Lion Web Server

I spent a lot of time getting OS X Lion Server to work with my web sites last summer. Most of the problems had to do with security certificates for one of the sites, but I also had to figure out how to get Server.app to stop overwriting my configuration files each time I restarted Apache.

What follows are the notes I made towards the end of the process.

2011-08-15

Obtained new server certificate for senate.qc.cuny.edu, including an
intermediate certificate for GlobalTrust.

The process was to generate a new private key and certificate signing request
for senate.qc.cuny.edu from the openssl command line. I sent the CSR to IT
and got back an email with text blocks for two .crt files, which I
installed using the Server.app interface to certificate administration. That
panel had me drag and drop the senate.qc.cuny.edu.crt and intermediate.crt
files I created from the email, plus the senate.qc.cuny.edu.key that I had
generated before. It converted them into .pem files with extra text in the
file names, and installed them in /etc/certificates with proper permissions.
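As an added example (not part of the original notes, and not Apple's or the CA's code), here are the openssl steps described above plus the three checks worth running on the returned .crt files before handing them to Server.app: the certificate was issued for the key you generated, it chains to a trusted root through the intermediate, and it actually covers the hostname (the check behind Apache's "RSA server certificate CN does not match server name" warning). The root, intermediate and server certificate are built locally as a constructed stand-in for the real CA so the script runs offline; hostnames and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes. Generates a key and CSR with
# openssl, then runs the checks worth doing on the .crt files that come back.
# The demo chain (root -> intermediate -> server cert) is constructed locally;
# nothing here is the real CA or the real senate.qc.cuny.edu certificate.
set -eu

# Fresh RSA key and CSR for hostname "$2", written to "$1/$2.key" and "$1/$2.csr".
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# 0 when certificate "$1" was issued for private key "$2" (same RSA modulus).
cert_matches_key() {
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# 0 when server cert "$1" chains to trusted root "$3" through intermediate "$2".
# Passing the intermediate as -untrusted mirrors what a browser gets from the
# server; if the chain only verifies with the intermediate, you must serve it.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 0 when cert "$1" covers hostname "$2" (subjectAltName first, CN as fallback).
cert_covers_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

# Constructed demo PKI in "$1": self-signed root -> intermediate -> cert for "$2".
build_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/leaf.ext"
  make_key_and_csr "$1" root
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null
  make_key_and_csr "$1" intermediate
  openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/intermediate.crt" 2>/dev/null
  make_key_and_csr "$1" "$2"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/intermediate.crt" -CAkey "$1/intermediate.key" \
    -CAcreateserial -days 2 -extfile "$1/leaf.ext" -out "$1/$2.crt" 2>/dev/null
}

# Stand-alone run: build the throwaway chain and apply the three checks.
demo=$(mktemp -d)
build_demo_chain "$demo" senate.qc.cuny.edu
cert_matches_key "$demo/senate.qc.cuny.edu.crt" "$demo/senate.qc.cuny.edu.key" && echo "cert matches key"
chain_verifies "$demo/senate.qc.cuny.edu.crt" "$demo/intermediate.crt" "$demo/root.crt" && echo "chain verifies through intermediate"
cert_covers_host "$demo/senate.qc.cuny.edu.crt" senate.qc.cuny.edu && echo "cert covers senate.qc.cuny.edu"
cert_covers_host "$demo/senate.qc.cuny.edu.crt" babbage.cs.qc.cuny.edu || echo "cert does not cover babbage.cs.qc.cuny.edu"
rm -rf "$demo"
```

On a real server you would run cert_matches_key and cert_covers_host against the .crt from IT and the .key you generated, and chain_verifies with the intermediate they sent and your system root store instead of the constructed root.crt; a mismatch in the first check is exactly the symptom of a private key having changed between CSR and installation.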

I don't know whether my original problem was that the private key changed, or
the lack of an intermediate authority stopped working with Lion or something
else.

Anyway, Server.app then handled everything for the web sites automatically. By
having my named virtual hosts for port 80 set up with proper document roots
for babbage and senate in extra/httpd-vhosts.conf, Server.app was able to
generate the correct files in the sites directory for me automatically.

It just works.

2011-08-13

If you restart the server using Server.app, httpd.conf gets rewritten to
comment out the include of extra/httpd-info.conf, so httpd.conf isn't immune to
getting mangled either. I fixed that by uncommenting it in
httpd.conf.default.

Down to trying to get it to use the senate certificate for https.
Can I rename it over the babbage ones?

2011-08 too many weeks!

I put AddType .xhtml in both httpd.conf and other/php5.conf

Edit sites_disabled/default_default.conf
Set DocumentRoot to /Volumes/Sensitive/...babbage
Set ServerAdmin to my email
Add index.xhtml to DirectoryIndex
add SSLStrictSNIVHostCheck off

Copy default_default.conf over 0000_default_default.conf

Edit sites/0000_any_443__shadow.conf
Change ServerName from * to babbage.cs.qc.cuny.edu

Now the server starts with no complaint about the RSA server certificate CN not
matching the server name if you do apachectl graceful. But if you shut down and
restart from Server.app, 0000_any_443__shadow.conf gets changed back to
"ServerName *" and you get the warning again. And trying to access babbage
through https (properly) takes you to /var/empty.

Edit httpd.conf to Include extra/httpd-vhosts.conf
Edit extra/httpd-vhosts.conf
NameVirtualHost *:80
DocumentRoot /Volumes/Sensitive/...senate.qc.cuny.edu
ServerName senate.qc.cuny.edu
Directory /Volumes/Sensitive/...senate.qc.cuny.edu

Now you can access non-ssl senate web pages.
But https still doesn't work: I tried adding SSLCertificateFile and
SSLCertificateKeyFile entries in two VirtualHost *:443 sections but got "Pass
phrase incorrect" errors. I observed that sudo getsslpassphrase
babbage.cs.qc.cuny.edu:443 RSA gives the same output as for
senate.qc.cuny.edu:443 RSA. Actually, it doesn't matter what you use for the
hostname -- even blank -- so long as the port number is :443.
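"Pass phrase incorrect" is what mod_ssl reports when the passphrase its SSLPassPhraseDialog program hands back does not unlock the key for that VirtualHost. The program is run as "program servername:port RSA" and the passphrase is read from its stdout, which is the calling convention the getsslpassphrase command above follows. The following is an added example, not code from these notes or from OS X Server: passphrase_for is a hypothetical stand-in for getsslpassphrase that keys its lookup on the full servername:port rather than on the port alone, key_unlocks reproduces the check mod_ssl performs at startup, and the keys, passphrases and table file are constructed demo material.

```shell
#!/bin/sh
# Added example, not the notes' or Apple's code. Shows how an
# "SSLPassPhraseDialog exec:" program is consulted per VirtualHost and why a
# dialog that returns one passphrase for every :443 host fails for a second
# key protected by a different passphrase.
set -eu

# Look up the passphrase for "$1" (servername:port) in table file "$2", whose
# lines are "servername:port<TAB>passphrase". Returns 1 when absent.
# (Hypothetical replacement for getsslpassphrase; keep the table root-only.)
passphrase_for() {
  awk -v k="$1" -F '\t' '$1 == k { print $2; found = 1 } END { exit !found }' "$2"
}

# 0 when passphrase "$2" unlocks PEM private key "$1". Note that an
# unencrypted key loads with any passphrase, so a wrong value from the dialog
# only shows up once the key is actually encrypted.
key_unlocks() {
  openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Emulate mod_ssl at startup for one vhost: ask the dialog for servername:port
# "$1", then try that passphrase on the vhost's key file "$2"; "$3" is the table.
vhost_key_loads() {
  pass=$(passphrase_for "$1" "$3") || return 1
  key_unlocks "$2" "$pass"
}

# Constructed demo material in "$1": two keys encrypted with different
# passphrases, one unencrypted key, and a per-host passphrase table.
build_demo() {
  openssl genrsa -aes256 -passout pass:senate-secret -out "$1/senate.key" 2048 2>/dev/null
  openssl genrsa -aes256 -passout pass:babbage-secret -out "$1/babbage.key" 2048 2>/dev/null
  openssl genrsa -out "$1/plain.key" 2048 2>/dev/null
  printf 'senate.qc.cuny.edu:443\tsenate-secret\nbabbage.cs.qc.cuny.edu:443\tbabbage-secret\n' \
    > "$1/passphrases"
  chmod 600 "$1/passphrases" "$1"/*.key
}

# Stand-alone run.
demo=$(mktemp -d)
build_demo "$demo"
vhost_key_loads senate.qc.cuny.edu:443 "$demo/senate.key" "$demo/passphrases" && echo "senate key loads"
vhost_key_loads babbage.cs.qc.cuny.edu:443 "$demo/babbage.key" "$demo/passphrases" && echo "babbage key loads"
# The failure mode from the notes: the babbage passphrase offered for the senate key.
key_unlocks "$demo/senate.key" babbage-secret || echo "senate key with babbage passphrase: pass phrase incorrect"
key_unlocks "$demo/plain.key" anything-at-all && echo "unencrypted key ignores the passphrase"
rm -rf "$demo"
```

To find out which case you are in, run key_unlocks against the installed senate key with the value getsslpassphrase prints for :443; if it fails, either the key was generated with a different passphrase or without one, and the dialog script, not the VirtualHost configuration, is what needs attention.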