Navigation
Install the app
How to install the app on iOS
Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
More options
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
How do I set up SSL on Apache and Win 2000/XP
Apache SSL / Win 2000
How do I set up SSL on Apache and Win 2000/XP
by
Tracey
Posted
(Edited
)
This article is base on information from http://www.serverwatch.com/tutorials/article.php/10825_1437211 and http://plone.org/documentation/developer/ApacheSSLWindows/wikipage_view
The serverwatch article was very helpful in the setup of ssl on windows, however it is written with Apache 1.3.26 / Mod_SSL 2.8.10 in mind, so I did not achieve complete success with this alone. Oh sure, it seemed successful on the local machine, but when it came to accessing an actual domain name, things changed.
I was getting errors like:
(OS10048) Only one usage of each socket address (protocol/network address/port) is normally permitted. :make_sock could not bind to address 0.0.0.0:443 no listening sockets available, shutting down, unable to open logs.
And of course, nothing I tried seemed to work. Adding the ip address in front of the Listen directive just changed the IP address in the error message. Removing the listen 443 directive revealed the next error message:
Only one usage of each socket address (protocol/network address/port) is normally permitted. :make_sock could not bind to address 0.0.0.0:80 no listening sockets available, shutting down, unable to open logs.
So, once I had achieved success, I decided to document the process in case I have to do it again and need a memory jogger. I recommend you visit the two sites I used as reference, as they have a lot of useful links.
This document assumes an existing installation of Apache 2.0.xx.
Text taken from the above article is in bold italics.
The system I have running uses Apache 2.0.47 (win32) mod_ssl / 2.0.47 OpenSSL / 0.9.7b. I had Apache 2.0.36 with no SSL prior to this install.
At the time of the writing of this, there is no binary release of apache2 with SSL compiled-in, due to the US authorities limiting export of encryption software. See http://www.apacheweek.com/features/ssl
Before you start
BACKUP your entire Apache directory.
Delete all subdirectories and files from your c:\apache folder.
Navigate to http://hunter.campbus.com/ and download the latest Apache2_openssl zip file (Apache_2.0.47-OpenSSL_0.9.7b-win32.zip at time of writing)
You will also need a config file, which you can download from http://www.tud.at/programm/openssl.cnf (right click this link and select ôsave target as.. save as openssl.cnfö)
Now begin:
Extract the zip file into your c:\apache directory.
Create a directory c:\apache\openssl
Now create another directory c:\apache\openssl\bin
Extract/copy openssl.exe to c:\apache\openssl\bin.
Extract/copy libeay32.dll and ssleay32.dll to c:\WINNT\system32
To create a test certificate for using SSL, open a command prompt window, enter a change directory command:
cd C:\Apache\openssl\bin
and then enter the following commands:
openssl req -config openssl.cnf -new -out localhost.csr
openssl rsa -in privkey.pem -out localhost.key
openssl x509 -in localhost.csr -out localhost.cert -req -signkey localhost.key -days 5000
openssl x509 -in localhost.cert -out localhost.der.crt -outform DER
Then create a C:\Apache\conf\ssl directory, and move localhost.key, localhost.cert, and localhost.der.crt into it.
Note: The selection of 5000 days to certificate expiration is arbitrary.
The following exerts are my httpd.conf and ssl.conf directives required to get this to work:
#most comments have been removed from these files for ease of reading. Refer to your ssl.default.conf and httpd.default.conf for information on these directives. Also, for more detailed info, browse to http://httpd.apache.org/docs-2.0/mod/mod_ssl.html or http://www.modssl.org/docs/
Httpd.conf
*************************************************************
ServerRoot "C:/Apache"
PidFile logs/httpd.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild 0
</IfModule>
Listen 80 # !! see note later in article about this directive.
