
Building an Apache + mod_ssl server from source!

Having written the CentOS edition in "Building an Apache2 + mod_ssl server on CentOS!", I thought I should write a from-source edition as well. The way the certificate is created is basically the same; the only difference is the parts where you have to compile things yourself. I won't go into the Apache configuration in detail here; if you want the details, see here.

Installation environment:
OS: Debian GNU/Linux 3.1 (Sarge)
Machine: Pentium II machine


1. Getting the source
The download sites for the source are listed below; in each case I fetched the latest version as of June 2006.
mod_ssl( http://www.modssl.org/source/ )
OpenSSL( http://www.openssl.org/source/ )
ml2:~# cd /usr/local/src/
ml2:/usr/local/src# wget http://www.meisei-u.ac.jp/mirror/apache/httpd/apache_1.3.36.tar.gz
ml2:/usr/local/src# tar zxvf apache_1.3.36.tar.gz
ml2:/usr/local/src# chown -R root.root apache_1.3.36
ml2:/usr/local/src# wget http://www.openssl.org/source/openssl-0.9.8b.tar.gz
ml2:/usr/local/src# tar zxvf openssl-0.9.8b.tar.gz
ml2:/usr/local/src# chown -R root.root openssl-0.9.8b
ml2:/usr/local/src# wget http://www.modssl.org/source/mod_ssl-2.8.27-1.3.36.tar.gz
ml2:/usr/local/src# chown -R root.root mod_ssl-2.8.27-1.3.36


2. Compiling and linking OpenSSL
ml2:/usr/local/src# cd openssl-0.9.8b
ml2:/usr/local/src/openssl-0.9.8b# ./config
ml2:/usr/local/src/openssl-0.9.8b# make
ml2:/usr/local/src/openssl-0.9.8b# make test
ml2:/usr/local/src/openssl-0.9.8b# make install


3. Compiling and linking Apache + mod_ssl
I still find Apache 1 easier to handle; I just can't get used to the new one (laughs).

ml2:/usr/local/src/openssl-0.9.8b# cd ..
ml2:/usr/local/src# cd mod_ssl-2.8.27-1.3.36
ml2:/usr/local/src/mod_ssl-2.8.27-1.3.36# ./configure --with-apache=../apache_1.3.36

Configuring mod_ssl/2.8.27 for Apache/1.3.36
+ Apache location: ../apache_1.3.36 (Version 1.3.36)
+ Auxiliary patch tool: ./etc/patch/patch (local)
+ Applying packages to Apache source tree:
o Extended API (EAPI)
o Distribution Documents
o SSL Module Source
o SSL Support
o SSL Configuration Additions
o SSL Module Documentation
o Addons
Done: source extension and patches successfully applied.

Now proceed with the following commands (Bourne-Shell syntax):
$ cd ../apache_1.3.36
$ SSL_BASE=/path/to/openssl ./configure ... --enable-module=ssl
$ make
$ make certificate
$ make install

ml2:/usr/local/src/mod_ssl-2.8.27-1.3.36# cd ../apache_1.3.36
ml2:/usr/local/src/apache_1.3.36# ./configure --enable-module=ssl --enable-module=so

Configuring for Apache, Version 1.3.36
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ adding selected modules
o ssl_module uses ConfigStart/End
+ SSL interface: mod_ssl/2.8.27
+ SSL interface build type: OBJ
+ SSL interface compatibility: enabled
+ SSL interface experimental code: disabled
+ SSL interface conservative code: disabled
+ SSL interface vendor extensions: disabled
+ SSL interface plugin: Built-in SDBM
+ SSL library path: /usr/local/ssl
+ SSL library version: OpenSSL 0.9.8b 04 May 2006
+ SSL library type: installed package (stand-alone)
+ enabling Extended API (EAPI)
+ using builtin Expat
+ using -ldl for vendor DSO support
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/lib/expat-lite
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl

ml2:/usr/local/src/apache_1.3.36# make
ml2:/usr/local/src/apache_1.3.36# make install


4. Creating the encryption key
1) Create the private key

ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl genrsa -des3 -out server.key.secure 1024
Generating RSA private key, 1024 bit long modulus
……………………………++++++
………………………………..++++++
e is 65537 (0x10001)
Enter pass phrase for server.key.secure: (enter a passphrase; any password you like)
Verifying - Enter pass phrase for server.key.secure: (re-enter the passphrase)

ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure: (enter the passphrase from above)
writing RSA key

2) Create the signing request
ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: JP ← country
State or Province Name (full name) [Berkshire]: Tokyo ← prefecture
Locality Name (eg, city) [Newbury]: Chiyodaku ← city/ward
Organization Name (eg, company) [My Company Ltd]: xxxxxxxxxxxxx.jp ← domain name or similar
Organizational Unit Name (eg, section) []: Enter
Common Name (eg, your name or your server's hostname) []: www.xxxxxxxxxxxxx.jp ← hostname
Email Address []: mity@xxxxxxxxxxxxx.jp ← administrator's e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: Enter
An optional company name []: Enter

3) Create the CA certificate
ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365
Signature ok
subject=/C=JP/ST=Tokyo/L=Chiyodaku/O=xxxxxxxxxxxxx.jp/CN=www.xxxxxxxxxxxxx.jp/emailAddress=mity@xxxxxxxxxxxxx.jp
Getting Private key

ml2:/usr/local/apache/conf/ssl.crt# chmod 400 server.*
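The three openssl steps above, replayed non-interactively and followed by the checks worth running before httpd.conf is pointed at the files: that the certificate really belongs to the private key, that the key is readable by its owner only, and that the subject carries the intended hostname. This is an added example, not code from the original article; the directory, subject, passphrase and the `example.test` names are constructed, and it uses 2048-bit RSA instead of the article's 1024 bits, which is below current minimum key sizes.

```shell
#!/bin/sh
# Added example, not code from the original article: replays the article's openssl
# steps (passphrase-protected key -> passphrase-free key -> CSR -> self-signed cert)
# non-interactively, then checks the result before httpd.conf is pointed at it.
# Assumptions: openssl is on PATH; directory, subject and passphrase are constructed;
# 2048-bit RSA replaces the article's 1024 bits, which is below current minimums.
set -eu

PASS='example-passphrase'   # constructed for the example; never hard-code a real one
SUBJ='/C=JP/ST=Tokyo/L=Chiyodaku/O=example.test/CN=www.example.test/emailAddress=admin@example.test'

# Create server.key.secure, server.key, server.csr and server.pem in $1, valid $2 days.
make_self_signed() {
    dir=$1; days=$2
    mkdir -p "$dir"
    # 1) private key encrypted with a passphrase (the article's server.key.secure)
    openssl genrsa -des3 -passout "pass:$PASS" -out "$dir/server.key.secure" 2048 2>/dev/null
    #    strip the passphrase so httpd can start unattended (the article's server.key)
    openssl rsa -in "$dir/server.key.secure" -passin "pass:$PASS" -out "$dir/server.key" 2>/dev/null
    # 2) certificate signing request; -subj replaces the interactive DN prompts
    openssl req -new -key "$dir/server.key" -subj "$SUBJ" -out "$dir/server.csr" 2>/dev/null
    # 3) self-sign the request with the same key, as the article does with x509 -req
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days "$days" \
        -out "$dir/server.pem" 2>/dev/null
    chmod 400 "$dir"/server.*   # the same tightening the article applies
}

# Succeeds only if the certificate's public key really belongs to the private key.
key_matches_cert() {
    km=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$km" = "$cm" ]
}

# Succeeds only if the file grants nothing to group or others (ls -l columns 5-10).
key_mode_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only if the certificate's subject carries the expected CN (the hostname).
cert_has_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | grep -q "CN *= *$2"
}

if [ "${1:-}" = "demo" ]; then
    make_self_signed ./ssl-demo 365
    key_matches_cert ./ssl-demo/server.key ./ssl-demo/server.pem && echo "key matches certificate"
    key_mode_is_private ./ssl-demo/server.key && echo "key is readable by owner only"
fi
```

Run it as `sh script.sh demo`; the modulus comparison is the same check to run whenever a certificate is renewed, since a mismatched pair is the usual reason mod_ssl refuses to start.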


5. Configuring Apache
1) Create the DocumentRoot
ml2:/usr/local/apache/conf/ssl.crt# mkdir /usr/local/apache/htdocs/sslcert
ml2:/usr/local/apache/conf/ssl.crt# chmod 777 /usr/local/apache/htdocs/sslcert

2) Edit httpd.conf
ml2:/usr/local/apache/conf/ssl.crt# cd ..
ml2:/usr/local/apache/conf# vi httpd.conf

(omitted)
<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/sslcert"
ServerName ml2.xxxxxxxxxxxxx.co.jp
ServerAdmin root@ml2.xxxxxxxxxxxxx.co.jp
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
(omitted)
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.pem
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
(omitted)

Note that the key and certificate were generated in conf/ssl.crt in step 4, while SSLCertificateKeyFile here points at conf/ssl.key; both directives must point at the paths where the files actually are, or mod_ssl will not start.


6. Start-up
1) Start Apache + SSL
ml2:/usr/local/apache/conf# /usr/local/apache/bin/apachectl sslstart

2) Check the processes
ml2:/usr/local/apache/conf# ps -ef

(omitted)
root 6095 1 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6096 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6097 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6098 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6099 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6100 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6101 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
(omitted)

Note: for auto-start and log rotation settings, see the related pages on this site.


7. Checking from a client browser (in the case of IE)
Access https://<IP address or hostname>/ and go through the steps shown below.

[Figures 1 to 7: browser screenshots of the steps (images not available)]

That's all.
