RedHatサーバインストール
mod_sslを使ったApacheのSSL対応
HTTPの暗号化
webサーバを Apacheで構築する際、通信を暗号化するための方法
- Apache に mod_ssl と言う ssl モジュールを組み込む
- Apache のソースに Apachessl というパッチを当ててコンパイルする
- proxy サーバを利用する
今回は
- 最新のApacheに対応した Apachessl がない( 2005/6/8 現在 )
- porxy サーバを立てるとレスポンスが遅くなる
という理由から mod_ssl を組み込む方法に決定
インストール前の準備
ソースの取得
apache1.3.33
URL : http://www.apache.org/dist/httpd/
から apache_1.3.33.tar.gz を選択してダウンロード(約 2.4 Mbyte)
openssl-0.9.7g
URL : http://www.openssl.org/source/
から openssl-0.9.7g.tar.gz を選択してダウンロード(約 3.0 Mbyte)
mod_ssl-2.8.22-1.3.33
URL : http://www.modssl.org/source/ または hrhttp://www.modssl.org/
から mod_ssl-2.8.22-1.3.33.tar.gz (Apache 1.3.33 用)を選択してダウンロード(約 0.7 Mbyte)
旧 Apache の削除
今回の環境ではOSインストール時に rpm 版の Apache がインストールされていたので削除
現在インストールされている rpm の確認
rootでログイン
> rpm -qa | grep apache
apache-1.3.19-5
apacheconf-0.7-2
Apache-1.3.19-5 を削除
> rpm -e apache-1.3.19-5
エラー:これらのパッケージを削除すると依存性を破棄します:
apacheは apacheconf-0.7-2
apache = 1.3.19-5は mod_ssl-2.8.1-5 に必要とされています
webserverは mod_dav-1.0.2-4 に必要とされています
webserverは mod_perl-1.24_01-2 に必要とされています
エラーが出るので依存関係にあるパッケージを削除
> rpm -e mod_perl-1.24_01-2
> rpm -e mod_dav-1.0.2-4
> rpm -e mod_ssl-2.8.1-5
エラー: removal of /var/cache/ssl_gcache_data.sem failed: そのようなファイルやディレクトリはありません
エラー: removal of /var/cache/ssl_gcache_data.pag failed: そのようなファイルやディレクトリはありません
エラー: removal of /var/cache/ssl_gcache_data.dir failed: そのようなファイルやディレクトリはありません
エラー: cannot remove /etc/httpd/conf/ssl.key - directory not empty
エラー: cannot remove /etc/httpd/conf/ssl.crt - directory not empty
その他の依存関係はないようなので apacheconf を削除
> rpm -e apacheconf-0.7.2
その後 Apache 削除
> rpm -e apache-1.3.19-5
エラー: cannot remove /var/www/html - directry not empty
エラー: cannot remove /var/www - directory not empty
エラー: cannot remove /usr/lib/apache - directory not empty
エラー: cannot remove /etc/httpd/conf - directory not empty
エラー: cannot remove /etc/httpd - directory not empty
/var/www/
/etc/httpd/
remove
/var/www と /etc/httpd は前の Apache の残骸と思われるので削除
> cd /var
> rm -rf www
> cd /etc
> rm -rf httpd
ソースの解凍・展開
ソースのあるディレクトリ (今回は /tmp ) へ移動して解凍・展開
※Apache と mod_sslのコンフィギュアーは同時に行なうので先に展開しておく
> cd /tmp
> tar xvfz openssl-0.9.7g.tar.gz
> tar xvfz apache_1.3.33.tar.gz
> tar xvfz mod_ssl-2.8.22-1.3.33.tar.gz
openssl のインストール
コンフィギュアー
※ ./configure ではなく ./config
> cd /tmp/openssl-0.9.7g
> ./config --prefix=/usr/local --openssldir=/usr/local/openssl -fPIC
Confiugured for linux-elf
メーク/インストール
> make
> make install
installing libcrypto.a
installing libssl.a
Apache + mod_ssl のインストール準備
コンフィギュアー
※ Apache のコンフィギュアーも同時に行なうので必要に応じて追加する
> cd /tmp/mod_ssl-2.8.22-1.3.33
> ./configure --with-apache=../apache_1.3.33 --with-ssl=../openssl-0.9.7g --prefix=/usr/local/apache --enable-rule=SHARED_CORE --enable-module=so --enable-shared=ssl
Now proceed with the following command:
$ cd ../apache
$ make
$ make certificate
$ make install
メーク
> cd ../apache
> make
+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL |
| certificate system by running the 'make certificate' command. |
| For different situations the following variants are provided: |
| |
| % make certificate TYPE=dummy (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom (custom cert signed by own CA) |
| % make certificate TYPE=existing (existing cert) |
| CRT=/path/to/your.crt [KEY=/path/to/your.key] |
| |
| Use TYPE=dummy when you're a vendor package maintainer, |
| the TYPE=test when you're an admin but want to do tests only, |
| the TYPE=custom when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server. |
| (The default is TYPE=test) |
| |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select |
| the signature algorithm used for the generated certificate. |
| |
| Use 'make certificate VIEW=1' to display the generated data. |
| |
| Thanks for using Apache & mod_ssl. Ralf S. Engelschall |
| rse@engelschall.com |
| www.engelschall.com |
+---------------------------------------------------------------------+
暗号鍵の作成
ローカル CA で暗号鍵を作成する場合は TYPE=custom を指定する
> make certificate TYPE=custom
※青文字は入力した部分
STEP 0
Signature Algorithm をたずねられるので RSA ( R )を選択
-------------------------------------------------------------------
STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:R
STEP 1
STEP 1 での入力はなし
-------------------------------------------------------------------
STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
275576 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......++++++
...++++++
e is 65537 (0x10001)
STEP 2
ローカルCAの情報を入力
※JP の Nagano の Matsumoto にある Information Strategy Laboratory という会社の System department という部署に ISL_PF CA というローカルCAを立てる
※登録するメールアドレスは account@domain.co.jp で 1000 日間有効
-------------------------------------------------------------------
STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from .mkcert.cfg
you are about to be asked to enter information that will be incorparated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN
There are quite a few fields but you can leave same blank
For some fields there will be a default value,
If you enter '.', the field will be left black.
-----
1. Country Name (2 letter code) [XY]:JP
2. State or Province Name (full name) [Snake Desert]:Nagano
3. Locality Name (eg, city) [Snake Town]:Matsumoto
4. Organization Name (eg, company) [Snake Oil, Ltd]:Information Strategy Laboratory
5. Organizational Unit Name (eg, section) [Certificate Authority]:System department
6. Common Name (eg, CA name) [Snake Oil CA]:ISL_PF CA
7. Email Address (eg, name@FQDN) [ca@snakeoil.dom]:account@domain.co.jp
8. Certificate Validity (days) [365]:1000
STEP 3
暗号鍵のバージョンを 3 と選択すると STEP 2 で入力した内容が出力されるので確認
-------------------------------------------------------------------
STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]: 3
Signature OK
subject=/C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=ISL_PF CA/Email=account@domain.co.jp
Getting Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=ISL_PF CA/Email=account@domain.co.jp
error 18 at 0 depth lookup:self signed certificate
OK
STEP 4
STEP 4 での入力はなし
-------------------------------------------------------------------
STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
275576 semi-random semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
STEP 5
サーバの情報を入力
※JP の Nagano の Matsumoto にある Information Strategy Laboratory という会社の System department の www.isl.ne.jp というサーバの鍵を作成
※登録するメールアドレスは account@domain.co.jp で 1000 日間有効
-------------------------------------------------------------------
STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from .mkcert.cfg
you are about to be asked to enter information that will be incorparated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN
There are quite a few fields but you can leave same blank
For some fields there will be a default value,
If you enter '.', the field will be left black.
