Apache questions

Hi all,
So I had Apache working yesterday but today it won't start. It gives a message that Apache failed to start.
I checked the http_error.log file; it tells me that ssl failed because of no cert.
So question 1, is there a current set of instructions on how to create a cert?
2. does no cert block Apache from starting?
3. The section on Apache in the handbook follows DNS set up & zero conf, do I have to have them?
I'm on FreeBSD 15 if it matters.

Thanks in advance.
 
So question 1, is there a current set of instructions on how to create a cert?
Self-signed? Proper certificate? Letsencrypt? What kind of certificate are you looking for? Letsencrypt is probably easy enough, cheap (free), has a limited lifespan (typically 3 months) but can be refreshed automatically through some scripts. Generally only useful if you want to provide access to the website/webserver from the internet though.

does no cert block Apache from starting?
If you enabled SSL/TLS and it cannot find the website's certificate, yes. You can run a webserver without SSL/TLS though. But you obviously won't have any encryption of the data.

The section on Apache in the handbook follows DNS set up & zero conf, do I have to have them?
Depends, you can access the webpage just on its IP address, but that's usually a bit difficult to remember for us humans.

I'm on FreeBSD 15 if it matters.
Nothing at all.
 
Self-signed? Proper certificate? Letsencrypt? What kind of certificate are you looking for? Letsencrypt is probably easy enough, cheap (free), has a limited lifespan (typically 3 months) but can be refreshed automatically through some scripts. Generally only useful if you want to provide access to the website/webserver from the internet though.

self signed a proper cert, and what's the best way or program to do this with? It's been a few years since I've done this on Unix. All I can find for creating the cert is certbot and it doesn't install.
 
Okay so I found a command that creates a cert
Code:
openssl req -new -x509 -days 365 -keyout mykey.key -out mycert.crt
and I found the crt & key files, but it suggests moving them to a Cert folder. I don't have one but it can be created. So where are the files actually supposed to go? Just leave them in etc or add them to /usr/local/etc/apache24?
 
On Linux I used to do this and keep the certs in a general folder:
Code:
openssl ecparam -name secp521r1 -genkey -out '/etc/ssl/certs/nginx.key'
Code:
openssl req -new -x509 -key '/etc/ssl/certs/nginx.key' -out '/etc/ssl/certs/nginx.crt' -days 730

And pointed nginx to the certs:
Code:
ssl_certificate '/etc/ssl/certs/nginx.crt';
ssl_certificate_key '/etc/ssl/certs/nginx.key';



On FreeBSD I used py311-certbot Standalone (not webserver/plugin-specific) and pointed nginx to those files:
Code:
ssl_certificate '/usr/local/etc/letsencrypt/live/website.tld/fullchain.pem';
ssl_trusted_certificate '/usr/local/etc/letsencrypt/live/website.tld/fullchain.pem';
ssl_certificate_key '/usr/local/etc/letsencrypt/live/website.tld/privkey.pem';
 
Espionage724 When you say redirect Apache to the SSL Folder you created, are you making the change in httpd.conf or in the ssl.conf file?
Thanks for letting me know that I can create a folder for them and just point to it.
 
I don't currently use automation, so doing it manually, I create

Code:
/usr/local/etc/apache24/certificates/sitex.com
/usr/local/etc/apache24/certificates/sitey.com

Make sure any key files (in particular) are root-only-readable.

Then in Apache configuration (/usr/local/etc/apache24/extra/httpd-ssl.conf) for a virtual host:
Code:
<VirtualHost *:443>
    ServerName sitex.com
    ...
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/apache24/certificates/sitex.com/somecert.crt"
    ...
</VirtualHost>

You can split out the ssl configuration for each site if you don't want to put in your main httpd-ssl.conf.

So something like this in httpd-ssl.conf:
Code:
Include /somelocation/etc/apache24/*.conf
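
Added example, not part of the thread or any poster's code: a small sh check for the two points raised above, that Apache will not start when SSL is enabled and a configured certificate file is missing, and that key files should not be readable by anyone else. It assumes the certificate paths are written directly in the file it is given and with the directive spelling used in the thread; the function names are made up for this example, and it checks group/other permission bits only, not file ownership.

```sh
#!/bin/sh
# Added example: pre-flight check of the TLS files an Apache config points to.
# Function names are hypothetical; Include lines are not followed.

# Print "directive path" for each certificate/key directive, skipping
# commented-out lines and stripping optional double quotes.
tls_paths() {
    sed -n -E 's/^[[:space:]]*(SSLCertificateFile|SSLCertificateKeyFile)[[:space:]]+"?([^"]+)"?[[:space:]]*$/\1 \2/p' "$1"
}

# Report missing files and key files that group/other can access.
# Returns 0 when nothing was reported, 1 otherwise.
check_tls_files() {
    problems=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
            problems=$((problems + 1))
        elif [ "$directive" = SSLCertificateKeyFile ]; then
            # Columns 5-10 of the mode string are the group and other bits;
            # -L follows symlinks such as certbot's live/ entries.
            bits=$(ls -ldL "$path" | cut -c5-10)
            if [ "$bits" != "------" ]; then
                echo "LOOSE $directive $path"
                problems=$((problems + 1))
            fi
        fi
    done <<EOF
$(tls_paths "$1")
EOF
    [ "$problems" -eq 0 ]
}

# Run against a config file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_tls_files "$1"
fi
```

Saved as a script, it can be run with the path to httpd-ssl.conf before restarting Apache; a non-zero exit status means at least one MISSING or LOOSE line was printed.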
 