Category Archives: Apache2

Openssl certificates for apache

In my former post I described how to create self-signed SSL certificates with my own certificate authority. These certificates didn't work in the latest Chrome versions, so I updated my scripts to create certificates that Chrome accepts. This time I only create wildcard certificates because creating one for every subdomain was annoying.

#!/bin/bash
# usage: ./create-ca.sh
# creates the CA private key and the self-signed CA certificate that signs the wildcard certificates;
# keep ca.key private: once ca.crt is imported into a browser, anything signed with ca.key is trusted
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"
#!/bin/bash
# usage: ./create-key.sh <domain.name>
# creates a wildcard certificate for <domain.name> and *.<domain.name>, signed by ca.key/ca.crt
NAME=star.$1
if [ -z "$1" ]; then
	echo "usage: $0 <domain.name>"
	exit 1
fi
if [ -e "$NAME.key" ]; then
	echo "$NAME.key already exists"
	exit 1
fi
if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

# openssl configuration: the [ca] sections are used by "openssl ca", the [req] sections by "openssl req";
# the subjectAltName in req_ext is what recent Chrome versions require (the CN alone is ignored)
CONFIG=$(cat <<-EOF
[ca]
default_ca=CA_default

[CA_default]
dir=./ca
database=\$dir/index.txt
new_certs_dir=\$dir/newcerts
serial=\$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
# copy every extension (including the SAN) from the CSR into the certificate;
# only acceptable because the CSR is generated by this script and never taken from a third party
copy_extensions=copyall

[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

[req]
default_bits=4096
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn

[ dn ]
C=AT
ST=Vienna
L=Vienna
OU=Domain Control Validated
emailAddress=office@coffeebeans.at
CN=*.$1

[ req_ext ]
subjectAltName=@alt_names

[ alt_names ]
DNS.1=$1
DNS.2=*.$1
EOF
)

# PREPARE
echo "$CONFIG" > config.txt
if [ ! -d ./ca ]; then
	mkdir -p ./ca/newcerts
	touch ./ca/index.txt
fi

openssl genrsa -out "$NAME.key" 4096
openssl req -new -key "$NAME.key" -out "$NAME.csr" -config config.txt
openssl ca -create_serial -batch -in "$NAME.csr" -out "$NAME.crt" -config config.txt

# CLEANUP
rm -f *.csr config.txt
# 644 lets the web server read the files but also leaves the private keys world-readable;
# tighten this on a shared host
chmod 644 *.key *.crt

I also tried to use these certificates in postfix which did NOT work. To create files for postfix see my former post.

 

SSL certificates for apache

Simple way to create self-signed SSL certificates.

#!/bin/bash
# usage: ./create-ca.sh
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=coffeebeans.at/emailAddress=office@coffeebeans.at"
#!/bin/bash
# usage: ./create-key.sh CN
NAME=$1
# one .key file exists per certificate issued so far (plus ca.key), so the count gives a fresh serial
SERIAL=$(ls -l *.key | wc -l | tr -d ' ')

if [ "$SERIAL" -lt 10 ]; then
	SERIAL="0$SERIAL"
fi

if [ -z "$NAME" ]; then
	echo "usage: $0 CN"
	exit 1
fi

if [ -e "$NAME.key" ]; then
	echo "$NAME.key already exists"
	exit 1
fi

if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

echo "creating key for $NAME with serial $SERIAL"
openssl genrsa -out "$NAME.key" 4096
openssl req -new -key "$NAME.key" -out "$NAME.csr" \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=$NAME/emailAddress=office@coffeebeans.at"
# no extensions are added here, so the certificate carries no subjectAltName;
# recent Chrome versions reject such certificates (see the newer post above)
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key \
  -set_serial "$SERIAL" -in "$NAME.csr" -out "$NAME.crt"

rm *.csr
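An added check script for the certificates that either set of scripts produces (example code, not one of the scripts from the posts): it verifies that a leaf certificate chains to ca.crt, that it carries a subjectAltName (the newer scripts add one through req_ext and copy_extensions, the older ones do not, which is why Chrome rejects those), that the SAN covers a given hostname using openssl's own wildcard matching, and optionally whether the key file is world-readable. The script name, file names and hostnames are assumptions.

```sh
#!/bin/sh
# check-cert.sh (assumed name): added example, not one of the scripts from the posts.
# usage: ./check-cert.sh ca.crt star.example.com.crt www.example.com [star.example.com.key]
# Exit status 0 means: the certificate chains to the CA, carries a subjectAltName,
# and that SAN covers the given hostname.

# chain check: does the leaf certificate validate against the CA?
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SAN check: recent Chrome versions ignore the CN and require a subjectAltName
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'
}

# hostname check: lets openssl apply its own (wildcard-aware) matching rules
covers_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# permission check: the "other" bits of the ls -l mode string; "---" means not world-readable
key_is_private() {
    [ "$(ls -l "$1" | cut -c8-10)" = "---" ]
}

# runs all checks, prints one line per result, returns 1 if any hard check failed
check_cert() {
    ca=$1 crt=$2 host=$3 key=$4
    status=0
    if check_chain "$ca" "$crt"; then echo "ok: $crt chains to $ca"
    else echo "FAIL: $crt does not verify against $ca"; status=1; fi
    if has_san "$crt"; then echo "ok: subjectAltName present"
    else echo "FAIL: no subjectAltName (Chrome will reject the certificate)"; status=1; fi
    if covers_host "$ca" "$crt" "$host"; then echo "ok: certificate covers $host"
    else echo "FAIL: certificate does not cover $host"; status=1; fi
    if [ -n "$key" ]; then
        if key_is_private "$key"; then echo "ok: $key is not world-readable"
        else echo "warn: $key is world-readable"; fi
    fi
    return $status
}

# command-line use; when sourced by something else only the functions are defined
if [ "$#" -ge 3 ]; then
    check_cert "$@"
fi
```

Run it against the output of the newer scripts, for example `./check-cert.sh ca.crt star.example.com.crt www.example.com star.example.com.key`; a certificate from the older scripts passes the chain check but fails the subjectAltName check.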

 

Apache2 with Git Smart HTTP

Install git-core and apache2, and make sure the required modules are loaded:

apt-get install git-core apache2
a2enmod cgi alias env rewrite

To create a Git server using the smart HTTP protocol, I used the following script in /var/gitwww:

#!/bin/bash
# usage: <script> <repository name>, run from /var/gitwww

WORKDIR=$(pwd)
REPO=$1
if [ -z "$REPO" ]; then
	echo "usage: $0 <repository name>"
	exit 1
fi

# create dir
echo "$REPO"
mkdir -p "$REPO"
cd "$REPO" || exit 1

# init repo
git init --bare
touch git-daemon-export-ok                      # mark the repository as exportable
cp hooks/post-update.sample hooks/post-update   # the sample hook runs git update-server-info after each push
git config http.receivepack true                # accept pushes over HTTP; without authentication in the vhost, from anyone who can reach it
git update-server-info

chown -R www-data:www-data .

# done
cd "$WORKDIR"

And I configured my default virtual host as follows:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        SetEnv GIT_PROJECT_ROOT /var/gitwww
        SetEnv GIT_HTTP_EXPORT_ALL
        ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

        Alias /git /var/gitwww
        <Directory /usr/lib/git-core>
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                Allow from all
# for apache 2.4 (ubuntu 14.04+) use the following line instead of the 2 above:
#               Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
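The vhost above exports every repository under /var/gitwww, and the repository script sets http.receivepack to true, so pushes are accepted without any authentication. The fragment below is an added example, not part of the post; it follows the pattern shown in the git-http-backend documentation. It goes inside the same VirtualHost block and requires Basic authentication for the receive-pack endpoint only, so clones stay anonymous while pushes need a valid user. The path /etc/apache2/git.htpasswd is an assumption.

```apache
# added example: authenticate pushes (git-receive-pack) but leave clones anonymous
<LocationMatch "^/git/.*/git-receive-pack$">
        AuthType Basic
        AuthName "Git push"
        AuthUserFile /etc/apache2/git.htpasswd
        Require valid-user
</LocationMatch>
```

Once pushes are authenticated this way, git-http-backend enables receive-pack for authenticated users on its own, so the `git config http.receivepack true` line in the repository script is no longer needed and can be dropped to stop anonymous pushes at the Git level as well.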

After that, restart Apache and create a master branch from your client:

git clone http://_server_/git/_project_
cd _project_
touch README
git add .
git commit -m 'initial commit' -a
git push origin master

 

Bug in htpasswd.exe

I tried to configure basic authentication on Apache 2.4.4 and could not find out why my password didn't match. I just got the following line in the log, although my password was correct:

[…] [auth_basic:error] [pid …:tid …] [client ::…] AH01617: user ___: authentication failure for “/asd/”: Password Mismatch, referer: http://localhost/

So I found the following bug description: https://issues.apache.org/bugzilla/show_bug.cgi?id=54735. To get around this I just had to use htpasswd with the -b flag to provide the password on the command line instead of being prompted for it.

htpasswd -b passwdfile username password
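When a Basic auth login fails with "Password Mismatch", it helps to check, independently of htpasswd, whether the stored entry really matches the password you think it holds. The script below is an added example, not part of the post: it recomputes the hash for one user with openssl and compares it with the entry, for the {SHA}, $apr1$ and plain-text formats that htpasswd can write (bcrypt entries are reported as not checkable here). It reads the password from stdin because the -b form used in the workaround above leaves the password in the shell history and the process list. The script name and the passwdfile/username arguments are placeholders.

```sh
#!/bin/sh
# htpasswd-check.sh (assumed name): added example, not part of the post.
# usage: ./htpasswd-check.sh passwdfile username     (the password is read from stdin)
# Recomputes the stored hash for one user and compares it, so a "Password Mismatch"
# can be traced to the file (wrong entry) or to the request (wrong password sent).

# fetch the hash field for exactly this user (awk avoids regex metacharacters in names)
htpasswd_entry() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# compute the htpasswd encoding of a password in the format of an existing entry:
#   {SHA}  base64(sha1(password))                          (htpasswd -s)
#   $apr1$ Apache MD5 variant, salt taken from the entry   (htpasswd -m)
#   plain  password stored as is                           (htpasswd -p)
htpasswd_encode() {
    stored=$1 pass=$2
    case $stored in
        '{SHA}'*)
            printf '{SHA}%s\n' "$(printf '%s' "$pass" | openssl dgst -sha1 -binary | openssl base64)" ;;
        '$apr1$'*)
            salt=${stored#\$apr1\$}; salt=${salt%%\$*}
            printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin ;;
        '$2'[aby]'$'*)
            echo "bcrypt entry: recomputing it needs htpasswd -v" >&2; return 2 ;;
        *)
            printf '%s\n' "$pass" ;;
    esac
}

# returns 0 when the password matches the stored entry for the user,
# 1 on mismatch, 2 when the user is missing or the format cannot be checked
htpasswd_check() {
    file=$1 user=$2 pass=$3
    stored=$(htpasswd_entry "$file" "$user")
    if [ -z "$stored" ]; then echo "no entry for $user in $file" >&2; return 2; fi
    calc=$(htpasswd_encode "$stored" "$pass") || return 2
    [ "$calc" = "$stored" ]
}

# command-line use: password from stdin rather than from the command line
if [ "$#" -eq 2 ]; then
    IFS= read -r pw
    if htpasswd_check "$1" "$2" "$pw"; then echo "match"; else echo "mismatch"; exit 1; fi
fi
```

If the recomputed hash matches but the browser login still fails, the problem is on the request side (wrong realm, a different AuthUserFile than the one edited, or a client sending a different password); if it does not match, the entry itself is wrong, which is what the bug above produced.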

apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName

On local web servers without a specific domain I often came across the Apache warning above. Here is how to get rid of it:

  • Check that /etc/hosts has entries for localhost, localhost.domainname, hostname and hostname.domainname.
  • Then edit /etc/apache2/httpd.conf and add ServerName hostname to the file.
  • Restart Apache.
root@coding:~# hostname --fqd
coding
root@coding:~# head -n2 /etc/hosts
127.0.0.1       localhost localhost.localdomain
192.168.56.10   coding coding.localdomain
root@coding:~# cat /etc/apache2/httpd.conf
ServerName coding
root@coding:~# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
root@coding:~#

Nexus server behind an apache2 proxy

The following howto explains how to install a default Nexus server behind an apache2 proxy on a Debian host.

First install Apache and Java, download Nexus and prepare it for configuration. You'll find the latest version of Nexus under http://nexus.sonatype.org/downloads/

apt-get install apache2 sun-java6-jdk
wget http://nexus.sonatype.org/downloads/nexus-oss-webapp-VERSION-bundle.tar.gz
mv nexus-oss-webapp-VERSION-bundle.tar.gz nexus.tgz
mv nexus.tgz /usr/local/
cd /usr/local
tar -xf nexus.tgz
ln -s nexus-oss-webapp-VERSION nexus
ln -s /usr/local/nexus/bin/jsw/linux-x86-64/nexus /etc/init.d/nexus
update-rc.d nexus defaults

Change the root path of the Nexus web application in /usr/local/nexus/conf/plexus.properties from /nexus to /:

webapp-context-path=/

Then add a new vhost to apache:

<VirtualHost _default_:80>
        ServerAdmin manuel@coffeebeans.at

        ProxyRequests Off
        ProxyPreserveHost On

        ProxyPass / http://localhost:8081/
        ProxyPassReverse / http://localhost:8081/

        LogLevel warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Apache needs some additional modules loaded, and Nexus has to be started too.

a2enmod rewrite proxy proxy_http
apache2ctl restart
/etc/init.d/nexus start

After this you should be able to access the nexus server via http://nexus-host:8081/ and http://nexus-host/. The first one is the webapp behind the proxy. Of course you have to replace the hostname or create an appropriate /etc/hosts entry.

As described, this setup is a Nexus-only host without a NameVirtualHost configuration. You can add ServerName and ServerAlias if you want to be able to deploy other vhosts. If you want to share the vhost with other applications, just skip the change to the plexus.properties file or set the value to the wanted path. Then you have to use different lines for the proxy configuration. For example, if you want to keep /nexus, you have to use

ProxyPass /nexus/ http://localhost:8081/nexus/
ProxyPassReverse /nexus/ http://localhost:8081/nexus/