How to install Apache 2 with SSL on Linux (with mod_ssl, openssl)

This article gives step by step instructions on how to install Apache 2 with mod_ssl.
I prefer to install Apache from source, as it gives me more flexibility on exactly what modules I want to enable or disable, and I can also upgrade or apply patch immediately after it is released by the Apache foundation.

1. Download Apache

Download Apache from httpd.apache.org. The current stable release is 2.4.9.

Once you get the direct URL to download the latest stable version of Apache, use wget as shown below to download it directly to you server.

cd ~
wget http://mirror.sdunix.com/apache//httpd/httpd-2.4.9.tar.gz

2. Install Apache with SSL/TLS

View all available Apache installation and configuration options as shown below.

cd httpd-2.4.9
./configure –help

To install an Apache module, you would typically say –enable-{module-name}. For example, to install SSL with Apache, it is –enable-ssl. To install ldap module, it is –enable-ldap.

To uninstall any default module that comes with Apache, you would typically say –disable-{module-name}. For example, to disable basic authentication in Apache, it is –disable-auth-basic

In this example, we will install Apache with all default modules, with addition of –enable-ssl (to install mod_ssl for SSL support), and –enable-so, which helps to load modules in Apache during run-time via the Dynamic Shared Object (DSO) mechanism, rather than requiring a recompilation.

./configure --enable-ssl --enable-so
make
make install

Note: By default the above installs Apache under /usr/local/apache2. If you like to change this location, use –prefix option in the ./configure

3. Enable SSL in httpd.conf

Apache configuration file httpd.conf is located under /usr/local/apache2/conf.

Uncomment the httpd-ssl.conf Include line in the /usr/local/apache2/conf/httpd.conf file.

# vi /usr/local/apache2/conf/httpd.conf
Include conf/extra/httpd-ssl.conf

View the httpd-ssl.conf to review all the default SSL configurations. For most cases, you don’t need to modify anything in this file.

vi /usr/local/apache2/conf/extra/httpd-ssl.conf

The SSL certificate and key are required before we start the Apache. The server.crt and server.key file mentioned in the httpd-ssl.conf needs to be created before we move forward.

 egrep ‘server.crt|server.key’ httpd-ssl.conf

SSLCertificateFile “/usr/local/apache2/conf/server.crt”
SSLCertificateKeyFile “/usr/local/apache2/conf/server.key”

4. Create server.crt and server.key file

First, Generate the server.key using openssl.

cd ~
openssl genrsa -des3 -out server.key 1024

The above command will ask for the password. Make sure to remember this password. You need this while starting your Apache later.

If you don’t provide a password, you’ll get the following error message.

2415:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters

Next, generate a certificate request file (server.csr) using the above server.key file.

openssl req -new -key server.key -out server.csr

Finally, generate a self signed ssl certificate (server.crt) using the above server.key and server.csr file.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

For more details refer to: How To Generate SSL Key, CSR and Self Signed Certificate For Apache

5. Copy the server.key and server.crt

Copy the server.key and server.crt file to appropriate Apache configuration directory location.

cd ~
cp server.key /usr/local/apache2/conf/
cp server.crt /usr/local/apache2/conf/

6. Start the apache and verify SSL

Start the Apache as shown below.

/usr/local/apache2/bin/apachectl start

This will prompt you to enter the password for your private key.

Apache/2.2.17 mod_ssl/2.2.17 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

By default Apache SSL runs on 443 port. Open a web browser and verify that you can access your Apache using https://{your-ip-address}

Be the first to comment

Leave a Reply