Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-05-05 Thread General Email
On Wed, 17 Apr 2024 at 15:36, General Email
 wrote:
>
>
> Anyways, I looked more on google and I think that I have found what I was 
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
>


A few days ago, I configured SSL and enabled HTTPS on Apache 2.4. It is
working fine.

I am listing the steps below, in case it helps someone.

--
Enabling HTTPS and Configuring SSL in Apache 2.4 on Windows 10
Date: April, 2024
--


VERY IMPORTANT:

You should not follow this process for a production environment because
the self-signed SSL certificate (that is being generated here) is a security risk.
You should follow this process only for the local development environment.


-
Please follow the steps listed below:
-

Step 1: Stop Apache web server if it is already running.

Step 2: Add "absolute_path_to_apache24_dir\bin" to the system environment
variable "Path". openssl.exe is in this folder.

Step 3: Open the Windows command prompt and change directory to
"absolute_path_to_apache24_dir\conf".

Step 4: On the command prompt, execute the following command:

set OPENSSL_CONF=absolute_path_to_apache24_dir\conf\openssl.cnf

If "absolute_path_to_apache24_dir" contains spaces then enclose the
path in quotes.

Step 5: Check that the OPENSSL_CONF variable is set to the correct directory by
executing the following command on the command prompt:

echo %OPENSSL_CONF%

Step 6: On the command prompt, execute the following command
(openssl.exe is in "absolute_path_to_apache24_dir\bin" folder):

openssl genrsa -out cert.key 2048

Step 7: On the command prompt, execute the following command:

openssl req -new -key cert.key -out cert.csr

When you execute this command, you will be asked to give input for
some fields. I had given input for only one field (and for other fields,
I just hit "Enter" key):

Common Name (e.g. server FQDN or YOUR name) []:localhost

Step 8: On the command prompt, execute the following command:

openssl x509 -req -days 3650 -in cert.csr -signkey cert.key -out cert.crt

Step 9: Change a few lines in the
"absolute_path_to_apache24_dir\conf\httpd.conf"
file. I am listing the lines after the changes. I am not listing the
original lines. You can search and change/replace the
original lines.

The changed lines are:

Define SRVROOT "absolute_path_to_apache24_dir"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
ServerName localhost:80
Include conf/extra/httpd-ssl.conf

Step 10: Change a few lines in the
"absolute_path_to_apache24_dir\conf\extra\httpd-ssl.conf" file.
I am listing the lines after the changes. I am not listing the
original lines. You can search and change/replace the
original lines.

The changed lines are:

ServerName localhost:443
ServerAdmin ad...@localhost.localdomain.com
SSLCertificateFile "${SRVROOT}/conf/cert.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/cert.key"

Step 11 (Last Step): Now, you can start Apache web server and test.

 Since the security certificate that was generated here is self-signed,
 the browser may show you a warning that the connection/certificate,
 etc. is not trusted. But since this is your local development
 environment, you can ignore this warning and accept the risk and
 go ahead with the testing/development, etc.

 I do the same (ignore the warning and accept the risk).

 End 
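
A scripted variant of Steps 6 to 8 with verification, added here as an example and not part of the original post. It goes beyond the steps above by setting a subjectAltName, because current browsers match the hostname against that extension rather than the Common Name, and then checks that cert.crt and cert.key belong together before Apache is started. Assumptions: it is run from the conf directory (Step 3) with OPENSSL_CONF set (Step 4), OpenSSL is 1.1.1 or later, and the SAN values DNS:localhost and IP:127.0.0.1 are chosen for illustration.

```bat
@echo off
rem Added example, not from the original post. Run from the conf directory
rem (Step 3) with OPENSSL_CONF set (Step 4). Overwrites cert.key and cert.crt.
setlocal

rem Same key as Step 6.
openssl genrsa -out cert.key 2048 || goto fail

rem Steps 7 and 8 as one non-interactive command, plus a subjectAltName.
rem The SAN values are assumptions; -addext needs OpenSSL 1.1.1 or later.
openssl req -new -x509 -key cert.key -days 3650 -subj "/CN=localhost" ^
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" -out cert.crt || goto fail

rem Check 1: the certificate carries the public key that belongs to cert.key.
set "CERT_PUB="
set "KEY_PUB="
for /f "delims=" %%A in ('openssl x509 -in cert.crt -noout -pubkey ^| openssl sha256') do set "CERT_PUB=%%A"
for /f "delims=" %%A in ('openssl pkey -in cert.key -pubout ^| openssl sha256') do set "KEY_PUB=%%A"
if not defined CERT_PUB goto fail
if not "%CERT_PUB%"=="%KEY_PUB%" goto fail

rem Check 2: the name the browser will match is present in the SAN.
openssl x509 -in cert.crt -noout -ext subjectAltName | findstr /c:"DNS:localhost" >nul || goto fail

rem Check 3: the certificate is still valid 24 hours from now.
openssl x509 -in cert.crt -noout -checkend 86400 >nul || goto fail

rem Check 4: httpd.conf and httpd-ssl.conf parse with the new files in place.
httpd -t || goto fail

echo OK: cert.crt matches cert.key and names localhost
exit /b 0

:fail
echo FAILED: see the openssl or httpd output above
exit /b 1
```

Checks 1 to 3 can also be run on their own against a certificate made with the original Steps 6 to 8; Check 2 will then fail, since those steps set only the Common Name.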




Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email
On Wed, Apr 17, 2024, 3:27 PM General Email <
general.email.12341...@gmail.com> wrote:

>
>
>> > If people are asking for advice on PHP then advise them on PHP or don't
>> say anything.
>> > Don't start advising them about Java.
>>
>> Please... I am not even making remarks about you asking openssl questions
>> at httpd.
>>
>
>
> So, is this wrong forum for asking about openssl commands required for
> generating certificates for enabling https on apache?
>
> I can easily look at openssl website or other websites and look how to
> create self signed certificates. However, I was not sure if that would work
> on apache. That's why I asked here.
>
> Most of the websites showed how to generate .pem certificates, but after
> reading about ssl/https on apache website, I saw that apache requires .crt
> certificates.
>
> Obviously, I can figure out this whole thing if I read whole openssl
> manual and apache ssl configs, etc. but I don't want to invest time in that
> and I was looking for a quick solution and that's why I posted here.
>
>
>
>> I think most people will understand that I try to make you see the
>> difference between developing an application and how it is hosted/used what
>> ever, operate within your area of expertise.
>>
>
> I know this and I told you that I want to hard code https. Now, please
> tell me how can my idea go wrong?
>
> Please don't tell me how other people's unrelated ideas went wrong.
>
> Let's have a meaningful discussion.
>
> I don't work for any company.
>
> I do freelancing. I am doing this project for a real estate client. So,
> it's only me who will do everything and decide everything - development,
> testing, maintenance hosting, hard coding, migration, https, ssl, etc.
>
> I would really like to know how my idea of hardcoding https can go wrong?
>

Anyways, I looked more on google and I think that I have found what I was
looking for on this page:
https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email
>
> > If people are asking for advice on PHP then advise them on PHP or don't
> say anything.
> > Don't start advising them about Java.
>
> Please... I am not even making remarks about you asking openssl questions
> at httpd.
>


So, is this wrong forum for asking about openssl commands required for
generating certificates for enabling https on apache?

I can easily look at openssl website or other websites and look how to
create self signed certificates. However, I was not sure if that would work
on apache. That's why I asked here.

Most of the websites showed how to generate .pem certificates, but after
reading about ssl/https on apache website, I saw that apache requires .crt
certificates.

Obviously, I can figure out this whole thing if I read whole openssl manual
and apache ssl configs, etc. but I don't want to invest time in that and I
was looking for a quick solution and that's why I posted here.



> I think most people will understand that I try to make you see the
> difference between developing an application and how it is hosted/used what
> ever, operate within your area of expertise.
>

I know this and I told you that I want to hard code https. Now, please tell
me how can my idea go wrong?

Please don't tell me how other people's unrelated ideas went wrong.

Let's have a meaningful discussion.

I don't work for any company.

I do freelancing. I am doing this project for a real estate client. So, it's
only me who will do everything and decide everything - development,
testing, maintenance hosting, hard coding, migration, https, ssl, etc.

I would really like to know how my idea of hardcoding https can go wrong?


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email
On Wed, Apr 17, 2024, 1:17 PM Marc  wrote:

>
> >
> >   http is an insecure protocol. I don't want my website to run on
> > http. So, I am hardcoding https in links in my website that refer to
> > pages in my website.
> >
> >
> >   Now, I know that you will write why not redirect http to https by
> > default.
>
> No because that is not relevant to me and what I would like to address. I
> am even deploying https on tasks in private air-gapped environments. This
> is not a discussion about whether or not https should be used and when.
>
>
> > The problem with this is that if the website gets migrated to
> > different provider and if people forget to redirect http to https in new
> > setup then it will become a security problem.
>
> I know there are many idiots out there and your concern is very valid.
> Most of the security breaches you read about are about such issues.
> However, can you imagine the apache dev team thinking like you? Hard
> coding everything to https? Can you imagine all http ports of tomcat,
> httpd, jboss etc. being dropped? These people have been making rock solid
> applications for decades they don't lecture others how to use or not use
> https.
> You will never match them in any way, why not follow their lead?
>
>
> >   Hardcoding https solves all issues.
> >
>
> A few years back I had an argument with apple developers. They were having
> in the build process of the calendar server openssl. The developers thought
> for security purposes it would be better to include it in the build. This
> resulted in that calendar servers were always having an old insecure
> openssl, because the openssl updated by the distribution was not used. (and
> nobody is going to build the application frequently) This is what happens
> when application developers think they are security geniuses.
>
> The point I am trying to make is that you as an application developer
> should be focussed on developing your application it is not your business
> how this application is hosted. You should not concern yourself with things
> you are not experienced in/with. Especially when it comes to something as
> crucial as security. You are not removing ca certs from the trust store,
> you are not setting secure ciphers, you are not setting limits on key
> sizes etc. Why would you then even bother with https or http?
>
> With your argument you might as well hard code the domain name in your
> application (like wordpress) and hardcode root name servers etc.
> If you buy an egg in the store, it does not come with any requirement that
> it should be used only for making cakes. Grasp this concept.
>


Marc,

I don't know what you are trying to prove by your points + you are
insulting people for no reason.

If you insult people, they may insult you back.

Russia attacked Ukraine and Ukraine/NATO hit Russia back.

The original discussion was about openssl commands and I think that since
you don't know openssl commands, you should not have said anything.

Let other people do what they want to do. If they want to hardcode
something, why are you bothered.

I will hard code https, it's my choice. It has nothing to do with you.

Now, you are saying to hard code root name servers, etc. which doesn't make
sense.

You are taking this discussion in all sorts of directions and I don't know
what you want to prove.

If you want to prove that you are a very smart person and other people are
fools then for that you need to play chess with all other people and win
all the games. You can invite wordpress idiots to play chess with you and
then if you win then probably you can tell that person that he/she is an
idiot.

There are many people in this world who are very smart but they don't say
that other people are fools - for example, Steve Wozniak, Larry Page,
Knuth, etc.

If people are asking for advice on PHP then advise them on PHP or don't say
anything. Don't start advising them about Java.

By the way, if you insult me, I will insult you back.

GE


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email
> This is also not relevant to what I am stating. If you develop, do it
> regardless of http/https that is convenient for everyone. It will be to
> your own benefit. If you have to host the application on your own server,
> so be it. It will be easier with choosing your https solution. You could
> already be developing it now, and later you can check how to use openssl.
> Last thing you want, is an application that forces https or http.
>


http is an insecure protocol. I don't want my website to run on http. So, I
am hardcoding https in links in my website that refer to pages in my
website.

Now, I know that you will write why not redirect http to https by default.
The problem with this is that if the website gets migrated to different
provider and if people forget to redirect http to https in new setup then
it will become a security problem.

Hardcoding https solves all issues.


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email
>
> Here’s a possible SO question that might help you:
>
> https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl
>

Thanks Will. I will look into it.


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email
> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>

Are you saying that I am a wordpress idiot?


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email
> I think you need to search for setting up your own CA and sign certs.


Windows is my development environment. Later the website will be hosted on
linux and the linux hosting provider will provide SSL certificate.

I had looked at
https://stackoverflow.com/questions/4221874/how-do-i-allow-https-for-apache-on-localhost

But it looks like many answers on this page are obsolete now.


> I don't think openssl commands are any different on windows.


Yeah, they are not. But I don't know what all arguments to give to openssl.

> Maybe easier to get an existing cert and use that, and just ignore the
> warning?
> Maybe there are even easier to use tools on windows that do this all for
>

I actually want to use openssl. openssl.exe comes with apache 2.4
distribution.


[users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email
Hi,

I was looking for openssl command(s) to generate server side certificate
and key so that https starts working on my apache 2.4 web server on windows.

I looked on the Internet but found few commands but they all used different
arguments to openssl.

Can someone please give me exact openssl command(s) to use.

I will appreciate it.

Regards,
GE