Apache w/SSL on FC6
Presumably you already have apache installed:
# yum list httpd | grep installed
httpd.i386 2.2.3-5 installed
Create /etc/grid-security and make sure it has the right permissions:
# mkdir /etc/grid-security
# chmod 755 /etc/grid-security
Get a host certificate using ncsa-cert-request, which is installed on NCSA HPC systems:
% cd ~/.globus/
% ncsa-cert-request -host gridshib-ca.ncsa.uiuc.edu
You will need your Default NCSA Password, which was given to you when you started working at NCSA.
The ncsa-cert-request script can also be found at:
/afs/ncsa/packages/NCSA-CA/bin/ncsa-cert-request
http://ca.ncsa.uiuc.edu/ncsa-cert-request
Move the resulting hostcert.pem and hostkey.pem to /etc/grid-security on the installation host and make sure they have the right permissions:
# chown root:root /etc/grid-security/hostcert.pem
# chmod 644 /etc/grid-security/hostcert.pem
# chown root:root /etc/grid-security/hostkey.pem
# chmod 600 /etc/grid-security/hostkey.pem
Install mod_ssl:
# yum install mod_ssl
Modify the Apache SSL configuration so that it uses the host certificate and key from /etc/grid-security (each sed writes to the other file so that the previous step's output is the next step's input):
# cp /etc/httpd/conf.d/ssl.conf /tmp/ssl.conf.bak
# sed 's/^SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt/SSLCertificateFile \/etc\/grid-security\/hostcert.pem/' /etc/httpd/conf.d/ssl.conf > /tmp/ssl.conf
# sed 's/^SSLCertificateKeyFile \/etc\/pki\/tls\/private\/localhost.key/SSLCertificateKeyFile \/etc\/grid-security\/hostkey.pem/' /tmp/ssl.conf > /etc/httpd/conf.d/ssl.conf
# sed 's/^#DocumentRoot "\/var\/www\/html"/DocumentRoot "\/var\/www\/html"/' /etc/httpd/conf.d/ssl.conf > /tmp/ssl.conf
# sed 's/^#ServerName www.example.com:443/ServerName gridshib-ca.ncsa.uiuc.edu:443/' /tmp/ssl.conf > /etc/httpd/conf.d/ssl.conf
Next thing I ran into was SELinux blocking httpd when it tried to start:
# /etc/init.d/httpd start
Starting httpd: [FAILED]
# tail -1 /var/log/messages
Mar 1 18:29:58 gridshib-ca kernel: audit(1172795398.749:69): avc: denied { getattr } for pid=8797 comm="httpd" name="hostcert.pem" dev=dm-0 ino=1376330 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Best I could figure out to do was to put SELinux into permissive mode:
# setenforce Permissive
And then edit /etc/selinux/config to make this permanent (sed -i edits the file in place; redirecting sed's output back onto its own input file would truncate the file before it is read):
# sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
Now, apache should start:
# /etc/init.d/httpd start
Starting httpd: [ OK ]
Now configure iptables to allow connections to port 443:
# /sbin/iptables -I RH-Firewall-1-INPUT -p tcp --dport https -j ACCEPT
# /etc/init.d/iptables save
At this point you should be able to point a web browser at https://yourhostncsa.ncsa.uiuc.edu and see a real web page.
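As an added example (not part of the wiki page or of any NCSA tooling), a POSIX shell script that re-checks the steps above before httpd is started: ownership and modes of hostcert.pem and hostkey.pem, that ssl.conf now points at the grid-security files rather than the stock localhost.crt/localhost.key, that the private key belongs to the certificate, and whether the files still carry the user_home_t label they inherited from ~/.globus, which is the tcontext in the audit denial quoted above; restorecon relabels them so httpd can read them with SELinux left enforcing. All function names are my own, and the paths are arguments so the checks can be run against a staging copy.

```shell
#!/bin/sh
# Added example, not from the wiki page: pre-flight checks for the hostcert,
# hostkey, ssl.conf and SELinux steps above. Paths are arguments, e.g.
#   run_checks /etc/grid-security /etc/httpd/conf.d/ssl.conf

# check_perms FILE OWNER MODE: 0 if FILE exists with exactly that owner and mode
check_perms() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    got=$(stat -c '%U %a' "$1")
    [ "$got" = "$2 $3" ] || { echo "bad owner/mode on $1: $got (want $2 $3)"; return 1; }
}
# conf_value CONF DIRECTIVE: value of the first uncommented DIRECTIVE line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}
# check_conf CONF GRIDSEC: the sed edits above must leave ssl.conf pointing at
# the grid-security files, not the stock localhost.crt/localhost.key
check_conf() {
    cert=$(conf_value "$1" SSLCertificateFile)
    key=$(conf_value "$1" SSLCertificateKeyFile)
    [ "$cert" = "$2/hostcert.pem" ] || { echo "SSLCertificateFile is '$cert'"; return 1; }
    [ "$key" = "$2/hostkey.pem" ] || { echo "SSLCertificateKeyFile is '$key'"; return 1; }
}
# check_label FILE: a file moved out of ~/.globus keeps its user_home_t label,
# the tcontext in the audit denial above; restorecon relabels it so httpd_t
# can read it with SELinux still enforcing. Skipped where SELinux is absent.
check_label() {
    command -v getenforce >/dev/null 2>&1 || return 0
    case $(ls -Z "$1" 2>/dev/null) in
        *user_home_t*) echo "$1 is user_home_t; run: restorecon -v $1"; return 1 ;;
    esac
}
# check_keypair CERT KEY: the private key must belong to the certificate
# (compares the RSA moduli); skipped where openssl is not installed
check_keypair() {
    command -v openssl >/dev/null 2>&1 || return 0
    c=$(openssl x509 -noout -modulus -in "$1") && k=$(openssl rsa -noout -modulus -in "$2") \
        && [ "$c" = "$k" ] || { echo "$2 does not match $1"; return 1; }
}
# run_checks GRIDSEC CONF: run every check; nonzero if any of them failed
run_checks() {
    rc=0
    check_perms "$1/hostcert.pem" root 644 || rc=1
    check_perms "$1/hostkey.pem" root 600 || rc=1
    check_label "$1/hostkey.pem" || rc=1
    check_keypair "$1/hostcert.pem" "$1/hostkey.pem" || rc=1
    check_conf "$2" "$1" || rc=1
    return $rc
}
```

Run it as root on the installation host; each failing check prints the offending file or directive so it can be fixed before restarting httpd.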
