2021年2月3日 星期三

How to Enable HTTPS on the Raspberry Pi Apache Web Server

Note that this enables only “self-signed” certificates. I followed these directions but invariably encountered problems that were not addressed. Running Wheezy on a Raspberrry Pi B v1.

As usual, update first.

$ sudo apt-get update

Then make sure Apache and OpenSSL is installed:

$ sudo apt-get install apache2 openssl

If it is already installed, like it was on mine, then you will see:

Reading package lists... Done
Building dependency tree
Reading state information... Done
apache2 is already the newest version.
openssl is already the newest version.
openssl set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

Your external certs are installed in /etc/ssl/certs. You won’t put these certs there.

Create a new directory for local certificates (-p means no error if existing, make parent directories as needed):

$ sudo mkdir -p /etc/ssl/localcerts

The next line starts the certificate generation. The cert is good for 365 days – you can change that.

$ sudo openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key

The result of this command is:

Generating a 2048 bit RSA private key
......., etc.

Next, you will enter the answers to the following questions. This is where I effed up, so don’t you do it too. the FQDN name is the name of your Apache web server. For me, since I’m just running it locally, that would be the server name, like “raspberrypi” – if you kept the default. That server name is mapped to an internal IP, like 192.168.1.11 or something.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PaynsName
Organizational Unit Name (eg, section) []:SysOpsProgFest
Common Name (e.g. server FQDN or YOUR name) []:raspberrypi_orwhatever
Email Address []:noNeed@forrealemail.com

When that is done, you will have two new files in this directory: /etc/ssl/localcerts

Then chmod those files:

$ sudo chmod 600 /etc/ssl/localcerts/apache*

Enable SSL:

$ sudo a2ensite ssl

If you get a “not found” error, try:

sudo a2ensite default-ssl

I think my ssl file already existed in /etc/apache2/sites-available.

Now you need to edit the ssl configuration file in the /etc/apache2/sites-available directory.

$ cd /etc/apache2/sites-available 
$ ls -l

See what’s in there. For me, it looked like this:

-rw-r--r-- 1 root root 692 Jul 19 2016 default
-rw-r--r-- 1 root root 7461 Mar 18 14:51 default-ssl

Copy the default-ssl to a new file named the same name as your FQDN name above – for this example:

$ sudo cp default-ssl raspberrypi_orwhatever

Then edit it:

$ sudo nano raspberrypi_orwhatever

Change this line:

 <VirtualHost _default_:443>

to this:

 <VirtualHost raspberrypi_orwhatever:443>

and change these two lines:

SSLCertificateFile    /etc$
SSLCertificateKeyFile /etc$

to this (your new key location):

SSLCertificateFile /etc/ssl/localcerts/apache.pem
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key

Save, close, then do:

$ sudo a2ensite raspberrypi_orwhatever

The link above says to enable port 443 in /etc/apache2/ports.conf, but mine already had it enabled with these lines:

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

So I didn’t modify that file.

Now restart Apache:

$ sudo service apache2 restart

And what you should get is a browser error, telling you that the site is not secure. That means it’s working! Because you didn’t pay a service to generate a validated certificate, you have to take your own word for it that it’s valid.

FireFox

firefox-self-signed-ssl-warning[1]

Click on I Understand the Risks, then click on Add Exception….

Next click on Get Certificate, and finally Confirm Security Exception to bypass SSL warning in FireFox.

Chrome

chrome-your-connection-is-not-private[1]

Click on Advanced, then Proceed to example.com (unsafe) to bypass SSL warning in Chrome.

Internet Explorer

internet-explorer-self-signed-ssl-warning[1]

Click on Continue to this website (not recommended) to bypass SSL warning in Internet Explorer. 

資料來源: https://variax.wordpress.com/2017/03/18/adding-https-to-the-raspberry-pi-apache-web-server/comment-page-1/

沒有留言: