Apache Modules: mod_ssl

Getting Started
When installing Apache2, mod_ssl is built as part of the installation as long as the corresponding USE flag is enabled for apache. You can check whether the USE flag is enabled by running: If it is highlighted, you are good to go. If not, alter your USE flags in /etc/make.conf or /etc/portage/package.use. For more information about altering USE flags, read the appropriate section of the handbook.

SSL keys
Here you have a choice: you can either use a certificate issued by a third-party CA such as Thawte or VeriSign (cacert.org is another option), which is recommended for anything exposed to the public internet, or generate your own self-signed certificate, which is generally used for development, testing or internal use. If your certificates were supplied to you, just place them in the /etc/apache2/ssl directory.

For more detailed information on certificate generation, see the guide on creating an SSL Certificate with Apache+mod_ssl.

First, we generate a random private key:

At this point, a key created this way would force Apache to ask for the passphrase at each startup, because the "-des3" option encrypts the key with it. If you don't want Apache to prompt you for a passphrase every time you start or restart it, either remove the "-des3" option from the key-generation command, or strip the passphrase afterwards as in the next step.

The next step is to create a copy of the key file with the passphrase removed.

Now we turn this key into a certificate signing request (CSR):

And with it, we can now generate ourselves a brand new self-signed certificate valid for 365 days. Without the "-days [number]" option the default validity is only 30 days.

Now copy the key:

Finally, make sure the following are correct:

Warning: Always remember that anyone holding the private key can assume the identity of the certificate's bearer. Your private key file (the .pem file) should be readable only by the root user!
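The four steps above, as an added example that is not part of the original page: one non-interactive script that generates the passphrase-protected key, strips the passphrase, creates the CSR, self-signs it, and then checks what the warning above is about (the unencrypted key is created owner-only from the start, not chmod'ed afterwards). The 2048-bit key size, the use of AES-256 instead of the page's -des3 for the encrypted copy, the subject of just CN=<host> and the host name www.example.test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: the key/CSR/certificate steps
# above as one non-interactive script. Assumptions: a 2048-bit RSA key, AES-256
# in place of the page's -des3 for the passphrase-protected copy, and a
# subject of just CN=<host>.
set -eu

# make_selfsigned_cert DIR HOST PASSPHRASE [DAYS]  -> writes into DIR:
#   server.key           private key encrypted with PASSPHRASE (Apache would prompt)
#   server.key.unsecure  the same key with the passphrase removed (what Apache loads)
#   server.csr           certificate signing request
#   server.crt           self-signed certificate, valid DAYS days (default 365)
make_selfsigned_cert() {
    dir=$1; host=$2; pw=$3; days=${4:-365}
    mkdir -p "$dir"
    # Create the key files owner-only from the start rather than chmod'ing them
    # afterwards: an unencrypted key must never be readable by anyone but root.
    old_umask=$(umask)
    umask 077
    # 1. random key, encrypted with a passphrase (the page's -des3 step)
    openssl genrsa -aes256 -passout "pass:$pw" -out "$dir/server.key" 2048 2>/dev/null
    # 2. the same key with the passphrase stripped, so Apache can start unattended
    openssl rsa -in "$dir/server.key" -passin "pass:$pw" \
        -out "$dir/server.key.unsecure" 2>/dev/null
    umask "$old_umask"
    # 3. certificate request; -subj answers the interactive questions
    openssl req -new -key "$dir/server.key.unsecure" -subj "/CN=$host" -out "$dir/server.csr"
    # 4. self-signed certificate; without -days the default validity is 30 days
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key.unsecure" -out "$dir/server.crt" 2>/dev/null
    chmod 644 "$dir/server.crt"   # the certificate itself is public
}

# cert_cn FILE: the certificate's CN (handles the "/CN=x" and "CN = x" print styles)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_valid_for FILE SECONDS: succeeds if FILE is still valid SECONDS from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# key_is_encrypted FILE: succeeds if the key cannot be loaded without its passphrase
key_is_encrypted() {
    ! openssl rsa -in "$1" -passin pass:definitely-wrong -noout >/dev/null 2>&1
}

# key_is_private FILE: succeeds only if group and other have no permission bits
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_selfsigned_cert "$d" www.example.test 's3cret-passphrase'
    echo "CN:            $(cert_cn "$d/server.crt")"
    key_is_encrypted "$d/server.key"          && echo "server.key:          passphrase required"
    key_is_encrypted "$d/server.key.unsecure" || echo "server.key.unsecure: no passphrase"
    key_is_private   "$d/server.key.unsecure" && echo "server.key.unsecure: mode 0600, good"
    cert_valid_for   "$d/server.crt" 31000000 && echo "still valid in ~359 days"
    cert_valid_for   "$d/server.crt" 32000000 || echo "expired in ~370 days (365-day cert)"
    rm -rf "$d"
fi
```

Run it with `sh script.sh demo`. Only server.key.unsecure and server.crt are needed by Apache; server.key can be kept as the passphrase-protected backup, and the CSR is what you would send to a CA instead of self-signing in step 4.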

Enabling mod_ssl
Now for the final step : as stated in the Apache2 install guide, to enable mod_ssl on your Apache2 server, simply add the "-D SSL -D SSL_DEFAULT_VHOST" options to the APACHE2_OPTS statement in /etc/conf.d/apache2.

Then restart Apache and check that HTTPS is working.

Important Note about SSL enabled VirtualHosts
While port 80 can host an essentially unlimited number of name-based VirtualHosts, without SNI each SSL-enabled VirtualHost must live on its own IP/port combination. You can still define more than one VirtualHost for an SSL-enabled port, but the certificate served will always be the one from the first SSL configuration for that IP/port. The browser will then warn about a certificate/host name mismatch (or a possibly malicious site) when you access any non-default VirtualHost on that port.

Why can't I use SSL with name-based (non-IP-based) virtual hosts, i.e. why isn't it possible to use name-based virtual hosting to identify different SSL virtual hosts?

Working around this with non-standard HTTP and HTTPS ports brings its own problems. There are only two standard ports (80 and 443), and the HTTPS one is used up by your first SSL-enabled VirtualHost; every further SSL VirtualHost on the same IP then needs a port of its own, which means:

 * Users (and you) have to remember the port number.
 * Search engines get lost, as most of them treat a different port as a different host.

Previously, it was common knowledge that an SSL/HTTPS VirtualHost on the same IP as another SSL/HTTPS site would conflict. The reason is the order of operations in the handshake: the server had to send its certificate before the client could send the HTTP request (and its Host header) naming the site it wanted.

More recently, Server Name Indication (SNI) was implemented in both web server and web browser software: the client includes the desired host name in the TLS ClientHello, so the server can pick and send the matching certificate before the handshake completes, and communication then continues as usual. Note that the SNI host name travels in cleartext, so it is visible to anyone on the path.

SNI is available not only in a separate module (mod_gnutls) but also in mod_ssl itself (Apache 2.2.12 or later built against OpenSSL 0.9.8f or later). It requires no configuration beyond giving each name-based SSL VirtualHost its own certificate. A client that sends no SNI still gets the certificate of the first VirtualHost for that IP/port, exactly as before; mod_ssl's SSLStrictSNIVHostCheck directive can be used to reject such clients outright. Browser support is required, and all current major browsers provide it.
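The behaviour described in this section, as an added example that is not part of the original page: a local `openssl s_server` stands in for Apache and serves two certificates on one IP/port, and `openssl s_client` plays three kinds of client. A client that sends no SNI gets the default certificate, a client naming the second host gets that host's certificate, and a client naming an unknown host falls back to the default, which is the "mismatched host" error case from above. The `served_cn` check is the same one you would point at a real server, including one on a non-standard port as in the next section. Port 8443, the host names default.example.test and second.example.test, and the throwaway 1-day certificates are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: the effect of SNI on one IP:port
# demonstrated with a local "openssl s_server" standing in for Apache.
# Assumptions: port 8443 (override with SNI_DEMO_PORT), the host names
# default.example.test / second.example.test, and throwaway 1-day certificates.
set -eu

# mk_cert DIR HOST: throwaway self-signed certificate, DIR/HOST.key and DIR/HOST.crt
mk_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# start_sni_server DIR PORT DEFAULT_HOST SNI_HOST: one listener, two certificates.
# s_server presents DEFAULT_HOST's certificate unless the client names SNI_HOST
# in the ClientHello (-cert2/-key2 are selected by -servername); the PID is left
# in SNI_SERVER_PID so the caller can stop it.
start_sni_server() {
    openssl s_server -accept "$2" -www \
        -cert "$1/$3.crt" -key "$1/$3.key" \
        -cert2 "$1/$4.crt" -key2 "$1/$4.key" -servername "$4" >/dev/null 2>&1 &
    SNI_SERVER_PID=$!
}

# wait_for_tls HOST PORT: poll until a handshake succeeds (gives up after ~10 s)
wait_for_tls() {
    i=0
    while [ "$i" -lt 10 ]; do
        if echo | openssl s_client -connect "$1:$2" 2>/dev/null | grep -q 'BEGIN CERTIFICATE'; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

# served_cn HOST PORT [SERVERNAME]: CN of the certificate the server presents.
# With SERVERNAME the client sends SNI; without it (and connecting to an IP
# literal, which is never sent as SNI) the server has to fall back to its default.
served_cn() {
    if [ -n "${3:-}" ]; then
        out=$(echo | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null || true)
    else
        out=$(echo | openssl s_client -connect "$1:$2" 2>/dev/null || true)
    fi
    printf '%s\n' "$out" | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); port=${SNI_DEMO_PORT:-8443}
    mk_cert "$d" default.example.test
    mk_cert "$d" second.example.test
    start_sni_server "$d" "$port" default.example.test second.example.test
    trap 'kill "$SNI_SERVER_PID" 2>/dev/null; rm -rf "$d"' EXIT
    wait_for_tls 127.0.0.1 "$port"
    echo "no SNI (old client)       -> $(served_cn 127.0.0.1 "$port")"
    echo "SNI second.example.test   -> $(served_cn 127.0.0.1 "$port" second.example.test)"
    echo "SNI unknown.example.test  -> $(served_cn 127.0.0.1 "$port" unknown.example.test)"
fi
```

Run it with `sh script.sh demo`. Against a real Apache, `served_cn www.example.org 443 www.example.org` versus `served_cn www.example.org 443` tells you at once whether the site depends on SNI, and a host name that returns the default certificate instead of its own is the VirtualHost whose certificate mod_ssl is not picking up.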

Changing the port SSL runs on

To change the port SSL runs on, edit /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf as follows (the example assumes you want SSL to run on port 72):

1) After "" and before "", add a new line reading "Listen 72"

2) Change "" to be 

Two other notable problems I ran into that were not covered above:

1) If you get a permission denied error, you may need to add the following under the  tag on a new line: "Include /etc/apache2/vhosts.d/default_vhost.include"

2) There seems to be a default SSL server running, whose configuration file is defined in "/etc/apache2/vhosts.d/00_default_ssl_vhost.conf". I commented out the "Listen" line in this configuration file to prevent conflicts.