I expect to be accessing some services on my laptop via Apache over an untrusted network in the near future, so I need to turn on SSL.
As usual, turn on the Apache SSL module:
and the default SSL configuration:cd /etc/apache2/mods-enabled/ ln -s ../mods-available/ssl.conf . ln -s ../mods-available/ssl.load .
cd /etc/apache2/sites-enabled/ ln -s ../sites-available/default-ssl 001-default-ssl
Now restart Apache and it just works!? Apparently there is a "snakeoil" certificate already in place to get the job done. Trivial. Thank you, Debian Apache packagers.
Generally speaking, it would appear that a vanilla single root SSL certificate, self-signed or otherwise, is only good for exactly one domain that corresponds exactly to the "common name" used in creating the certificate.
Some vendors sell something called a "wildcard" certificate, where the common name on the certificate takes the form of "*.domain.com", and can be used to secure multiple sub-domains. Such a "wildcard" certificate, not suprisingly, seems to be considerably more expensive then a single root certificate. Apache even provides a built-in mechanism using a document root wildcard for mapping each sub-domain to a different document root.
Some vendors like Godaddy sell multiple domain certificates which seem to provide a discount to purchasing the same number of single root certificates.
A good source for a free certificate is cacert.org. cacert.org will sign a certificate for you for a domain if your e-mail address is in the whois record for the domain (this is an automated process on their end, they verify your identity by sending you a link in an e-mail ....) The Apache website has a nice concise explanation of how to create a server key and certificate signing request for cacert.org (or anyone else....)
Basically the process is:
openssl req -nodes -new -keyout try.key -out try.csr
openssl req -noout -text -in try.csr
cacert.org certificates seem to be good for six months. They send you an e-mail in advance of expiry.
For a particular SSL-enabled Apache virtual host, force users to always use https by placing a redirect in http virtual host, ie.:
DocumentRoot /var/www/vsc/apps ServerName apps.vancouversolidcomputing.com ServerAlias apps.vancouversolidcomputing.com ServerAdmin firstname.lastname@example.org CustomLog /var/log/apache2/access.log combined Redirect / https://apps.vancouversolidcomputing.com/
As I noted in an earlier post, name-based virtual hosting "seemed" to be working. "Seemed". In fact, the virtual hosts were finding the correct web root and loading the correct site, but browsers were consistently giving an error to the effect that the domain name in the certificate and the domain name the browser was pointed to were not the same.
Someone on the cacert.org e-mail list set me straight:
From: Pete Stephenson To: email@example.com Subject: Re: Certificate somehow associated with wrong sub-domain? Both subdomains share the same IP address. SSL is IP-based, rather than name-based. Specifically, when a client connects to a server, it establishes the SSL connection prior to sending the HTTP Host header, so the server has no idea which specific certificate to send. Depending on the server, it may send the first certificate mentioned in the configuration file or do something else entirely. You can solve this by adding multiple SubjectAltNames to a certificate (e.g. you'd have a SAN for apps.vancouversolidcomputing.com and another one for vsc.vancouversolidcomputing.com all in a single certificate) and telling your server to use the same certificate for both subdomains. More details, including a handy shell script which can generate the required CSR (some options, like the RSA key length are manually configurable in the shell script; it doesn't prompt the user for the keylength), are available here: http://wiki.cacert.org/wiki/VhostTaskForce Cheers! -Pete
So what I take from this is:
This page talks about the issue in general, and the various somewhat fuzzy and partially supported options -- "Currently the different browsers, servers and CAs all implement different and incompatible ways to use SSL certificates for several VHosts on the same server" -- this situation has not been entirely standardized yet!
This page seems to recommend the cacert.org way to setup Apache with the right kind of multiple SubjectAltName certificate, complete with a script for generating an appropriate Certificate Request and associated key. I used the script to generate the request, and sure enough:
# openssl req -noout -text -in vancouversolidcomputing_csr.pem Certificate Request: Data: Version: 0 (0x0) Subject: CN=www.vancouversolidcomputing.com Requested Extensions: X509v3 Subject Alternative Name: DNS:www.vancouversolidcomputing.com, DNS:vancouversolidcomputing.com, DNS:printshopdemo.vancouversolidcomputing.com, DNS:vsc.vancouversolidcomputing.com , DNS:solid.vancouversolidcomputing.com, DNS:apps.vancouversolidcomputing.com, DNS:ofri.vancouversolidcomputing.com
out comes a Certificate Request with multiple SubjectAltNames.
I then replaced *all* certificates in my Apache virtual hosts with this new certificate, ie.
in each virtual host block for each sub-domain / web root.
The certificate now works flawlessly in Iceape (which apparently contains the cacert.org Certificate Authority information) and Internet Explorer still complains about an untrusted Certificate Authority. Neither complains about domain names not matching, which was happening before.
 contained several other directives in each of the SSL virtual host blocks:
SSLProtocol all -SSLv2
but I have so far found these unnecessary.
Turn on the SSL module:
cd /etc/apache2/mods-enabled/ ln -s ../mods-available/ssl.conf . ln -s ../mods-available/ssl.load . /etc/init.d/apache2 restart
In Debian, /etc/apache2/mods-enabled/ports.conf should already have logic to listen on the default port 443 if the SSL module is loaded.
Now create a self-signed certificate (tinyca is a nice simple GUI that will do the job....) Just enter minimal information, and export the newly generated cert and key to files, being careful to set the expiration date nice and long, and export the key WITHOUT a password (otherwise you will have to provide a password every time apache is restarted).
Copy the exported certificate files to your server, into directory /etc/apache2/ssl. Now create an SSL block in the Apache Virtual Host where you would like SSL. The *:80 block will respond to normal http requests, and the *:443 block will respond to https (SSL) requests:
DocumentRoot /var/www/webroot ServerName subdomain.domain.com ServerAlias subdomain.domain.com ServerAdmin firstname.lastname@example.org CustomLog /var/log/apache2/access.log combinedNameVirtualHost *:443 DocumentRoot /var/www/webroot ServerName subdomain.domain.com ServerAlias subdomain.domain.com ServerAdmin email@example.com CustomLog /var/log/apache2/access.log combined SSLEngine on SSLCertificateFile /etc/apache2/ssl/cert.pem SSLCertificateKeyFile /etc/apache2/ssl/key.pem
I am not sure why the 443 block requires a NameVirtualHost line and the 80 block does not. Interestingly enough, this says "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol", which might have something to do with it? But despite this I currently HAVE got name-based virtual hosting working on SSL, unless there is something I do not understand here.
Here is a useful reference, in addition to the installed apache docs.