WampServer

You can follow my guided steps to create working https SSL:


****************
****Step1****** -> Create SSL Certificate and Key
****************

1a) Open the DOS command window and change directory to bin directory of wamp apache directory by using the DOS command without quotes: "cd /d c:\" and then "cd wamp\bin\apache\apache2.2.8\bin". apache2.2.8 should be changed to what apache folder your wamp server has.

After done, the DOS prompt should look like: C:\wamp\bin\apache\apache2.2.8\bin>

1b) Create a server private key with 1024 bits encryption. You should enter this command without quotes:
"openssl genrsa -des3 -out server.key 1024". It'll ask you a pass phrase (password), just enter any password you like '
1c) Remove the pass phrase from the RSA private key (while keeping a backup copy of the original file). Enter this command without quotes: "copy server.key server.key.org" and then "openssl rsa -in server.key.org -out server.key". It'll ask you the pass phrase, just type it.

1d) Create a self-signed Certificate (X509 structure) with the RSA key you just created. Enter the command without quotes: "openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt -config C:\wamp\bin\apache\apache2.2.8\conf\openssl.cnf".

You might combine step1b, 1c and 1d into one step by using this command, no quotes: "openssl req -new -x509 -nodes -out server.crt -keyout server.key" if you have trouble following through.

You'll fill in the information after entering this command. The correct location of config file, openssl.cnf may need to be changed. In windows, you won't see ".cnf" extension of the file openssl, but in DOS you'll see the full name openssl.cnf.

1e) Create a real SSL server certifcate (Optional): if you don't want step 1a to 1d
A. Create a server RSA private key for your Apache server (Triple-DES encrypted and PEM formatted):
Type command: openssl genrsa -des3 -out server.key 1024

You might keep the backup of server private key in a maximum secure place and guard it well (e.g
your digital wallet).

B. Create a Certificate Signing Request (CSR) for public (output will be PEM
formatted). A CSR is a file containing your certificate application information, including your Public
Key. Generate your CSR and then copy and paste the CSR file into the webform in the enrollment
process at your certificate authority website:

Type the command: openssl req -new -key server.key -out server.csr


You will now be asked to enter details to be entered into your CSR. What you are about to enter
is what is called a Distinguished Name or a DN. For some fields there will be a default value, If you
enter '.', the field will be left blank. Use the name of the webserver as Common Name (CN). If the
domain name (Common Name) is mydomain.com append the domain to the hostname (use the
fully qualified domain name).

Depending on a specific certifying authority (CA) you might have to enter the details as specified by
them. Normally, the CA authority will provide specific instructions for you.

C. Now all you have to do is sending this Certificate Signing Request (CSR) to a Certifying Authority
(CA) to be signed. A trusted CA means all major web browsers recognize it without giving you a
warning when you install your CA-signed SSL certificate on your webserver. Once the CSR has been
signed, you will have a REAL Certificate, which can be used by Apache. You can have a CSR signed
by a commercial CA (fees are required). Then they will send you the signed certificate which you
can store in a server.crt file
D. Once, your CSR certificate has been signed and returned to you, you can view the details by using
this command: openssl x509 -noout -text -in server.crt


****************
***** Step2***** -> Copy the server.key and server.crt files.
****************

2a) In the conf folder of apache2.2.8 folder, create two folders named as ssl.key and ssl.crt

2b) copy the server.key file to ssl.key folder and server.crt file to ssl.crt


****************
****Step3****** -> Edit the httpd.conf file and php.ini
****************

3a) In httpd.conf file, remove the comment '#' at the line which says: LoadModule ssl_module
modules/mod_ssl.so

3b) In httpd.conf, remove the comment '#' at the line which says: Include
conf/extra/httpd_ssl.conf
Then move that line after this block <IfModule ssl_module>.... </IfModule>

3c) open the php.ini file located in apache2.2....\bin folder, remove the comment ';' at the line
which says: extension=php_openssl.dll

***************
****Step4***** -> Edit the httpd_ssl.conf file in the folder name, extra
***************

4a) Find the line which says "SSLMutex ...." and change it to "SSLMutex default" without quotes

