end0tknr's kipple - 新web写経開発

http://d.hatena.ne.jp/end0tknr/ から移転しました

apache 2.2系に openssl 1.0系は使えません。 0.9.8を使いましょう

openssl 1.0.1fのinstall後、apache 2.2.26 のconfigureを行おうと、次のようなerrorとなります。

wget http://ftp.yz.yamagata-u.ac.jp/pub/network/apache/httpd/httpd-2.2.26.tar.gz
tar -zxvf httpd-2.2.26.tar.gz 
cd httpd-2.2.26
$ ./configure --prefix=/usr/local/apache22 \
              --with-mpm=prefork \
              --enable-proxy \
              --enable-modules=ssl \
              --with-ssl=/usr/local/openssl \
              --enable-rewrite=shared \
              --enable-so
 :
checking for SSL_CTX_new... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable

opnesslは、現在、0.9.8 , 1.0.0 , 1.0.1 の3系統がメンテナンスされているので、apache 2.2系には、openssl 0.9.8を使いましょう。

以下は、openssl , apache のinstall手順と、オレオレ証明書の設定登録手順。

参考url http://www.whitemark.co.jp/tec/apache/apache-openssl1.html

openssl

$ wget https://www.openssl.org/source/openssl-0.9.8y.tar.gz
$ tar -zxvf openssl-0.9.8y.tar.gz
$ cd openssl-0.9.8y
$ ./config --prefix=/usr/local/openssl 
$ make
$ make test
$ su
# make install
$ su - 
# vi /etc/ld.so.conf
↓追加
/usr/local/openssl/lib
# ldconfig

apache

$ wget http://ftp.yz.yamagata-u.ac.jp/pub/network/apache/httpd/httpd-2.2.26.tar.gz
$ tar -zxvf httpd-2.2.26.tar.gz 
$ cd httpd-2.2.26
$ ./configure --prefix=/usr/local/apache22 \
              --with-mpm=prefork \
              --enable-proxy \
              --enable-modules=ssl \
              --with-ssl=/usr/local/openssl \
              --enable-rewrite=shared \
              --enable-so
$ make
$ su
# make install

念の為、mod_sslのinstall状況を確認

$ /usr/local/apache22/bin/httpd -l | grep ssl
  mod_ssl.c

オレオレ自己認証局と、サーバ証明書の作成

まずは作業用dir作成
$ mkdir /home/endo/tmp/SSL_TEST
CA (自己認証局)作成
$ cd /home/endo/tmp/SSL_TEST
$ /usr/local/openssl/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:jp
State or Province Name (full name) [Some-State]:tokyo
Locality Name (eg, city) []:shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:colinux.a4.jp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
        d6:1d:3c:80:df:91:08:1d
    Validity
        Not Before: Feb  7 11:26:44 2014 GMT
        Not After : Feb  6 11:26:44 2017 GMT
    Subject:
        countryName               = jp
        stateOrProvinceName       = tokyo
        organizationName          = Internet Widgits Pty Ltd
        commonName                = colinux.a4.jp
    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29
        X509v3 Authority Key Identifier: 
            keyid:73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29
            DirName:/C=jp/ST=tokyo/O=Internet Widgits Pty Ltd/CN=colinux.a4.jp
            serial:D6:1D:3C:80:DF:91:08:1D

        X509v3 Basic Constraints: 
            CA:TRUE
Certificate is to be certified until Feb  6 11:26:44 2017 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
$ 
秘密鍵と証明書要求 作成
$ cd /home/endo/tmp/SSL_TEST
$ /usr/local/openssl/ssl/misc/CA.sh -newreq
Generating a 1024 bit RSA private key
......................++++++
..........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:jp
State or Province Name (full name) [Some-State]:tokyo
Locality Name (eg, city) []:shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:colinux.a4.jp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
証明書 作成
$ cd /home/endo/tmp/SSL_TEST
$  /usr/local/openssl/ssl/misc/CA.sh -sign 
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
  Serial Number:
      d6:1d:3c:80:df:91:08:1e
  Validity
      Not Before: Feb  7 11:28:33 2014 GMT
      Not After : Feb  7 11:28:33 2015 GMT
  Subject:
      countryName               = jp
      stateOrProvinceName       = tokyo
      localityName              = shibuya
      organizationName          = Internet Widgits Pty Ltd
      commonName                = colinux.a4.jp
  X509v3 extensions:
      X509v3 Basic Constraints: 
          CA:FALSE
      Netscape Comment: 
          OpenSSL Generated Certificate
      X509v3 Subject Key Identifier: 
          07:F8:56:D6:72:D3:18:D3:DC:5F:DD:FB:2C:25:94:D8:D0:AA:6A:2D
      X509v3 Authority Key Identifier: 
          keyid:73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29

