Saturday, January 28, 2006

Apache + SSL on Windows (Yes, Windows)

This past week was a pretty frustrating one on numerous levels; just one of those weeks where everything that can possibly go wrong does, and 99% of it was out of my control, which makes it all the more frustrating. Out of these challenges tends to come some experience and maybe even a bit of wisdom, however, so while it's painful, it's a growth experience and forces you to investigate things you might not otherwise have done. (That's my "silver lining" outlook at the end of the week. If I had posted anything on Monday it would have been far less optimistic!)

One of the major frustrations I had this week was trying to upgrade CF 5 to CF 7 Enterprise (multi-instance installation) on a Windows 2000 server. Nothing I haven't done numerous times before, but this particular server was the proverbial server from hell. Every single thing that could go wrong did, and since I'm in Dallas and the server's in San Diego, it made it all the more frustrating because walking over, sticking a CD in the drive, and reinstalling Windows wasn't an option. Sure I could have scheduled to have it done by the colo engineers, but that seemed overkill just to get CF upgraded.

Problem #1 was that the CF 7 installation hung when it was trying to connect to the web server, which was IIS at this point. (For some reason it was unsuccessful in migrating my CF 5 settings as well, but that was a minor issue since I had a spreadsheet with all the settings in it anyway.) I've seen that happen before but usually you can just kill the process and run the web server connector after the fact. The web server connector also hung, however, so I was faced with doing this piece manually.

This isn't that big of a deal, or shouldn't have been, but after following these instructions, it still just didn't work. When I'd hit the CF administrator it would just spit out what I assume is the encrypted CF code to the browser, and attempts to hit other CF pages would either result in the source code being displayed or some varying degrees of not processing or not finding the pages. In short, CF and IIS weren't communicating.

Step 2 was to try doing a single instance/standalone install of CF 7 because on this server I really don't need multiple instances. I prefer to do the multi-instance install regardless, but since I wasn't getting anywhere with the multi-instance install I decided to give the standalone install a try. The web server connector still locked up, so I tried these instructions to do the manual configuration for the standalone installation. Still nothing--same behavior as before from IIS.

At this point I've spent a significant amount of time on something that should have been rather trivial, so I decided to install Apache 2.0.55 on Windows and see if that would work. The web server connector still hung (I was being ultra-paranoid and uninstalling/reinstalling CF at several points during this process) when trying to talk to Apache. So I followed the stand-alone manual web server configuration instructions above to get CF to talk to Apache and EUREKA! Success!

The story doesn't end there though. The Windows installer for Apache 2.0.55 doesn't come with SSL support, and this server runs one app that needs SSL. Jared was nice enough to be listening to me yell over IM about my problems during this process and sent me a link describing how to install SSL support for Apache on Windows. This led me down a couple of other paths, but here are the links for trying this process (emphasis on TRYING):

My own personal opinion on these two sets of instructions is that they are missing some rather crucial steps (if you *combine* the two you get close), but in the end even after trying this process multiple times, it just didn't work. Apache would fail to start with the mod_ssl LoadModule line uncommented, but if I commented it out Apache would start. I checked the placement and existence of the files multiple times and spent a lot of time walking back through this process step by step, and I was sure I was using the latest package that supposedly will allow for this, but it just didn't want to work.

VERY long story short, if you want to use Apache with SSL on Windows, go download this package from and be done with it. Yes, it comes with MySQL, mod_perl, PHP 5, and a bunch of other stuff you might not want or need, but you can easily disable that stuff and it doesn't install these add-ons as Windows services, so it's really just some extra files on your hard drive that won't cause any real harm.

The key here is that this is Apache 2.0.54 with SSL support already in there. (Another option I found prior to discovering this package was to get the source code for Apache and mod_ssl and compile it myself, but I just wanted to get this thing DONE!) I just installed it late yesterday--I wasn't about to let the weekend hit without having this issue resolved--and so far it works like a champ. I generated a test certificate using OpenSSL and it works great. Just going this route initially would have saved me a ton of time so my thanks go out to devside for making this available.

Now back to the silver lining stuff. I know a lot more about Apache than I did before (I'm semi-dangerous with Apache on Linux), it forced me to figure out SSL with Apache on Windows, and I also know more than I ever wanted to about manually configuring the web server connections with CF. That's not necessarily a bad thing and it likely isn't something I would have spent my time learning had I not been faced with this. Most importantly I left work for the weekend knowing that things were working, and hey, now I can count myself among the cool kids because I'm running Apache. ;-)


I always use the Apache/SSL binary from

works like a champ is always up to date within a day of a new Apache or OpenSSL release.

Thanks Kurt--I actually used those as part of the instructions I list in the blog entry but didn't have luck getting it to work. I may take another run at it at some point but that other package seemed to install without a hitch, so I'm happy for the time being.

I've had the same frustrations with Apache/SSL/Win32. The all-in-one WAMP packages, like DevSide's, are the way to go, if you can. There are a number of these out there, some with or without SSL. Saint WAMP is another good one which is on sourceforge. EasyPHP is a popular one, but it's getting kinda stale, it doesn't have SSL, and half of the instructions are in French. Xampp, Uniform Server, IBServer, and FoxServ are other examples (but I'd probably stick with DevSide and Saint WAMP).

In any case, it's quite amazing that for something that has been around as long as it has, that this kind of functionality isn't easier to get up and running and/or come out of the box without having to go to these WAMP solutions. While it makes sense that you might have to recompile things on a *nix box, it doesn't make sense for a Windows box in which it shouldn't matter. A Win32 executable is more or less the same/compatible no matter which version of Windows you have.

Oh yeah, BTW, here's another good site that I think is better (than the two you mentioned) at explaining exactly what you have to do to get 2.0.55 up and running with SSL on a Windows box:

I always use the ApacheSSL package from