4b) Find the line which says: <VirtualHost _default_:443>. Right after it, change the line which says "DocumentRoot ..." to DocumentRoot "C:/wamp/www/" with quotes. Change the line "ErrorLog...." to Errorlog logs/sslerror_log. Change the line "TransferLog ...." to TransferLog logs/sslaccess_log


4c) SSL crt file: Change the line "SSLCertificateFile ...." to SSLCertificateFile "conf/ssl.crt/server.crt"


4d) SSL key file: Change the line "SSLCertificateKeyFile ...." to SSLCertificateKeyFile "conf/ssl.key/server.key"


4e) Change the line which says <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin"> or something similar to <Directory "C:/wamp/www/"> and add the following lines inside those <Directory ... >...</Directory> tags:

Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Require all granted

4f) Make sure the line CustomLog "logs/ssl_request_log" \
is uncommented (remove the #). This step is suggested by wmorse1.

**************
****Step5**** In the previous DOS Command windows, enter httpd -t . If it displays Sysntax is OK, then
************** go to Step 6. If not, then correct the wrong syntax and redo step 5.



**************
****Step6***** -> Restart the Apache server
***************


**************
****Step7**** -> if restart is successful, then open the browser and enter "[localhost"]; without
************** quotes.


*************************
****Step8 (Optional)**** -> If you want to allow world wide web access to your HTTPS secure server, then
************** ********** in the httpd_ssl.conf file, change the line which says 'ServerName localhost:443' to 'ServerName www.yourwebsitename.com:443' without quotes. yourwebsitename is your registered internet domain name. If you don't have it, then just use your WAN IP address. For example 'ServerName 99.238.53.105:443'. Make sure these setups are correct to allow outside access to secured www server.

8.a The DocumentRoot you modified in step 4b points to the correct website folder on your
computer.

8.b If your computer's connected to the router, setup the router to allow port 443 forwarding to your
computer.

8.c If your computer has a firewall enabled or behind a network firewall, set up the firewall to allow
incoming port 443 connection.



Edited 12 time(s). Last edit at 10/25/2016 10:52AM by RiggsFolly.

Hi hambuler,

I've tried your procedure but I get an error message at step 1d. Here is the error message I receive:


E:\wamp\bin\apache\apache2.2.8\bin>openssl req -new -x509 -nodes -sha1 -days 365
-key server.key -out server.crt -config c:\bin\apache\apache2.2.8\bin\openssl.cnf

error on line -1 of c:\bin\apache\apache2.2.8\bin\openssl.cnf
1940:error:02001003:system library:fopen:No such process:.\crypto\bio\bss_file.c
:122:fopen('c:\bin\apache\apache2.2.8\bin\openssl.cnf','rb')
1940:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file
.c:125:
1940:error:0E078072:configuration file routinesEF_LOAD:no such file:.\crypto\c
onf\conf_def.c:197:

I use the new wampserver 2.0b.

Regards,

Maltec

Hi,

I've found the error in step 1d:

step 1d must be:

openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt -config C:\wamp\bin\apache\apache2.2.8\conf\openssl.cnf

instead of:

openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt -config C:\wamp\bin\apache\apache2.2.8\bin\openssl.cnf".

So I've go ahead with the rest of the procedure but it doesn't work.

Maltec

I have installed wamserver 2.0b too and I don't have any problem excuting all the steps written. The openssl.cnf file can be copied to bin directory or you can change -config option to the correct location of openssl.cnf.

Hy,

I have followed all the steps you mentioned, but at step number 6 I couldn't restart my Apache server. In Apache error log file apears only one thing

Unable to open logs

Do you have any idea of how can I solve this problem?
Thanks a lot.

I've solved that problem, now I can use SSH. Thank you hambuler!

Hi!

I followed the tutorial and when restarting apache in the the sslerror_log appears the foolwing line:
[Wed Mar 19 12:54:24 2008] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)


I wonder how can i make this error dissapear?

Excelent tutorial by the way.

This SSL certificate is self-signed, your own Certificate Authoirty (CA). The log shows a warning but not error message. Consider buying a CA certificate from VeriSign if you want to make the warning msg disappear. Procedures will be slighly different at step 1d then.

hey hambuler,

please i didnt understand step 1c, and 1d ....

