Original address: http://blog.njmars.com/myhan/archive/2004/07/16/210.aspx
Environment: Redhat 9.0
Description: Commands starting with $ are run as an ordinary user; commands starting with # are run as the root account.
Step 1: Install Apache

Download Apache2: http://httpd.apache.org/download.cgi

I need mod_ssl support. Unlike Apache 1, mod_ssl is no longer a separate module; it is included in the Apache release package. It is not enabled by default and is selected with a configure option. I build Apache with DSO support and compile all the modules as shared objects, in case they are needed later. You can then customize your Apache just by editing httpd.conf and removing unwanted modules (comment out or delete the LoadModule line of the corresponding module).

$ tar zxvf httpd-2.0.50.tar.gz
$ ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl=shared --enable-mods-shared=all --with-ssl=/usr/local/ssl
$ make
$ su
# make install
Apache can use modules in two ways. A module can be compiled permanently into the core; or, if the operating system supports dynamic shared objects (DSO), it can be compiled as a dynamic module. DSO modules are stored separately from the core and are loaded by the core at run time using the configuration directives provided by the mod_so module. If any dynamic module is included in the build, mod_so is automatically included in the core. If you want the core to be able to load DSOs without actually compiling any dynamic module, you need to specify --enable-so explicitly. (http://kajaa.bbs.us/apachemanual/install.html)
The first time, with Apache compiled as described above, an error is reported at startup:

# cd /usr/local/apache2
# ./bin/apachectl startssl
Syntax error on line 251 of /usr/local/apache/conf/httpd.conf:
Cannot load /usr/local/apache/modules/mod_ssl.so into server: /usr/local/apache/modules/mod_ssl.so: undefined symbol: X509_free
What is the reason? See http://www.smartframeworks.com/QT-apache-ssl.html

The OpenSSL installed by the method in "apache2 mod_ssl php5 full installation record (2)" was not built as a dynamic link library. Its documentation says that OpenSSL's dynamic link library support is not mature: you can use ./config shared to build OpenSSL with dynamic link libraries, but this is still in the testing phase. The way to solve the problem is to compile mod_ssl statically into Apache. Recompile as follows:

$ ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl=static --with-ssl=/usr/local/ssl --enable-mods-shared=all
$ make
$ su
# make install

This time, starting Apache again produced another error:

# cd /usr/local/apache2
# ./bin/apachectl startssl
Syntax error on line 108 of /usr/local/apache2/conf/ssl.conf:
SSLCertificateFile: file '/usr/local/apache2/conf/ssl.crt/server.crt' does not exist or is empty
What is the reason this time? We have not configured SSL yet: the certificate that SSL needs has to be generated first. With apache1 and mod_ssl, the build had a step, $ make certificate, that generated the certificate used by SSL. That tool no longer exists, so you have to create the certificate yourself. For people who are not familiar with certificates, there is a tool that helps: http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz

# cd /usr/local/apache2/conf
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh                 (generate the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
.............................
e is 65537 (0x10001)
Enter pass phrase for ca.key:               (enter a password)
Verifying - Enter pass phrase for ca.key:   (enter the password again)
...
Self-sign the root CA...                    (sign the root certificate)
Enter pass phrase for ca.key:               (enter the password just set)
..............                              (now start signing)
Country Name (2 letter code) [MY]: CN
State or Province Name (full name) [Perak]: JiangSu
Locality Name (eg, city) [Sitiawan]: NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]: Wiscom System Co., Ltd
Organizational Unit Name (eg, section) [Certification Services Division]: ACSTAR
Common Name (eg, MD Root CA) []: wiscom ca
Email Address []: acmail@wiscom.com.cn

This generates two files, ca.key and ca.crt. Next, generate a certificate for our server:

# ./new-server-cert.sh server      (the name of this certificate is server)
............
Country Name (2 letter code) [MY]: CN
State or Province Name (full name) [Perak]: JiangSu
Locality Name (eg, city) [Sitiawan]: NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]: Wiscom System Co., Ltd
Organizational Unit Name (eg, section) [Secure Web Server]: ACSTAR
Common Name (eg, www.domain.com) []: acmail.wiscom.com.cn
Email Address []: acmail@wiscom.com.cn
This generates two files, server.csr and server.key. The request still has to be signed before it can be used:

# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:             (enter the root certificate password set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName            :PRINTABLE:'CN'
stateOrProvinceName    :PRINTABLE:'JiangSu'
localityName           :PRINTABLE:'NanJing'
organizationName       :PRINTABLE:'Wiscom System Co., Ltd'
organizationalUnitName :PRINTABLE:'ACSTAR'
commonName             :PRINTABLE:'acmail.wiscom.com.cn'
emailAddress           :IA5STRING:'acmail@wiscom.com.cn'
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days) [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

(If there is an error here, it is best to start over: remove the ssl.ca-0.1 directory and begin again from the extraction step.)

Next, following the settings in ssl.conf, put the certificate and key in the appropriate locations:

# chmod 400 server.key
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
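A pre-flight check for the layout built above, as an added example that is not part of the original post: it confirms that server.crt and server.key exist and are non-empty (the condition behind the ssl.conf error), that the key is closed to group and other, that the certificate matches the key, and optionally that the certificate verifies against ca.crt. The function name and return codes are made up for this example, and it assumes an openssl binary that provides the pkey subcommand.

```shell
#!/bin/sh
# Added example (not from the original post). Return codes are constructed:
#   0 ok, 1 file missing or empty, 2 key readable by group/other,
#   3 certificate and key do not belong together, 4 not signed by the given CA.
check_ssl_layout() {
    conf=$1                        # e.g. /usr/local/apache2/conf
    ca=${2:-}                      # optional path to ca.crt
    crt=$conf/ssl.crt/server.crt
    key=$conf/ssl.key/server.key

    # Same condition mod_ssl reports as "does not exist or is empty".
    for f in "$crt" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # After chmod 400, characters 5-10 of the ls mode string are "------".
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "key too permissive: $key" >&2; return 2; }

    # The public key in the certificate must equal the one derived
    # from the private key, otherwise the pair was mixed up.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ] ||
        { echo "server.crt does not match server.key" >&2; return 3; }

    # Optional: confirm the certificate chains to the CA that signed it.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
            { echo "server.crt is not signed by $ca" >&2; return 4; }
    fi
    return 0
}
```

Run it as root before apachectl startssl, for example: check_ssl_layout /usr/local/apache2/conf /usr/local/apache2/conf/ssl.ca-0.1/ca.crt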
Then you can start!

# cd /usr/local/apache2
# ./bin/apachectl startssl
If you see this message:

httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

you only need to edit httpd.conf, find the ServerName xxxx line, and remove the comment marker in front of it.