Configuring Apache and Tomcat Web Services to use SSL CertificateΒΆ
It is highly recommended that all communication with UForge is done via HTTPS. After the initial installation of UForge, neither the HTTP server (Apache) nor the application server (Tomcat) have yet been configured to use an SSL certificate and allow HTTPS.
To configure both servers to use an SSL certificate:
Log in as
rootto the machine running the UForge Apache and Tomcat Web Services.Copy the SSL certificate files locally to the machine. Note that you should have three or four files, for example:
- SSLCertificateFile: server.crt.pem
- SSLCertificateKeyFile: server.key.pem
- SSLCACertificateFile: CA.crt.pem
- SSLCertificateChainFile: intermediate.CA.crt.pem (this one is optional)
You need to build a self contained certificate as follows:
$ cat server.crt.pem CA.crt.pem > server_CA_chain.crt.pemor:
$ cat server.crt.pem intermediate.CA.crt.pem CA.crt.pem > server_CA_chain.crt.pemNote that
.pemfiles contain the following type of data for certificate files:$ cat server.crt.pem -----BEGIN CERTIFICATE----- MIIHJTCCBg2gAwIBAgIDB25YMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ ... aW9uIEF1dGhvcml0eTADAgECGmRMaWFiaWxpdHkgYW5kIHdhcnJhbnRpZXMgYXJl V4XfZvZtrRcZ -----END CERTIFICATE-----And the following data for the key file:
$ cat server.key.pem -----BEGIN PRIVATE KEY----- MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDaRIAE7wrKbS9T ... GdIr+qaNjk+eZLVsuPsAvwPlsWI/Cip7Zqygtvviteyen0VZbLpRJgbbjXqh9GwP G33VnWF89pfm5FNRu3WHIf8Ukw== -----END PRIVATE KEY-----If this is not the case, refer to the OpenSSL documentation on how to convert certificate and key files from one format to another.
Put the following entries in
/etc/httpd/conf.d/ssl.conf:
- SSLCertificateFile
/etc/pki/tls/certs/server.crt.pem- SSLCertificateKeyFile
/etc/pki/tls/private/server.key.pem- SSLCertificateChainFile
/etc/pki/tls/certs/intermediate.CA.crt.pem- SSLCACertificateFile
/etc/pki/tls/certs/CA.crt.pemVerify the permissions and ownerships of these files:
$ ll -d /etc/pki/tls/certs/server.crt.pem /etc/pki/tls/private/localhost.key /etc/pki/tls/private/ /etc/pki/tls/certs/ drwxr-xr-x. 2 root root 4096 Sep 25 12:05 /etc/pki/tls/certs/ -rw-------. 1 root root 1188 Sep 25 12:05 /etc/pki/tls/certs/server.crt.pem drwxr-xr-x. 2 root root 4096 Sep 25 12:05 /etc/pki/tls/private/ -rw-------. 1 root root 887 Sep 25 12:05 /etc/pki/tls/private/server.key.pem(Re)start the httpd server:
$ service httpd restartIf the server does not start, this may be because of a bad certificate, key or CA certificate file. In this case, check the appropriate logs in
/var/log/httpd.
Verify the validity of the certificates:
$ openssl s_client -connect localhost:443 ... Verify return code: 0 (ok) --- Ctrl-C or Ctrl-D to leave openssl clientIf there is a problem with the certificate you might get outputs like:
$ openssl s_client -connect localhost:443 ... Verify return code: 18 (self signed certificate) ---or
$ openssl s_client -connect localhost:443 ... Verify return code: 21 (unable to verify the first certificate) ---Verify the certificate:
$ openssl s_client -showcerts -connect <ip-of-the-uforge-web-service-machine>:<port>Or you can use same openssl client command used for the Apache server in the previous step.
To verify that the new certificate is correct and if the Tomcat service is accessible from the outside, go to http://www.digicert.com/help/ and type the public name or IP address of your web service.
Note that there is no way to specify another port than HTTPS (443) on this page therefore you might need to add an iptables redirection rule like:
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT--to-port 9191