Nov 112000

Apache with SSL

I’m in the process of installing and configuring a web mail client.   I want to use one because I don’t always have access to ssh from remote locations.   But they almost always have access to http.  But everything in http is passed in clear text.  So I’m using SSL to encrypt the traffic.  This will hide both my password and my email from anyone who happens to be snooping.  And That’s A Good Thing ™.

WARNING: If you already have Apache installed, you may find that your existing installation will be broken for a while.  Take a backup.  At least take a copy of your existing Apache configuration files.

If you do want to add SSL to an existing installation, read Integration with an existing Apache first.

Installing the port

A port is easy to install.  And because as I had all the port skeletons installed, I just had to do the following:
cd /usr/ports/www/apache13-modssl
make install

That will get the binaries installed.  But I like to do more than just that.

What will Apache run as?

For example, I prefer to run apache as user www and group www.   This is mostly for security reasons.  If an exploit is ever found for apache, it means they are restricted to that group/user.  That’s simplified, but it’s a good start.  You don’t have to do this.  It’s fine with the default.  Feel free to ignore this section.

I have the following user.  You can add this using adduser or with vipw (and if you do use vipw, remember to use an unallocated number; 99 may already be in use on your machine; the first 99 is the User ID; the second 99 is the group id; if you don’t know what this means, then you should be using the adduser command). 

www:*:99:99::0:0:apache Daemon:/nonexistent:/sbin/nologin

I also created the www group by adding this line to /etc/group (again, if you don’t know about this file, you should be using adduser):



There are a few things you should change in your Apache configuration file.  By default, this file is:

Note: sometimes this file is httpd.conf.

Here are the original entries and what I changed them to.

Original New values User nobody
Group nobody
User www
Group www

Only make this change if the user (www) and group (www) exist.

ServerAdmin you@your.address ServerAdmin

Substitute your email address.

Testing the configuration

After making these changes, you should test them:
# /usr/local/sbin/apachectl configtest
Syntax OK

One day, at band camp, I found the following output:

# /usr/local/sbin/apachectl configtest
[Fri Jun  8 16:02:50 2001] [alert] httpd: Could not determine the server's
fully qualified domain name, using for ServerName
Syntax OK

This can be fixed one of two ways. Either add something like this to /etc/hosts
or something like this to your DNS zonefile:
dev         IN      A
The above solutions assume the host name is

Starting and restarting the server

OK.  Everything is fine.  Now let’s start the server:
# /usr/local/sbin/apachectl startssl
/usr/local/sbin/apachectl startssl: httpd started

It might take a while to start. It’s creating a new random number for security reasons.

Let’s say you made a change to the configuration file.  Now you want Apache to take notice of the change.  Here’s the command you can issue.  You should first do a configtest.

# /usr/local/sbin/apachectl graceful
/usr/local/sbin/apachectl graceful: httpd gracefully restarted

Checking for problems

It’s a good idea to check the logs, just in case:
# tail tail apache_ssl_engine_log
[notice] SIGUSR1 received.  Doing graceful restart
[notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.4 
                 configured -- resuming normal operations

Similarly, remember to check the SSL engine log:

# tail apache_ssl_engine_log
[info]  Init: 1st restart round (already detached)
[info]  Init: Reinitializing OpenSSL library
[info]  Init: Seeding PRNG with 1160 bytes of entropy
[info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[info]  Init: Configuring temporary DH parameters (512/1024 bits)
[info]  Init: Initializing (virtual) servers for SSL
[info]  Init: Configuring server for SSL protocol
[warn]  Init: ( RSA server certificate CommonName 
               (CN) `www.snakeoil.dom' does NOT match server name!?

That "snakeoil" is the default SSL certificate which comes with the install.   We’ll replace that later with our own test certificate.

Remember your firewall

If you have a firewall, remember to give access to port 443, which is https.


Now point your browser at your web server.  Try the address: http://server, where sever is the IP address or name of your webserver.  You should see something like this:

Hey, it worked !
The SSL/TLS-aware Apache webserver was
successfully installed on this website.

Then try https://server which should give you the same screen.

Getting a certificate

I’m about to describe how to create your own testing certificate.   This is not a certificate which you can use for public consumption.  If the public are going to be using your website, then you should get a proper certificate.   How you do that is beyond the scope of this article.  I’m now going to show you how I generated my testing certificate.

