined in /etc/apache2/ports.conf. As I want to disable the HTTP listener, I simply disable that port in that file by commenting out the following two lines:

#NameVirtualHost *:80
#Listen 80

Final test

To check that everything works fine, let’s try to access the page at http://localhost with curl

$ curl http://localhost
curl: (7) couldn't connect to host

Let’s now try to access the page at https://localhost with curl -k. The -k option tells curl to skip certificate verification, which allows the connection even though the self-signed certificate cannot be verified.

$ curl -k https://localhost
<h1>It works!</h1>
This is the default web page for this server.

The web server software is running but no content has been added, yet.


That’s it.
