Installing Apache2 with SSL (httpd) on Solaris 10

Most of the steps below are copied from Mel Lester Jr. ([email protected]), with some minor modifications to his tips:

Apache 2.xx is included with Solaris 10. A few configuration details need to be addressed prior to starting Apache 2.xx:
1. Login as root
wired# _

2. Copy the file, /etc/apache2/httpd.conf-example to /etc/apache2/httpd.conf
wired# cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf

3. Edit /etc/apache2/httpd.conf
- Set ServerName if necessary (default is 127.0.0.1)
- Set ServerAdmin to a valid email address
4. From the command line type:
wired# svcadm enable apache2

That is all it takes to start the basic Apache 2 web server bundled with Solaris 10. In fact, the Apache 2 web service should persist through server and/or zone boots. The actual web pages are located in the /var/apache2/htdocs directory by default.

SSL Certificate Configuration for Apache2 on Solaris 10
By: Mel Lester Jr. ([email protected])
Version 1.04 (June 21, 2006)

1. Enable SSL Service Property if necessary. Log in as root and issue the following command:
web# svcprop -p httpd/ssl svc:network/http:apache2

If the response is “false”, issue these three commands:
web# svccfg -s http:apache2 setprop httpd/ssl=true
web# svcadm refresh http:apache2
web# svcprop -p httpd/ssl svc:network/http:apache2

If the response is “true”, continue to the next step.
2. Create a Certificate Directory and a Key Directory.
web# mkdir /etc/apache2/ssl.crt
web# mkdir /etc/apache2/ssl.key

3. Generate a RSA Key.
web# /usr/local/ssl/bin/openssl genrsa -des3 1024 > /etc/apache2/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
……………………..++++++
………++++++
e is 65537 (0x10001)
Enter pass phrase: ********
Verifying - Enter pass phrase: ********

4. Generate a Certificate Request.
web# /usr/local/ssl/bin/openssl req -new -key /etc/apache2/ssl.key/server.key > \
> /etc/apache2/ssl.crt/server.csr
Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:OR
Locality Name (eg, city) []:Blodgett
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:DIS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Big Cheese
Email Address []:[email protected]
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ********
An optional company name []: Live Free or Die

5. Install a Self-Signed Certificate. If you are going to install a certificate from an authoritative source, follow their instructions and skip this step.
web# /usr/local/ssl/bin/openssl req -x509 -days 3650 -key \
> /etc/apache2/ssl.key/server.key \
> -in /etc/apache2/ssl.crt/server.csr > \
> /etc/apache2/ssl.crt/server.crt
Enter pass phrase for /etc/apache2/ssl.key/server.key: ********

6. Modify the ssl.conf file to use your certificate.
web# cd /etc/apache2
web# ls -l
total 334
-rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance-std.conf
-rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance.conf
-rw-r--r-- 1 root bin 37519 Jan 6 21:10 httpd-std.conf
-rw-r--r-- 1 root root 37660 Jan 18 21:49 httpd.conf
-rw-r--r-- 1 root bin 37661 Jul 20 2005 httpd.conf-example
-rw-r--r-- 1 root bin 12959 Jan 6 21:10 magic
-rw-r--r-- 1 root bin 15020 Jan 6 21:10 mime.types
-rw-r--r-- 1 root bin 10759 Jan 6 21:10 ssl-std.conf
-rw-r--r-- 1 root bin 10996 Jan 6 21:10 ssl.conf
drwxr-xr-x 2 root root 512 Jan 19 03:24 ssl.crt
drwxr-xr-x 2 root root 512 Jan 19 02:52 ssl.key

Edit the ssl.conf and change the line that begins with “ServerAdmin” to reflect an email address or alias for the Server’s Administrator.
7. Test the SSL Certificate with Apache2
- If Apache2 is enabled, disable it during testing.
web# svcs | grep -i apache2
online 3:29:01 svc:/network/http:apache2
web# svcadm disable apache2

- Use the legacy script to manually test start Apache2 with SSL.
web# /usr/apache2/bin/apachectl startssl
Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server 127.0.0.1:443 (RSA)
Enter pass phrase: ********
Ok: Pass Phrase Dialog successful.

If this test fails with an error similar to ‘vhost.c:232 assertion “rv == APR_SUCCESS” failed on startssl’, your server may not be configured to use DNS to resolve host names. This failure is due to a known bug in Apache2 2.0.nn. A quick fix is to edit the hosts line in your server’s /etc/nsswitch.conf to look like the following:
hosts: files dns

More information about this issue may be found at:
http://issues.apache.org/bugzilla/show_bug.cgi?id=27525

After editing /etc/nsswitch.conf or otherwise resolving the issue, repeat the test until you are able to manually start and stop Apache2 using your SSL Certificate and Pass Phrase.
web# ps -ef | grep httpd
root 1392 575 0 03:45:16 ? 0:01 /usr/apache2/bin/httpd -k start -DSSL
root 1400 1116 0 03:45:51 pts/3 0:00 grep httpd
webservd 1393 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1397 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1396 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1395 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1394 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL

- If your results are similar to the one above, use the legacy script to conclude the test. You may also want to verify that a client browser can access your site using https before continuing. Accept the self-signed Certificate if necessary.
web# /usr/apache2/bin/apachectl stop

8. Enable Apache2 with SSL to be started automatically as a service.
web# cd /etc/apache2/ssl.key
web# cp server.key server.key.org
web# /usr/local/ssl/bin/openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: ********
writing RSA key
web# chmod 400 server.key
web# svcadm enable apache2
web# svcs | grep -i apache2
online 4:29:01 svc:/network/http:apache2
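
An added example, not part of Mel Lester's procedure: a header and permission audit of the files produced in steps 3 through 8. It reports whether server.key still carries a pass phrase, flags a pass-phrase-free key that group or other can read, and confirms that server.csr and server.crt hold the PEM types their names imply. The function names are hypothetical, and a POSIX shell is assumed (on Solaris 10, /usr/xpg4/bin/sh or bash rather than /bin/sh).

```shell
#!/bin/sh
# Added example (POSIX sh): header/permission audit of the files from steps 3-8.

# pem_label FILE: print the label of the first "-----BEGIN <label>-----" line.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" 2>/dev/null | head -1
}

# key_state FILE: print encrypted | plaintext | not-a-key (RSA/PKCS#8 only).
key_state() {
    case "$(pem_label "$1")" in
        "ENCRYPTED PRIVATE KEY") echo encrypted ;;   # PKCS#8, encrypted
        "RSA PRIVATE KEY")
            # Traditional format (genrsa -des3) flags encryption in a header.
            if grep '^Proc-Type: 4,ENCRYPTED' "$1" >/dev/null 2>&1
            then echo encrypted; else echo plaintext; fi ;;
        "PRIVATE KEY") echo plaintext ;;             # PKCS#8, unencrypted
        *) echo not-a-key ;;
    esac
}

# owner_only FILE: true when group and other have no permission bits set.
owner_only() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# audit_ssl_dir DIR: print findings; exit status 0 only when nothing is wrong.
audit_ssl_dir() {
    dir=$1; bad=0
    key=$dir/ssl.key/server.key
    state=$(key_state "$key")
    echo "server.key: $state"
    [ "$state" != not-a-key ] || bad=1
    if [ "$state" = plaintext ] && ! owner_only "$key"; then
        echo "PROBLEM: unencrypted server.key is accessible to group/other"
        bad=1
    fi
    for spec in "server.csr:CERTIFICATE REQUEST" "server.crt:CERTIFICATE"; do
        file=${spec%%:*}; want=${spec#*:}
        # Older OpenSSL may label a CSR "NEW CERTIFICATE REQUEST".
        got=$(pem_label "$dir/ssl.crt/$file" |
              sed 's/^NEW CERTIFICATE REQUEST$/CERTIFICATE REQUEST/')
        if [ "$got" != "$want" ]; then
            echo "PROBLEM: $file holds '${got:-nothing}', expected '$want'"
            bad=1
        fi
    done
    return $bad
}

# Audit the directory given as the first argument, e.g. /etc/apache2.
[ $# -eq 0 ] || audit_ssl_dir "$1"
```

Run it with /etc/apache2 as the argument after step 5 and again after step 8; the second run should report the key as plaintext with no PROBLEM lines.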

21 thoughts on “Installing Apache2 with SSL (httpd) on Solaris 10”

  1. my generating cert request (your step 4)
    it returned error below after entering the valid passphrase :

    unable to find ‘distinguished_name’ in config
    problems making Certificate Request
    21408:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:325:

  2. my earlier comment post resolved, forgot to put -config as the environment config is not set.

    and now the self-signed step failure occurred :
    unable to load X509 request
    2677:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: CERTIFICATE REQUEST

  3. I tried the command to generate RSA key. But message ‘/usr/local/ssl/bin/openssl: not found’

    why? What should I do to proceed?
