After installing openssl 1.0.1f, running configure for apache 2.2.26 fails with the following error.
wget http://ftp.yz.yamagata-u.ac.jp/pub/network/apache/httpd/httpd-2.2.26.tar.gz
tar -zxvf httpd-2.2.26.tar.gz
cd httpd-2.2.26
$ ./configure --prefix=/usr/local/apache22 \
  --with-mpm=prefork \
  --enable-proxy \
  --enable-modules=ssl \
  --with-ssl=/usr/local/openssl \
  --enable-rewrite=shared \
  --enable-so
:
checking for SSL_CTX_new... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable
openssl currently has three maintained branches, 0.9.8, 1.0.0 and 1.0.1, so for the apache 2.2 series use openssl 0.9.8.
Below are the install steps for openssl and apache, followed by the steps to create and register a self-signed ("ore-ore") certificate.
Reference URL: http://www.whitemark.co.jp/tec/apache/apache-openssl1.html
openssl
$ wget https://www.openssl.org/source/openssl-0.9.8y.tar.gz
$ tar -zxvf openssl-0.9.8y.tar.gz
$ cd openssl-0.9.8y
$ ./config --prefix=/usr/local/openssl
$ make
$ make test
$ su
# make install
$ su -
# vi /etc/ld.so.conf
  (add the following line)
/usr/local/openssl/lib
# ldconfig
apache
$ wget http://ftp.yz.yamagata-u.ac.jp/pub/network/apache/httpd/httpd-2.2.26.tar.gz
$ tar -zxvf httpd-2.2.26.tar.gz
$ cd httpd-2.2.26
$ ./configure --prefix=/usr/local/apache22 \
  --with-mpm=prefork \
  --enable-proxy \
  --enable-modules=ssl \
  --with-ssl=/usr/local/openssl \
  --enable-rewrite=shared \
  --enable-so
$ make
$ su
# make install
Just to be safe, confirm that mod_ssl was built in
$ /usr/local/apache22/bin/httpd -l | grep ssl
  mod_ssl.c
Creating a self-signed private CA and a server certificate
First, create a working directory
$ mkdir /home/endo/tmp/SSL_TEST
Create the CA (private certificate authority)
$ cd /home/endo/tmp/SSL_TEST
$ /usr/local/openssl/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:jp
State or Province Name (full name) [Some-State]:tokyo
Locality Name (eg, city) []:shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:colinux.a4.jp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            d6:1d:3c:80:df:91:08:1d
        Validity
            Not Before: Feb  7 11:26:44 2014 GMT
            Not After : Feb  6 11:26:44 2017 GMT
        Subject:
            countryName               = jp
            stateOrProvinceName       = tokyo
            organizationName          = Internet Widgits Pty Ltd
            commonName                = colinux.a4.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29
            X509v3 Authority Key Identifier:
                keyid:73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29
                DirName:/C=jp/ST=tokyo/O=Internet Widgits Pty Ltd/CN=colinux.a4.jp
                serial:D6:1D:3C:80:DF:91:08:1D
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  6 11:26:44 2017 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
$
Create the private key and the certificate request
$ cd /home/endo/tmp/SSL_TEST
$ /usr/local/openssl/ssl/misc/CA.sh -newreq
Generating a 1024 bit RSA private key
......................++++++
..........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:jp
State or Province Name (full name) [Some-State]:tokyo
Locality Name (eg, city) []:shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:colinux.a4.jp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Create the certificate
$ cd /home/endo/tmp/SSL_TEST
$ /usr/local/openssl/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            d6:1d:3c:80:df:91:08:1e
        Validity
            Not Before: Feb  7 11:28:33 2014 GMT
            Not After : Feb  7 11:28:33 2015 GMT
        Subject:
            countryName               = jp
            stateOrProvinceName       = tokyo
            localityName              = shibuya
            organizationName          = Internet Widgits Pty Ltd
            commonName                = colinux.a4.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                07:F8:56:D6:72:D3:18:D3:DC:5F:DD:FB:2C:25:94:D8:D0:AA:6A:2D
            X509v3 Authority Key Identifier:
                keyid:73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29
Certificate is to be certified until Feb  7 11:28:33 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d6:1d:3c:80:df:91:08:1e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=jp, ST=tokyo, O=Internet Widgits Pty Ltd, CN=colinux.a4.jp
        Validity
            Not Before: Feb  7 11:28:33 2014 GMT
            Not After : Feb  7 11:28:33 2015 GMT
        Subject: C=jp, ST=tokyo, L=shibuya, O=Internet Widgits Pty Ltd, CN=colinux.a4.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                07:F8:56:D6:72:D3:18:D3:DC:5F:DD:FB:2C:25:94:D8:D0:AA:6A:2D
            X509v3 Authority Key Identifier:
                keyid:73:24:33:6C:F0:A6:68:D5:DF:6A:C1:8F:E7:9A:22:D0:F2:B0:A4:29
    Signature Algorithm: sha1WithRSAEncryption
        ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Deploy the private key, the certificate request and the certificate
$ su -
# cd /usr/local/apache22/conf/
# mkdir sslkeys
# cd sslkeys/
# cp ~endo/tmp/SSL_TEST/newreq.pem .
# cp ~endo/tmp/SSL_TEST/newkey.pem .
# cp ~endo/tmp/SSL_TEST/newcert.pem .
# chmod 400 *.pem
# cd /usr/local/openssl
# cp -r ~endo/tmp/SSL_TEST/demoCA .
Editing httpd.conf and httpd-ssl.conf
$ su -
# vi /usr/local/apache22/conf/extra/httpd-ssl.conf
  (set the following)
SSLCertificateFile /usr/local/apache22/conf/sslkeys/newcert.pem
SSLCertificateKeyFile /usr/local/apache22/conf/sslkeys/newkey.pem
SSLCACertificatePath /usr/local/openssl/demoCA
SSLCACertificateFile /usr/local/openssl/demoCA/cacert.pem
# vi /usr/local/apache22/conf/httpd.conf
  (uncomment this line)
Include conf/extra/httpd-ssl.conf
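Before starting httpd with this configuration, a pre-flight check of the files httpd-ssl.conf points at catches the mistake that is easy to make with the CA.sh output: copying newreq.pem (the request) and forgetting newkey.pem (the key), or leaving the Include in httpd.conf commented. This is an added example, not code from the original post; the configuration and PEM files it constructs are sample values written to a temporary directory.

```python
import os, re, stat, tempfile

# httpd-ssl.conf directives that must name a PEM file, and the PEM label each must hold
EXPECTED_PEM = {"SSLCertificateFile": "CERTIFICATE",
                "SSLCertificateKeyFile": "PRIVATE KEY",
                "SSLCACertificateFile": "CERTIFICATE"}
def pem_labels(path):
    """Set of PEM block labels found in a file, e.g. {'CERTIFICATE REQUEST'}."""
    with open(path) as f:
        return set(re.findall(r"-----BEGIN ([A-Z ]+)-----", f.read()))
def check_ssl_conf(ssl_conf, httpd_conf):
    """Return a list of problems; an empty list means the layout looks sane."""
    problems = []
    with open(ssl_conf) as f:
        for line in f:
            m = re.match(r"\s*(\w+)\s+(\S+)", line)
            if not m or m.group(1) not in EXPECTED_PEM:
                continue  # SSLCACertificatePath names a directory and is not checked
            directive, path = m.groups()
            if not os.path.isfile(path):
                problems.append(f"{directive}: {path} does not exist")
                continue
            want = EXPECTED_PEM[directive]
            # 'RSA PRIVATE KEY' counts as a key; 'CERTIFICATE REQUEST' is not a certificate
            if not any(lab == want or lab.endswith(" " + want) for lab in pem_labels(path)):
                problems.append(f"{directive}: {path} has no {want} block")
            if directive == "SSLCertificateKeyFile" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                problems.append(f"{directive}: {path} is readable by group/other, expected 0400")
    with open(httpd_conf) as f:  # the SSL vhost only loads once this Include is uncommented
        if not re.search(r"^\s*Include\s+conf/extra/httpd-ssl\.conf", f.read(), re.M):
            problems.append("httpd.conf: Include conf/extra/httpd-ssl.conf is still commented out")
    return problems
def demo(fixed=False):
    """Constructed layout: like the post, newcert.pem was copied but (unless fixed) newkey.pem was not."""
    d = tempfile.mkdtemp()
    def write(name, label, mode=0o400):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(f"-----BEGIN {label}-----\nMIIC...constructed...\n-----END {label}-----\n")
        os.chmod(p, mode)
        return p
    cert, ca = write("newcert.pem", "CERTIFICATE"), write("cacert.pem", "CERTIFICATE", 0o644)
    key = write("newkey.pem", "RSA PRIVATE KEY") if fixed else os.path.join(d, "newkey.pem")
    ssl_conf, httpd_conf = os.path.join(d, "httpd-ssl.conf"), os.path.join(d, "httpd.conf")
    with open(ssl_conf, "w") as f:
        f.write(f"SSLCertificateFile {cert}\nSSLCertificateKeyFile {key}\nSSLCACertificateFile {ca}\n")
    with open(httpd_conf, "w") as f:
        f.write(("" if fixed else "#") + "Include conf/extra/httpd-ssl.conf\n")
    return check_ssl_conf(ssl_conf, httpd_conf)
```

Because newkey.pem was generated with a PEM pass phrase, httpd will also prompt for that pass phrase when it starts (SSLPassPhraseDialog builtin, the httpd-ssl.conf default).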
All that is left is to start it.