mod_ssl installation notes (2002/06/21)
・Done on Intel Solaris 8 (2/02 edition), with GNU make and GNU patch installed.
・The apache that ships with the OS was removed.
・apache-1.3.26 was used (recompiled so that DSO can be used).
・OpenSSL (source) is required.
・A random number device (ANDIrand) is required.
mod_ssl is a module that adds a secure port (https) to Apache.
Official site: mod_ssl
Reference: fkimura's home page
Reference: Making Apache SSL-capable and configuring it (IT@)
1. Install mod_ssl (openssl must already be installed).
% cd /opt/local/src
% wget http://www.modssl.org/source/mod_ssl-2.8.9-1.3.26.tar.gz
% gzip -cd mod_ssl-2.8.9-1.3.26.tar.gz | tar xf -
% cd mod_ssl-2.8.9-1.3.26
% ./configure --with-apache=../apache_1.3.26 --with-ssl=../openssl-0.9.6c
On success, a message like the following appears:
Creating Makefile in src/support
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl
Now proceed with the following commands:
$ cd ../apache_1.3.26
$ make
$ make certificate
$ make install
2. Recompile Apache. Note: do not run make install yet.
% cd /opt/local/src/apache_1.3.26
% env SSL_BASE=/opt/local/src/openssl-0.9.6c env CFLAGS=-O3 \
./configure --prefix=/opt/local/apache \
--enable-module=most --enable-shared=max \
--enable-module=ssl
% make
3. Issue the certificate.
% make certificate
4. To issue the certificate, answer a series of questions. The answers that were entered are shown (in red in the original) after each prompt.
make[1]: Entering directory `/opt/local/src/apache_1.3.26/src'
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________
STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:R
______________________________________________________________________
STEP 1: Generating RSA private key (1024 bit) [server.key]
1559677 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..................++++++
...............++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 2: Generating X.509 certificate signing request [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:JP
2. State or Province Name (full name) [Snake Desert]:Tokyo
3. Locality Name (eg, city) [Snake Town]:Akasaka
4. Organization Name (eg, company) [Snake Oil, Ltd]:Hoge
5. Organizational Unit Name (eg, section) [Webserver Team]:Network Administrator
6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.sea-bird.org
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:webmaster@sea-bird.org
8. Certificate Validity (days) [365]:1000
______________________________________________________________________
STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=JP/ST=Tokyo/L=Setagaya/O=rain/OU=Network Administrator/CN=www.sea-bird.org/Email=webmaster@sea-bird.org
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/Email=ca@snakeoil.dom
error 10 at 1 depth lookup:certificate has expired
OK
______________________________________________________________________
STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:Y
read RSA key
writing RSA key
Enter PEM pass phrase: ← the string used for creating the certificate (be sure to remember it)
Verifying password - Enter PEM pass phrase: ← enter the string used for creating the certificate again
Fine, you're using an encrypted RSA private key.
______________________________________________________________________
RESULT: Server Certification Files
o conf/ssl.key/server.key
The PEM-encoded RSA private key file which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our demonstration-only Snake Oil CA) which later can replace
the conf/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
make[1]: Leaving directory `/opt/local/src/apache_1.3.23/src'
5. Reinstall Apache and create the document root directory for SSL.
% su
# make install
# cd /opt/local/apache
# mkdir ssl-cgi-bin
6. Edit the httpd.conf file.
% su
# cd /opt/local/apache/conf
# vi httpd.conf
LoadModule ssl_module libexec/libssl.so
AddModule mod_ssl.c
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
#Listen 3000
#Listen 12.34.56.78:80
Listen 80
# Apache+mod-ssl
Listen 443
<VirtualHost _default_:443>
DocumentRoot "/opt/local/apache/ssl-cgi-bin"
SSLEngine On
SSLCertificateKeyFile /opt/local/apache/conf/ssl.key/server.key
SSLCertificateFile /opt/local/apache/conf/ssl.crt/server.crt
CustomLog /opt/local/apache/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x%{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
7. Decrypt the private key.
% su
# cd /opt/local/apache/conf/ssl.key
# mv server.key default_server.key
# /usr/local/bin/openssl rsa -in default_server.key -out server.key
read RSA key
Enter PEM pass phrase: ← enter the string that was entered when the certificate was created
writing RSA key
# chmod 400 server.key
8. Try starting ssl-apache..... but
# /opt/local/apache/bin/apachectl startssl
[Sun Mar 17 16:18:47 2002] [warn] Loaded DSO libexec/libdav.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
[Sun Mar 17 16:18:47 2002] [warn] Loaded DSO libexec/mod_encmssjis.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
[Sun Mar 17 16:18:47 2002] [warn] Loaded DSO libexec/libphp4.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
Huh? The mod_ modules crash? Broken? What now?
9. When installing mod_ssl, it seems the other modules have to be recompiled with "-DEAPI" added... (tears)
mod_dav
% cd /opt/local/src/mod_dav-1.0.3-1.3.6
% env CFLAGS="-O3 -DEAPI" \
./configure --with-apxs=/opt/local/apache/bin/apxs \
--with-apache=/opt/local/apache --with-expat=/usr/local
% make
% su
# make install
mod_encmssjis
% cd /opt/local/src/mod_encmssjis
% env CFLAGS="-O3 -DEAPI" /opt/local/apache/bin/apxs -c mod_encmssjis.c
% su
# /opt/local/apache/bin/apxs -i mod_encmssjis.so
mod_php4
% cd /opt/local/src/php-4.1.2
% env CFLAGS="-O3 -DEAPI" \
./configure --with-pgsql --with-apxs=/opt/local/apache/bin/apxs \
--with-pgsql=/opt/local/pgsql
10. Pulling myself together... try starting ssl-apache again..... and again (>_<)
# /opt/local/apache/bin/apachectl startssl
[Sun Mar 17 18:02:00 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Sun Mar 17 18:02:00 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Sun Mar 17 18:02:00 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
No device that generates random numbers? Huh?
11. Three minutes of searching... found it. Apparently Intel Solaris 8 has no random number device. Nothing for it, let's install ANDIrand.
% cd /opt/local/pkg
% wget http://www.cosy.sbg.ac.at/~andi/SUNrand/pkg/ANDIrand-0.7-5.8-x86-1.pkg
# pkgadd -d ANDIrand-0.7-5.8-x86-1.pkg
12. Third time (^◇^): this time it came up fine. The browser asks "this site's certificate was not properly issued, it may be unsafe, is that OK?", but just click OK. Access works!
https://localhost/
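As an added check, not part of the original memo: a small sh script to run before apachectl startssl that covers the two things that went wrong in steps 7 and 11 above, the pass-phrase-less server.key (whose file mode is now its only protection) and the missing random device. The key path and /dev/random are assumptions taken from the memo's layout and are passed as arguments.

```shell
#!/bin/sh
# Added pre-start check (not from the original memo). It covers the two
# things that bit the author above: the step 7 server.key now has no pass
# phrase, so its file mode is its only protection, and the step 11 random
# device, without which OpenSSL reports "PRNG not seeded".
# Paths are assumptions taken from the memo's layout: the key normally lives
# at /opt/local/apache/conf/ssl.key/server.key and the device at /dev/random.

key_is_encrypted() {
    # Traditional PEM (openssl rsa -des3 output) and PKCS#8 encrypted keys.
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

key_mode_is_private() {
    # Works on Solaris and Linux alike: columns 5-10 of "ls -l" are the
    # group and other permission bits; all dashes means only the owner can read.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight_check KEY RANDDEV: prints each finding, returns 0 only when
# apachectl startssl can come up unattended with the key still private.
preflight_check() {
    key="$1"; rnd="$2"; rc=0
    if [ ! -c "$rnd" ]; then
        echo "$rnd missing: OpenSSL will fail with 'PRNG not seeded' (install ANDIrand)"
        rc=1
    fi
    if [ ! -f "$key" ]; then
        echo "$key missing"
        return 1
    fi
    if key_is_encrypted "$key"; then
        echo "$key is pass phrase protected: startssl will prompt for it"
        rc=1
    fi
    if ! key_mode_is_private "$key"; then
        echo "$key readable by group/other: chmod 400 $key"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "preflight ok"
    return "$rc"
}

# Run directly as: sh preflight.sh /opt/local/apache/conf/ssl.key/server.key /dev/random
if [ $# -gt 0 ]; then
    preflight_check "$1" "${2:-/dev/random}"
fi
```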