app:apache-http-server:apache2-ssl-tls-debian-ubuntu - readm3.org - IT wiki

SSL/TLS with Apache 2.2 on Debian/Ubuntu Linux

This article provides basic knowledge and exemplary configurations to use SSL/TLS with Apache.

It is assumed that you got a working Apache HTTP server and you can access the computer's terminal with root privileges (e.g. via SSH).

The following commands and configurations are examples to help understanding the SSL/TLS configuration at all. You need to adapt them to your needs.

Things you should know before you start

  1. Read the Apache FAQ entry “Why can't I use SSL with name-based/non-IP-based virtual hosts?”. There is some light at the end of the tunnel, though: VhostTaskForce.
  2. If done right, TLS is not computationally expensive any more. Many years ago that might have been true, but it is simply not the case any more. If you want to know more, have a look at the article Overclocking SSL.
  3. TLS makes the communication with your website more secure, but it does not protect against all kinds of attacks and tracking. E.g. if an attacker is able to observe your traffic, it may still be possible to tell which pages you visited (based on the size of the transferred data).

Necessary preparations

Set up the certificate

Import and use an existing certificate

FIXME

Create and use a new certificate

Many articles on the web use apache2-ssl-certificate to create a certificate, but this information is outdated: that script/command is not available for Apache 2.2 on Debian/Ubuntu.

Weak, self-signed certificate for private usage or testing purpose

This is a good starting point. Create a weak and self-signed certificate to test and configure everything and switch over to a better certificate signed by a trusted third party afterwards.

  • Create the TLS/SSL directory if it is not existing:
    sudo mkdir -p -v -m 0700 /etc/apache2/ssl/
  • Create the certificate (replace server with your domain name or your server's IP, e.g. *.example.com, www.example.com in all following commands):
    sudo openssl req -new -x509 -nodes -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key
  • Set the correct permissions:
    sudo chown -R root /etc/apache2/ssl/
    sudo chmod -R 400 /etc/apache2/ssl/
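The three steps above as one script, added here as an example and not part of the original article: it creates the directory, generates the self-signed certificate and key non-interactively, applies the article's permissions and then verifies that the certificate really belongs to the key (a check the article does not show). The directory, CommonName and lifetime are parameters chosen by the caller; the 2048-bit key size and the 365-day default are choices made in this example.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed certificate for
# testing, with the permission and key/certificate consistency checks a
# sysadmin would run afterwards. Assumes openssl is installed.

# Create the directory readable only by its owner (the article's mkdir step).
make_ssl_dir() {
    mkdir -p -m 0700 "$1"
}

# Generate a fresh RSA key and a self-signed certificate in one step.
# -nodes: do not encrypt the key, so Apache can start unattended.
# -subj sets the CommonName without the interactive questions.
make_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-365}"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Restrict permissions as in the article (chown is only possible as root).
lock_down() {
    dir="$1"
    [ "$(id -u)" -eq 0 ] && chown -R root "$dir"
    chmod 400 "$dir/server.key" "$dir/server.crt"
}

# Return 0 iff the public key in server.crt matches server.key:
# both files must yield the same RSA modulus.
cert_matches_key() {
    dir="$1"
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Print subject and validity period for a final eyeball check.
show_cert() {
    openssl x509 -noout -subject -dates -in "$1/server.crt"
}

# Run the whole procedure only when invoked as:
#   sudo sh make_selfsigned.sh /etc/apache2/ssl www.example.com [days]
if [ "$#" -ge 2 ]; then
    make_ssl_dir "$1"
    make_selfsigned "$1" "$2" "${3:-365}"
    lock_down "$1"
    cert_matches_key "$1" && show_cert "$1"
fi
```

Because the key is created with -nodes, no passphrase is asked for at Apache start-up; the chmod 400 on both files is what keeps the private key out of reach of other local users.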

Strong certificate for professional usage

  • Create the TLS/SSL directory if it is not existing:
    sudo mkdir -p -v -m 0700 /etc/apache2/ssl/

    You can use

    sudo openssl ciphers -v

    to check which encryption algorithms are available on your system. If available, I would recommend AES256-SHA or AES128-SHA. The genrsa OpenSSL documentation is also helpful.

  • Create the certificate (replace server with your domain name or your server's IP, e.g. *.example.com, www.example.com in all following commands):
    • 1st variant (without passphrase; the usual choice for unattended servers):
      sudo openssl genrsa -out /etc/apache2/ssl/server.key 1024
    • 2nd variant (with passphrase; you have to type it whenever Apache starts):
      sudo openssl genrsa -aes256 -out /etc/apache2/ssl/server.key 1024
  • Create a Certificate Signing Request (CSR):
    sudo openssl req -new -key /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.csr

    When you are asked for the “CommonName”, use your server's FQDN (“Fully Qualified Domain Name”, e.g. www.example.com). Wildcards like *.example.com work, but you may have to escape the * with a backslash.

  • Check everything:
    openssl req -noout -text -in /etc/apache2/ssl/server.csr
  • Take the CSR file and send it to a Certificate Authority (CA) to sign it. You will get back a signed certificate (normally as plain text: -----BEGIN CERTIFICATE----- […] -----END CERTIFICATE-----). Store this certificate, without any white-space behind -----END CERTIFICATE-----, in /etc/apache2/ssl/server.crt.
  • Set the correct permissions:
    sudo chown -R root /etc/apache2/ssl/
    sudo chmod -R 400 /etc/apache2/ssl/
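The CSR workflow above as a script, added here as an example and not part of the original article. It generates the key and the CSR non-interactively, checks that the CSR was really made with that key, and copies the certificate returned by the CA into place while cutting off everything behind the END marker (the white-space problem the article warns about). Paths and the CommonName are parameters chosen by the caller; the 2048-bit key size is a choice made in this example, whereas the article's commands use 1024.

```shell
#!/bin/sh
# Added example (not from the original article): key, CSR and safe storage of
# the CA-signed certificate. Assumes openssl is installed.

# Unencrypted RSA key (the article's 1st variant). Add -aes256 after genrsa
# for the passphrase-protected 2nd variant.
make_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# CSR with the FQDN as CommonName, skipping the interactive questions.
make_csr() {
    key="$1"; csr="$2"; cn="$3"
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$cn"
}

# The article's "check everything" step: subject, key size, signature.
show_csr() {
    openssl req -noout -text -in "$1"
}

# Return 0 iff the CSR was signed with the given key
# (the public key embedded in the CSR must equal the key's public part).
csr_matches_key() {
    csr_pub=$(openssl req -noout -pubkey -in "$1")
    key_pub=$(openssl rsa -pubout -in "$2" 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Copy the CA's answer into place: keep only the PEM block from the BEGIN to
# the END marker, strip trailing spaces from every line and drop everything
# (blank lines, mail footers) behind the END marker. Fails if no PEM block
# is present at all.
store_cert() {
    src="$1"; dst="$2"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$src" || return 1
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$src" \
        | sed 's/[[:space:]]*$//' > "$dst"
    chmod 400 "$dst"
}

# Whole preparation for one directory, e.g.:
#   prepare_csr /etc/apache2/ssl www.example.com
prepare_csr() {
    dir="$1"; cn="$2"
    make_key "$dir/server.key"
    chmod 400 "$dir/server.key"
    make_csr "$dir/server.key" "$dir/server.csr" "$cn"
    csr_matches_key "$dir/server.csr" "$dir/server.key" && show_csr "$dir/server.csr"
}
```

After the CA has answered, `store_cert ca-reply.txt /etc/apache2/ssl/server.crt` writes the cleaned certificate; running `openssl x509 -noout -text -in /etc/apache2/ssl/server.crt` afterwards confirms that the file parses.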

Configure Apache

The basic configuration is done. Now add whatever further directives your setup needs: put your requirement into a few keywords, search for them, and consult the Apache documentation to find the matching directives.

Some additional hints:

  • Directives to use within a vHost or the global config (the file names are the ones created above):
    #SSL/TLS
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
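A complete HTTPS vHost built from those directives, added here as an example and not part of the original article: one function writes the vHost file, another checks the file before it is enabled, namely that both referenced files exist and that the key is not readable by group or others (the chmod 400 from above). The site file name, ServerName and DocumentRoot are placeholders chosen for this example; the certificate and key paths are the ones used throughout the article.

```shell
#!/bin/sh
# Added example (not from the original article): write and sanity-check an
# HTTPS vHost for Debian/Ubuntu Apache.

# Write a minimal *:443 vHost to the file given as first argument.
write_ssl_vhost() {
    out="$1"; name="$2"; crt="$3"; key="$4"
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName $name
    DocumentRoot /var/www

    #SSL/TLS
    SSLEngine On
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
</VirtualHost>
EOF
}

# Return 0 iff the certificate and key named in the vHost exist and the
# key's group/other permission bits are all cleared (mode 400 or 600).
check_ssl_vhost() {
    conf="$1"
    crt=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]*//p' "$conf")
    key=$(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]*//p' "$conf")
    if [ -z "$crt" ] || [ ! -f "$crt" ]; then
        echo "certificate file missing: '$crt'" >&2; return 1
    fi
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "key file missing: '$key'" >&2; return 1
    fi
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "key $key is readable by group/other; use chmod 400" >&2; return 1
    fi
    return 0
}

# Typical use on a Debian/Ubuntu box (placeholder site name "example-ssl"):
#   write_ssl_vhost /etc/apache2/sites-available/example-ssl www.example.com \
#       /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key
#   check_ssl_vhost /etc/apache2/sites-available/example-ssl
#   a2enmod ssl && a2ensite example-ssl && apache2ctl configtest
```

On Debian/Ubuntu, enabling mod_ssl with a2enmod ssl also activates the Listen 443 entry in ports.conf; apache2ctl configtest then catches syntax errors and missing files before the server is restarted.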