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
#LoadModule auth_anon_module modules/mod_auth_anon.so
#LoadModule auth_dbm_module modules/mod_auth_dbm.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule ssl_module modules/mod_ssl.so
ServerAdmin name@company.co.nz
ServerName machinename #this will be your domain name eg name.domain.com
UseCanonicalName On
HostnameLookups on
ErrorLog logs/error.log
CustomLog logs/access.log combined
ServerTokens Full
ServerSignature Off
Include conf/ssl.conf #do not wrap with <IfModule mod_ssl.c></IfModule>
# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none
SSLProtocol -all +SSLv3
SSLCipherSuite HIGH:MEDIUM
*************************************************************
Ssl.conf
*************************************************************
<IfDefine SSL> #you can remove these directives if you want.. be sure to remove the end tag too (</IfDefine>)
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
DocumentRoot "c:/apache/htdocs"
ServerName machinename #this will be your domain name eg name.domain.com
ServerAdmin name@company.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile c:/apache/conf/ssl/localhost.der.crt
SSLCertificateKeyFile c:/apache/conf/ssl/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "c:/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
*************************************************************
Testing
To test the syntax of the httpd.conf file: at a command prompt in the C:\Apache directory enter the command:
apache -t
Start your Apache service via the ApacheMonitor.exe as normal.
Test your configuration by navigating to http://yoururl (http://localhost to start)
Now, from this point, it gets a little weird. This is what I spent 4 days trying to get to workà.
Now, with Apache running, edit your httpd.conf and comment out the
Listen 80 directive
#Listen 80
Open a command prompt, navigate to your apache/bin directory, then enter the following:
Apache ûD SSL
If there are any problems with your SSL setup, this will show any relevant error messages. If you do not comment out the Listen directive in httpd.conf before running this command, you will get those error messages I referred to earlier.
If you get no messages, move onto the next step:
Test your ssl config; navigate to https://yoururl (https://localhost to start). Once you have success here, move onto the next step.
Uncomment the Listen 80 directive again,
The last step was found on the following site
http://plone.org/documentation/developer/ApacheSSLWindows/wikipage_view
If you use IfDefine SSL in the ssl.conf (default) and start apache as a service, you need to edit the apache command line in the registry. In this case, the option -D SSL has to be appended to the value of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2.
Restart your service. You should now have both https and http running.
The serverwatch article was very helpful in the setup of ssl on windows, however it is written with Apache 1.3.26 / Mod_SSL 2.8.10 in mind, so I did not achieve complete success with this alone. Oh sure, it seemed successful on the local machine, but when it came to accessing an actual domain name, things changed.
I was getting errors like:
(OS10048) Only one usage of each socket address (protocol/network address/port) is normally permitted. :make_sock could not bind to address 0.0.0.0:443 no listening sockets available, shutting down, unable to open logs.
And of course, nothing I tried seemed to work. Adding the ip address in front of the Listen directive just changed the IP address in the error message. Removing the listen 443 directive revealed the next error message:
Only one usage of each socket address (protocol/network address/port) is normally permitted. :make_sock could not bind to address 0.0.0.0:80 no listening sockets available, shutting down, unable to open logs.
So, once I had achieved success, I decided to document the process in case I have to do it again and need a memory jogger. I recommend you visit the two sites I used as reference, as they have a lot of useful links.
This document assumes an existing installation of Apache 2.0.xx.
Text taken from the above article is in bold italics.
The system I have running uses Apache 2.0.47 (win32) mod_ssl / 2.0.47 OpenSSL / 0.9.7b. I had Apache 2.0.36 with no SSL prior to this install.
At the time of the writing of this, there is no binary release of apache2 with SSL compiled-in, due to the US authorities limiting export of encryption software. See http://www.apacheweek.com/features/ssl
Before you start
BACKUP your entire Apache directory.
Delete all subdirectories and files from your c:\apache folder.
Navigate to http://hunter.campbus.com/ and download the latest Apache2_openssl zip file (Apache_2.0.47-OpenSSL_0.9.7b-win32.zip at time of writing)
You will also need a config file, which you can download from http://www.tud.at/programm/openssl.cnf (right click this link and select ôsave target as.. save as openssl.cnfö)
Now begin:
Extract the zip file into your c:\apache directory.