1c- how can i Remove the pass phrase from the RSA private key, and when you said "It'll ask you the pass phrase, just type it." whci pass phrase ? a new one...


1d- i keep getting this error similar to maltec's ... and when u said "You'll fill in the information after entering this command"... what information ?? im not getting any way to enter any information... please can u explain thoroughly sep by step ????

cclaudia386 Wrote:
-------------------------------------------------------
> Hy,
>
> I have followed all the steps you mentioned, but
> at step number 6 I couldn't restart my Apache
> server. In Apache error log file apears only one
> thing
>
> Unable to open logs
>
> Do you have any idea of how can I solve this
> problem?
> Thanks a lot.


I'm having the same error. cclaudia386, what did you do to fix it?

i am also unable to restart after doing all da 5 steps .syntaxes also ok
please help me.

fdo Wrote:
-------------------------------------------------------
> i am also unable to restart after doing all da 5
> steps .syntaxes also ok
> please help me.

I was able to solve my problem by checking the logs. For example, I was missing a log file names sslaccess.log. Once I created it manually it started up fine.

Thanks for the step-by-step guide. It was rather straight forward and is working for me.

I found a few things that hung me up.

STEP 1d Do not include this portion "-sha1"

I added a STEP 4F CustomLog "logs/ssl_request.log" \

Without this STEP 4F I was getting the same error that fdo reported and I took the advice of jdgiotta. If you adjust this portion of the httpd_ssl.conf (very bottom) file it will restart, if you're getting the Ok in Step 5.

The only problem I'm experiencing now is phpMyAdmin won't load, or open. I'm getting a NOT FOUND message.

Very thing is working great on the SSL--except other applications like phpMyAdmin.

Nevermind, answered my own question in regards to phpMyAdmin not working.

In the original instructions:

"3b) In httpd.conf, remove the comment '#' at the line which says: Include
conf/extra/httpd_ssl.conf
Then move that line after this block <IfModule ssl_module>.... </IfModule>"


I had removed the line after the block which was this line:
Include "c:/wamp/alias/*"

Don't do that...

Thank you very much wmorse1 i got it. now its working fine i added the 4f customlog statement.

thank you for the tutorial. worked perfectly from the start.

one question. i can hit localhost from http or https. is this normal? i would like to not be able to hit it from http. can anyone assist in this? thanks in advance.

The Wise One,

Depends on your configuration of your Wamped Up server.

If you are behind a router(recommended) mod your routers config to allow port 443 and deny 80 from outside access. You may have to set up a policy to do this also.

If not you will have to edit your httpd.conf file to set this up.

I am not used to Apache on Windblows so its a little different then Linux thats for sure.

I have the same problem and am behind a router but I go to [www.grc.com] to test my open ports and 80 is still open when it should be closed. Dont know why its exposed but am working on that and will post again.

Oh....Just an FYI, close your security Hole for MySQL if you have not already done so. MySQL allows access to 443

SoftwareZealot

The Wise One...

I suggest setting up a .htaccess file. Then drop this file into your www folder and it will make all visits move from http to https.



RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) []%{HTTP_HOST}%{REQUEST_URI}

thanks for the replies.

softwarezealot,

how do i close the off mysql access to 443? im kind of new to this but if i run it purely on 443, wouldnt i want mysql to have access to it?

ill have to do it through the conf file as i have another machine that runs a local server on port 80, so closing off port 80 at the router isnt going to work for me.

wmorse1,

is there a way to do this in the apache conf file versus an htaccess file? i prefer not to use htaccess if at all possible.

basically, and i dont know if this is possible or not, but i want to leave some parts of the local server on http, and only apply https to a single directory and its children.

The Wise One...

I'm not sure, I'm also kind of new. I just had the same question and wanted to share my result.

However, with that said, maybe look into using the <VirtualHost > settings? I use these to direct multiple domain names into various folders. Each domain has a different set of content. I got the idea from here:
[httpd.apache.org]

[httpd.apache.org]


I hope this helps, but directly, I really don't know the right solution.