SSL Certificate – Renewing a Certificate for ApacheSSL

This doc was written to assist with the next time I have to update the SSL cert on an ApacheSSL server. The specific examples here are from an RHEL5 server with Apache2.x

Here are the steps.

  1. Locate the relevant files - These are the CRT and the CSR. The CRT is issued by Thawte or Verisign, and the CSR is the request that you send to them. To find them, locate your httpd.conf file, or possibly the httpd-ssl.conf file in ./extras/. This should typically be in /etc/httpd/conf, but people who don't follow the UNIX conventions will put it in other locations. Specifically you are looking for lines like these: SSLCertificateKeyFile /usr/local/apache2/conf/server.key (the private key) and SSLCertificateFile /usr/local/apache2/conf/server.crt (the certificate). You need to find the CSR associated with that key and copy it. If the CSR is gone, you can regenerate one from the existing key (see the openssl req command below) as long as none of the subject information has changed.
  2. Log in to the Certificate Authority's web site - For Thawte, we have a shared itsupport account; log in with it and fill out the renewal information. If you get stuck, reference the current 'live' certificate with your browser. You will need to paste the… sadly my notes just trail off here.
  3. The Certificate Authority will call you - So you need to be able to answer, or have someone forward the Certificate Authority's call to your phone. They just want to verify that the request is legitimate.
  4. Apply the certificate - It goes in the file named by SSLCertificateFile in your config (see #1 above), e.g. SSLCertificateFile /usr/local/apache2/conf/server.crt. It's the .crt file, not the key; the key does not change when you renew with the same CSR. If the CA also sends an intermediate (chain) certificate, that goes in the file named by SSLCertificateChainFile, not in server.crt.
  5. Restart Apache - Run apachectl configtest first so a bad paste doesn't leave you with a dead server, then service httpd restart.
  6. Check the cert - Verify the new expiration date, and that the chain validates, in a browser.
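Two things go wrong with step 4 often enough to be worth a check before the restart in step 5: the .crt that got pasted in does not belong to the .key that SSLCertificateKeyFile points at (the CA issued it for a different CSR), or the old .crt got installed again and the expiry date never moved. The script below is an added example, not part of the original doc: the paths are assumptions to be taken from httpd.conf, and it uses only the openssl command line that is already on the box.

```shell
#!/bin/sh
# Added example (not from the original doc): sanity-check a renewed
# certificate against the live private key before restarting Apache.
# Paths are assumptions; take them from the SSLCertificateFile and
# SSLCertificateKeyFile directives in httpd.conf / httpd-ssl.conf.

# Succeeds only if the cert's RSA modulus equals the key's modulus, i.e. the
# cert was issued for this key. Returns 1 (instead of "matching" on empty
# output) if either file is unreadable or the key needs a passphrase.
cert_matches_key() {
    crt="$1"; key="$2"
    c=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -passin pass: -in "$key" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if the cert is still valid N days from now. A "freshly issued"
# cert that fails this is a sign the old .crt got installed instead.
cert_valid_for_days() {
    crt="$1"; days="$2"
    openssl x509 -noout -checkend $((days * 86400)) -in "$crt" >/dev/null 2>&1
}

# Run both checks; print subject and expiry on success, a reason on failure.
check_renewed_cert() {
    crt="$1"; key="$2"; min_days="${3:-30}"
    if ! cert_matches_key "$crt" "$key"; then
        echo "FAIL: $crt does not match private key $key" >&2
        return 1
    fi
    if ! cert_valid_for_days "$crt" "$min_days"; then
        echo "FAIL: $crt expires within $min_days days (old cert still installed?)" >&2
        return 1
    fi
    echo "OK: certificate matches the key and is valid for at least $min_days days"
    openssl x509 -noout -subject -enddate -in "$crt"
}

# Usage: ./check_cert.sh /usr/local/apache2/conf/server.crt \
#                        /usr/local/apache2/conf/server.key [min_days]
# Only on a clean pass do we bother with the config test for step 5.
if [ $# -ge 2 ]; then
    check_renewed_cert "$@" && apachectl configtest
fi
```

After the restart, check what clients actually receive rather than trusting the browser, which may have the old cert cached: openssl s_client -connect yourhost:443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -dates prints the served certificate's subject and validity, and the -showcerts output is where a missing intermediate shows up.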

NB: if you need to change any of the information in the certificate (company name, address and so on), then the certificate authority will need to talk with company executives, have some faxes sent and generally draw the whole thing out. You will also need to generate a new key and a new CSR, so start with key generation:

Code:

/usr/bin/openssl genrsa -rand /dev/urandom -out /usr/local/apache2/conf/server_new.key 2048
/usr/bin/openssl req -new -key /usr/local/apache2/conf/server_new.key -out /usr/local/apache2/conf/server_new.csr

Create the new .key first, then the request .csr from that same key (the req command must reference the key you just generated, not the live server.key). This is where you make the changes to the subject information, and the CSR is what you submit to the authority. Use 2048 bits or more; public CAs no longer accept 1024-bit RSA keys. Generate both files under new names so the live key and certificate stay untouched until the CA issues the new certificate, then point SSLCertificateKeyFile and SSLCertificateFile at the new files, keep the key root-owned with mode 0600, and restart.

Setting up Apache Log File Rotation

This how-to walks users through setting up proper log file rotation for a multi-site Apache installation where the log files are broken out by site. I built all this on my own, but forgot about log file rotation, so now the log files just keep growing and growing. Time to institute a log rotation scheme.

For the most part when you are working with Unix you will find that the syslog daemon handles how messages are logged on your system, but Apache handles its own logs, and the details are typically kept in the httpd.conf file.

sudo grep -i 'log' /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*
# Custom log file locations
LogLevel warn
ErrorLog  /var/www/html/site1.com/log/error.log
CustomLog /var/www/html/site1.com/log/access.log combined
# Custom log file locations
LogLevel warn
ErrorLog  /var/www/html/site2.com/log/error.log
CustomLog /var/www/html/site2.com/log/access.log combined
# Custom log file locations
LogLevel warn
ErrorLog  /var/www/html/site3.com/log/error.log
CustomLog /var/www/html/site3.com/log/access.log combined

So grepping gives me a listing of log file locations for each of the sites, and as you can see they are all in different directories. You probably also noticed that I grepped the conf.d directory as well: a lot of things will want to install there, like phpMyAdmin or webalizer or ssl.conf, and each can add log files of its own. One other note: some installations will have their config files in an apache2 directory instead. Continue reading
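Since the grep already finds every log path Apache writes to, the rotation config can be derived from the same directives instead of being typed by hand for each site. The script below is an added example and not part of the original how-to: it pulls the ErrorLog/CustomLog paths out of whatever config files you pass it and emits one logrotate stanza covering all of them. The config file locations are assumptions (on RHEL 5 they are /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf).

```shell
#!/bin/sh
# Added example (not from the original post): turn the ErrorLog/CustomLog
# directives Apache already has into a logrotate stanza, so per-site logs in
# odd locations get rotated along with everything else.

# Print each absolute log path named by an ErrorLog or CustomLog directive,
# once. Skips comment lines, strips quotes, and ignores piped loggers
# ("|/usr/sbin/rotatelogs ...") and ServerRoot-relative paths such as
# logs/error_log, which the stock /etc/logrotate.d/httpd already covers.
apache_log_paths() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "ErrorLog" || $1 == "CustomLog" {
            p = $2; gsub(/"/, "", p)
            if (p ~ /^\//) print p
        }' "$@" | sort -u
}

# Emit one logrotate stanza covering every path found. delaycompress matters:
# Apache keeps the old file open until it is told to reopen its logs, and
# sharedscripts makes that reload happen once, not once per file.
logrotate_stanza() {
    paths=$(apache_log_paths "$@")
    [ -n "$paths" ] || { echo "no absolute log paths found" >&2; return 1; }
    cat <<EOF
$(echo "$paths" | tr '\n' ' '){
    daily
    rotate 14
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /sbin/service httpd reload > /dev/null 2>&1 || true
    endscript
}
EOF
}

# Usage: ./apache-logrotate.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf \
#            > /etc/logrotate.d/httpd-sites
if [ $# -ge 1 ]; then
    logrotate_stanza "$@"
fi
```

Drop the output into /etc/logrotate.d/ and dry-run it once with logrotate -d on that file. The reload in postrotate is what makes Apache reopen the freshly created files; without it the children keep writing to the renamed (and, after delaycompress, compressed) file. One more check while you are in there: the log directories on this page sit under /var/www/html/siteN.com/log. If any site's DocumentRoot is /var/www/html/siteN.com itself, those access logs (client IPs, every request path, referrers) are fetchable over HTTP unless access to log/ is denied, so either move the logs under /var/log or add a Deny from all for that subdirectory.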

Subversion with Apache, CentOS and Active Directory

I'm a big fan of the CollabNet implementation of Subversion.  They set you up with installable RPMs that handle the bulk of what you need to do to get Subversion working.  They have the new Subversion Edge, which is 100% Apache and will work with Active Directory, but if your team has hundreds of thousands of files, using Apache to check out is going to be significantly slower than svn+ssh. Edge cannot do svn+ssh, but it does have a nice web GUI.  If you aren't worried about speed I 100% recommend using Edge.  You can then just skim this article, because I do have some hints on properly setting up the LDAP connectivity that apply to a GUI or command-line setup.  If you have a team like my team, then you need a faster transport method, and that means svn+ssh.

First, why is it faster?  Easy.  SSH opens a single connection and reuses it for all of the files.  Set your Apache LogLevel to debug sometime and watch the logs when a user checks out files.  Sure, you can configure Apache to spawn and destroy children more efficiently, but I don't think it's worth the time.

UPDATE – With the release of Subversion 1.7, which is an awesome rewrite from the ground up, many of my concerns about speed have gone away.  svn+ssh is still going to be faster than Apache, but you may be okay.  I really like Subversion Edge and think you should consider installing it.

PREREQUISITES

CentOS/RedHat 5.x with the base default install, but patched.

LET’S DO IT

Install CentOS 5 (or RedHat).  Just do a default install and make sure it's updated with yum.  Then get the CollabNet RPMs:

http://www.open.collab.net/downloads/subversion/linux1.5.html

Grab the Server, Client and Extras for your architecture and get them onto your server.  Then install them with yum:

yum localinstall --nogpgcheck CollabNetSubversion-server-1.6.15-1.x86_64.rpm CollabNetSubversion-extras-1.6.15-1.x86_64.rpm CollabNetSubversion-client-1.6.15-1.x86_64.rpm

Note that --nogpgcheck turns off RPM signature verification, so you are trusting the download completely; verify the files some other way (checksums from the download page, or import CollabNet's signing key and drop the flag) before installing them as root.  This sets you up, but you will still need to configure things.  I like to keep my repos in a directory called /repo.  So, I'd make sure this exists now:

mkdir /repo; chown csvn:csvn /repo

Continue reading

Building an Apache Server with Zend Optimizer

Just finished building an Apache 2.x, PHP 5.2.10, MySQL 5.x server.  Its purpose is to run an Xsilva LightSpeed e-commerce site with Zend Optimizer v3.3.9.    If anyone has any questions I can share what I know if you ask.  This was a build from the ground up on a new CentOS system.  I learned a few things along the way.

First, tuning the server is the key.  If you use the default Apache settings along with a LightSpeed site you will probably be able to overwhelm your own server with very little effort.  That means if you try to host this with most web providers you will have poor results, because they probably haven't tuned Apache, or possibly don't have a clue how to.  They just rely on Zend. Zend is supposed to handle memory management, but it does not do a very good job of it.   You'll need to fine-tune the MPM (Multi-Processing Module) so that MaxClients sets an appropriate limit on the number of simultaneous requests your server can support.  With the prefork MPM and mod_php, every simultaneous request is a separate httpd child carrying its own copy of PHP and Zend, so MaxClients is effectively a cap on RAM use: set too high, the box swaps and everything stalls; set too low, requests queue in the listen backlog instead.

Continue reading
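The usual way to pick that MaxClients value is from a memory budget: what is left after MySQL and the OS get their share, divided by the size of one PHP-loaded httpd child. The script below is an added example, not part of the original post and not Xsilva's or Zend's guidance; every number fed into it is an assumption you replace with what you measure on your own server (ps -C httpd -o rss= under real load gives the per-child figure).

```shell
#!/bin/sh
# Added example (not from the original post): size prefork MaxClients from a
# memory budget instead of taking Apache's compiled-in default. The heuristic
# is the common sysadmin one, MaxClients = (RAM - reserved) / child RSS. All
# figures passed in are assumptions; measure your own under load with
#   ps -C httpd -o rss= | awk '{ s += $1 } END { print s / NR / 1024 " MB" }'

# max_clients TOTAL_MB RESERVED_MB CHILD_MB -> integer MaxClients, never below 1.
# Fails if the reservation (MySQL, OS, page cache) leaves nothing for Apache.
max_clients() {
    total_mb="$1"; reserved_mb="$2"; child_mb="$3"
    avail=$((total_mb - reserved_mb))
    if [ "$avail" -le 0 ]; then
        echo "no memory left for Apache after reserving ${reserved_mb}MB" >&2
        return 1
    fi
    n=$((avail / child_mb))
    [ "$n" -ge 1 ] || n=1
    echo "$n"
}

# Emit the prefork stanza for Apache 2.2 (MaxClients became MaxRequestWorkers
# in 2.4). ServerLimit must be >= MaxClients: Apache silently caps MaxClients
# at ServerLimit, whose compiled-in default is 256, so raising MaxClients
# alone above 256 does nothing.
prefork_config() {
    mc=$(max_clients "$@") || return 1
    start=$((mc / 8))
    [ "$start" -ge 2 ] || start=2
    cat <<EOF
<IfModule prefork.c>
    ServerLimit          $mc
    StartServers         $start
    MinSpareServers      $start
    MaxSpareServers      $((start * 2))
    MaxClients           $mc
    # recycle children so one leaky PHP request cannot grow a child forever
    MaxRequestsPerChild  4000
</IfModule>
EOF
}

# Usage: ./prefork.sh TOTAL_MB RESERVED_MB CHILD_MB, e.g. a 4GB box keeping
# 1.5GB for MySQL and the OS with ~30MB per PHP-loaded child:
#   ./prefork.sh 4096 1536 30
if [ $# -eq 3 ]; then
    prefork_config "$@"
fi
```

Paste the stanza over the prefork block in httpd.conf, run apachectl configtest, then graceful-restart and watch free and the swap column in vmstat while the site is loaded; if swap starts moving, the child size you measured was too optimistic and MaxClients comes down.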