How To Install Apache 2 with SSL on Linux (with mod_ssl, openssl)

This article gives step-by-step instructions on how to install Apache 2 with mod_ssl.

I prefer to install Apache from source, as it gives me more flexibility on exactly which modules I want to enable or disable, and I can also upgrade or apply a patch immediately after it is released by the Apache foundation.

1. Download Apache

Download Apache from httpd.apache.org. The current stable release is 2.2.17.

Once you get the direct URL to download the latest stable version of Apache, use wget as shown below to download it directly to your server.

cd ~
wget http://www.eng.lsu.edu/mirrors/apache//httpd/httpd-2.2.17.tar.gz
tar xvfz httpd-2.2.17.tar.gz

2. Install Apache with SSL/TLS

View all available Apache installation and configuration options as shown below.

cd httpd-2.2.17
./configure --help

To install an Apache module, you would typically say --enable-{module-name}. For example, to install SSL with Apache, it is --enable-ssl. To install the ldap module, it is --enable-ldap.

To uninstall any default module that comes with Apache, you would typically say --disable-{module-name}. For example, to disable basic authentication in Apache, it is --disable-auth-basic.

In this example, we will install Apache with all default modules, with the addition of --enable-ssl (to install mod_ssl for SSL support) and --enable-so, which lets Apache load modules at run time via the Dynamic Shared Object (DSO) mechanism, rather than requiring a recompilation.

./configure --enable-ssl --enable-so
make
make install

Note: By default the above installs Apache under /usr/local/apache2. If you would like to change this location, use the --prefix option of ./configure.

3. Enable SSL in httpd.conf

The Apache configuration file httpd.conf is located under /usr/local/apache2/conf.

Uncomment the httpd-ssl.conf Include line in the /usr/local/apache2/conf/httpd.conf file.

# vi /usr/local/apache2/conf/httpd.conf
Include conf/extra/httpd-ssl.conf

View the httpd-ssl.conf to review all the default SSL configurations. For most cases, you don’t need to modify anything in this file.

vi /usr/local/apache2/conf/extra/httpd-ssl.conf

The SSL certificate and key are required before we start Apache. The server.crt and server.key files mentioned in httpd-ssl.conf need to be created before we move forward.

# egrep 'server.crt|server.key' httpd-ssl.conf
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

4. Create server.crt and server.key file

First, generate the server.key using openssl.

cd ~
openssl genrsa -des3 -out server.key 1024

The above command will ask for the password. Make sure to remember this password. You need this while starting your Apache later.

If you don’t provide a password, you’ll get the following error message.

2415:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters

Next, generate a certificate request file (server.csr) using the above server.key file.

openssl req -new -key server.key -out server.csr

Finally, generate a self-signed SSL certificate (server.crt) using the above server.key and server.csr files.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

For more details refer to: How To Generate SSL Key, CSR and Self Signed Certificate For Apache

5. Copy the server.key and server.crt

Copy the server.key and server.crt files to the Apache configuration directory.

cd ~
cp server.key /usr/local/apache2/conf/
cp server.crt /usr/local/apache2/conf/
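
A pre-flight check for the files from steps 3 to 5, to run before apachectl start: it reads the certificate and key paths from httpd-ssl.conf, then checks the key file's permissions, that the certificate matches the key, the key size and the expiry date. This is an added example, not part of the original article; the function names are this example's own, and the 2048-bit minimum is its assumption (the 1024-bit key generated in step 4 is below what current guidance recommends).

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate and key that
# httpd-ssl.conf points at. Function names are this example's own.

# Print the path configured for a directive such as SSLCertificateFile.
# Commented-out lines do not match because their first field starts with "#".
ssl_conf_path() {            # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# True when group and others have no permission bits on the file.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# True when the certificate carries the public half of the private key.
# $3 is an optional openssl pass phrase source, e.g. env:KEYPASS.
cert_matches_key() {         # $1 = cert, $2 = key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout ${3:+-passin "$3"}) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Size in bits of the public key in the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

preflight() {                # $1 = httpd-ssl.conf, $2 = optional passin
    crt=$(ssl_conf_path "$1" SSLCertificateFile)
    key=$(ssl_conf_path "$1" SSLCertificateKeyFile)
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "FAIL: certificate or key file missing"; return 1; fi
    key_is_private "$key" ||
        { echo "FAIL: $key is group/world accessible (chmod 600)"; return 1; }
    cert_matches_key "$crt" "$key" "$2" ||
        { echo "FAIL: certificate does not match private key"; return 1; }
    bits=$(cert_key_bits "$crt")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: ${bits:-unknown}-bit key, use 2048 or more"; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    echo "OK: $crt and $key pass"
}

# Run directly: sh preflight.sh /usr/local/apache2/conf/extra/httpd-ssl.conf
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

For a key protected with a pass phrase, as in step 4, pass an openssl pass phrase source as the second argument (for example env:KEYPASS) so the comparison can read the key without prompting.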

6. Start Apache and verify SSL

Start the Apache as shown below.

/usr/local/apache2/bin/apachectl start

This will prompt you to enter the password for your private key.

Apache/2.2.17 mod_ssl/2.2.17 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

By default Apache SSL runs on port 443. Open a web browser and verify that you can access your Apache using https://{your-ip-address}

Comments on this entry are closed.

  • Ashish Sood March 1, 2011, 4:02 am

    Nice article, I will try this.
    Thanks

  • donb March 1, 2011, 9:06 am

    Hi Ramesh,

    Good article. Could you do a quick article on setting up Apache once it’s installed. Maybe some simple apache administration tips…
    examples:
    — Hosting multiple virtual hosts on an apache instance
    — Securing the server
    — etc.

    Thanks
    Don

  • Keith March 1, 2011, 11:42 pm

    Thanks for the article, is there any benefit in installing Apache from source rather than from the distro package manager? I’ve read people saying to always install from the distro’s repo and package management to ensure security updates are applied.

    My servers are running Debian with Apache installed from aptitude so I’m curious about the install from source method.

    Thanks

  • Ajit March 2, 2011, 7:17 am

    I did try this in one of our lab servers but the wget command is not working. I am getting the following error….
    and the screen is not going ahead
    wget http://www.eng.lsu.edu/mirrors/apache//httpd/httpd-2.2.17.tar.gz
    --18:50:23-- http://www.eng.lsu.edu/mirrors/apache//httpd/httpd-2.2.17.tar.gz
    => `httpd-2.2.17.tar.gz'
    Resolving http://www.eng.lsu.edu... 130.39.24.178
    Connecting to http://www.eng.lsu.edu|130.39.24.178|:80…

  • pawan March 2, 2011, 12:06 pm

    Hello all, I ordered SSL certs and doubt I have given wrong pass phrase during order and the certs were issued and installed. Is there any chance I can compare the pass phrase with the old certs?

  • Raghavendra March 2, 2011, 12:25 pm

    I have tried to install Apache on RHEL 5 along with openssl but
    ./configure --enable-ssl --enable-so
    output is as follows
    configure: error: …No recognized SSL/TLS toolkit detected
    could you please reply what the problem might be

  • Yogesh March 3, 2011, 4:11 am

    @Keith
    Installing Apache from tar.gz source is always better than rpm. RPMs are outdated in both the cases:
    1) when you download and install them
    2) install it from CD/DVD
    Source on the other hand is always updated. So when you download source.tar.gz you are getting all latest bug fixes with it 🙂

    Moreover, it is easy to ‘choose’ what to install or not when you compile it using ./configure. You won’t get this with rpm! This is of the utmost necessity when you use a variety of PHP & MySQL extensions in a production environment.

    If you want to update/upgrade your current source installation, just backup main configuration files compile a newer version of apache, replace the configuration files. That’s it!

  • Yogesh March 3, 2011, 4:13 am

    @Ajit
    Are you downloading this on a Linux machine which is behind any firewall?
    This is simple internet connection problem. You may try using another download mirror. There are several available online 🙂

  • Yogesh March 3, 2011, 4:14 am

    @pawan
    As far as I know, you can’t check pass phrase once the certificate is issued!

  • Yogesh March 3, 2011, 4:16 am

    @Raghavendra
    Your machine seems not having open-ssl package installed?
    Please download openssl and then continue with compiling process.
    Hope you have all other prerequisites like gcc, gcc-c++, make, etc installed on your system.

  • Ajit March 4, 2011, 4:02 am

    Yogesh,
    I am behind a firewall. Then how can I download from that site?

  • Yogesh March 15, 2011, 12:22 pm

    @Ajit…. There are various ways… best is to download it on a windows desktop which is NOT behind firewall and then use WinSCP to upload the downloaded content to Linux server.

  • Mothra April 5, 2011, 6:21 am

    Fantastic and simple to follow tutorial, which serves as a useful reference for the rest of us.

    I would add the procedure to remove the passphrase from server.key before copying it to the conf directory. This avoids the scenario at 3am when the server has crashed, and you can’t start Apache without the passphrase, which you’re sure you wrote down somewhere…

    mv server.key server.key.ORIG
    openssl rsa -in server.key.ORIG -out server.key

    Also, a great follow-up tutorial would be to show how to install additional modules without recompiling in Apache (using apxs -c -i mod_whatever.c, etc…)

  • Donald May 4, 2011, 1:54 pm

    Nice and concise instructions. All to the point where potential problems arise.

    I use 192.168.1.5 static IP and self-signed certificate for the home server behind router, and I name the server as, say, foo.dyndns.org (I do have it registered free from dyndns.org but it points to my router’s public IP address. From router I port-forward https requests to 192.168.1.5). Whenever I do /usr/local/apache2/bin/apachectl start, it either says it cannot reliably determine server’s fully qualified domain name and hangs, or, after I change hostname from foo to foo.dyndns.org, it simply hangs without error. In either case, although I can see port 443 is listening, I don’t see any instance of httpd process, and I cannot https to the server even from a local 192.168.1.4 machine. Below are some of the configured variables. Can anyone provide help?

    [root@foo conf]# hostname
    foo

    [root@foo conf]# cat /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=foo

    [root@foo conf]# cat /etc/hosts
    127.0.0.1 localhost foo
    192.168.1.5 foo.dyndns.org foo

    https-ssl.conf:

    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName foo:443
    ErrorLog "/usr/local/apache2/logs/error_log"
    TransferLog "/usr/local/apache2/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

  • Mothra May 5, 2011, 4:04 pm

    @Donald

    ServerName should be the FQDN (and the :443 part is redundant) – so for your example above, it should be:

    ServerName foo.dyndns.org

    Also, I hope that config you posted is inside a VirtualHost?

    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

    ….. other configuration, rewrite rules etc. that apply to the SSL host …..

  • Mothra May 5, 2011, 4:13 pm

    @Donald

    Another part I spotted – in your /etc/hosts you’ve got the name “foo” twice – one against the loopback address and the other against the external IP. This means no application can resolve the name “foo” successfully and it’s probably the reason Apache hangs.

    Take “foo” off the end of the top line (the one with 127.0.0.1) and your name resolution will be fixed.

  • Mothra May 5, 2011, 4:15 pm

    RE # 15 – sorry, that was meant to have the VirtualHost tags in it, but they were stripped out by this site.

  • vijaykumar May 10, 2011, 9:08 pm

    Having a small problem .. after I copy the server.srt and the server.key and restarted the Apache server … it starts up without prompting for pass phrase.. please help asap

  • yunus June 21, 2011, 2:15 am

    Hi,

    I would like to know how to setup reverse mod_proxy to convert https request to http. My scenario is that I have a web server running on http (LAN). I need to get a https request from internet users to that same server and convert it into http and pass it to that server.

  • Paulo September 5, 2011, 6:24 am

    Excellent article!!!!!
    I tried everything you said and its working flawlessly.
    Thanks a lot!

  • Shomfin December 20, 2011, 3:53 pm

    Very well written, easy-to-use article. Works great, thank you!!

  • Jyoti December 29, 2011, 1:46 am

    Thanks Ramesh for such a nice article. I have just followed your steps for server.csr, self signed server.key as well as server.crt generation, and also copied those to the conf directory of Apache. But my problem is that whenever I am starting Apache it doesn’t ask me to enter the password but starts properly, though I have installed mod_ssl; but when I took a look inside the module directory of Apache no module for ssl is there, and no LoadModule for ssl is there in httpd.conf. Please suggest what changes to make in httpd.conf as well as httpd-ssl.conf so that I can proceed with the ssl/https configuration for my production server. I am really stuck here. As my is starting properly so http is working but https is not.

    Thanks in advance!

  • Jyoti January 2, 2012, 7:56 am

    I am waiting for your reply Ramesh

  • Anonymous March 7, 2012, 8:42 am

    I have enabled SSL with Apache 2.0.63. And I started Apache with command

    ./apachectl -k start -D SSL

    I can also see running port netstat -tlnp
    tcp 0 0 :::443 :::* LISTEN 32320/httpd

    but when i launch url in browser with https. But its working fine with http
    The requested URL /Login was not found on this server.

    Also i got file not found
    File does not exist: /opt//httpd/htdocs/pm

    RewriteEngine on
    RewriteRule ^/$ /pm/Login [R]
    RewriteRule ^/pm$ /pm/Login [R]
    RewriteRule ^/pm/$ /pm/Login [R]
    RewriteRule ^/pm/login$ /pm/Login [R]
    RewriteCond %{REQUEST_METHOD} (GET)

    Could you please let me know if i am missing anything here?

    Regards,
    Riyaz

  • Sarina May 21, 2012, 5:22 am

    While trying to enable proxy,rewrite,ssl,ajp. I’m receiving errors with ssl enabling:
    server_name:/tmp/httpd-2.2.22 # ./configure --enable-proxy --enable-rewrite --enable-ssl --enable-proxy-http --enable-proxy-ajp

    Error:
    adding "-I$(top_srcdir)/modules/proxy/../generators" to INCLUDES
    checking whether to enable mod_ssl… checking dependencies
    checking for SSL/TLS toolkit base… none
    checking for OpenSSL version… checking openssl/opensslv.h usability… no
    checking openssl/opensslv.h presence… no
    checking for openssl/opensslv.h… no
    checking openssl/ssl.h usability… no
    checking openssl/ssl.h presence… no
    checking for openssl/ssl.h… no
    no OpenSSL headers found
    checking for SSL-C version… checking sslc.h usability… no
    checking sslc.h presence… no
    checking for sslc.h… no
    no SSL-C headers found
    configure: error: …No recognized SSL/TLS toolkit detected

    I’ve checked for openssl package on my machine and it is there.
    which openssl
    /usr/bin/openssl

    I’m using SUSE Linux 64 bit m/c

  • Giuseppe Bertone June 7, 2012, 6:47 am

    @Sarina You need the OpenSSL development package installed, the binary one is not enough because it does not contain the header files.

  • Ravi August 9, 2013, 4:55 am

    Hi

    My openssl version is OpenSSL 1.0.0-fips

    I have installed Apache 2.2.25 on RHEL 6.4 but while starting Apache it is throwing some error like
    Unable to initialize TLS servername extension callback (incompatible OpenSSL version?)

    Can anyone provide me some solution?

  • Mustapha Oldache February 1, 2014, 12:05 pm

    Hi!
    Always thanks.

  • Manny May 3, 2015, 8:22 pm

    Thank you.

  • Mayank Aggarwal August 14, 2015, 9:01 am

    Kindly put such articles related to Jboss as well.