Howtos:Configure SSL on Debian Lenny

From OCS Inventory NG

Configuration of SSL on Apache

Enable mod SSL

a2enmod ssl

If all is OK, this message should appear:

Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Create VirtualHost

Create the file /etc/apache2/sites-available/ssl:

#NameVirtualHost *:443
<VirtualHost nunux.home:443>
        ServerAdmin moi@myprovider.com
        ServerName nunux.home

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        SSLEngine On
        # Note: this cipher list still admits export, LOW and eNULL (null-encryption)
        # suites as well as SSLv2; restrict it to HIGH-strength suites for anything
        # beyond a lab setup.
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLCertificateFile /etc/apache2/ssl/server.crt
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
</VirtualHost>

Create the SSL private key

openssl genrsa -des3 -out server.key 1024

If all is OK, this message should appear (the passphrase typed here is "salut"):

Generating RSA private key, 1024 bit long modulus
.................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: salut
Verifying - Enter pass phrase for server.key: salut

Fix configuration

Remove the passphrase from the key file so that Apache does not ask for it at every start:

mv server.key server-old.key
openssl rsa -in server-old.key -out server.key

If all is OK, this message should appear:

Enter pass phrase for server-old.key: salut
writing RSA key

Create certificate

openssl req -new -key server.key -out server.csr

Answer the questions:

        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:FR
        State or Province Name (full name) [Some-State]:
        Locality Name (eg, city) []:MAVILLE
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:MABOITE
        Organizational Unit Name (eg, section) []:
        Common Name (eg, YOUR name) []:
        Email Address []:moi@monFAI.com

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:  <<<<------- you do not have to specify a password (press ENTER to continue)
        An optional company name []:

Self-signed certificate

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

If all is OK, this message should appear:

Signature ok
subject=/C=FR/ST=Some-State/L=MAVILLE/O=MABOITE/emailAddress=moi@monFAI.com
Getting Private key

Include certificate

Store the two files in an Apache sub-directory:

mkdir /etc/apache2/ssl
cp server.crt /etc/apache2/ssl/
cp server.key /etc/apache2/ssl/
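As an added example (not part of the original howto), the key, CSR and self-signed certificate steps above run non-interactively, followed by the checks worth doing before copying the files into /etc/apache2/ssl: that the key no longer carries a passphrase, that key and certificate belong together, and that the certificate is not already expired. It assumes openssl is installed; the output directory, the DN values and the 2048-bit key size are this example's choices, not the page's.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the page's openssl steps plus sanity checks.
# Assumption: the openssl command-line tool is available in PATH.
set -eu

# make_selfsigned DIR DAYS CN -> writes DIR/server.key (no passphrase), server.csr, server.crt
make_selfsigned() {
    dir=$1; days=$2; cn=$3
    mkdir -p "$dir"
    # Generate the key without a passphrase straight away (same result as the
    # page's genrsa -des3 followed by 'openssl rsa -in ... -out ...').
    # 2048 bits is this example's choice; the page uses 1024.
    openssl genrsa -out "$dir/server.key" 2048
    chmod 600 "$dir/server.key"   # unencrypted key: only root should read it
    # The DN is passed with -subj instead of answering the interactive prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=FR/ST=Some-State/L=MAVILLE/O=MABOITE/CN=$cn/emailAddress=moi@monFAI.com"
    # Self-sign the request with the same key, as the page does.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt"
}

# check_pair DIR -> returns 0 only if the key is unencrypted, matches the
# certificate, and the certificate is currently valid
check_pair() {
    dir=$1
    if grep -q ENCRYPTED "$dir/server.key"; then
        echo "key still carries a passphrase; Apache would prompt at startup" >&2
        return 1
    fi
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "server.key and server.crt do not match" >&2
        return 1
    fi
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -noout -checkend 0 -in "$dir/server.crt" >/dev/null
}

# cert_cn DIR -> prints the Common Name from the certificate subject
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/server.crt" \
        | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}
```

Run as `make_selfsigned /tmp/ssl 3650 nunux.home && check_pair /tmp/ssl` and copy the resulting server.key and server.crt into /etc/apache2/ssl as described above.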


Enable SSL VirtualHost

Enable the virtual host:

a2ensite ssl

Restart Apache and test in a browser at https://IP_Server:

/etc/init.d/apache2 restart