Installing and initial configuration of Apache 1.3.36 + mod_ssl 2.8.27.
# fetch http://www.modssl.org/source/mod_ssl-2.8.27-1.3.36.tar.gz
# fetch http://www.apache.jp/dist/httpd/apache_1.3.36.tar.gz
# tar zxvf mod_ssl-2.8.27-1.3.36.tar.gz
# tar zxvf apache_1.3.36.tar.gz
# cd mod_ssl-2.8.27-1.3.36
# env CFLAGS="-DBIG_SECURITY_HOLE" \
? ./configure \
? --with-apache=../apache_1.3.36 \
? --with-ssl=/usr/local \
? --enable-rule=SHARED_CORE \
? --with-layout=Apache \
? --enable-module=so \
? --enable-module=ssl \
? --enable-module=rewrite \
? --enable-shared=rewrite
Configuring mod_ssl/2.8.27 for Apache/1.3.36
+ Apache location: ../apache_1.3.36 (Version 1.3.36)
+ OpenSSL location: /usr/local
+ Auxiliary patch tool: ./etc/patch/patch (local)
+ Applying packages to Apache source tree:
o Extended API (EAPI)
o Distribution Documents
o SSL Module Source
o SSL Support
o SSL Configuration Additions
o SSL Module Documentation
o Addons
Done: source extension and patches successfully applied.
Configuring for Apache, Version 1.3.36
+ using installation path layout: Apache (config.layout)
(output omitted)
Now proceed with the following commands:
$ cd ../apache_1.3.36
$ make
$ make certificate
$ make install
Following those instructions:
# cd ../apache_1.3.36
# make
===> src
===> src/regex
sh ./mkh -i _REGEX_H_ regex2.h regcomp.c regerror.c regexec.c regfree.c > ../include/hsregex.h
(output omitted)
+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL |
| certificate system by running the 'make certificate' command. |
| For different situations the following variants are provided: |
| |
| % make certificate TYPE=dummy (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom (custom cert signed by own CA) |
| % make certificate TYPE=existing (existing cert) |
| CRT=/path/to/your.crt [KEY=/path/to/your.key] |
| |
| Use TYPE=dummy when you're a vendor package maintainer, |
| the TYPE=test when you're an admin but want to do tests only, |
| the TYPE=custom when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server. |
| (The default is TYPE=test) |
| |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select |
| the signature algorithm used for the generated certificate. |
| |
| Use 'make certificate VIEW=1' to display the generated data. |
| |
| Thanks for using Apache & mod_ssl. Ralf S. Engelschall |
| rse@engelschall.com |
| www.engelschall.com |
+---------------------------------------------------------------------+
<=== src
I'll create the server's private key and certificate signing request (CSR) later; I already have a certificate issued by CAcert, the free CA.
I brought the one from the old server over and ran:
# make certificate TYPE=existing CRT=<path to certificate>
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Using existing custom certificate [EXISTING]
______________________________________________________________________
RESULT: Server Certification Files
o conf/ssl.key/server.key
The PEM-encoded DSA private key file which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
Congratulations that you establish your server with real certificates.
# make install
===> [mktree: Creating Apache installation tree]
./src/helpers/mkdir.sh /usr/local/apache/bin
mkdir /usr/local/apache
mkdir /usr/local/apache/bin
(output omitted)
+--------------------------------------------------------+
| You now have successfully built and installed the |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should first check the |
| (initially created or preserved) configuration files |
| |
| /usr/local/apache/conf/httpd.conf
| |
| and then you should be able to immediately fire up |
| Apache the first time by running: |
| |
| /usr/local/apache/bin/apachectl start
| |
| Or when you want to run it with SSL enabled use: |
| |
| /usr/local/apache/bin/apachectl startssl
| |
| Thanks for using Apache. The Apache Group |
| http://www.apache.org/ |
+--------------------------------------------------------+
Something like that.
Now create the server's private key.
# openssl genrsa -rand <some file> -out server.key -des3 1024
0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.....................................................++++++
........................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:<passphrase>
Verifying - Enter pass phrase for server.key:<passphrase>
As it stands, you'll be asked for the passphrase every time Apache starts.
So run
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:<passphrase>
writing RSA key
and it stops asking.
Next, create the CSR.
# openssl req -new -days 365 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Chigasaki
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Sunday Breeze
Organizational Unit Name (eg, section) []:webmaster
Common Name (eg, YOUR name) []:www.sundaybreeze.jp
Email Address []:<email address>@sundaybreeze.jp
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The result:
-rw-r--r-- 1 root wheel 745 Jul 12 12:41 server.csr
-rw-r--r-- 1 root wheel 887 Jul 12 12:36 server.key
That's how it looks.
Set the permissions on both to 400.
Then move
server.csr to <Apache root>/conf/ssl.csr/ and
server.key to <Apache root>/conf/ssl.key/.
The certificate itself lives in <Apache root>/conf/ssl.crt/.
Is it really fine that this isn't the CSR the certificate was issued from?
Oh well.
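As an added example (not the post's own commands), here are the key and CSR steps above as an unattended script, plus the check that answers the CSR question: at runtime what has to belong together is the private key and the certificate, not the CSR. It assumes the OpenSSL CLI is on PATH and uses 2048-bit RSA instead of the post's 1024; the DN is the one from the post and the self-signed helper only stands in for the CAcert-issued certificate when trying it out.

```shell
#!/bin/sh
# Added example (not the post's own commands): unattended key + CSR generation
# for Apache/mod_ssl, and a key/certificate consistency check.
# Assumptions: OpenSSL CLI on PATH; 2048-bit RSA instead of the post's 1024.
set -e

# Files are created mode 600 from the outset, so the unencrypted key (the post
# strips the passphrase with "openssl rsa") is never readable by other users,
# not even before the later chmod 400.
umask 077

# Private key without a passphrase: Apache can start unattended, so the file
# itself is now the only secret. Equivalent to the post's genrsa -des3 followed
# by "openssl rsa -in server.key -out server.key".
gen_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# CSR with the DN from the post passed via -subj instead of the prompts.
# Note: -days has no effect on a CSR; the CA decides the validity period.
gen_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=JP/ST=Kanagawa/L=Chigasaki/O=The Sunday Breeze/OU=webmaster/CN=www.sundaybreeze.jp"
}

# Stand-in for the CA-issued certificate when trying this out: self-signed.
self_signed_cert() {
    openssl req -x509 -new -key "$1" -out "$2" -days 1 -subj "/CN=www.sundaybreeze.jp"
}

# SSLCertificateKeyFile and SSLCertificateFile must belong together: compare
# the RSA modulus of the key with that of the certificate. Which CSR was sent
# to the CA is irrelevant here; the key the CSR was made from is not.
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus)
    if [ "$key_mod" = "$crt_mod" ]; then
        echo "key and certificate match"
    else
        echo "key and certificate DO NOT match" >&2
        return 1
    fi
}
```

Run key_matches_cert against the files in conf/ssl.key and conf/ssl.crt before the first apachectl startssl; a mismatch there is what produces an SSL startup failure later.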
httpd.conf is taken over from the old server as is.
You can check that the config file is valid with
# <Apache root>/bin/apachectl configtest
but since mod_become, PHP and so on aren't installed yet, it reports errors.
That's for another day.
The Apache startup script should be in
/usr/local/etc/rc.d
Should be. But it isn't. Why?
So, unorthodox as it is, I ran
# cd /usr/ports/www/apache13
# make
to build through ports as far as make, then copied the resulting
/usr/ports/www/apache13/work/apache_1.3.36/apache.sh
to /usr/local/etc/rc.d.
Naturally the start command and so on need to be edited.
Then add
apache_enable="YES"
to /etc/rc.conf and reboot, and it should start.
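An added example, not the ports apache.sh the post copies: a minimal old-style rc.d script of the kind /usr/local/etc/rc.d held for Apache 1.3, with two gates in front of startssl. It refuses to start when configtest fails (the situation the post describes with mod_become and PHP missing) and when httpd.conf says User root, which the -DBIG_SECURITY_HOLE build above would otherwise allow. The paths follow the post's /usr/local/apache layout and are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not the ports apache.sh from the post): old-style
# /usr/local/etc/rc.d/apache.sh for Apache 1.3 + mod_ssl. Paths are assumed
# from the post's layout and can be overridden through the environment.
APACHECTL="${APACHECTL:-/usr/local/apache/bin/apachectl}"
HTTPD_CONF="${HTTPD_CONF:-/usr/local/apache/conf/httpd.conf}"
PIDFILE="${PIDFILE:-/usr/local/apache/logs/httpd.pid}"

# True when httpd.conf asks the children to run as root. The build above uses
# -DBIG_SECURITY_HOLE, which is exactly what makes Apache accept that, so the
# config has to be the line of defence instead.
config_runs_as_root() {
    grep -Eiq '^[[:space:]]*User[[:space:]]+root([[:space:]]|$)' "$HTTPD_CONF"
}

# Gate startssl behind configtest and the User check, so a broken or dangerous
# httpd.conf produces a clear refusal rather than a root-owned httpd or a
# silent failure after reboot.
apache_start() {
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        echo "apache: configtest failed, not starting" >&2
        return 1
    fi
    if config_runs_as_root; then
        echo "apache: refusing to start with 'User root' in $HTTPD_CONF" >&2
        return 1
    fi
    "$APACHECTL" startssl
}

apache_stop() {
    "$APACHECTL" stop
}

# Exit 0 only if the pid recorded in the pidfile is still alive.
apache_status() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

case "$1" in
    start)   apache_start ;;
    stop)    apache_stop ;;
    restart) apache_stop; apache_start ;;
    status)  apache_status && echo "apache: running" || echo "apache: stopped" ;;
    "")      ;;  # no argument (e.g. when sourced): only define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 64 ;;
esac
```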