Tuesday, August 9, 2016

[Research] Installing Apache HTTPd Web Server 2.4.23 + HTTPS (SSL) (Windows 2012 R2)

2016-08-08
Revised 2020-10-02

This post continues from:
[Research] Installing Apache HTTPd Web Server 2.4.23 (Windows 2012 R2)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-windows-2012-r2.html

The Apache for Windows package I downloaded includes openssl.exe, located in the C:\Apache24\bin directory.


c:\>C:\apache24\bin\openssl.exe   version
WARNING: can't open config file: c:/openssl-1.0.2h-win64/ssl/openssl.cnf
OpenSSL 1.0.2h  3 May 2016

c:\>C:\apache24\bin\openssl.exe   version   -a
WARNING: can't open config file: c:/openssl-1.0.2h-win64/ssl/openssl.cnf
OpenSSL 1.0.2h  3 May 2016
built on: reproducible build, date unspecified
VC-WIN64A
options:  bn(64,64) rc4(16x,int) des(idx,cisc,2,long) idea(int) blowfish(idx)
compiler: cl  /MD /Ox -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPEN
SSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_S
ECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MO
NT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_A
SM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DOPEN
SSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_SSL2 -DOPENSS
L_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_WEAK_SSL_CIPHERS -DOPENSSL_NO_STATIC_E
NGINE
OPENSSLDIR: "c:/openssl-1.0.2h-win64/ssl"

c:\>

To avoid typing the full path every time, run:


Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>PATH=%PATH%;C:\Apache24\bin

C:\Windows\system32>echo %PATH%
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\Wind
owsPowerShell\v1.0\;C:\Apache24\bin

C:\Windows\system32>



OpenSSL manpages
https://www.openssl.org/docs/manmaster/apps/ca.html

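OpenSSL does have a -config parameter that lets you specify the path to openssl.cfg when running openssl, but in my testing it had no effect with openssl-1.0.2h-win64 on Windows Server 2012 R2; the path has to be specified through the following environment variable for it to work: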


set   OPENSSL_CONF=C:\Apache24\conf\openssl.cnf


OPENSSLDIR, on the other hand, still has no effect when set through an environment variable as follows:
SET   OPENSSLDIR=C:\Apache24\ssl

(Figure below) Once OPENSSL_CONF is set, the warning no longer appears; setting OPENSSLDIR, however, has no effect.

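(Figure below) A value set inside a Command Prompt window is lost when that window is closed. To make it apply to every Command Prompt, it must be set in the Windows environment variables.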






(Figure below) Note that the path separator is a semicolon, so there is a semicolon before C:\Apache24\bin.




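After the setting is saved, open a new Command Prompt for it to take effect; windows that were opened before the change do not pick it up.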


C:\Apache24\conf\extra\httpd-ssl.conf contains the following lines:
SSLCertificateFile "c:/Apache24/conf/server.crt"
SSLCertificateKeyFile "c:/Apache24/conf/server.key"

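The certificate will therefore be placed in the C:\Apache24\conf directory (alternatively, put it in another directory and change the paths in httpd-ssl.conf to match).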

cd C:\Apache24\conf
REM Generate the private key
openssl genrsa -out server.key 2048
REM Use the -key parameter with the server.key just generated to create the CSR (server.csr)
openssl req -new -key server.key -out server.csr
REM Generate the self-signed certificate (server.crt)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Edit c:\Apache24\conf\httpd.conf and remove the leading comment marker # from the following lines:

#LoadModule ssl_module modules/mod_ssl.so
change to
LoadModule ssl_module modules/mod_ssl.so

#Include conf/extra/httpd-ssl.conf
change to
Include conf/extra/httpd-ssl.conf

#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
change to
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

PS: If socache_shmcb_module (modules/mod_socache_shmcb.so) is not loaded, the following error appears:
c:\Apache24\logs>httpd -k restart
AH00526: Syntax error on line 92 of C:/Apache24/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you
need to load the appropriate socache module (mod_socache_shmcb?).

PS:
C:\Apache24\conf>openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:


C:\Apache24\conf>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = TW, ST = Taiwan, L = Taipei, O = Internet Widgits Pty Ltd
Getting Private key

C:\Apache24\conf>

Restart Apache Web Server so the settings take effect (a ServerName warning may appear; it can be ignored).

httpd.exe  -k  restart
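
The checks below are an added example, not part of the original post: a PowerShell script that confirms the three httpd.conf lines are active, that server.crt and server.key belong together, and that Apache accepts the configuration before it is restarted. It assumes the C:\Apache24 paths used on this page.

```powershell
# Added example: pre-restart checks for the setup described on this page.
# Assumption: Apache lives in C:\Apache24, as in the post.
$conf    = 'C:\Apache24\conf'
$openssl = 'C:\Apache24\bin\openssl.exe'
$httpd   = 'C:\Apache24\bin\httpd.exe'
$env:OPENSSL_CONF = Join-Path $conf 'openssl.cnf'   # avoids the "can't open config file" warning
$problems = @()

# 1. The three httpd.conf lines must be present and not commented out.
$required = @(
    'LoadModule\s+ssl_module\s+modules/mod_ssl\.so',
    'LoadModule\s+socache_shmcb_module\s+modules/mod_socache_shmcb\.so',
    'Include\s+conf/extra/httpd-ssl\.conf'
)
$active = Get-Content (Join-Path $conf 'httpd.conf') | Where-Object { $_ -notmatch '^\s*#' }
foreach ($pattern in $required) {
    if (-not ($active -match ('^\s*' + $pattern))) {
        $problems += "httpd.conf: no active line matching $pattern"
    }
}

# 2. Certificate and private key must be a pair: compare their RSA moduli.
$crt = Join-Path $conf 'server.crt'
$key = Join-Path $conf 'server.key'
$crtMod = (& $openssl x509 -noout -modulus -in $crt) -join ''
$keyMod = (& $openssl rsa  -noout -modulus -in $key) -join ''
if (-not $crtMod -or $crtMod -ne $keyMod) {
    $problems += 'server.crt and server.key do not match (or could not be read)'
}

# 3. Show subject and expiry. A subject without CN (as in the transcript above,
#    where Common Name was left blank) cannot match any host name in a browser.
$info = & $openssl x509 -noout -subject -enddate -in $crt
$info
if (-not ($info -match 'CN\s*=')) { $problems += 'certificate subject has no CN' }

# 4. Let Apache parse the whole configuration; this surfaces errors such as AH00526.
& $httpd -t
if ($LASTEXITCODE -ne 0) { $problems += 'httpd -t reported a configuration error' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'All checks passed; httpd.exe -k restart can be run.'
```

genrsa as used above writes server.key without a passphrase, so restrict the NTFS permissions on that file to administrators and the account Apache runs as.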

Test

(End)
