Make sure you have gcc and openssl-devel installed.
# yum install gcc
# yum install openssl-devel
You also need “Apache Portable Runtime Library” APR to install Apache from source.
You’ll already have “apr” and “apr-util” package installed. Install the apr-devel and apr-util-devel packages.
# yum install apr-devel
# yum install apr-util-devel
Note: In our case (because of the version compatibility issues),
we’ll be downloading these and installing it manually later. But, let us
go with the flow for now and see what happens when you try to do it
this way.
Download Apache
Download Apache from
httpd.apache.org. The current stable release is 2.4.2.
Once you get the direct URL to download the latest stable version of
Apache, use wget as shown below to download it directly to you server.
cd /usr/src
wget http://mirror.nyi.net/apache//httpd/httpd-2.4.2.tar.gz
tar xvfz httpd-2.4.2.tar.gz
Install Apache with SSL/TLS
View all available Apache installation and configuration options as shown below.
cd httpd-2.4.2
./configure --help
To install an Apache module, you would typically say
–enable-{module-name}. For example, to install SSL with Apache, it is
–enable-ssl. To install ldap module, it is –enable-ldap.
To uninstall any default module that comes with Apache, you would
typically say –disable-{module-name}. For example, to disable basic
authentication in Apache, it is –disable-auth-basic
In this example, we will install Apache with all default modules,
with addition of –enable-ssl (to install mod_ssl for SSL support), and
–enable-so, which helps to load modules in Apache during run-time via
the Dynamic Shared Object (DSO) mechanism, rather than requiring a
recompilation.
./configure --enable-ssl --enable-so
make
make install
Note: By default the above installs Apache under /usr/local/apache2.
If you like to change this location, use –prefix option in the
./configure.
Fixing APR Utility Error Messages
You might’ve not faced this problem while
installing older version of Apache as we discussed a while back.
When you execute the “make”, you might get “
rotatelogs.c:(.text+0x5ed): undefined reference to `apr_file_link’” error message if you are doing this on CentOS 6.2 as shown below.
# make
rotatelogs.c:298: warning: implicit declaration of function âapr_file_linkâ
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -std=gnu99 -pthread
-o rotatelogs rotatelogs.lo /usr/lib64/libaprutil-1.la -ldb-4.7 -lexpat -ldb-4.7 /usr/lib64/libapr-1.la -lpthread
rotatelogs.o: In function `post_rotate':
rotatelogs.c:(.text+0x5ed): undefined reference to `apr_file_link'
collect2: ld returned 1 exit status
make[2]: *** [rotatelogs] Error 1
make[2]: Leaving directory `/usr/src/httpd-2.4.2/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/httpd-2.4.2/support'
make: *** [all-recursive] Error 1
This is because on CentOS 6, the latest APR version available through yum installation is 1.3.9 as shown below.
# rpm -qa apr*
apr-1.3.9-3.el6_1.2.x86_64
apr-util-1.3.9-3.el6_0.1.x86_64
However, Apache 2.4.2 needs the latest version of APR (which is currently 1.4.6).
So, go to
APR download page and download both apr and apr-util.
cd /usr/src
wget http://mirror.atlanticmetro.net/apache//apr/apr-1.4.6.tar.gz
wget http://mirror.atlanticmetro.net/apache//apr/apr-util-1.4.1.tar.gz
tar xvfz apr-1.4.6.tar.gz
tar xvfz apr-util-1.4.1.tar.gz
Now, you should place this new version of apr and apr-util
directories (without the version name in the directory) under “srclib”
directory located under the httpd-2.4.2 directory that was created when
you uncompressed the downloaded apache software.
