A Guide on how to Setup an Apache

Virtual-Host using a Self-Signed

Certificate

Introduction

In order to have a secure web server, clients should be able to connect to your server knowing that the
transaction is well-encrypted so that their data is safe. The server should be able to send traffic in a safe
way between itself and the clients, with no chance of the messages being intercepted by outside parties.
An easy way to do this is with Apache2, which is the leading Linux web server software, and Secure
Sockets Layer, commonly known as SSL, which is a protocol for cryptographically securing
transactions between a web browser and a web server.
Therefore, in this guide, we will show you how to set up a self-signed SSL certificate for use with an
Apache web server. In this guide there will be strong references to the official openSUSE
documentation page and also some minor corrections
( https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.apache2.ht
ml#sec.apache2.ssl ).

Requirements
Make sure the following requirements are met before trying to set up the Apache Web server:
1. The machine's network is configured properly.
2. The machine's exact system time is maintained by synchronizing with a time server. This is
necessary because parts of the HTTP protocol depend on the correct time.
3. The latest security updates are installed.
4. The default Web server port (80) and (443) for SSL are opened in the firewall. For this,
configure the SuSEFirewall2 to allow the service HTTP Server in the external zone. These ports
are required to be open if you want outsiders to be able to access a website setup inside your
network. We assume that the firewall is enabled. To open the ports you can go to
Yast→Firewall→Allowed Services→Add HTTP Server + HTTPS Server
You proceed with Next and finish.
You should then check /etc/apache2/listen.conf. You should see the following in the file:
Listen 80

<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

Listen 443

</IfModule>
</IfDefine>
</IfDefine>

This means that SSL is enabled. If its not there you can add it manually.

Installing Apache

You need to have root access with your current user.

su - #makes your session root

Next step is to make sure that your system is updated.

zypper update #updates zypper

Next, you need to install apache2.

zypper in apache2 #installs apache2

And of course start the service.

systemctl start apache2 #starts apache2 service

This step is optional, but you can enable the service so that is starts every time you boot
systemctl enable apache2 #starts apache2 service on boot c
After all this steps, as a first test you should go and add an HTML file in srv/www/htdocs and then
open a browser and type http://localhost. You should see the HTML page there and that means that
APACHE works.

USING APACHE WITH SSL

First, we have to create a dir called srv/www/vhosts/ and then create a folder with the name of our
website. In this folder we should put all of our website files but for now we just create a simple
index.html file with the message APACHE WITH SSL WORKS.
Then its really important to restart the apache service.
systemctl restart apache2#restarts apache2 service
and check that it works with
systemctl status apache2#status of apache2 service

We then have to create a self signed certificate.

First you need to generate a certificate signing request (CSR). You are going to use openssl, with
PEM as the certificate format. During this step, you will be asked for a passphrase, and to answer
several questions. Remember the passphrase you enter as you will need it in the future.

We do this with with the following command.

sudo openssl req -new > new.cert.csr

And we get the following output where its interactive and we have to put some important information.
Generating a 2048 bit RSA private key
...........+++
..................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GE
State or Province Name (full name) [Some-State]:BAYERN
Locality Name (eg, city) []:NUREMBERG
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ORESTIS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ORESTIS
Email Address []:orestisnalmpantis@gmail.com

Please enter the following 'extra' attributes

to be sent with your certificate request
A challenge password []:susetesting
An optional company name []:susetesting
After we do this, its time that we actually Generate the Certificate.
1. Export the private part of the key to new.cert.key. You will be prompted for the passphrase
you entered when creating the certificate signing request (CSR).
sudo openssl rsa -in privkey.pem -out new.cert.key

2. Generate the public part of the certificate according to the information you filled out in the
signing request. The -days option specifies the length of time before the certificate expires.
You can revoke a certificate, or replace one before it expires.
sudo openssl x509 -in new.cert.csr -out new.cert.cert -req \-signkey
new.cert.key -days 365

3. Copy the certificate files to the relevant directories, so that the Apache server can read them.
Make sure that the private key /etc/apache2/ssl.key/server.key is not world-
readable, while the public PEM certificate /etc/apache2/ssl.crt/server.crt is.
sudo cp new.cert.cert /etc/apache2/ssl.crt/server.crt
sudo cp new.cert.key /etc/apache2/ssl.key/server.key

The SSL module is enabled by default in the global server configuration. In case it has been disabled on
your host, activate it with the following command: a2enmod ssl. To finally enable SSL, the server
needs to be started with the flag “SSL”. To do so, call a2enflag SSL . We also go to
/etc/sysconfig/apache2 and increase the value of APACHE_TIMEOUT or
APACHE_START_TIMEOUT because now that we have a password we need enough time to enter the
passphrase.

In this part the documenation

(https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.apache2.htm
l#sec.apache2.ssl) is a little misleading. It is really important that by the time you create the certificates,
you go to /etc/apache2/vhosts.d/ folder and copy the vhost-ssl.template file into your own .conf file. I
copied the file and name it orestis.conf ,which will be the main configuration file for our Apache-SSL
configuration.
Now the important step is to add in this orestis.conf file the certificates. So it will look like this:
<VirtualHost _default_:443>

# You can use per vhost certificates if SNI is supported.

SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt

Its really important and should be stressed more in the documentation , that we should also add the
following on all virtual hosts on the orestis.conf file. If we don't the Apache with SSL wont start.
<Directory "/srv/www/vhosts/orestis/">
Require all granted
</Directory>

With ifconfig we find the IP that we should include in the ServerName

The final conf file should look like this. All the important sections are in bold.
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "/srv/www/vhosts/orestis/"
<Directory "/srv/www/vhosts/orestis/">
Require all granted
</Directory>
ServerName 10.160.67.235
ServerAdmin orestisnalmpantis@gmail.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
 # SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# You can use per vhost certificates if SNI is supported.

SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt

</VirtualHost>

We then restart the service. We should then run the lsof command to see that the service is actually
listening to the corresponding port 443.
# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd-pre 19117 root 6u IPv6 836290 0t0 TCP *:https (LISTEN)
httpd-pre 19126 wwwrun 6u IPv6 836290 0t0 TCP *:https (LISTEN)
httpd-pre 19127 wwwrun 6u IPv6 836290 0t0 TCP *:https (LISTEN)
httpd-pre 19128 wwwrun 6u IPv6 836290 0t0 TCP *:https (LISTEN)
httpd-pre 19129 wwwrun 6u IPv6 836290 0t0 TCP *:https (LISTEN)
httpd-pre 19131 wwwrun 6u IPv6 836290 0t0 TCP *:https (LISTEN)

You can check https://g235.suse.de/ to check an example website.