GregJ
02-14-2004, 12:59 AM
OK,
I have the web server running just fine at internal.domain.com, I even have a CNAME set up for secure.internal.domain.com and a virtual host set up for same. I can access documents via http on secure.internal.domain.com. But I cannot access them via https.
My goal is to require https when accessing secure.internal.domain.com.
I am running Apache 2 on Red Hat 8 with a 2.4 kernel.
I created a host key and cert files using openssl with the CN of ".domain.com" in x509 format with an RSA cipher. Note the leading dot on the CN. I think that's needed to say any sub-domain at domain.com.
Now that I have these files, where do I put them and how do I enable them? What else do I need to examine / do?
BTW, in the ssl_error_log file I get these two messages every time I try to access the test server with https:
RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
RSA server certificate CommonName (CN) `internal' does NOT match server name!?
I've not yet figured out exactly what the message is trying to tell me (except that it didn't work :P )
-g
It's so secure even I can't find it.
Kevin
02-14-2004, 01:07 AM
The OpenBSD people made a quick easy FAQ on how to do it:
http://www.openbsd.org/faq/faq10.html#HTTPS
Note that the paths will probably be different on RedHat and you don't have to limit your signature to 365 days.
--
Kevin
GregJ
02-14-2004, 08:40 PM
FQ, if you feel this content is inappropriate for this forum, please just delete this reply or move it to a more appropriate place.
This is what I learned and did to get my test server serving pages via https. The note is rather long, don't feel obligated to read all of it.
I did this on a Red Hat 8.0 system with Apache 2.0.
Before I go further, the RH docs contain a good description of the whole secure setup thing at:
http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/custom-guide/ch-httpd-secure-server.html
And, while not as directly useful, the Apache documentation contains a description of its use of SSL here:
http://httpd.apache.org/docs-2.0/ssl/
The first important thing is that the ssl.conf file is in /etc/conf.d/ssl.conf. Once I found this, things started going better.
Make sure you have virtual host definitions working first.
I took an existing VirtualHost setup, stuck "secure." on the front of the ServerName definition and changed the DocumentRoot to where the secure files were going to be located. Put an index.html in it that identifies itself for testing purposes and make sure it outputs enough text so that IE doesn't think it failed (I used a sentence and a bunch of asterisks). I saved and did an apachectl configtest (don't restart yet as it's wasted effort until the DNS knows about the name). Next I changed my DNS zone definition to add a CNAME for the "secure" sub-domain in the zone file for my internal server (which for purposes of this note I'll call "internal.example.com") and restarted named. Ping secure.internal.example.com to make sure you can resolve the name. Once the DNS is ok, restart httpd to read the new virtualhost. Make sure you can access http://secure.internal.example.com using HTTP (not HTTPS). If you can, you know you have a good basic virtualhost definition.
Another important note, before you get into it:
If you are going to use the same server and are using name based virtual hosts, then you will need to change your httpd.conf file so that the NameVirtualHost directive contains a :80 (or whatever port you use for http) appended to the IP. Also, in each of the VirtualHost tags you will also need to append the :80 after the IP. If you don't, you'll get a message containing: " mixing * ports and non-* ports with a NameVirtualHost" in it. This is because your secure definition will contain a :443 port specification in it.
I edited the ssl.conf file and scrolled down to where the skeleton <VirtualHost _default_:443> definition tag is in the file. I commented out that tag and the lines just below it defining the "General setup for the virtual host" and pasted in my definition from the httpd.conf file (up to, but not including my </VirtualHost> end tag) at that place. I changed the cloned virtual host tag to put the :443 port qualifier on it and also modified the ServerName directive to append :443 on it. The rest of the skeleton definition I left as it was because it contains all of the SSL stuff. I then saved the file.
I then did an "apachectl configtest" to make sure there were no typos. Fix: repeat until no errors. Then I restarted HTTP (service httpd restart).
Then I accessed my server again, made sure I could get to the old stuff, then tried the secure stuff again via https://secure.internal.example.com.
Presto! I got a squawk message concerning my certificate. This was good news as it was now attempting to talk to me instead of giving me a "no server found" message.
Now I needed a certificate that was more meaningful so I found this site which gave me good instructions on setting up a self-signed secure certificate for testing:
http://sial.org/howto/openssl/self-signed/
Note, because of the secure nature of the .key file, I suggest that all of this work be done as root.
I followed their instructions on how to create the host.key and host.cert files (and the host.info file as well). I created these files in a secure location (and not where apache was going to look for them just in case I hosed something up). I made sure that my common name (CN) was *.internal.example.com (of course you will use your own domain name). Note that the CN starts with an "*." (asterisk period). That's so that any sub-domain of internal.example.com would be covered by the certificate. In my case that would be secure.internal being covered. Note that the name given (internal.example.com) must match the IP of the server that the DNS reports for that name (or else in the squawk box that appears, the third point will be the yellow triangle).
I then changed permissions on the files: "chmod 600 host.cert host.key host.info" to make them readable only to root.
Then I went to the ssl.key directory, renamed server.key to server.key.old and copied in the new host.key file:
$ mv server.key server.key.old
$ cp /root/certs/host.key server.key
Similarly for the ssl.crt directory:
$ mv server.crt server.crt.old
$ cp /root/certs/host.cert server.crt
Again, make sure the permissions on these files restrict them to root.
Then I restarted httpd again. And then I browsed to the secure.internal.example.com again and again got a squawk message. This time the dates showed a green check circle and the valid name check (third and last item on the list) also showed a green check circle. The only fuss was that it was signed by a company (me) that I had not (yet) chosen to trust.
Click on View Certificate to bring up the certificates box and click Install Certificate (if you trust yourself) and the "Certificate Import Wizard" will start. Click Next. The "Certificate Store" panel ought to show up. Since this is a regular certificate, and not a root certificate (which is another route if you have lots of machines needing several test certs) I left the "automatically set..." radio button selected and clicked Next. You should get a complete box. Click Finish. You will get a message titled "Root Certificate Store" asking if you want to ADD the following certificate to the Root Store. Click Yes. You should get a confirmation box saying that the import was successful. Click OK. Note that the two open panels won't refresh themselves. Click OK to the Certificate dialog. I then clicked no to the "squawk" message. Then I re-visited the secure site and no squawk message came up. Success!
OK, now we have it so that secure access works. However, it is still possible to access the secure pages via two mechanisms:
via http: on secure.internal.example.com
via http: on internal.example.com/secure-root
If that's okay for you, then quit now.
To eliminate point 1, I went back into the httpd.conf and deleted my secure.internal.example.com virtualhost definition, checked via configtest and restarted httpd. Tried to go there via http and got to my regular old internal.example.com webpage (the default). Done.
Being the paranoid sort, I then tried going with https and got to the secure pages just fine.
To eliminate point 2, go back into your httpd.conf and add into your virtualhost (of internal.example.com) definition the following:
<Location "/Secure_Server/">
SSLRequireSSL
</Location>
Do a configtest and restart httpd. Done.
And again I went to the secure site via https just to make sure.
OK. I know that was long and I hope it helps somebody.
-g
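As an added example (not code from either post in this thread), the script below automates the certificate step of the walkthrough above and checks a certificate for the two conditions the opening post's ssl_error_log complained about: a BasicConstraints flag of CA:TRUE, and a CommonName that does not match the name clients request. The explicit extension section matters because openssl's default profile for `req -x509` (the `v3_ca` section in openssl.cnf, or the built-in default in newer releases) marks the result as a CA certificate, which is exactly the first error. It assumes `openssl` is on PATH; the file names, the `*.internal.example.com` name and the function names are illustrative. A subjectAltName is included as well because current browsers match the host name against SAN only and ignore the CN.

```shell
#!/bin/sh
# Added example, not code from the thread. Creates a self-signed end-entity
# server certificate with a wildcard CN and checks it against the two
# ssl_error_log complaints from the opening post:
#   "RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE)"
#   "RSA server certificate CommonName (CN) ... does NOT match server name"
# Assumptions: openssl on PATH; host names and paths are illustrative.

# make_server_cert KEYFILE CERTFILE CN [DAYS]
# The x509_extensions section sets CA:FALSE explicitly; the stock openssl
# profile for "req -x509" would otherwise emit CA:TRUE.
make_server_cert() {
    key=$1; cert=$2; cn=$3; days=${4:-365}
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[dn]
CN = $cn
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days "$days" \
        -config "$cfg" -keyout "$key" -out "$cert" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$key" "$cert"   # private key for the owner only, as in the post
}

# is_ca_cert CERTFILE -> exit 0 if BasicConstraints says CA:TRUE
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_cn CERTFILE -> prints the CN; handles both "CN=" and "CN = " subject styles
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# cn_matches CN HOST -> exit 0 if CN covers HOST.
# A "*." wildcard covers exactly one leading label, so *.internal.example.com
# matches secure.internal.example.com but not internal.example.com or
# www.secure.internal.example.com. A leading "." without "*" (the opening
# post's first attempt) is just a literal name and matches nothing useful.
cn_matches() {
    cn=$1; host=$2
    case $cn in
        \*.*) [ "${host#*.}" = "${cn#??}" ] && [ "${host%%.*}" != "$host" ] ;;
        *)    [ "$cn" = "$host" ] ;;
    esac
}

# check_server_cert CERTFILE HOST -> exit 0 only if both checks pass
check_server_cert() {
    cert=$1; host=$2; ok=0
    if is_ca_cert "$cert"; then
        echo "FAIL: $cert carries BasicConstraints CA:TRUE; Apache expects an end-entity server certificate" >&2
        ok=1
    fi
    cn=$(cert_cn "$cert")
    if cn_matches "$cn" "$host"; then
        echo "ok: CN '$cn' covers $host"
    else
        echo "FAIL: CN '$cn' does not match server name $host" >&2
        ok=1
    fi
    return $ok
}

# Stand-alone use: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    make_server_cert host.key host.cert '*.internal.example.com' 365
    check_server_cert host.cert secure.internal.example.com
fi
```

Running it with `demo` leaves host.key and host.cert in the current directory, ready to be copied to the ssl.key and ssl.crt locations described above; `check_server_cert` can also be pointed at an existing server.crt to see which of the two log messages it would trigger before restarting httpd.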