Jun 26 2009

Creating an SSL certificate

Category: Apache2 | 최 태현 @ 5:14 PM

Configuring SSL

First we need to generate a self-signed certificate that Apache can use. Since it is self-signed, browsers will show a warning that forces you to do some extra clicks the first time the certificate is loaded.

We will need openssl to be able to generate the certificate so install it if it’s not already on the server by doing:

apt-get install openssl

After openssl is installed enter the /etc/ssl/private/ directory and run the following command to create a private key for Apache (you may use a different name for the key file):

cd /etc/ssl/private
openssl genrsa -des3 -out debby.key 1024

You are asked to enter a passphrase for the key. We will remove this passphrase later on, so just enter whatever you like (just don’t forget it). Now we can make a certificate based on this key. Enter the /etc/ssl/certs/ directory and run the following command:

cd /etc/ssl/certs
openssl req -new -x509 -days 365 -key ../private/debby.key -out debby.crt

First you are asked to enter the passphrase you used when creating the key. After that you are prompted for some more information like State, City and so forth. It’s important to write something when you are asked for “Common Name”. If you don’t do this you will have problems checking out the code from the Subversion repositories later on.

When done you will have a file called debby.crt (or whatever name you chose).

Now we need to get rid of the passphrase from the key file or else Apache will ask you for the passphrase every time you restart it. To do that run the following commands:

cd /etc/ssl/private
cp debby.key debby.key.org
openssl rsa -in debby.key.org -out debby.key
chmod 400 debby.key debby.key.org

And that's that! The key no longer has a passphrase and it is only readable by the root user. Now we need to configure Apache so that SSL is enabled and that it uses the certificate we have just created.
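The key and certificate steps above, collected into one non-interactive script as an added example (not code from the original post). It writes the key without a passphrase in the first place, sets the Common Name on the command line so it cannot be left blank, and then checks what Apache actually needs: a key that loads without a passphrase, a certificate that matches that key, the expected Common Name, and a key file readable by its owner only. The directory, file name and CN are parameters; the 2048-bit key size is this example's choice, not the post's.

```shell
#!/bin/sh
# Added example: generate and verify a self-signed key/certificate pair
# for Apache. Names, paths and the 2048-bit key size are assumptions.
set -eu

# make_selfsigned DIR NAME CN [DAYS]
# Writes DIR/NAME.key (no passphrase, mode 400) and DIR/NAME.crt.
make_selfsigned() {
    dir=$1; name=$2; cn=$3; days=${4:-365}
    mkdir -p "$dir"
    # No -des3: the key is written unencrypted, which is the state the post
    # reaches after the cp/openssl rsa/chmod steps. 2048 bits is this
    # example's choice; the post used 1024.
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 400 "$dir/$name.key"
    # -subj supplies the Common Name non-interactively.
    openssl req -new -x509 -days "$days" -key "$dir/$name.key" \
        -subj "/CN=$cn" -out "$dir/$name.crt" 2>/dev/null
}

# check_selfsigned DIR NAME CN
# Returns 0 only if the pair is usable by Apache as configured in the post.
check_selfsigned() {
    dir=$1; name=$2; cn=$3
    key="$dir/$name.key"; crt="$dir/$name.crt"
    # 1. Key loads with an empty passphrase, so Apache will not prompt on restart.
    openssl rsa -in "$key" -noout -passin pass: 2>/dev/null || return 1
    # 2. Certificate and key belong together (identical public key).
    kpub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -pubkey -noout)
    [ "$kpub" = "$cpub" ] || return 1
    # 3. Common Name is the one we expect (RFC2253 output is stable across versions).
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
        | grep -qF "CN=$cn" || return 1
    # 4. No group/other permission bits on the private key (columns 5-10 of ls -l).
    if ls -l "$key" | cut -c5-10 | grep -q '[a-zA-Z]'; then
        return 1
    fi
    return 0
}

# Usage: make_selfsigned /etc/ssl/debby debby debby && check_selfsigned /etc/ssl/debby debby debby
```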

On Debian the SSL module for Apache is installed together with the apache2 package, but not enabled. If your distro does not include the SSL module you will need to install it first. Now, let's enable it and make some changes to the default configuration.

Enter the /etc/apache2/mods-enabled/ directory and make a couple of symlinks:

cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.load
ln -s ../mods-available/ssl.conf

The next time Apache restarts it will load the SSL module and use the configuration from the ssl.conf file in the mods-enabled directory.

Now we want Apache to listen on port 443 instead of 80. This can be done by editing the ports.conf file in the /etc/apache2/ directory. Simply put in 443 instead of 80 and save the file.

We need to configure the SSL module to use the certificate we just created. Instead of editing the default configuration file we will create a file called ssl.conf in /etc/apache2/conf.d/ together with trac.conf and subversion.conf and make it look like this:

<VirtualHost _default_>
    DocumentRoot "/services/apache/debby/html"
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/debby.crt
    SSLCertificateKeyFile /etc/ssl/private/debby.key
</VirtualHost>

SSL is now enabled on the default virtual host on our Apache server and will use the certificate and key we just created. As you can see I have set the DocumentRoot of the default virtual host to a directory that does not yet exist. Create it by running the following command:

mkdir -p /services/apache/debby/html

Now we can restart Apache and we should have SSL support. I can now make a request to https://debby/trac and get the project listing. Plain http will no longer work since the server only listens on port 443. The first time you request something over https you will get a warning about the certificate. In Firefox you can just add an exception and it will no longer nag about the certificate. You get this warning because the certificate is not signed by a Certificate Authority. The certificate will work just fine, apart from the warning the first time your browser loads it.

Now that we have SSL we can go ahead and configure authentication for our Trac and the Subversion repositories.

May 26 2009

SSL Certificate HOWTO

Category: Apache2, Ubuntu, Web Server | 최 태현 @ 3:58 PM

It is written up so well at http://wiki.kldp.org/wiki.php/DocbookSgml/SSL-Certificates-HOWTO that I have excerpted only the parts I need and want to refer back to.

1. What is SSL, and what is a certificate?

The Secure Socket Layer (SSL) protocol was created by Netscape for secure communication between web servers and browsers. When communicating, SSL uses a Certificate Authority (CA) so that the two parties can recognize each other. Briefly, the process works as follows.
