Difference between revisions of "Howto GnuTLS"

From HacktionLab: A UK-wide network tech-activists providing meet-ups, events, workshops, national skillshare gatherings and hacklabs

Revision as of 09:37, 12 May 2011

I've recently installed GnuTLS on a server.

Why?

GnuTLS is a free way of serving up secure sites (https). One very specific advantage is that it can host more than one certificate on one IP address. Many pages on the internet will tell you that this is not possible. That's total BS.

How?

It's easy. The example here is for Debian Squeeze and assumes you are using Apache2 as your http server and already have it installed. You will need the mod_gnutls package, libapache2-mod-gnutls, installed:

 apt-get install libapache2-mod-gnutls

You may also have installed it by another method. Now you can run Debian's special commands to disable the old module and enable the correct one in Apache2:

 a2dismod ssl
 a2enmod gnutls

I'm assuming you don't want to keep the old mod_ssl mod; it might well get in the way. So now you need to configure the https bit for your site's virtual host. Here's an example config. Put it in /etc/apache2/sites-available/mysitename and then, well, you should know the rest if you are using Apache2 already really.

 <VirtualHost server.example.net:443>
    ServerName server.example.net:443
    ServerAlias server.example.net
    DocumentRoot /var/www/mywebsite/
 
 #    old mod_ssl directives, kept commented out for reference
 #    SSLEngine on
 #    SSLCertificateFile /etc/apache2/ssl/server.example.net.pem 
 
    GnuTLSEnable on
    # mod_gnutls wants the certificate and the private key in two separate PEM files;
    # any intermediate CA certificates go into the certificate file, after the server certificate
    GnuTLSCertificateFile /etc/ssl/certs/server.example.net.crt
    # keep the key unencrypted and readable only by root (Apache reads it at startup, before dropping privileges)
    GnuTLSKeyFile /etc/ssl/private/server.example.net.key
    GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
    
    # the next bit is optional for if you use a signing authority, such as Gandi.net, whose
    # authority is not recognised by some web browsers (Firefox 4 for example!)
    # this is an example only, check your system and certificate authority for the correct entry
    # note: GnuTLSClientCAFile lists the CAs used to verify *client* certificates (with GnuTLSClientVerify);
    # to get browsers to trust the server, the intermediate CA certificate belongs in the chain in
    # GnuTLSCertificateFile instead
    GnuTLSClientCAFile /etc/ssl/certs/GandiProSSLCA.pem

 </VirtualHost>

Note here that the old equivalent mod_ssl declarations have been commented out, and also that the certificate is handed to mod_gnutls as two separate files, the .crt (certificate) and .key (key) files. mod_ssl was able to use the combined .pem format, which was literally a concatenation of the certificate and key files. mod_gnutls can't do that, so we have to keep them separate.
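If you are migrating from mod_ssl you probably have one of those concatenated .pem files. The script below is an added example (not part of the HacktionLab page or of mod_gnutls) that splits such a bundle into the .crt chain and .key file the config above expects, creates the key file with mode 0600 from the start, and refuses an encrypted key; the file names are placeholders.

```shell
#!/bin/sh
# Added example: split a mod_ssl-style combined PEM file (server certificate,
# optional intermediates and private key in one file) into the two separate
# files mod_gnutls expects: a .crt holding the certificate chain and a .key
# holding only the private key.
# Usage: split_pem_bundle combined.pem out.crt out.key
split_pem_bundle() {
    bundle=$1 crt=$2 key=$3
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    # Create the key file with mode 0600 *before* anything is written into it,
    # so the private key is never, even briefly, world-readable.
    ( umask 077 && : > "$key" ) && chmod 600 "$key" || return 1
    : > "$crt" || return 1
    # Copy each PEM block to the file matching its BEGIN line; text outside
    # BEGIN/END markers (bag attributes, comments) is dropped. Certificates keep
    # their order, so a leaf-then-intermediates bundle stays a valid chain.
    awk -v crt="$crt" -v key="$key" '
        /^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----/ { out = key }
        /^-----BEGIN CERTIFICATE-----/                             { out = crt }
        out != ""                                                  { print >> out }
        /^-----END /                                               { out = "" }
    ' "$bundle" || return 1
    # Sanity checks: exactly one key, at least one certificate, key not encrypted.
    nkeys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$key" || true)
    ncerts=$(grep -c '^-----BEGIN CERTIFICATE-----' "$crt" || true)
    [ "$nkeys" -eq 1 ] || { echo "expected 1 private key, found $nkeys" >&2; return 1; }
    [ "$ncerts" -ge 1 ] || { echo "no certificate found in $bundle" >&2; return 1; }
    if grep -q ENCRYPTED "$key"; then
        echo "private key is encrypted; mod_gnutls needs an unencrypted key" >&2
        return 1
    fi
    echo "wrote $ncerts certificate(s) to $crt and the private key to $key"
}

# Run directly as: sh split_pem.sh server.example.net.pem server.crt server.key
if [ "$#" -eq 3 ]; then
    split_pem_bundle "$@"
fi
```

Point GnuTLSCertificateFile at the resulting .crt and GnuTLSKeyFile at the .key, and check the .crt with a browser or gnutls-cli afterwards to confirm the chain order is what you intended.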

Now restart Apache2.

What now?

Keep adding virtual hosts with different certificates; they will all work.