The FreeBSD Diary

Apache with SSL 11 November 2000
I'm in the process of installing and configuring a web mail client.   I want to use one because I don't always have access to ssh from remote locations.   But they almost always have access to http.  But everything in http is passed in clear text.  So I'm using SSL to encrypt the traffic.  This will hide both my password and my email from anyone who happens to be snooping.  And That's A Good Thing (tm).

WARNING: If you already have Apache installed, you may find that your existing installation will be broken for a while.  Take a backup.  At least take a copy of your existing Apache configuration files.

If you do want to add SSL to an existing installation, read Integration with an existing Apache first.

Installing the port
A port is easy to install.  And because I had all the port skeletons installed, I just had to do the following:
cd /usr/ports/www/apache13-modssl
make install

That will get the binaries installed.  But I like to do more than just that.

What will Apache run as?
For example, I prefer to run Apache as user www and group www.   This is mostly for security reasons.  If an exploit is ever found for Apache, an attacker who uses it is restricted to what that user and group can do.  That's simplified, but it's a good start.  You don't have to do this.  It's fine with the default.  Feel free to ignore this section.

I have the following user.  You can add this using adduser or with vipw (and if you do use vipw, remember to use an unallocated number; 99 may already be in use on your machine; the first 99 is the User ID; the second 99 is the group id; if you don't know what this means, then you should be using the adduser command). 

www:*:99:99::0:0:apache Daemon:/nonexistent:/sbin/nologin

I also created the www group by adding this line to /etc/group (again, if you don't know about this file, you should be using adduser):

www:*:99:

Configuration
There are a few things you should change in your Apache configuration file.  By default, this file is:
/usr/local/etc/apache/apache.conf

Note: sometimes this file is httpd.conf.

Here are the original entries and what I changed them to.

Original                        New values
User nobody                     User www
Group nobody                    Group www

Only make this change if the user (www) and group (www) exist.

ServerAdmin you@your.address    ServerAdmin webmaster@example.org

Substitute your email address.

Testing the configuration
After making these changes, you should test them:
# /usr/local/sbin/apachectl configtest
Syntax OK

One day, at band camp, I found the following output:

# /usr/local/sbin/apachectl configtest
[Fri Jun  8 16:02:50 2001] [alert] httpd: Could not determine the server's
fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK

This can be fixed one of two ways.  Either add something like this to /etc/hosts:

192.168.0.23    dev.example.org

or something like this to your DNS zonefile:

dev         IN      A     192.168.0.23

The above solutions assume the host name is dev.example.org.

Starting and restarting the server
OK.  Everything is fine.  Now let's start the server:
# /usr/local/sbin/apachectl startssl
/usr/local/sbin/apachectl startssl: httpd started

It might take a while to start. It's creating a new random number for security reasons.

Let's say you made a change to the configuration file.  Now you want Apache to take notice of the change.  Here's the command you can issue.  You should first do a configtest.

# /usr/local/sbin/apachectl graceful
/usr/local/sbin/apachectl graceful: httpd gracefully restarted

Checking for problems
It's a good idea to check the logs, just in case:
# tail apache_error_log
[notice] SIGUSR1 received.  Doing graceful restart
[notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.4 
                 configured -- resuming normal operations

Similarly, remember to check the SSL engine log:

# tail apache_ssl_engine_log
[info]  Init: 1st restart round (already detached)
[info]  Init: Reinitializing OpenSSL library
[info]  Init: Seeding PRNG with 1160 bytes of entropy
[info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[info]  Init: Configuring temporary DH parameters (512/1024 bits)
[info]  Init: Initializing (virtual) servers for SSL
[info]  Init: Configuring server new.host.name:443 for SSL protocol
[warn]  Init: (new.host.name:443) RSA server certificate CommonName 
               (CN) `www.snakeoil.dom' does NOT match server name!?

That "snakeoil" is the default SSL certificate which comes with the install.   We'll replace that later with our own test certificate.
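The warning above is easy to miss in a long log.  The following added example (not from the original article or from mod_ssl) pulls the CN mismatch warnings out of engine-log text and marks the ones caused by the default snakeoil certificate.  The function names are made up for illustration; the sample input is the log excerpt shown above, line wrapping included.

```shell
#!/bin/sh
# Added example, not from the article: list SSL virtual hosts whose
# certificate CN does not match the server name, from engine-log text on stdin.
# Output per host: "<host:port> <certificate CN> <default-cert|mismatch>"
cn_mismatches() {
    awk -v q="'" -v snakeoil="www.snakeoil.dom" '
        # A line starting with whitespace continues the previous entry
        # (the article shows the [warn] entry wrapped onto two lines).
        /^[ \t]+/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
        { if (buf != "") check(buf); buf = $0 }
        END { if (buf != "") check(buf) }

        function check(line,    host, cn, i) {
            if (line !~ /\[warn\]/) return
            if (line !~ /does NOT match server name/) return
            host = line
            sub(/^.*Init: \(/, "", host)   # drop everything before host:port
            sub(/\).*/, "", host)          # drop everything after it
            cn = line
            sub(/^[^`]*`/, "", cn)         # CN starts after the backtick
            i = index(cn, q)               # and ends at the closing quote
            if (i) cn = substr(cn, 1, i - 1)
            print host, cn, (cn == snakeoil ? "default-cert" : "mismatch")
        }
    '
}

# Log excerpt as shown in the article, wrapping included.
sample_log() {
    cat <<'EOF'
[info]  Init: Initializing (virtual) servers for SSL
[info]  Init: Configuring server new.host.name:443 for SSL protocol
[warn]  Init: (new.host.name:443) RSA server certificate CommonName 
               (CN) `www.snakeoil.dom' does NOT match server name!?
EOF
}

sample_log | cn_mismatches
```

Against a real server you would feed it the log itself, for example: cn_mismatches < apache_ssl_engine_log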

Remember your firewall
If you have a firewall, remember to give access to port 443, which is https.

Browse!
Now point your browser at your web server.  Try the address: http://server, where server is the IP address or name of your webserver.  You should see something like this:

Hey, it worked !
The SSL/TLS-aware Apache webserver was
successfully installed on this website.

Then try https://server which should give you the same screen.

Getting a certificate
I'm about to describe how to create your own testing certificate.   This is not a certificate which you can use for public consumption.  If the public are going to be using your website, then you should get a proper certificate.   How you do that is beyond the scope of this article.  I'm now going to show you how I generated my testing certificate.

The commands I issued are:

# cd /usr/ports/www/apache13-modssl
# make certificate

I changed the value for the fields I knew and accepted the defaults for everything else.  This will create the certificates in the following directory:

/usr/ports/www/apache13-modssl/work/apache_1.3.14/conf

Look for two sub-directories, ssl.crt and ssl.key.  The contents of these directories will be copied to the apache home directory.  But first, I saved the existing certificates in case I needed them:

# cd /usr/local/etc/apache
# mv ssl.crt ssl.crt-default
# mv ssl.key ssl.key-default

Then I copied the new keys over:

# cd /usr/ports/www/apache13-modssl/work/apache_1.3.14/conf
# cp -rp ssl.key /usr/local/etc/apache
# cp -rp ssl.crt /usr/local/etc/apache

Then you need to restart Apache.  I originally tried just a "graceful", but that failed to pick up the new certificate.  So I did a stop and then a start.   Here's what I saw:

# /usr/local/sbin/apachectl startssl
Apache/1.3.14 mod_ssl/2.7.1 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server new.host.name:443 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
/usr/local/sbin/apachectl startssl: httpd started

This is good.  I added a passphrase when creating the certificate.  This passphrase is required when starting up the webserver.  Therefore, I had to enter it manually.  I don't know what I'll do upon startup.

Removing the passphrase
If you later decide you don't want the passphrase, there is something you can do.  Have a read of http://www.modssl.org/docs/2.7/ssl_faq.html#ToC31 (this URL was provided by Snick^).

There are security issues associated with passphrase removal.  Read the above URL and make your own decision.
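
The following added example (not from the original article or from mod_ssl) checks the two things that matter once a passphrase is gone: whether a key file is still encrypted, and whether anyone other than its owner can read it.  The function names and sample files are made up for illustration, and owner-only permissions are treated as sufficient on the assumption that root owns the file.

```shell
#!/bin/sh
# Added example, not from the article: audit PEM private keys for passphrase
# protection and file permissions. Sample keys are constructed placeholders.

# key_protection FILE -> encrypted | plaintext | not-a-key
key_protection() {
    grep -q 'PRIVATE KEY-----' "$1" || { echo not-a-key; return 0; }
    # Traditional PEM has a Proc-Type header; PKCS#8 has its own BEGIN line.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    else
        echo plaintext
    fi
}

# key_perms FILE -> owner-only | shared
key_perms() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) echo owner-only ;;
        *)      echo shared ;;
    esac
}

# audit_key FILE -> "<OK|WARN|FAIL|SKIP> <protection> <perms>"
audit_key() {
    prot=$(key_protection "$1"); perms=$(key_perms "$1")
    case "$prot/$perms" in
        not-a-key/*)      verdict=SKIP ;;
        plaintext/shared) verdict=FAIL ;;  # unencrypted, readable beyond owner
        encrypted/shared) verdict=WARN ;;  # only the passphrase protects it
        *)                verdict=OK ;;
    esac
    echo "$verdict $prot $perms"
}

# Constructed samples: encrypted, stripped + chmod 400, stripped + chmod 644.
make_sample_keys() {
    b='-----BEGIN RSA PRIVATE KEY-----'; e='-----END RSA PRIVATE KEY-----'
    printf '%s\n' "$b" 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,00' \
        PLACEHOLDER "$e" > "$1/encrypted.key"
    printf '%s\n' "$b" PLACEHOLDER "$e" > "$1/stripped.key"
    cp "$1/stripped.key" "$1/stripped-open.key"
    chmod 400 "$1/encrypted.key" "$1/stripped.key"
    chmod 644 "$1/stripped-open.key"
}
d=$(mktemp -d /tmp/keyaudit.XXXXXX) && make_sample_keys "$d"
for f in "$d"/*.key; do echo "${f##*/}: $(audit_key "$f")"; done; rm -rf "$d"
```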

Confirming the encryption
I wanted to confirm that my https connection was indeed encrypted.   Under Netscape, I looked at View->Page Info.  Included on that page was this message:
Security: This is a secure document that uses a high-grade encryption key for U.S. domestic use only (RC4, 128 bit).

That indicates the document *is* indeed encrypted.  That's good enough for me.

Problems I encountered
When I tried to browse to the website from Netscape 4.74, I was greeted with the following message box:

SSL has recieved an error from the server indicating an incorrect Message Authentication Code. This could indicate a network error, a bad server implementation, or a security violation.

The following errors were found in /var/log/apache_error_log:

[error] mod_ssl: SSL handshake failed (server new.host.name:443, 
         client 10.0.0.99) (OpenSSL library error follows)
[error] OpenSSL: error:0407106B::lib(4) :func(113) :reason(107)
[error] OpenSSL: error:04065072::lib(4) :func(101) :reason(114)
[error] OpenSSL: error:1408F071::lib(20) :SSL3_GET_RECORD:bad 
         mac decode [Hint: Browser still remembered details of a 
         re-created server certificate?]

If I used IE4, I didn't have a problem.  I was confused.

The next day, I tried Netscape again.  It worked.  I think it was because I had restarted the Netscape session (i.e. stopped Netscape and ran it again).  I conclude that because Netscape went through the "Oh, here's a new certificate, but it doesn't look quite right to me..." messages.  Then Netscape worked just fine with https.

See the next section for the solution to the above.

Error solution 13 July 2001

It's always good when someone else writes in with a solution to a perplexing problem.

Date sent:      	Fri, 13 Jul 2001 08:23:26 -0400
From:           	"Callum M. Duncan"
To:             	comments at freebsddiary in dot org
Subject:        	Apache with SSL certificate error

I ran across the same error the other day while building Apache + SSL +
(countless other modules). Every time I built Apache, I just ran another 
`make certificate`... just a test cert, so I didn't care about keeping 
the old one.

Obviously Netscape had issues when my new Apache presented a certificate
that did not match the original. The trick was to delete the old 
certificate(s).

The certificates can be found by digging through the following menus:

Window
Tools
Security Info

Hopefully this will save some people some confusion, or at least having to
wait around. (Though I am surprised that worked, but maybe you set a very 
low expiry)

Anyway, thank you for such a great FreeBSD resource!
Cheers,
Callum

Indeed that did solve the problem. I can now use Netscape for that URL. For those with an older version of Netscape, the menu location is Communicator | Tools | Security Info.

Integration with an existing Apache
Today I wanted to install SSL on an existing webserver. In fact, it was the one on which FreshPorts runs.  When I followed the above instructions, I wound up with a completely new install of Apache.   Even the old one wouldn't work.  So here, in brief, is what I did:
  • I made a backup of everything.
  • Deinstalled all apache, ssl, and php (see the output from pkg_info and use pkg_delete to remove them).
  • Did the install as detailed in this article.
  • Installed mod_php4 (I took the opportunity to upgrade from mod_php3).
  • Because I had many existing .php3 files, I made sure the following items were in my Apache configuration file:
    DirectoryIndex index.php index.html index.php3
    AddType application/x-httpd-php .php .php3

I modified these two lines to ensure that .php3 files worked for me.