Certificate is to be certified until Feb  7 11:28:33 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
  Data:
      Version: 3 (0x2)
      Serial Number:
          d6:1d:3c:80:df:91:08:1e
      Signature Algorithm: sha1WithRSAEncryption
      Issuer: C=jp, ST=tokyo, O=Internet Widgits Pty Ltd, CN=colinux.a4.jp
      Validity
          Not Before: Feb  7 11:28:33 2014 GMT
          Not After : Feb  7 11:28:33 2015 GMT
      Subject: C=jp, ST=tokyo, L=shibuya, O=Internet Widgits Pty Ltd, CN=colinux.a4.jp
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
              Modulus (1024 bit):
                  00:c6:6c:d4:38:dd:2f:d6:7a:19:34:e0:68:72:47:
                  38:c3:99:91:ed:6d:82:36:6d:3e:e8:78:c9:3a:06:
                  75:24:69:ea:98:0e:f0:fb:74:0c:ca:fd:7b:dc:1b:
                  e6:22:d8:a9:1c:24:3a:9d:79:35:22:60:87:cd:c3:
                  71:bb:1d:df:4e:76:06:85:55:93:d8:50:06:13:73:
                  65:2c:c0:6d:8c:99:d3:22:65:96:2e:14:87:d3:e8:
                  97:69:6a:89:ac:d2:2c:f2:dd:9d:9f:74:1f:cf:5c:
                  00:4f:a5:0a:02:9e:9c:8e:48:be:a3:f5:ac:02:c3:
                  9c:69:13:7b:0c:08:e7:a9:47
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          X509v3 Basic Constraints: 
              CA:FALSE
          Netscape Comment: 
              OpenSSL Generated Certificate
          X509v3 Subject Key Identifier: 
              07:F8:56:D6:72:D3:18:D3:DC:5F:DD:FB:2C:25:94:D8:D0:AA:6A:2D
          X509v3 Authority Key Identifier: 
              keyid:73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29

  Signature Algorithm: sha1WithRSAEncryption
      15:01:d9:e5:86:9e:7e:db:b6:61:32:c8:b2:a9:36:f6:78:95:
      03:9b:54:21:f1:d7:57:ae:c1:c7:63:66:a8:74:ce:89:fb:ad:
      23:aa:bc:27:b2:78:b2:4f:a7:81:18:94:39:4c:d6:bc:71:74:
      23:7c:db:2b:3b:7b:9f:f7:1a:ac:ab:dd:b2:f5:06:6d:3e:03:
      59:60:28:d9:5e:d1:68:98:46:8e:68:17:1b:04:c0:c7:71:df:
      0b:46:c2:c4:5a:cc:2f:00:ff:4e:90:c9:56:52:87:26:07:ce:
      b1:14:47:54:c4:42:9b:9d:ca:eb:73:fc:7c:43:2a:a9:17:64:
      ea:5e
-----BEGIN CERTIFICATE-----
MIICuzCCAiSgAwIBAgIJANYdPIDfkQgeMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
BAYTAmpwMQ4wDAYDVQQIEwV0b2t5bzEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMRYwFAYDVQQDEw1jb2xpbnV4LmE0LmpwMB4XDTE0MDIwNzExMjgz
M1oXDTE1MDIwNzExMjgzM1owajELMAkGA1UEBhMCanAxDjAMBgNVBAgTBXRva3lv
MRAwDgYDVQQHEwdzaGlidXlhMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
eSBMdGQxFjAUBgNVBAMTDWNvbGludXguYTQuanAwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMZs1DjdL9Z6GTTgaHJHOMOZke1tgjZtPuh4yToGdSRp6pgO8Pt0
DMr9e9wb5iLYqRwkOp15NSJgh83Dcbsd3052BoVVk9hQBhNzZSzAbYyZ0yJlli4U
h9Pol2lqiazSLPLdnZ90H89cAE+lCgKenI5IvqP1rALDnGkTewwI56lHAgMBAAGj
ezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
IENlcnRpZmljYXRlMB0GA1UdDgQWBBQH+FbWctMY09xf3fssJZTY0KpqLTAfBgNV
HSMEGDAWgBRzJDNs8KZo1d9qwY/nmiLQ8rCkKTANBgkqhkiG9w0BAQUFAAOBgQAV
Adnlhp5+27ZhMsiyqTb2eJUDm1Qh8ddXrsHHY2aodM6J+60jqrwnsniyT6eBGJQ5
TNa8cXQjfNsrO3uf9xqsq92y9QZtPgNZYCjZXtFomEaOaBcbBMDHcd8LRsLEWswv
AP9OkMlWUocmB86xFEdUxEKbncrrc/x8QyqpF2TqXg==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
秘密鍵、証明書要求、証明書の配備
$ su - 
# cd /usr/local/apache22/conf/
# mkdir sslkeys
# cd sslkeys/
# cp ~endo/tmp/SSL_TEST/newreq.pem .
# cp ~endo/tmp/SSL_TEST/newcert.pem .
# chmod 400 *.pem
# cd /usr/local/openssl
# cp -r ~endo/tmp/SSL_TEST/demoCA .

httpd.conf , httpd-ssl.conf の編集

$ su - 
# vi /usr/local/apache22/conf/extra/httpd-ssl.conf
※以下の通リ
SSLCertificateFile /usr/local/apache22/conf/sslkeys/newcert.pem
SSLCertificateKeyFile /usr/local/apache22/conf/sslkeys/newkey.pem

SSLCACertificatePath /usr/local/openssl/demoCA
SSLCACertificateFile /usr/local/openssl/demoCA/cacert.pem

# vi /usr/local/apache22/conf/httpd.conf
※コメント解除
Include conf/extra/httpd-ssl.conf

あとは、起動するだけです