周二 23 5月 2006
Apache2.2.2 + mod_ssl @ fedora4
Posted by Semon under DEV
[13] Comments
本文从网上抄æ¥å®žè·µï¼Œç”±äºŽç‰ˆæœ¬ä¸åŒï¼Œç•¥æœ‰æ”¹å˜ï¼Œæ‰€å˜ä»¥çº¢è‰²ç²—ä½“æ ‡å‡º
原始地å€ï¼šhttp://blog.csdn.net/myhan/archive/2004/08/10/69941.aspx
环境:
Fedora Core 4
说明:
使用$ 开头的是普通用户身份执行的命令
使用# 开头的是rootå¸å·æ‰§è¡Œçš„命令
å‰ä¼ :安装openssl
看这里:http://blog.csdn.net/myhan/archive/2004/08/10/69959.aspx
ä¸è¿‡ä¸€èˆ¬å®‰è£…的时候都会被装好,如果没有的è¯å°±å‚考一下。
第一æ¥ï¼šå®‰è£…apache
下载apache2: http://httpd.apache.org/download.cgi
我需è¦mod_ssl的支æŒï¼Œå’Œapache1ä¸åŒçš„是,mod_sslä¸åœ¨æ˜¯å•ç‹¬çš„模å—,而是放在apacheå‘行包里é¢äº†ï¼Œé»˜è®¤æ˜¯ä¸å¯ç”¨çš„,config的时候选择上就å¯ä»¥äº†ã€‚
我使用DSOæ–¹å¼ç¼–译安装apache,åŒæ—¶å°†å…¨éƒ¨æ¨¡å—都编译好,以方便åŽæ¥å¯èƒ½çš„需è¦ã€‚åªè¦ç¼–辑httpd.conf,在里é¢åŽ»æŽ‰ä¸æƒ³è¦çš„模å—ï¼ˆæ³¨é‡Šæˆ–è€…åˆ é™¤å¯¹åº”æ¨¡å—çš„LoadModule行),就å¯ä»¥å®šåˆ¶è‡ªå·±çš„apache咯。
$ tar zxvf httpd-2.2.2.tar.gz
$ ./configure –-enable-layout=Apache –enable-so –enable-ssl=shared –with-ssl=/usr/local/ssl
$ make
$ su
# make install
[原文编译带了–enable-mods-shared=allå‚数,由于apache2.2之åŽï¼Œå¸¸ç”¨æ¨¡å—被é™æ€å†…置,所以带上这个å‚æ•°åŽä¼šéœ€è¦æ‰‹åŠ¨åŠ 载所有模å—,å¦åˆ™ä¼šæŠ¥é”™]
Apache有两ç§ä½¿ç”¨æ¨¡å—的方法,其一是永久性包å«è¿›æ ¸å¿ƒï¼›
如果æ“作系统支æŒåŠ¨æ€å…±äº«å¯¹è±¡(DSO),而且能为autoconf所检测,则模å—还å¯ä»¥è¢«åŠ¨æ€ç¼–译。
DSO模å—çš„å˜å‚¨æ˜¯ç‹¬ç«‹ä¸Žæ ¸å¿ƒçš„,å¯ä»¥è¢«æ ¸å¿ƒä½¿ç”¨ç”±mod_so模å—æ供的è¿è¡Œæ—¶åˆ»é…置指令包å«æˆ–排除。
如果编译ä¸åŒ…å«æœ‰ä»»ä½•åŠ¨æ€æ¨¡å—,则mod_so模å—会被自动包å«è¿›æ ¸å¿ƒã€‚å¦‚æžœå¸Œæœ›æ ¸å¿ƒèƒ½å¤Ÿè£…è½½DSO,而ä¸å®žé™…编译任何动æ€æ¨¡å—,需è¦æ˜Žç¡®æŒ‡å®š–enable-so。
(http://kajaa.bbs.us/ApacheManual/install.html)
第一次按照上述方法编译的apache,å¯åŠ¨çš„时候会报错:
# cd /usr/local/apache2
# ./bin/apachectl startssl
Syntax error on line 251 of /usr/local/apache/conf/httpd.conf:
Cannot load /usr/local/apache/modules/mod_ssl.so into server: /usr/local/apache/modules/mod_ssl.so: undefined symbol: X509_free
åŽŸå› æ˜¯ä»€ä¹ˆå‘¢ï¼Ÿçœ‹ http://www.smartframeworks.com/qt-apache-ssl.html
å› ä¸ºæŒ‰ç…§ä¸‹é¢çš„方法(å‚看:Apache2 + mod_ssl + php5 完全安装实录(2))安装的openssl默认是没有编译æˆåŠ¨æ€é“¾æŽ¥åº“çš„ï¼Œå› ä¸ºå…¶æ–‡æ¡£è¯´openssl的动æ€é“¾æŽ¥åº“还ä¸æˆç†Ÿï¼Œå¯ä»¥ä½¿ç”¨ ./config shared 编译带动æ€é“¾æŽ¥åº“çš„openssl,但是还处于试验阶段。
解决这个问题的办法是:将mod_sslé™æ€çš„编译到apache里é¢ã€‚
请使用下é¢çš„方法é‡æ–°æ¥è¿‡ï¼šï¼‰
$ ./configure –prefix=/usr/local/apache2 –enable-so –enable-ssl=static –with-ssl=/usr/local/ssl (如果还è¦åŠ ä½ è‡ªå·±çš„å…¶ä»–æ¨¡å—别忘记补上)
$ make
$ su
# make install
这次å¯åŠ¨apache的时候åˆå‘现一个错误:
# cd /usr/local/apache2
# ./bin/apachectl startssl
Syntax error on line 108 of /usr/local/apache2/conf/ssl.conf:
SSLCertificateFile: file ‘/usr/local/apache2/conf/ssl.crt/server.crt’ does not exist or is empty
