
RedHat server installation


SSL support for Apache using mod_ssl

Updated: June 8, 2005

HTTP encryption

Ways to encrypt traffic when building a web server on Apache:

  1. Build the SSL module called mod_ssl into Apache
  2. Apply the Apache-SSL patch to the Apache source and compile it
  3. Put a proxy server in front of it

This time,

for that reason the decision was to build in mod_ssl.

Preparation before installing

Obtaining the sources

apache1.3.33

URL : http://www.apache.org/dist/httpd/
Select and download apache_1.3.33.tar.gz from there (about 2.4 MB)

openssl-0.9.7g

URL : http://www.openssl.org/source/
Select and download openssl-0.9.7g.tar.gz from there (about 3.0 MB)

mod_ssl-2.8.22-1.3.33

URL : http://www.modssl.org/source/ or http://www.modssl.org/
Select and download mod_ssl-2.8.22-1.3.33.tar.gz (the version for Apache 1.3.33) from there (about 0.7 MB)

Removing the old Apache

In this environment an rpm version of Apache had been installed together with the OS, so remove it.
Check the rpms that are currently installed:

Log in as root
> rpm -qa | grep apache

apache-1.3.19-5
apacheconf-0.7-2

Remove apache-1.3.19-5

> rpm -e apache-1.3.19-5

エラー:これらのパッケージを削除すると依存性を破棄します:
apacheは apacheconf-0.7-2
apache = 1.3.19-5は mod_ssl-2.8.1-5 に必要とされています
webserverは mod_dav-1.0.2-4 に必要とされています
webserverは mod_perl-1.24_01-2 に必要とされています

These errors appear, so first remove the packages that depend on it

> rpm -e mod_perl-1.24_01-2
> rpm -e mod_dav-1.0.2-4
> rpm -e mod_ssl-2.8.1-5

エラー: removal of /var/cache/ssl_gcache_data.sem failed: そのようなファイルやディレクトリはありません
エラー: removal of /var/cache/ssl_gcache_data.pag failed: そのようなファイルやディレクトリはありません
エラー: removal of /var/cache/ssl_gcache_data.dir failed: そのようなファイルやディレクトリはありません
エラー: cannot remove /etc/httpd/conf/ssl.key - directory not empty
エラー: cannot remove /etc/httpd/conf/ssl.crt - directory not empty

There appear to be no other dependencies, so remove apacheconf (the package name is the one reported by rpm -qa above)

> rpm -e apacheconf-0.7-2

Then remove Apache

> rpm -e apache-1.3.19-5

エラー: cannot remove /var/www/html - directry not empty
エラー: cannot remove /var/www - directory not empty
エラー: cannot remove /usr/lib/apache - directory not empty
エラー: cannot remove /etc/httpd/conf - directory not empty
エラー: cannot remove /etc/httpd - directory not empty


/var/www and /etc/httpd look like leftovers of the previous Apache, so remove them

> cd /var
> rm -rf www
> cd /etc
> rm -rf httpd

Extracting the sources

Move to the directory holding the sources (/tmp here) and extract them
Note: Apache and mod_ssl are configured together, so extract all of them first

> cd /tmp
> tar xvfz openssl-0.9.7g.tar.gz
> tar xvfz apache_1.3.33.tar.gz
> tar xvfz mod_ssl-2.8.22-1.3.33.tar.gz

Installing openssl

Configure

 Note: it is ./config, not ./configure

> cd /tmp/openssl-0.9.7g
> ./config --prefix=/usr/local --openssldir=/usr/local/openssl -fPIC

Configured for linux-elf

Make / install

> make
> make install

installing libcrypto.a
installing libssl.a

Preparing to install Apache + mod_ssl

Configure

Note: Apache is configured at the same time, so add any Apache options you need here

> cd /tmp/mod_ssl-2.8.22-1.3.33
> ./configure --with-apache=../apache_1.3.33 --with-ssl=../openssl-0.9.7g --prefix=/usr/local/apache --enable-rule=SHARED_CORE --enable-module=so --enable-shared=ssl

Now proceed with the following command:
$ cd ../apache
$ make
$ make certificate
$ make install

Make

> cd ../apache
> make

+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL       |
| certificate system by running the 'make certificate' command.       |
| For different situations the following variants are provided:       |
|                                                                     |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom   (custom cert signed by own CA)     |
| % make certificate TYPE=existing (existing cert)                    |
|                     CRT=/path/to/your.crt [KEY=/path/to/your.key]   |
|                                                                     |
| Use TYPE=dummy    when you're a vendor package maintainer,          |
| the TYPE=test     when you're an admin but want to do tests only,   |
| the TYPE=custom   when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server.       |
| (The default is TYPE=test)                                          |
|                                                                     |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
| the signature algorithm used for the generated certificate.         |
|                                                                     |
| Use 'make certificate VIEW=1' to display the generated data.        |
|                                                                     |
| Thanks for using Apache & mod_ssl.          Ralf S. Engelschall     |
|                                             rse@engelschall.com     |
|                                             www.engelschall.com     |
+---------------------------------------------------------------------+

Creating the keys and certificates

To create them under a local CA, specify TYPE=custom

> make certificate TYPE=custom

The value after each prompt is what was typed in

STEP 0

You are asked for the Signature Algorithm; choose RSA ( R )

-------------------------------------------------------------------

STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:R

STEP 1

Nothing is entered in STEP 1

-------------------------------------------------------------------

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
275576 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......++++++
...++++++
e is 65537 (0x10001)

STEP 2

Enter the local CA's details
Note: this sets up a local CA named ISL_PF CA in the System department of a company called Information Strategy Laboratory, located in Matsumoto, Nagano, JP
Note: the registered e-mail address is account@domain.co.jp and the certificate is valid for 1000 days

-------------------------------------------------------------------

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from .mkcert.cfg
you are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name       (2 letter code) [XY]:JP
2. State or Province Name  (full name)   [Snake Desert]:Nagano
3. Locality Name      (eg, city)   [Snake Town]:Matsumoto
4. Organization Name    (eg, company)  [Snake Oil, Ltd]:Information Strategy Laboratory
5. Organizational Unit Name (eg, section)  [Certificate Authority]:System department
6. Common Name       (eg, CA name)  [Snake Oil CA]:ISL_PF CA
7. Email Address      (eg, name@FQDN) [ca@snakeoil.dom]:account@domain.co.jp
8. Certificate Validity   (days)     [365]:1000

STEP 3

Choose certificate version 3; the details entered in STEP 2 are then printed back, so check them

-------------------------------------------------------------------

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]: 3

Signature OK
subject=/C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=ISL_PF CA/Email=account@domain.co.jp
Getting Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=ISL_PF CA/Email=account@domain.co.jp
error 18 at 0 depth lookup:self signed certificate
OK

STEP 4

Nothing is entered in STEP 4

-------------------------------------------------------------------

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
275576 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)

STEP 5

Enter the server's details
Note: this creates the key for the server www.isl.ne.jp in the System department of Information Strategy Laboratory, located in Matsumoto, Nagano, JP
Note: the registered e-mail address is account@domain.co.jp and the certificate is valid for 1000 days

-------------------------------------------------------------------
STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from .mkcert.cfg
you are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name       (2 letter code) [XY]:JP
2. State or Province Name  (full name)   [Snake Desert]:Nagano
3. Locality Name      (eg, city)   [Snake Town]:Matsumoto
4. Organization Name    (eg, company)  [Snake Oil, Ltd]:Information Strategy Laboratory
5. Organizational Unit Name (eg, section)  [Certificate Authority]:System department
6. Common Name       (eg, FQDN)   [www.snakeoil.dom]:www.isl.ne.jp
7. Email Address      (eg, name@fqdn) [www@snakeoil.dom]:account@domain.co.jp
8. Certificate Validity   (days)     [365]:1000

STEP 6

Choose certificate version 3; the details entered in STEP 5 are then printed back, so check them

-------------------------------------------------------------------

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature OK
subject=/C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=www.isl.ne.jp/Email=account@domain.co.jp
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK

STEP 7

When asked "Encrypt the private key now?", choose Y and enter the pass phrase (password) that will be required whenever the key [ ca.key ] is used

-------------------------------------------------------------------

STEP 7: Encrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:Y
read RSA key
writing RSA key
Enter PEM pass phrase:XXXXXXXXXX
Verifying password - Enter PEM pass phrase:XXXXXXXXXX
Fine, you're using an encrypted private key.

STEP 8

When asked "Encrypt the private key now?", choose Y and enter the pass phrase (password) that will be required whenever the key [ server.key ] is used

-------------------------------------------------------------------

STEP 8: Encrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:Y
read RSA key
writing RSA key
Enter PEM pass phrase:XXXXXXXXXX
Verifying password - Enter PEM pass phrase:XXXXXXXXXX
Fine, you're using an encrypted private key.

RESULT

The keys and certificates have been created; check the result

-------------------------------------------------------------------

RESULT: CA and Server Certification Files

o conf/ssl.key/ca.key
  The PEM-encoded RSA private key file of the CA which you can
  use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o conf/ssl.crt/ca.crt
  The PEM-encoded X.509 certificate file of the CA which you use to
  sign other servers or clients. When you sign clients with it (for
  SSL client authentication) you can configure this file with the
  'SSLCACertificateFile' directive.

o conf/ssl.key/server.key
  The PEM-encoded RSA private key file of the server which you configure
  with the 'SSLCertificateKeyFile' directive (automatically done
  when you install via APACI). KEEP THIS FILE PRIVATE!

o conf/ssl.crt/server.crt
  The PEM-encoded X.509 certificate file of the server which you configure
  with the 'SSLCertificateFile' directive (automatically done
  when you install via APACI).

o conf/ssl.csr/server.csr
  The PEM-encoded X.509 certificate signing request of the server file which
  you can send to an official Certificate Authority (CA) in order
  to request a real server certificate (signed by this CA instead
  of our own CA) which later can replace the conf/ssl.crt/server.crt
  file.

Congratulations that you establish your server with real certificates.
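The eight interactive steps above are what mod_ssl's mkcert does under the hood. As an added example, not part of the original page and not mod_ssl's own mkcert script, the POSIX shell functions below reproduce them non-interactively with the openssl command-line tool, using the same DN values the page entered: a self-signed local CA (STEPs 1 and 3), a server key and CSR (STEPs 4 and 5), a server certificate signed by that CA (STEP 6), pass-phrase protection of both private keys (STEPs 7 and 8), and the two checks mkcert printed, "certificate verifies against the CA" and "certificate and key modulus match". Assumptions: openssl is on PATH; the function names are mine; 2048-bit keys, SHA-256 and AES-256 are used in place of the page's 1024-bit keys and Triple-DES, which are too weak for a server today; the pass phrase passed on the command line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the page or from mod_ssl's mkcert): a non-interactive
# equivalent of 'make certificate TYPE=custom' using the openssl CLI.
# Assumes openssl is on PATH. DN values are the ones typed in on the page.

CA_SUBJ="/C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=ISL_PF CA/emailAddress=account@domain.co.jp"
SERVER_SUBJ="/C=JP/ST=Nagano/L=Matsumoto/O=Information Strategy Laboratory/OU=System department/CN=www.isl.ne.jp/emailAddress=account@domain.co.jp"

# make_local_ca_certs DIR DAYS PASSPHRASE
# Writes ca.key, ca.crt, server.key, server.csr and server.crt into DIR.
# STEP numbers refer to the mkcert dialogue shown above.
make_local_ca_certs() {
    dir="$1"; days="$2"; KEY_PASS="$3"
    export KEY_PASS          # read by openssl through -passout env:KEY_PASS
    mkdir -p "$dir" || return 1

    # STEP 1 and 3: CA private key and self-signed CA certificate
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -days "$days" -key "$dir/ca.key" \
        -subj "$CA_SUBJ" -out "$dir/ca.crt" 2>/dev/null || return 1

    # STEP 4 and 5: server private key and certificate signing request
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "$SERVER_SUBJ" -out "$dir/server.csr" 2>/dev/null || return 1

    # STEP 6: server certificate signed by our own CA (ca.srl is written next to ca.crt)
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1

    # STEP 7 and 8: encrypt both private keys with the pass phrase.
    # Done last so that the signing step above needed no pass phrase.
    for k in ca.key server.key; do
        openssl rsa -aes256 -in "$dir/$k" -out "$dir/$k.tmp" \
            -passout env:KEY_PASS 2>/dev/null </dev/null || return 1
        mv "$dir/$k.tmp" "$dir/$k" || return 1
    done
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_server_cert DIR PASSPHRASE
# Repeats the two checks mkcert printed after STEP 6: server.crt chains to
# ca.crt, and its public modulus matches the (now encrypted) server.key.
# Returns 0 on success, 1 on any mismatch or a wrong pass phrase.
verify_server_cert() {
    dir="$1"; KEY_PASS="$2"
    export KEY_PASS
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" 2>&1 \
        | grep -q ': OK$' || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" \
        -passin env:KEY_PASS 2>/dev/null </dev/null || true)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# server_cert_summary DIR
# Prints subject, issuer and validity period: the fields to check before
# pointing SSLCertificateFile / SSLCertificateKeyFile at these files.
server_cert_summary() {
    openssl x509 -noout -subject -issuer -dates -in "$1/server.crt"
}

# Stand-alone usage:  ./make_certs.sh /tmp/ssl-demo 1000 'constructed-pass-phrase'
if [ "$#" -eq 3 ]; then
    make_local_ca_certs "$1" "$2" "$3" && verify_server_cert "$1" "$3" \
        && server_cert_summary "$1"
fi
```

Because server.key is encrypted, pointing SSLCertificateKeyFile at it makes apachectl startssl prompt for the pass phrase exactly as the page shows further down; the CA key only needs to be decrypted when you sign another CSR with it, and ca.key should never be copied onto the web server host.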

Installing Apache

> make install

+--------------------------------------------------------+
| You now have successfully built and installed the      |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should first check the         |
| (initially created or preserved) configuration files   |
|                                                        |
|   /usr/local/apache/conf/httpd.conf
|                                                        |
| and then you should be able to immediately fire up     |
| Apache the first time by running:                      |
|                                                        |
|   /usr/local/apache/bin/apachectl start
|                                                        |
| Or when you want to run it with SSL enabled use:       |
|                                                        |
|   /usr/local/apache/bin/apachectl startssl
|                                                        |
| Thanks for using Apache.            The Apache Group   |
|                               http://www.apache.org/   |
+--------------------------------------------------------+

Starting and checking

Start Apache with SSL

Note: ./apachectl startssl starts both port 443 (encrypted) and port 80 (unencrypted)

> cd /usr/local/apache/bin
> ./apachectl startssl

You are prompted for a pass phrase; enter the one set in STEP 8 when the server key was created
The value after the prompt is what was typed in

[Fri Nov 16 16:36:17 2001] [alert] httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Apache/1.3.20 mod_ssl/2.8.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server terra:443 (RSA)
Enter pass phrase:XXXXXXXXXX

Ok: Pass Phrase Dialog successful.
./apachectl startssl: httpd started

Checking that it is running

On the server

> ps -ef | grep httpd

From a client

From a browser:
https://192.168.1.XXX (the server's IP address) checks port 443
http://192.168.1.XXX (the IP address) also checks port 80

If the browser shows the Apache-logo test page beginning "Contrary to your expectations..." (the Japanese default page), it worked!!