In my example, I downloaded the httpd-2.4.2.tar.gz and uncompressed
it under /usr/src. So, I need to place the latest apr and apr-util under
this directory.
mv apr-1.4.6 /usr/src/httpd-2.4.2/srclib/apr
mv apr-util-1.4.1 /usr/src/httpd-2.4.2/srclib/apr-util
After this is done, we need to configure and make it again. If you
execute the ./configure –help, you’ll see the following options that are
related to APR
# cd /usr/src/httpd-2.4.2
# ./configure --help
--with-included-apr Use bundled copies of APR/APR-Util
--with-apr=PATH prefix for installed APR or the full path to apr-config
--with-apr-util=PATH prefix for installed APU or the full path to apu-config
If you decide to install the apr-1.4.6 and apr-util-1.4.1 on your
system, you need to use “–with-apr” and “–with-apr-util” and provide the
path where you installed these utility.
In this example, we didn’t do that. i.e We didn’t install the apr and
apr-util that we downloaded. Instead we placed them under the
httpd-2.4.2/srclib/apr-util. So, we should use “–with-included-apr” in
the ./configure which will use these apr and apr-util only for the
apache compilation and installation.
So, let us re-do the ./configure (using –with-included-apr), make and make install as shown below.
./configure --enable-ssl --enable-so --with-included-apr
make
make install
Now, make will not give “rotatelogs.c:(.text+0x5ed): undefined reference to `apr_file_link” error message anymore.
Enable SSL in httpd.conf
Apache configuration file httpd.conf is located under /usr/local/apache2/conf.
Uncomment the httpd-ssl.conf Include line and the LoadModule ssl_module line in the /usr/local/apache2/conf/httpd.conf file.
# vi /usr/local/apache2/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
View the httpd-ssl.conf to review all the default SSL configurations.
For most cases, you don’t need to modify anything in this file.
# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
The SSL certificate and key are required before we start the Apache.
The server.crt and server.key file mentioned in the httpd-ssl.conf needs
to be created before we move forward.
# cd /usr/local/apache2/conf/extra
# egrep 'server.crt|server.key' httpd-ssl.conf
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
Create server.crt and server.key file
First, Generate the server.key using openssl.
# cd /usr/src
# openssl genrsa -des3 -out server.key 1024
The above command will ask for the password. Make sure to remember
this password. You need this while starting your Apache later.
Next, generate a certificate request file (server.csr) using the above server.key file.
# openssl req -new -key server.key -out server.csr
Finally, generate a self signed ssl certificate (server.crt) using the above server.key and server.csr file.
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
After you’ve done with the above steps, you’ll see the following three files under /usr/src
# ls server*
server.crt server.csr server.key
Copy the server.key and server.crt file to appropriate Apache configuration directory location.
cp server.key /usr/local/apache2/conf/
cp server.crt /usr/local/apache2/conf/
Start the Apache
If you are getting the below error message, make sure to uncomment the line shown below in httpd.conf
# /usr/local/apache2/bin/apachectl start
AH00526: Syntax error on line 51 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration
# vi /usr/local/apache2/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
If you are getting the below error message, make sure to uncomment the line shown below in httpd.conf
# /usr/local/apache2/bin/apachectl start
AH00526: Syntax error on line 76 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
# vi /usr/local/apache2/conf/httpd.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Finally, this will prompt you to enter the password for your private key before starting up the apache.
# /usr/local/apache2/bin/apachectl start
Apache/2.4.2 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
Verify that the Apache httpd process is running in the background
# ps -ef | grep http
root 29529 1 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
daemon 29530 29529 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
daemon 29531 29529 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
daemon 29532 29529 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
root 29616 18260 0 13:09 pts/0 00:00:00 grep http
To stop the apache use apachectl stop.
# /usr/local/apache2/bin/apachectl stop
Use httpd -l to view all the modules that are compiled inside the Apache httpd daemon.
# /usr/local/apache2/bin/httpd -l
Compiled in modules:
core.c
mod_so.c
http_core.c
event.c
By default Apache SSL runs on 443 port. Open a web browser and verify
that you can access your Apache using https://{your-ip-address}