Things look quiet here. But I've been doing a lot of blogging at
dan.langille.org because I prefer WordPress now.
Not all my posts there are FreeBSD related.
I am in the midst of migrating The FreeBSD Diary over to WordPress
(and you can read about that here).
Once the migration is completed, I'll move the FreeBSD posts into the
new FreeBSD Diary website.
I'm in the process of installing and configuring a web mail client.
I want to use one because I don't always have access to ssh from remote locations,
but I almost always have access to http. Everything in plain http is passed in
clear text, so I'm using SSL to encrypt the traffic. This hides both my
password and my email from anyone who happens to be snooping. And That's A Good
Thing (tm).
WARNING: If you already have Apache installed, you may find that your
existing installation will be broken for a while. Take a backup. At least take
a copy of your existing Apache configuration files.
A port is easy to install. Because I had all the port skeletons installed, I just had to do the following:
cd /usr/ports/www/apache13-modssl
make install
That will get the binaries installed. But I like to do more than just that.
What will Apache run as?
For example, I prefer to run Apache as user www and group www.
This is mostly for security reasons: if an exploit is ever found for Apache,
the attacker is restricted to what that user and group can do. That's simplified,
but it's a good start. You don't have to do this; the default is fine. Feel free
to ignore this section.
I have the following user. You can add it using adduser
or with vipw (if you do use vipw, remember to use an unallocated number; 99
may already be in use on your machine; the first 99 is the user ID, the second 99 is the
group ID; if you don't know what this means, then you should be using the adduser
command).
I also created the www group by adding this line to /etc/group (again, if you don't
know about this file, you should be using adduser):
www:*:99:
Configuration
There are a few things you should change in your Apache configuration file. By
default, this file is:
/usr/local/etc/apache/apache.conf
Note: sometimes this file is httpd.conf.
Here are the original entries and what I changed them to.
Original:     User nobody
              Group nobody
New values:   User www
              Group www
(Only make this change if the user www and the group www exist.)
Original:     ServerAdmin you@your.address
New values:   ServerAdmin webmaster@example.org
(Substitute your own email address.)
Testing the configuration
After making these changes, you should test them:
# /usr/local/sbin/apachectl configtest
Syntax OK
One day, at band camp, I found the following output:
# /usr/local/sbin/apachectl configtest
[Fri Jun 8 16:02:50 2001] [alert] httpd: Could not determine the server's
fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK
This can be fixed one of two ways. Either add a line like this to /etc/hosts:
192.168.0.23 dev.example.org
or a record like this to your DNS zone file:
dev IN A 192.168.0.23
The above solutions assume the host name is dev.example.org. Setting ServerName
explicitly in the Apache configuration file also makes the warning go away.
Starting and restarting the server
OK. Everything is fine. Now let's start the server:
# /usr/local/sbin/apachectl startssl
/usr/local/sbin/apachectl startssl: httpd started
It might take a while to start: mod_ssl is seeding its random number generator
for security reasons (the "Seeding PRNG" line in the log below).
Let's say you made a change to the configuration file and you want Apache to
take notice of it. Run a configtest first, then restart Apache. The SSL engine
log records what happened:
# tail apache_ssl_engine_log
[info] Init: 1st restart round (already detached)
[info] Init: Reinitializing OpenSSL library
[info] Init: Seeding PRNG with 1160 bytes of entropy
[info] Init: Configuring temporary RSA private keys (512/1024 bits)
[info] Init: Configuring temporary DH parameters (512/1024 bits)
[info] Init: Initializing (virtual) servers for SSL
[info] Init: Configuring server new.host.name:443 for SSL protocol
[warn] Init: (new.host.name:443) RSA server certificate CommonName
(CN) `www.snakeoil.dom' does NOT match server name!?
That "snakeoil" is the default SSL certificate which comes with the install.
We'll replace that later with our own test certificate.
Remember your firewall
If you have a firewall, remember to give access to port 443, which is https.
Browse!
Now point your browser at your web server. Try the address http://server,
where server is the IP address or name of your webserver. You should see something
like this:
Hey, it worked !
The SSL/TLS-aware Apache webserver was
successfully installed on this website.
Then try https://server which should give you the same screen.
Getting a certificate
I'm about to describe how to create your own testing certificate.
This is not a certificate which you can use for public consumption. If the public
are going to be using your website, then you should get a proper certificate. How
you do that is beyond the scope of this article. I'm now going to show you how I
generated my testing certificate.
The commands I issued are:
# cd /usr/ports/www/apache13-modssl
# make certificate
I changed the values for the fields I knew and accepted the defaults for everything
else. This will create the certificates in the following directory:
Look for two sub-directories, ssl.crt and ssl.key. The
contents of these directories are copied into the Apache directory. But
first, I saved the existing certificates in case I needed them:
Then you need to restart Apache. I originally tried just a "graceful",
but that failed to pick up the new certificate. So I did a stop and then a start.
Here's what I saw:
# /usr/local/sbin/apachectl startssl
Apache/1.3.14 mod_ssl/2.7.1 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server new.host.name:443 (RSA)
Enter pass phrase:
Ok: Pass Phrase Dialog successful.
/usr/local/sbin/apachectl startssl: httpd started
This is good. I added a passphrase when creating the certificate, and that
passphrase is required when starting the webserver, so I had to enter it
manually. I don't know what I'll do upon startup.
There are security issues associated with passphrase
removal. Read the above URL and make your own decision.
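The port's "make certificate" target is, underneath, a sequence of openssl commands. The script below is an added example, not part of the original article or of the port, that does those steps by hand so you can inspect and check what is produced before Apache loads it: the certificate's CN is set to the server name (the mismatch the snakeoil warning above complains about), the key and certificate are checked to belong to each other, the pass-phrase is stripped into a separate root-only file (the trade-off discussed above: unattended startup versus a clear-text key on disk), and the certificate's SHA-256 fingerprint is printed so you can tell later whether a browser or a server is still holding a stale copy. The host name dev.example.org, the pass-phrase "change-me", the output directory and the file names are assumptions; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the article or the apache13-modssl port).
# Assumptions: openssl on PATH; HOST, PASS and OUTDIR are placeholders.

HOST="${HOST:-dev.example.org}"   # must equal the ServerName in httpd.conf
OUTDIR="${OUTDIR:-./testcert}"    # where the generated files go
PASS="pass:change-me"             # placeholder pass-phrase for the encrypted key

# Generate an AES-encrypted RSA key and a self-signed certificate whose CN is
# the server name, so mod_ssl does not warn "CommonName does NOT match".
make_test_cert() {
    mkdir -p "$OUTDIR" && chmod 700 "$OUTDIR"
    openssl genrsa -aes128 -passout "$PASS" -out "$OUTDIR/server.key" 2048 2>/dev/null
    openssl req -new -x509 -days 30 -key "$OUTDIR/server.key" -passin "$PASS" \
        -subj "/CN=$HOST" -out "$OUTDIR/server.crt" 2>/dev/null
}

# The subject as mod_ssl sees it when comparing the CN against ServerName.
cert_cn() {
    openssl x509 -in "$OUTDIR/server.crt" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}

# A key/certificate mix-up (old key, new cert) is the usual cause of a
# "key values mismatch" at startup: compare the RSA modulus of both files.
key_matches_cert() {
    k=$(openssl rsa -in "$OUTDIR/server.key" -passin "$PASS" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$OUTDIR/server.crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Removing the pass-phrase lets httpd start unattended but leaves the private
# key in clear on disk; the compensating control is a restrictive umask and
# mode so only the user that starts httpd (root) can read it.
strip_passphrase() {
    ( umask 077
      openssl rsa -in "$OUTDIR/server.key" -passin "$PASS" \
          -out "$OUTDIR/server.key.nopass" 2>/dev/null )
    chmod 400 "$OUTDIR/server.key.nopass"
}

# Permission string of the clear-text key, for checking it is not readable
# by the www user or anyone else (ls -l is portable across BSD and GNU).
nopass_key_mode() {
    ls -l "$OUTDIR/server.key.nopass" | cut -c1-10
}

# SHA-256 fingerprint of the certificate on disk. Write it down: a browser
# that cached an earlier test certificate fails in exactly the way described
# under "Problems I encountered", and this is how you tell old from new.
cert_fingerprint() {
    openssl x509 -in "$OUTDIR/server.crt" -noout -fingerprint -sha256 |
        sed 's/^.*=//'
}

# Fingerprint of the certificate a running server actually presents (needs a
# live httpd on port 443); compare with cert_fingerprint after a restart to
# confirm the new certificate is really being served.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

if [ "${1:-}" = "run" ]; then
    make_test_cert
    echo "CN:          $(cert_cn)"
    key_matches_cert && echo "key/cert:    match"
    strip_passphrase
    echo "key mode:    $(nopass_key_mode)"
    echo "fingerprint: $(cert_fingerprint)"
fi
```

Run it as "sh testcert.sh run", then copy server.crt into ssl.crt and whichever key file you decided on into ssl.key, and do a full stop and start rather than a graceful restart, as noted below.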
Confirming the encryption
I wanted to confirm that my https connection was indeed encrypted.
Under Netscape, I looked at View->Page Info. Included on that page was this
message:
Security:
This is a secure document that uses a high-grade
encryption key for U.S. domestic use only (RC4, 128 bit).
That indicates the document *is* indeed encrypted. That's good enough for me.
Problems I encountered
When I tried to browse to the website from Netscape 4.74, I was greeted
with the following message box:
SSL has received an error from the server indicating an incorrect Message
Authentication Code. This could indicate a network error, a bad server implementation, or
a security violation.
The following errors were found in /var/log/apache_error_log:
[error] mod_ssl: SSL handshake failed (server new.host.name:443,
client 10.0.0.99) (OpenSSL library error follows)
[error] OpenSSL: error:0407106B::lib(4) :func(113) :reason(107)
[error] OpenSSL: error:04065072::lib(4) :func(101) :reason(114)
[error] OpenSSL: error:1408F071::lib(20) :SSL3_GET_RECORD:bad
mac decode [Hint: Browser still remembered details of a
re-created server certificate?]
If I used IE4, I didn't have a problem. I was confused.
The next day, I tried Netscape again. It worked. I think it was because I
had restarted the Netscape session (i.e. stopped Netscape and ran it again). I
conclude that because Netscape went through the "Oh, here's a new certificate, but it
doesn't look quite right to me..." messages. Then Netscape worked just fine
with https.
See the next section for the solution to the above.
Error solution (13 July 2001)
It's always good when someone else writes in with a solution to a perplexing problem.
Date sent: Fri, 13 Jul 2001 08:23:26 -0400
From: "Callum M. Duncan"
To: comments at freebsddiary in dot org
Subject: Apache with SSL certificate error
I ran across the same error the other day while building Apache + SSL +
(countless other modules). Every time I built Apache, I just ran another
`make certificate`... just a test cert, so I didn't care about keeping
the old one.
Obviously Netscape had issues when my new Apache presented a certificate
that did not match the original. The trick was to delete the old
certificate(s).
The certificates can be found by digging through the following menus:
Window
Tools
Security Info
Hopefully this will save some people some confusion, or at least having to
wait around. (Though I am surprised that worked, but maybe you set a very
low expiry)
Anyway, thank you for such a great FreeBSD resource!
Cheers,
Callum
Indeed that did solve the problem. I can now use Netscape for that URL. For those with
an older version of netscape, the menu location is Communicator | Tools | Security Info.
Today I wanted to install SSL on an existing webserver. In fact, it was
the one on which FreshPorts runs. When I
followed the above instructions, I wound up with a completely new install of Apache.
Even the old one wouldn't work. So here, in brief, is what I did:
I made a backup of everything.
Deinstalled all Apache, SSL, and PHP packages (see the output from pkg_info and use pkg_delete to
remove them).
Did the install as detailed in this article.
Installed mod_php4 (I took the opportunity to upgrade from mod_php3).
Because many of my existing files are .php3, I made sure the following items were in my
Apache configuration file: