Installing an Apache + SSL on FreeBSD using the ports tree

Installing Apache + SSL is very easy on FreeBSD.

Note: Tested on FreeBSD 9

  1. First install FreeBSD. Instructions for installing FreeBSD are contained in these articles.
    How I install FreeBSD?
    How I install FreeBSD 9?
  2. Second update FreeBSD and install the ports tree. Instructions for this are in this article.
    What are the first commands I run after installing FreeBSD?
  3. Install the latest version of Apache, which is Apache 2.2 as of writing this.
    # cd /usr/ports/www/apache22
    # make BATCH=yes install

    This will download the Apache 2.2 source and compile and install it. A few other dependencies will be installed as well.

    Apache will not start automatically which is fine because we are not ready to start it yet.

  4. Configure Apache to automatically start when the FreeBSD system boots up. This is done using the /etc/rc.conf file.
    # echo '# Apache 2.2' >> /etc/rc.conf
    # echo 'apache22_enable="YES"' >> /etc/rc.conf
  5. In order for Apache to use SSL, you must create a certificate. You may or may not know how to create one, so I have made it easy for you by doing everything in a shell script. I have used SHA-256, because in this day and age you need higher security than MD5 or SHA1.

    makesha256key.sh

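    #!/bin/sh
    # Usage: ./makesha256key.sh certname
    umask 077    # new key files are readable by root only
    mkdir -p /root/mycert
    cd /root/mycert || exit 1
    
    mkdir -p /usr/local/etc/apache22/ssl.key
    mkdir -p /usr/local/etc/apache22/ssl.crt
    # Directories need the execute bit to be entered, so 0700 rather than 0400.
    chmod 0700 /usr/local/etc/apache22/ssl.key
    chmod 0700 /usr/local/etc/apache22/ssl.crt
    
    # Passphrase-protected RSA key. 2048 bits, because a 1024-bit key is too weak to pair with SHA-256.
    openssl genrsa -des3 -out "$1.key" 2048
    # Self-signed certificate, valid for 365 days, signed with SHA-256.
    openssl req -new -x509 -nodes -sha256 -days 365 -key "$1.key" -out "$1.crt"
    
    # Keep the encrypted key as .orig and write a passphrase-free copy,
    # so Apache can start without prompting.
    cp "$1.key" "$1.key.orig"
    openssl rsa -in "$1.key.orig" -out "$1.key"
    
    # Install the key and certificate where httpd-ssl.conf will look for them.
    cp "$1.key" /usr/local/etc/apache22/ssl.key/
    cp "$1.crt" /usr/local/etc/apache22/ssl.crt/
    chmod 0400 "/usr/local/etc/apache22/ssl.key/$1.key"
    chmod 0400 "/usr/local/etc/apache22/ssl.crt/$1.crt"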
    

    This is NOT a fully functional shell script that shows you the command line options and everything. It is really just a list of commands to make this easier for you. Copy this to a shell script and run it. It takes one parameter, the cert name and you should call it like this:

    ./makesha256key.sh certname

    IMPORTANT: The commands in the script will prompt you for a certificate password and your certificate information. The only thing you need to make certain of is that when prompted for the “Common Name” you use the host name from your site's URL. For example, if your web site is www.rhyous.com, then www.rhyous.com is your Common Name.

    Or you can run the commands from the shell script manually one at a time if you want (replacing $1 with your desired certificate name).

    Note: In this script, the certificate will be a self-signed certificate, but you can get a signed certificate free here: http://cert.startcom.org

  6. Now configure Apache to read the httpd-ssl.conf file when it starts.

    Open /usr/local/etc/apache22/httpd.conf using the easy editor, ee.

    # ee /usr/local/etc/apache22/httpd.conf

    Near the end of the file, remove the comment symbol, the # sign, from the following line:

    Include etc/apache22/extra/httpd-ssl.conf

    Note: While you are in this file you may want to remove the comment from the line for enabling Virtual Hosts too if you are going to have multiple URLs hosted on this server.

  7. Configure the httpd-ssl.conf.
    # ee /usr/local/etc/apache22/extra/httpd-ssl.conf

    I only change the two lines that point to the certificate and key so they reference the correct files. Here is a sample httpd-ssl.conf without the comments.

    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
    SSLMutex  "file:/var/run/ssl_mutex"
    <VirtualHost _default_:443>
      DocumentRoot "/usr/local/www/apache22/data"
      ServerName www.example.com:443
      ServerAdmin you@example.com
      ErrorLog "/var/log/httpd-error.log"
      TransferLog "/var/log/httpd-access.log"
    
      SSLEngine on
    
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    
      SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
    
      SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
    
      <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
      </FilesMatch>
      <Directory "/usr/local/www/apache22/cgi-bin">
        SSLOptions +StdEnvVars
      </Directory>
    
      BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
      CustomLog "/var/log/httpd-ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
    

  8. Now start or restart Apache.
    # /usr/local/etc/rc.d/apache22 start
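
Before starting Apache it is worth confirming that the files named by SSLCertificateFile and SSLCertificateKeyFile belong together and came out the way step 5 intended. The check below is an added example, not part of the original article; check_cert_pair is a hypothetical helper name, and it expects the passphrase-free key that the script installs.

```shell
#!/bin/sh
# Added example: sanity-check a key/certificate pair before Apache uses it.
# Prints one finding per line; prints nothing when the pair looks fine.
check_cert_pair() {
    key=$1
    crt=$2

    # 1. The certificate must carry the public half of this private key.
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "MISMATCH: certificate does not belong to this key"
    fi

    text=$(openssl x509 -noout -text -in "$crt" 2>/dev/null)

    # 2. RSA modulus size; anything under 2048 bits is flagged.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WEAK-KEY: ${bits:-unknown} bit RSA key"
    fi

    # 3. Signature digest; MD5 and SHA-1 are what the article set out to avoid.
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        md5*|sha1*|"") echo "WEAK-DIGEST: ${sig:-unknown}" ;;
    esac

    # 4. The private key should be accessible to its owner only.
    perms=$(ls -l "$key" | cut -c5-10)   # group and other permission bits
    if [ "$perms" != "------" ]; then
        echo "LOOSE-PERMS: $key is accessible to group or others"
    fi
}

# Stand-alone use: ./checkpair.sh /path/to/name.key /path/to/name.crt
if [ $# -eq 2 ]; then check_cert_pair "$1" "$2"; fi
```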

Now just open a browser (on another system, of course) and connect to your new FreeBSD web server. You can connect using the name, FQDN, or IP and see which work.

  • http://servername
  • http://www.YourDomain.com
  • http://192.168.0.100

You can also try to connect with SSL.

  • https://servername
  • https://www.YourDomain.com
  • https://192.168.0.100
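
Which ciphers those https:// connections may negotiate is decided by the SSLCipherSuite line from step 7. The following added example (not from the original article) models OpenSSL's cipher-string operators for six weak class keywords and reports which of them a line leaves enabled. The names enabled_weak_classes and demo are hypothetical, the two lines in demo are constructed input (the article's line, then a stricter string), and keywords outside the tracked six are ignored.

```shell
#!/bin/sh
# Added example, not from the article. Rules modelled (OpenSSL cipher strings):
#   X    add ciphers          +X  move already-enabled ciphers to the end only
#   -X   remove               !X  remove permanently
#   ALL  everything except eNULL
enabled_weak_classes() {   # $1 = config file; prints "line: classes"
    awk '
    BEGIN { nw = split("LOW EXP SSLv2 RC4 MD5 eNULL", weak, " ") }
    tolower($1) == "sslciphersuite" {
        split("", on); split("", dead)            # reset state for this line
        gsub(/"/, "", $2)
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            t = tok[i]; op = substr(t, 1, 1)
            if (op == "!" || op == "-" || op == "+") t = substr(t, 2)
            else op = ""
            if (op == "+") continue               # reorder only, enables nothing
            if (op == "" && t == "ALL") {
                for (w = 1; w <= nw; w++)
                    if (weak[w] != "eNULL" && !(weak[w] in dead)) on[weak[w]] = 1
                continue
            }
            m = split(t, part, "+")               # RC4+RSA: ciphers in both classes
            for (p = 1; p <= m; p++) for (w = 1; w <= nw; w++) {
                if (part[p] == "EXPORT") part[p] = "EXP"
                if (part[p] != weak[w]) continue
                if (op == "" && !(weak[w] in dead)) on[weak[w]] = 1
                if (op != "" && m == 1) {         # a whole class is removed
                    delete on[weak[w]]
                    if (op == "!") dead[weak[w]] = 1
                }
            }
        }
        out = ""
        for (w = 1; w <= nw; w++)
            if (weak[w] in on) out = (out == "" ? "" : out " ") weak[w]
        print NR ": " (out == "" ? "none" : out)
    }' "$1"
}

demo() {   # constructed sample input: the article line, then a stricter one
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCipherSuite HIGH:!aNULL:!MD5
EOF
    enabled_weak_classes "$tmp"
    rm -f "$tmp"
}
```

For the article's line the weak classes come from ALL, which only has ADH and EXPORT56 removed from it; the trailing +LOW, +SSLv2, +EXP and +eNULL entries change ordering and enable nothing by themselves.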

Common Errors

  1. Performing sanity check on apache22 configuration:
    httpd: apr_sockaddr_info_get() failed for F9
    httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
    Syntax OK
    Starting apache22.
    httpd: apr_sockaddr_info_get() failed for F9
    httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
    /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
    

    If you get this error, you need to update your /etc/hosts file and make sure the system’s hostname is there.

    ::1                     localhost YourServerNameHere
    127.0.0.1               localhost YourServerNameHere
    

Install other software

It is now very common to install a database server and a scripting language, such as MySQL and PHP. I have separate documents for each install:

How to install MySQL FreeBSD?

How to install PHP5 and PHP5 Extensions on FreeBSD?

14 Comments

  5. Smuli says:

    Hi,

    I would like to add, that the point under "Common Errors" is actually just a "Warning". Apache runs nevertheless, if you have right domain name pointing to the IP or not.

    Anyways, good article.

    Cheer,
    Samuli

  6. By the way, excellent website logo as well. Hail the sword!!!

  7. steffen says:

    It is useful to try everything in practice anyway and I like that here it's always possible to find something new. 🙂

  8. Guests says:

    You have tested it and writing from your personal experience or you find some information online?

    • rhyous says:

      Yes, I have tested it and it is in production at my work for an internal site for my support team. We are running dotProject and a few other sites off it. I'll be honest this was the first time I went with SHA-256 over MD5, but it is working well.
