RSS feed for InstantSpot site Blog of Dave

Create SSL sites in Apache on Windows with OpenSSL

Fri, 13 Nov 2009 03:47:33 GMT

To get a secure SSL site up and running on Apache under Windows, there are a few hoops to jump through that are not very intuitive. To that end, I am going to document my approach to setting up SSL using OpenSSL. This approach assumes that you already have Apache up and running on your machine, so if you have not done that, head over to the HTTPD download page and set that up before continuing.

Setting up OpenSSL
First we need to get OpenSSL setup on our system, which is not included with the Apache Windows binaries. In fact the OpenSSL project doesn't even provide the binaries themselves, but you can find them at Shining Light Productions. For this example, I will be choosing the Win32 OpenSSL v0.9.8k Light version. If you see a message like the one below, you will need to install the Microsoft Visual C++ 2008 Redistributable Package and then attempt the OpenSSL installation again.

Once you have it installed, you can do a quick test to make sure that it is set up properly:
Creating Certificates
Next, we will use the OpenSSL terminal interface to create our self-signed certificates. To explain a bit about what is going on below, I have a site already existing on my system that can be reached at http://scribble. What we are doing is creating a secure subdomain of https://secure.scribble. Typically when I create certificates, I name the files with the host/domain obvious so that they can be easily identified later. Obviously you will want to replace the domain name to match your setup, but type the following in the terminal in the OpenSSL/bin directory:

[codeblock 433]

That will generate what you see below.

You may notice that I left a lot of the prompts blank. Considering this is a dummy certificate in a development environment, that approach makes sense. You may choose to be more explicit based on your needs.

If we were to use this key as it is, we would be prompted for the password every time that Apache starts. Since that is less than ideal, we will now generate a non-protected key from the one we created in the previous step by typing the following:

[codeblock 434]

You can see that I was prompted for a pass phrase. This is the same password that you created when we generated the certificate above.

Now we need to need to build the certificate that we will actually import into Apache. You can do so by typing:

[codeblock 435]

This will result in the following output:

You can see that we now have a .cert, .csr, .key, and .pem file for our domain. We will use a combination of the .key and the .cert
Configuring Apache
Now we need to make sure that your Apache server is ready to serve SSL requests.

First, let's put the .key and .cert files that we created above into a directory under Apache. In your "conf" directory, create a subdirectory named "ssl" and move secure.scribble.key and secure.scribble.cert into that new directory.

Next we need to make sure that the mod_ssl module is enabled. Open up the httpd.conf file for your Apache webserver. Search for "mod_ssl" and you should find a line that looks like this:

Yours will likely be commented out with a '#' sign in front of the line. You will want to delete that '#' so that it looks like the highlighted line above.

Next you will need to make sure that you have uncommented the line that includes the httpd-ssl.conf file like you see below:

The last thing we need to do is configure our site. Open up the conf/extra/httpd-ssl.conf file in an editor. You will see that there is an amazingly huge and complex site definition in there already that starts with and ends about 150 lines later with . We need to disable this site. If you are feeling bold, you can simply delete it. However, I take the approach of commenting it out entirely so that I still have it as a reference, which is my recommendation as well. Starting with the line , put a '#' at the start of every line that doesn't already have one and continue until you comment out the line.

Now it is finally time for us to create the site definition for our https://secure.scribble site. We will use some of the concepts in the example, but eliminate most of them. Here is what mine looks like after paring down all the excess:
[codeblock 436]

In that code you can see where we are pointing to the .key and .cert files that we created above.

Now, restart your Apache server and you are now serving up securely!

A linux guy's experience with Windows 7

Mon, 19 Oct 2009 13:58:00 GMT

Anyone who knows me well knows that I am typically somewhat of an anti-Windows guy. I absolutely love linux, and get very frustrated by Windows in general. The only thing that I really dislike about linux is the lack of application support by a number of companies (ahem…. Adobe). Before going to the Adobe MAX conference, I decided I should swap out OSes on my personal laptop so that I could run all the stuff I would need for labs without constantly cursing about being stuck in a VM, limited functionality, etc. A friend had just bought a package of Windows 7 licenses and sold me one for 5 bucks, which I considered to be a pretty reasonable risk. I opted for installing Windows 7 on my laptop.

Given that background and my previous feelings about Windows, I have to say that it is a pretty dang nice operating system. It is by far the best offering to date by MS in my opinion. There are a few things that they still haven't managed to get right (native file copy still makes me want to stick forks in my eyes), but by and large they have done a great job with Windows 7. Other than having to track down a few drivers for my laptop, the installation was painless – if not fast. This is still an area that linux, and especially Ubuntu, wins hands down though. Apps run extremely stable, and with the addition of a new concept of "Libraries", directories that I need access to regularly are right at hand instead of having to tree down through big hierarchies. I am also not finding what I expected would be an immediate degradation of performance after installing all the servers and development tools that I use on a daily basis. Over all, so far so good.

A few things that I think are a *must* for the way that I use it.

I found a "sudo" program called Start++ that allows me to open applications from the terminal or start menu as Administrator by typing sudo notepad [or some other program]. It will prompt you for the UAC stuff and the program will open as administrator. I use this regularly for editing system files like hosts, apache configs, and use it to open a terminal to fire off j2ee servers.
Install Teracopy which is a replacement for the Windows copy program. While certainly not as fast/efficient as a linux terminal, it greatly increases file copy speed over the native windows GUI file copy. No more "preparing to copy" waits while your system bogs down.