The commands I issued are:

# cd /usr/ports/www/apache13-modssl
# make certificate

I changed the value for the fields I knew and accepted the defaults for everything else.  This will create the certificates in the following directory:


Look for two sub-directories, ssl.crt and ssl.key.  The contents of these directories will be copied to the apache home directory.  But first, I saved the existing certificates in case I needed them:

# cd /usr/local/etc/apache
# mv ssl.crt ssl.crt-default
# mv ssl.key ssl.key-default

Then I copied the new keys over:

# cd /usr/ports/www/apache13-modssl/work/apache_1.3.14/conf
# cp -rp ssl.key /usr/local/etc/apache
# cp -rp ssl.crt /usr/local/etc/apache

Then you need to restart Apache.  I originally tried just a "graceful", but that failed to pick up the new certificate.  So I did a stop and then a start.   Here’s what I saw:

# /usr/local/sbin/apachectl startssl
Apache/1.3.14 mod_ssl/2.7.1 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
/usr/local/sbin/apachectl startssl: httpd started

This is good.  I added a passphrase when creating the certificate.  This passphrase is required when starting up the webserver.  Therefore, I had to enter it manually.  I don’t know what I’ll do upon startup.

Removing the passphrase

If you later decide you don’t want the passphrase, there is something you can do.  Have a read of (this URL was provided by Snick^).

There are security issues associated with passphrase removal.  Read the above URL and make your own decision.

Confirming the encryption

I wanted to confirm that my https connection was indeed encrypted.   Under Netscape, I looked at View->Page Info.  Included on that page was this message:
Security: This is a secure document that uses a high-grade encryption key for U.S. domestic use only (RC4, 128 bit).



That indicates the document *is* indeed encrypted.  That’s good enough for me.

Problems I encountered

When I tried to browse to the website from Netscape 4.74, I was created with the following message box:

SSL has recieved an error from the server indicating an incorrect Message Authentication Code. This could indicate a network error, a bad server implementation, or a security violation.

The following errors were found in /var/log/apache_error_log:

[error] mod_ssl: SSL handshake failed (server, 
         client (OpenSSL library error follows)
[error] OpenSSL: error:0407106B::lib(4) :func(113) :reason(107)
[error] OpenSSL: error:04065072::lib(4) :func(101) :reason(114)
[error] OpenSSL: error:1408F071::lib(20) :SSL3_GET_RECORD:bad 
         mac decode [Hint: Browser still remembered details of a 
         re-created server certificate?]

If I used IE4, I didn’t have a problem.  I was confused.

The next day, I tried Netscape again.  It worked.  I think it was because I had restarted the Netscape session (i.e. stopped Netscape and ran it again).  I conclude that because Netscape went through the "Oh, here’s a new certificate, but it doesn’t look quite right to me…" messages.  Then Netscape worked just fine with https.

See the next section for the solution to the above.

Error solution (added on 13 July 2001)

It’s always good when someone else writes in with a solution to a perplexing problem.

Date sent:      	Fri, 13 Jul 2001 08:23:26 -0400
From:           	"Callum M. Duncan"
To:             	comments at freebsddiary in dot org
Subject:        	Apache with SSL certificate error

I ran across the same error the other day while building Apache + SSL +
(countless other modules) Everytime I built Apache, I just ran another 
`make certificate`... just a test cert, so I didn't care about keeping 
the old one.

Obviously Netscape had issues when my new Apache presented a certificate
that did not match the original The trick was to delete the old 

The certificates can be found by digging through the following menus:

Security Info

Hopefully this will same some people some confusion, or at least having to
wait around.(Though I am surprised that worked, but maybe you set a very 
low expiry)

Anyway, thank you for such a great FreeBSD resource!

Indeed that did solve the problem. I can now use Netscape for that URL. For those with an older version of netscape, the menu location is Communicator | Tools | Security Info.

Integration with an existing installation (added on 7 December 2000)

Today I wanted to install SSL on an existing webserver. In fact, it was the one on which FreshPorts runs.  When I followed the above instructions, I wound up with a completely new install of Apache.   Even the old one wouldn’t work.  So here, in brief, is what I did:
  • I made a back up of everything.
  • Deinstalled all apache, ssl, and php (see the output from pkg_info and use pkg_delete to remove them).
  • Did the install as detailed in this article.
  • Installed mod_php4 (I took the opportunity to upgrade from mod_php3).
  • Because many of my existing .php3 files, I made sure the following items where in my Apache configuration file:
    DirectoryIndex index.php index.html index.php3
    AddType application/x-httpd-php .php .php3

I modified these two lines to ensure that .php3 files worked for me.

  One Response to “Apache with SSL”

  1. In current apache13-modssl (1.3.26), make certificate will create you test certificate:
    shoes# make certificate
    ===> Creating Test Certificate for Server
    SSL Certificate Generation Utility (
    Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

    Generating test certificate signed by Snake Oil CA [TEST]
    WARNING: Do not use this for real-life/production systems

    STEP 0: Decide the signature algorithm used for certificate
    The generated X.509 CA certificate can contain either
    RSA or DSA based ingredients. Select the one you want to use.
    Signature Algorithm ((R)SA or (D)SA) [R]:
    [end of quote]

    If you give "make TYPE=custom certificate", system will also generate CA for you and then its upto you to decide how you will secure private key on your CA.