Create a directory c:\apache\openssl
Now create another directory c:\apache\openssl\bin
Extract/copy openssl.exe to c:\apache\openssl\bin.
Extract/copy libeay32.dll and ssleay32.dll to c:\WINNT\system32
To create a test certificate for using SSL, open a command prompt window, enter a change directory command:
cd C:\Apache\openssl\bin
and then enter the following commands:
openssl req -config openssl.cnf -new -out localhost.csr
openssl rsa -in privkey.pem -out localhost.key
openssl x509 -in localhost.csr -out localhost.cert -req -signkey localhost.key -days 5000
openssl x509 -in localhost.cert -out localhost.der.crt -outform DER
Then create a C:\Apache\conf\ssl directory, and move localhost.key, localhost.cert, and localhost.der.crt into it.
Note: The selection of 5000 days to certificate expiration is arbitrary.
The following exerts are my httpd.conf and ssl.conf directives required to get this to work:
#most comments have been removed from these files for ease of reading. Refer to your ssl.default.conf and httpd.default.conf for information on these directives. Also, for more detailed info, browse to http://httpd.apache.org/docs-2.0/mod/mod_ssl.html or http://www.modssl.org/docs/
Httpd.conf
*************************************************************
ServerRoot "C:/Apache"
PidFile logs/httpd.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild 0
</IfModule>
Listen 80 # !! see note later in article about this directive.
LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
#LoadModule auth_anon_module modules/mod_auth_anon.so
#LoadModule auth_dbm_module modules/mod_auth_dbm.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imap_module modules/mod_imap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule ssl_module modules/mod_ssl.so
ServerAdmin name@company.co.nz
ServerName machinename #this will be your domain name eg name.domain.com
UseCanonicalName On
HostnameLookups on
ErrorLog logs/error.log
CustomLog logs/access.log combined
ServerTokens Full
ServerSignature Off
Include conf/ssl.conf #do not wrap with <IfModule mod_ssl.c></IfModule>
# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none
SSLProtocol -all +SSLv3
SSLCipherSuite HIGH:MEDIUM
*************************************************************
Ssl.conf
*************************************************************
<IfDefine SSL> #you can remove these directives if you want.. be sure to remove the end tag too (</IfDefine>)
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
DocumentRoot "c:/apache/htdocs"
ServerName machinename #this will be your domain name eg name.domain.com
ServerAdmin name@company.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile c:/apache/conf/ssl/localhost.der.crt
SSLCertificateKeyFile c:/apache/conf/ssl/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "c:/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
*************************************************************
Testing
To test the syntax of the httpd.conf file: at a command prompt in the C:\Apache directory enter the command:
apache -t
Start your Apache service via the ApacheMonitor.exe as normal.
Test your configuration by navigating to http://yoururl (http://localhost to start)
Now, from this point, it gets a little weird. This is what I spent 4 days trying to get to workà.
Now, with Apache running, edit your httpd.conf and comment out the
Listen 80 directive
#Listen 80
Open a command prompt, navigate to your apache/bin directory, then enter the following:
Apache ûD SSL
If there are any problems with your SSL setup, this will show any relevant error messages. If you do not comment out the Listen directive in httpd.conf before running this command, you will get those error messages I referred to earlier.
If you get no messages, move onto the next step:
Test your ssl config; navigate to https://yoururl (https://localhost to start). Once you have success here, move onto the next step.
Uncomment the Listen 80 directive again,
The last step was found on the following site
http://plone.org/documentation/developer/ApacheSSLWindows/wikipage_view
If you use IfDefine SSL in the ssl.conf (default) and start apache as a service, you need to edit the apache command line in the registry. In this case, the option -D SSL has to be appended to the value of the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2.
Restart your service. You should now have both https and http running.
Please Note: 1 is Bad, 10 is Good :-)
Part and Inventory Search
-
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.