-----
1. Country Name (2 letter code) [XY]:JP
2. State or Province Name (full name) [Snake Desert]:Nagano
3. Locality Name (eg, city) [Snake Town]:Matsumoto
4. Organization Name (eg, company) [Snake Oil, Ltd]:Information Strategy Laboratory
5. Organizational Unit Name (eg, section) [Certificate Authority]:System department
6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.isl.ne.jp
7. Email Address (eg, name@fqdn) [www@snakeoil.dom]:account@domain.co.jp
8. Certificate Validity (days) [365]:1000
STEP 6
暗号鍵のバージョンを 3 と選択すると STEP 5 で入力した内容が出力されるので確認
-------------------------------------------------------------------
STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature OK
subject=/C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=www.isl.ne.jp/Email=account@domain.co.jp
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
STEP 7
Encrypt the private key now? と聞かれるので Y を選択し、暗号鍵[ ca.key ]を使用する時のパスフェーズ(パスワード)を入力
-------------------------------------------------------------------
STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:Y
read RSA key
writing RSA key
Enter PEM pass phrase:XXXXXXXXXX
Verifying password - Enter PEM pass phrase:XXXXXXXXXX
Fine, you're using an encrypted private key.
STEP 8
Encrypt the private key now? と聞かれるので Y を選択し、暗号鍵[ server.key ]を使用する時のパスフェーズ(パスワード)を入力
-------------------------------------------------------------------
STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:Y
read RSA key
writing RSA key
Enter PEM pass phrase:XXXXXXXXXX
Verifying password - Enter PEM pass phrase:XXXXXXXXXX
Fine, you're using an encrypted private key.
RESULT
鍵が作成されたので結果を確認
-------------------------------------------------------------------
RESULT: CA and Server Certification Files
o conf/ssl.key/ca.key
The PEM-encoded RSA private key file of the CA which you can
use to sign other servers or clients. KEEP THIS FILE PRIVATE!
o conf/ssl.crt/ca.crt
The PEM-encoded X.509 certificate file of the CA which you use to
sign other servers or clients. When you sign clients with it (for
SSL client authentication) you can configure this file with the
'SSLCACertificateFile' directive.
o conf/ssl.key/server.key
The PEM-encoded RSA private key file of the server which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file of the server which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request of the server file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our own CA) which later can replace the conf/ssl.crt/server.crt
file.
Congratulations that you establish your server with real certificates.
Apache のインストール
> make install
+--------------------------------------------------------+
| You now have successfully built and installed the |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should first check the |
| (initially created or preserved) configuration files |
| |
| /usr/local/apache/conf/httpd.conf
| |
| and then you should be able to immediately fire up |
| Apache the first time by running: |
| |
| /usr/local/apache/bin/apachectl start
| |
| Or when you want to run it with SSL enabled use: |
| |
| /usr/local/apache/bin/apachectl startssl
| |
| Thanks for using Apache. The Apache Group |
| http://www.apache.org/ |
+--------------------------------------------------------+
起動・確認
Apache + SSL で起動
※ ./apachectl startssl で443ポート (暗号化する場合) と80ポート (しない場合) の両方起動する
> cd /usr/local/apache/bin
> ./apachectl startssl
パスフェーズを要求されるので鍵を作成した時の STEP 8 で指定したパスフェーズを入力
※青文字は入力した部分
[Fri Nov 16 16:36:17 2001] [alert] httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Apache/1.3.20 mod_ssl/2.8.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server terra:443 (RSA)
Enter pass phrase:XXXXXXXXXX
Ok: Pass Phrase Dialog successful.
./apachectl startssl: httpd started
起動確認
サーバ側での確認
> ps -ef | grep httpd
クライアントからの確認
ブラウザから
https://192.168.1.XXX(IPアドレス) で443ポートの確認
http://192.168.1.XXX(IPアドレス) で80ポートも確認
ブラウザに「あなたの予想に反して…」という Apache ロゴ付きのページが表示されれば成功!!