Note that this enables only “self-signed” certificates. I followed these directions but invariably encountered problems that were not addressed. Running Wheezy on a Raspberrry Pi B v1.
As usual, update first.
$ sudo apt-get update
Then make sure Apache and OpenSSL is installed:
$ sudo apt-get install apache2 openssl
If it is already installed, like it was on mine, then you will see:
Reading package lists... Done Building dependency tree Reading state information... Done apache2 is already the newest version. openssl is already the newest version. openssl set to manually installed. 0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Your external certs are installed in /etc/ssl/certs. You won’t put these certs there.
Create a new directory for local certificates (-p means no error if existing, make parent directories as needed):
$ sudo mkdir -p /etc/ssl/localcerts
The next line starts the certificate generation. The cert is good for 365 days – you can change that.
$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
The result of this command is:
Generating a 2048 bit RSA private key ......., etc.
Next, you will enter the answers to the following questions. This is where I effed up, so don’t you do it too. the FQDN name is the name of your Apache web server. For me, since I’m just running it locally, that would be the server name, like “raspberrypi” – if you kept the default. That server name is mapped to an internal IP, like 192.168.1.11 or something.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PaynsName
Organizational Unit Name (eg, section) []:SysOpsProgFest
Common Name (e.g. server FQDN or YOUR name) []:raspberrypi_orwhatever
Email Address []:noNeed@forrealemail.comWhen that is done, you will have two new files in this directory: /etc/ssl/localcerts
Then chmod those files:
$ sudo chmod 600 /etc/ssl/localcerts/apache*
Enable SSL:
$ sudo a2ensite ssl
If you get a “not found” error, try:
sudo a2ensite default-ssl
I think my ssl file already existed in /etc/apache2/sites-available.
Now you need to edit the ssl configuration file in the /etc/apache2/sites-available directory.
$ cd /etc/apache2/sites-available $ ls -l
See what’s in there. For me, it looked like this:
-rw-r--r-- 1 root root 692 Jul 19 2016 default -rw-r--r-- 1 root root 7461 Mar 18 14:51 default-ssl
Copy the default-ssl to a new file named the same name as your FQDN name above – for this example:
$ sudo cp default-ssl raspberrypi_orwhatever
Then edit it:
$ sudo nano raspberrypi_orwhatever
Change this line:
<VirtualHost _default_:443>
to this:
<VirtualHost raspberrypi_orwhatever:443>
and change these two lines:
SSLCertificateFile /etc$ SSLCertificateKeyFile /etc$
to this (your new key location):
SSLCertificateFile /etc/ssl/localcerts/apache.pem SSLCertificateKeyFile /etc/ssl/localcerts/apache.key
Save, close, then do:
$ sudo a2ensite raspberrypi_orwhatever
The link above says to enable port 443 in /etc/apache2/ports.conf, but mine already had it enabled with these lines:
<IfModule mod_gnutls.c> Listen 443 </IfModule>
So I didn’t modify that file.
Now restart Apache:
$ sudo service apache2 restart
And what you should get is a browser error, telling you that the site is not secure. That means it’s working! Because you didn’t pay a service to generate a validated certificate, you have to take your own word for it that it’s valid.
FireFox
![firefox-self-signed-ssl-warning[1]](https://variax.files.wordpress.com/2017/03/firefox-self-signed-ssl-warning1.png?w=419&h=144)
Click on I Understand the Risks, then click on Add Exception….
Next click on Get Certificate, and finally Confirm Security Exception to bypass SSL warning in FireFox.
Chrome
![chrome-your-connection-is-not-private[1]](https://variax.files.wordpress.com/2017/03/chrome-your-connection-is-not-private1.png?w=419&h=182)
Click on Advanced, then Proceed to example.com (unsafe) to bypass SSL warning in Chrome.
Internet Explorer
![internet-explorer-self-signed-ssl-warning[1]](https://variax.files.wordpress.com/2017/03/internet-explorer-self-signed-ssl-warning1.png?w=416&h=177)
Click on Continue to this website (not recommended) to bypass SSL warning in Internet Explorer.
資料來源: https://variax.wordpress.com/2017/03/18/adding-https-to-the-raspberry-pi-apache-web-server/comment-page-1/
沒有留言:
張貼留言