Things that annoy me

I still wish I could have a real terminal and be able to use VI in sudo, but that is just something I will have to get over I guess.
I hate that I now have to be so careful with regard to viruses and spyware. I love the protection that linux offers in that area, and having to go out of my to stay protected seems a bit cumbersome.
I miss being able to easily try out software with the ease of the synaptic package manager. It seems foreign now to have to download an exe run an installer and have settings being obscurely written all over a "black box" registry.
I miss built-in networking tools. Even simply things like being able to run "whois" from the teminal.
My drive is getting fragmented far faster than with linux, and I find that I am running the defrag tool fairly often. Linux just manages this under the covers and I never have to worry about it.

All said, after using it for about the past 4 weeks, I can honestly say that I am surprised (and perhaps even a bit disappointed) that I like it as much as I do. I planned on just running it while I was at the Adobe MAX conference and going back to linux when I got home, but it looks like I will be keeping it for a while longer.

I recommend saying "format c: /q" near your new Vista machine

Fri, 02 Feb 2007 01:51:05 GMT

As reported by ZDnet, Microsoft has left a funny security hole in their new offering to the masses that allows an attacker - or just someone who is able to... you know...talk and stuff - to verbally execute commands through its speech recognition feature. One point that has been brought up is that someone could send an audio file that played the commands for your computer to follow. How about that! So for those of you who continue to use Windows and migrate to Vista, you might consider disabling leaving your microphone off unless you are actually using it. Also, before they get a patch out, you *have* to go play with it and let me know what you were able to actually do!

Here is the complete article which includes a confirmation response from Microsoft on the exploit.

Mounting drives in Windows... just like Linux!

Wed, 10 Jan 2007 22:13:59 GMT

Before continuing I must concede to the fact that I am *not* a fan of Windows. I use it where I have to, but by and large I feel that Linux, specifically Ubuntu, is just a more pleasant experience and is a better tool for the kind of jobs that *I* need a computer to do. I must also admit that I was Microsoft certified about 9 years ago (the NT4 track!), so what I "discovered" last night might not be entirely new to many people, but it was certainly new to me so I thought I would share. Plus, considering how rarely I have compliments for Windows, I feel obligated to share this so that my steadfast Microsoft fanboy friends will quit saying "Why do you hate Bill Gates?", which incidentally I do not.

Now that I have gotten that out, let me tell you about a cool feature I found within Windows last night. It actually does something the way that Linux does!

One of the Windows web servers that we interact with has its webroot on the D: drive, with a path D:\inetpub\wwwroot. At the time that this application was created, hard drives were not the size they are today and 8GB seemed like a reasonable partition for a data drive. However the application has grown, as has its need for hard drive consumption and it finally reached a level which needed to be addressed.

I originally set out to add a new drive (E:), then move the wwwroot over to the new drive, update all mappings in IIS, including virtual directories, and update any mappings within ColdFusion. This was not a very exciting prospect considering this is a live production server. However, this seemed like a fairly logical approach so I began.

First I added the new drive and initialized it in the Disk Manager. I now had this 80GB empty partition which I planned on turning into E: After choosing to to make it a "Primary Partition" and selecting the size, I got to the point for choosing the drive letter. This is where an option jumped out at me that I had never noticed before, which is a testament to both my lack of observance and to how fast I normally cruise through this section! I was presented with the following:

WHAT??? "Mount"???

The solution became abundantly clear immediately. Rather than have to re-map paths and risk blowing up whatever buried physical paths might lurk under the covers of this legacy application, I would simply mount the new drive as: d:\inetpub\wwwroot - just like Linux but with backwards slashes and the funny letter/colon thing on the front!

So, I renamed the existing wwwroot folder to wwwroot.old, mounted the drive to that position, and copied over all files from the old wwwroot to the new wwwroot. I restarted ColdFusion and IIS and the application picked up right where it had left off without a hitch!

So (get ready to write this down, because you won't hear it often from me).... YAY for Windows!

Grand Canyon... It's on!

Mon, 11 Jul 2005 05:00:00 GMT

My father and I decided that this was the year that we would hike the North Rim to the South Rim of the Grand Canyon. I know this seems crazy, but it is actually a paperwork challenge to be able to hike the Grand Canyon. There is an application process in which you have to fax your request in the 1st day of the month 6 months before the intended date of your trip with a detailed itinerary, including where you will be sleeping and when. We sent faxed our paperwork in and held our breath on the 1st of April, 6 months before we hoped to go in September. After no word for a month we finally contacted them, only to find out that we had been rejected. Discouraged, but not beaten, we laid out the calendar to see if there was another time that would work. We decided that November would be acceptable, albeit a little colder. It should be in the 60s in the bottom of the canyon though where we will spend the majority of our time. Once again, we laid out our itinerary and faxed in on July 1. My dad received a letter today dated July 6, 2005 telling him that they were sorry, but they were unable to accept out application. He spent a good hour walking around the house cussing and feeling terribly disappointed. A bit later my mom noticed there was another letter from the Grand Canyon dated July 7, 2005.

Dear Mr. Shuck, we have accepted your request to hike the Grand Canyon on the dates of November 1, 2 and 3, 2005. Enlcosed are your passes, which you will need to affix to your backpack and carry with you in the canyon. There is no need to stop by the back country headquarters before departing on the trail.

So in 3.5 months, I will be taking this in....