Wednesday, 19 March 2008

Apache SSL on Solaris

OK, this is not a how-to but a caveat. I downloaded Apache 2.2.8 onto my Solaris 9 box with the intention of upgrading from 2.0.47 and also enabling SSL. The upgrade part went fine after I managed to work out that to enable mod_ssl you need to provide two options to ./configure, those being:

$ ./configure --enable-ssl --with-ssl=/usr/local/ssl

Or wherever your ssl is located. That took me a while as previously there was just the one option.

Secondly (and this was a hard one), after installing the new Apache I could not get SSL to work. On startup Apache logged that it had loaded mod_ssl and generated some keys, but it would not listen on port 443. I had a clue when I removed the Listen 80 statement for normal web traffic. This made Apache complain that there were no ports to listen on. Ahh, it was ignoring my SSL config (contained in ssl.conf). That config was encased in a tag which, it turns out, was invalid (perhaps a hangover from the previous SSL config). Commenting it out (and the closing tag) made everything work after fixing a few more errors.

So I guess the lesson to be learned here is that we shouldn't trust the config from the previous version of software. Too many assumptions are being made. I also don't understand why the ssl.conf file was conditionally included depending on the presence of the mod_ssl module, yet the ssl.conf file had another conditional (which turned out to be broken). Why the double checking?
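A quick way to spot this kind of silently skipped config after an upgrade is to list which Listen and SSLEngine directives sit inside conditional containers. The script below is an added example, not part of the original post; the post does not name the tag involved, so the sample config and the choice of containers (IfDefine, IfModule, IfVersion) are assumptions.

```python
import re

# Apache containers whose contents are skipped when the condition is false.
CONDITIONAL = {"ifdefine", "ifmodule", "ifversion"}
OPEN_TAG = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE_TAG = re.compile(r"</\s*(\w+)\s*>")


def guarded_directives(text, watch=("listen", "sslengine")):
    """Return (line_no, directive, [enclosing conditionals]) for watched directives."""
    stack, found = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out tags no longer guard anything
        close = CLOSE_TAG.match(line)
        if close:
            if stack and stack[-1][0] == close.group(1).lower():
                stack.pop()
            continue
        opened = OPEN_TAG.match(line)
        if opened:
            stack.append((opened.group(1).lower(), line))
            continue
        if line.split()[0].lower() in watch:
            guards = [tag for name, tag in stack if name in CONDITIONAL]
            found.append((no, line, guards))
    return found


# Constructed sample, not the config from the post.
SAMPLE = """\
Listen 80
<IfModule mod_ssl.c>
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
</IfDefine>
</IfModule>
"""

if __name__ == "__main__":
    for no, directive, guards in guarded_directives(SAMPLE):
        status = "conditional on " + " and ".join(guards) if guards else "unconditional"
        print(f"line {no}: {directive} -> {status}")
```

Any directive reported as conditional only takes effect if every listed condition is true at startup, so each one is worth checking against how the server is actually launched.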

Oh well, at least it works now.