è¿™åˆæ˜¯ä»€ä¹ˆåŽŸå› å‘¢ï¼Ÿå› ä¸ºæˆ‘ä»¬æ²¡æœ‰é…ç½®ssl,需è¦ç”Ÿæˆssl需è¦çš„è¯ä¹¦ã€‚
以å‰ä½¿ç”¨apache1+mod_ssl的时候,make之åŽæœ‰ä¸€ä¸ªè¿™æ ·çš„æ¥éª¤
$ make certificate
å¯ä»¥ç”¨æ¥ç”Ÿæˆssl所用到的è¯ä¹¦ã€‚
现在没有这个工具了,åªèƒ½è‡ªå·±åŠ¨æ‰‹ç”Ÿæˆäº†ï¼Œå¯¹è¯ä¹¦ä¸ç†Ÿæ‚‰çš„人,有一个工具å¯ä»¥ä½¿ç”¨ï¼šhttp://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
# cd /usr/local/apache2/conf
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh (生æˆæ ¹è¯ä¹¦)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
………………………++++++
….++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (输入一个密ç )
Verifying – Enter pass phrase for ca.key: (å†è¾“入一次密ç )
……
Self-sign the root CA… (ç¾ç½²æ ¹è¯ä¹¦)
Enter pass phrase for ca.key: (输入刚刚设置的密ç )
……..
…….. (下é¢å¼€å§‹ç¾ç½²)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd
Organizational Unit Name (eg, section) [Certification Services Division]:ACSTAR
Common Name (eg, MD Root CA) []:WISCOM CA
Email Address []:acmail@wiscom.com.cn
è¿™æ ·å°±ç”Ÿæˆäº†ca.keyå’Œca.crt两个文件,下é¢è¿˜è¦ä¸ºæˆ‘们的æœåŠ¡å™¨ç”Ÿæˆä¸€ä¸ªè¯ä¹¦ï¼š
# ./new-server-cert.sh server (这个è¯ä¹¦çš„åå—是server)
……
……
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd
Organizational Unit Name (eg, section) [Secure Web Server]:ACSTAR
Common Name (eg, www.domain.com) []:acmail.wiscom.com.cn
Email Address []:acmail@wiscom.com.cn
è¿™æ ·å°±ç”Ÿæˆäº†server.csrå’Œserver.key这两个文件。
还需è¦ç¾ç½²ä¸€ä¸‹æ‰èƒ½ä½¿ç”¨çš„:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (输入上é¢è®¾ç½®çš„æ ¹è¯ä¹¦å¯†ç )
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’CN’
stateOrProvinceName :PRINTABLE:’JiangSu’
localityName :PRINTABLE:’NanJing’
organizationName :PRINTABLE:’Wiscom System Co.,Ltd’
organizationalUnitName:PRINTABLE:’ACSTAR’
commonName :PRINTABLE:’acmail.wiscom.com.cn’
emailAddress :IA5STRING:’acmail@wiscom.com.cn’
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK (如果这里出现错误,最好é‡æ–°æ¥è¿‡ï¼Œåˆ 除ssl.ca-0.1这个目录,从解压缩处é‡æ–°å¼€å§‹ã€‚)
下é¢è¦æŒ‰ç…§ssl.conf里é¢çš„设置,将è¯ä¹¦æ”¾åœ¨é€‚当的ä½ç½®ã€‚
# chmod 400 server.key
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
然åŽå°±å¯ä»¥å¯åŠ¨å•¦ï¼
# cd /usr/local/apache2
# ./bin/apachectl startssl
æ…¢ï¼å…¶å®žè¿˜æ˜¯éœ€è¦åŠ¨ä¸‹æ‰‹è„šçš„,主è¦æœ‰ä»¥ä¸‹å‡ 个:
1,去掉httpd.conf里对Include conf/extra/httpd-ssl.conf的注释
2,编辑上é¢è¿™ä¸ªé…置文件,在æ£ç¡®é…置虚拟主机ä¸çš„å‚数,特别是*.keyå’Œ*.crt文件的路径
3,直接按照普通方å¼é‡èµ·apacheå°±å¯æˆåŠŸäº†ï¼Œstartssl在这个版本里已ç»å–消了。
对于这个æ示:
httpd: Could not determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName
åªéœ€è¦ç¼–辑httpd.conf,找到ServerName xxxx这一行,去掉å‰é¢çš„注释å³å¯ã€‚
13 Responses to “ Apache2.2.2 + mod_ssl @ fedora4 ”