[研究] Apache HTTPd Web Server 2.4.23 + HTTPS (SSL) 安裝 (Windows 2012 R2)

[研究] Apache HTTPd Web Server 2.4.23 + HTTPS (SSL) 安裝 (Windows 2012 R2)

2016-08-08

2020-10-02 修訂

續這篇
[研究] Apache HTTPd Web Server 2.4.23 安裝 (Windows 2012 R2)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-windows-2012-r2.html

敝人下載的 Apache for Windows 包含有 openssl.exe，在 C:\Apache24\bin 目錄

c:\>C:\apache24\bin\openssl.exe   version WARNING: can't open config file: c:/openssl-1.0.2h-win64/ssl/openssl.cnf OpenSSL 1.0.2h  3 May 2016 c:\>C:\apache24\bin\openssl.exe   version   -a WARNING: can't open config file: c:/openssl-1.0.2h-win64/ssl/openssl.cnf OpenSSL 1.0.2h  3 May 2016 built on: reproducible build, date unspecified VC-WIN64A options:  bn(64,64) rc4(16x,int) des(idx,cisc,2,long) idea(int) blowfish(idx) compiler: cl  /MD /Ox -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPEN SSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_S ECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MO NT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_A SM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DOPEN SSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_SSL2 -DOPENSS L_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_WEAK_SSL_CIPHERS -DOPENSSL_NO_STATIC_E NGINE OPENSSLDIR: "c:/openssl-1.0.2h-win64/ssl" c:\>

為了省去打路徑的麻煩，執行

Microsoft Windows [版本 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\Windows\system32>PATH=%PATH%;C:\Apache24\bin C:\Windows\system32>echo %PATH% C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\Wind owsPowerShell\v1.0\;C:\Apache24\bin C:\Windows\system32>

OpenSSL manpages
https://www.openssl.org/docs/manmaster/apps/ca.html

OpenSSL雖然有 -config 參數，在執行 openssl 時候可以指定 openssl.cfg 路徑，但是實測 openssl-1.0.2h-win64 在 Windows Server 2012 R2 上無效，要用下面環境變數方式指定才能成功

set   OPENSSL_CONF=C:\Apache24\conf\openssl.cnf

而  OPENSSLDIR 用下面環境變數方式設定，依然無效
SET   OPENSSLDIR=C:\Apache24\ssl

(下圖) 可以看到 OPENSSL_CONF 指定後，不再有警告；但 OPENSSLDIR 設定無效

(下圖) 在 "命令提示字元" 模式設定的，當該  "命令提示字元"  視窗關閉後，設定就失效了，要讓每個  "命令提示字元"  都生效，要設定在環境變數中

(下圖) 注意，路徑的分隔符號是分號，所以 C:\Apache24\bin 之前有個分號

設定完成後，要重新啟動新的命令提示字元才會生效，設定完成前啟動的無效

因為 C:\Apache24\conf\extra\httpd-ssl.conf 裡面可以找到

SSLCertificateFile "c:/Apache24/conf/server.crt"

SSLCertificateKeyFile "c:/Apache24/conf/server.key"

所以準備把 憑證放到 C:\Apache24\conf 目錄 ( 或者放其他目錄，改掉 httpd-ssl.conf 中的目錄設定也可)

cd   C:\Apache24\conf

# 產生私鑰 

openssl   genrsa   -out   server.key  2048

# 用 -key 參數和剛產生的 server.key 產生 CSR  ( server.csr)

openssl req -new -key server.key -out  server.csr

# 產生自我簽署的金鑰

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

修改 c:\Apache24\conf\httpd.conf 內容，拿掉註解 #

#LoadModule ssl_module modules/mod_ssl.so

改為

LoadModule ssl_module modules/mod_ssl.so

#Include conf/extra/httpd-ssl.conf

改為

Include conf/extra/httpd-ssl.conf

#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

改為

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

PS : socache_shmcb_module modules/mod_socache_shmcb.so 若沒載入會出現下面錯誤

c:\Apache24\logs>httpd -k restart

AH00526: Syntax error on line 92 of C:/Apache24/conf/extra/httpd-ssl.conf:

SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you

need to load the appropriate socache module (mod_socache_shmcb?).

PS：

C:\Apache24\conf>openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:TW

State or Province Name (full name) [Some-State]:Taiwan

Locality Name (eg, city) []:Taipei

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:1234

An optional company name []:

C:\Apache24\conf>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=C = TW, ST = Taiwan, L = Taipei, O = Internet Widgits Pty Ltd

Getting Private key

C:\Apache24\conf>

重新啟動 Apache Web Server 讓設定生效 (可能有 ServerName 警告，可不理)

httpd.exe  -k  restart

測試

(完)

相關

OpenSSL manpages
https://www.openssl.org/docs/manmaster/apps/ca.html

[研究] AppServ 8.4.0 + HTTPS (SSL) 安裝 (Windows 2012 R2)
http://shaurong.blogspot.com/2016/08/appserv-840-https-ssl-windows-2012-r2.html

[研究] Apache HTTPd Web Server 2.4.23 + HTTPS (SSL) 安裝 (Windows 2012 R2)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-2423-https-ssl.html

[研究] Apache HTTPd Web Server 2.4.6 + HTTPS (SSL) yum 安裝 (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-246-https-ssl.html

網際網路資訊服務（英语：Internet Information Services，簡稱IIS）
https://zh.wikipedia.org/wiki/%E7%B6%B2%E9%9A%9B%E7%B6%B2%E8%B7%AF%E8%B3%87%E8%A8%8A%E6%9C%8D%E5%8B%99
有 Windows 版本和內建 IIS 版本關係

[研究] Windows 2012 R2 安裝 IIS 8.5 和 HTTP (SSL) 連線 (方法二)
http://shaurong.blogspot.com/2015/04/windows-2012-r2-iis-http-ssl.html

[研究] Windows 2012 R2 安裝 IIS 8.5 和 HTTP (SSL) 連線 (方法一)
http://shaurong.blogspot.com/2015/04/windows-2008-r2-iis-http-ssl.html

[研究] Windows 2012 安裝 IIS 8.0 和 HTTP (SSL) 連線
http://shaurong.blogspot.com/2015/04/windows-2012-iis-http-ssl.html

[研究] Windows 2008 R2 安裝 IIS 7.5 和 HTTP (SSL) 連線
http://shaurong.blogspot.com/2015/04/windows-2008-r2-iis-http-ssl.html

[研究] Windows 2003 R2 安裝 IIS 6.0 和 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2015/04/windows-2003-r2-iis-https-ssl.html

[研究] Windows 10 Enterprise 1511 (x64)安裝架設IIS 10.0、建立SSL憑證、提供 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2016/02/windows-10-enterprise-1511-x64iisssl.html

[研究] Windows 7 Ultimate x64安裝架設IIS 7.5、建立SSL憑證、提供 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2016/02/windows-7-ultimate-x64iisssl-https-ssl.html

[研究] Windows XP Professional x86 安裝架設IIS 5.1、建立SSL憑證、提供 HTTPS (SSL) 連線
http://shaurong.blogspot.com/2016/02/windows-xp-professional-x86-iisssl.html

[研究] 在Windows XP Professional上IIS 5.1啟動SSL
http://shaurong.blogspot.com/2011/06/windows-xp-professionaliisssl.html

Internet Information Services (IIS) 10.0 Express 下載
https://www.microsoft.com/zh-TW/download/details.aspx?id=48264
支援 Windows 7/2008R2,8/2012,8.1/2012 R2,10/2016

Internet Information Services (IIS) 8.0 Express
https://www.microsoft.com/en-us/download/details.aspx?id=34679

Internet Information Services (IIS) 7 Manager
https://www.microsoft.com/en-us/download/details.aspx?id=2299

Internet Information Services (IIS) 6.0 Resource Kit
https://www.microsoft.com/en-us/download/details.aspx?id=5135
支援 Windows XP/2003

Internet Information Services (IIS) 6.0 Resource Kit Tools
https://www.microsoft.com/en-us/download/details.aspx?id=17275

Internet Information Services (IIS) 6.0 Manager for Windows XP
https://www.microsoft.com/en-us/download/details.aspx?id=15662