It’s becoming more and more of a requirement to run different apps under different versions of Ruby.
On one project I have needed to take the plunge with Ruby 1.9 for Unicode support.
This is no big deal really, because Passenger and Rails 3 are pretty stable on Ruby 1.9; however, I still have apps that need 1.8 for various reasons I won’t go into.
As it stands, Passenger does not support running apps under different interpreters using the Apache or nginx modules. I came across this article
I’m going to try and simplify by just giving installation instructions, but if you want a bit more in-depth info as to the reason for this process, head on over to Phusion’s blog.
First of all you’re going to need RVM and the Passenger module installed on your Apache/nginx instance. I’m going to assume you’ve already got this working and the reason you’re here is to use multiple different versions of the Ruby interpreter with Passenger. NOTE: You should be using the interpreter used for the majority of your apps as the base Apache or nginx Passenger Ruby.
Let’s assume we already have a working app using Passenger with Ruby 1.8.7 and we want to get another app running but using Ruby 1.9.2.
It became apparent that getting mod_ssl working correctly without browser warnings when developing sites that take payments is a bit of a pain, mainly because there is no free way to have a root authority sign your Certificate Signing Request (CSR).
There is, however, a shortcut, given that you are using Apache, mod_ssl, openssl and Firefox.
We’re going to generate our own Certificate Authority (CA). This CA is only going to work for us, so if you’re generating a certificate for production, you’ll need to send your CSR to a proper CA such as VeriSign.
Step1, Make a temporary folder we can work in.
Step2, generate our private key
openssl genrsa -des3 -out server.key 1024
You will be asked for a passphrase in the creation of this key (just use 12345, or anything), but do not forget this passphrase! You’ll have to do this all over if you forget the passphrase. You will need this passphrase later on in the process.
Step3, generate a CSR from our private key
openssl req -new -key server.key -out server.csr
You’ll be asked for the following information:
Country Name (2 letter code)[AU]: (enter your country code here)
State or Province Name (full name)[Some-State]: (Enter your state here)
Locality Name (eg, city): (enter your city here)
Organization Name (eg, company)[Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section): (enter something here)
Common Name (eg, YOUR name): (this is the important one)
Email Address : (your e-mail address)
Make sure you fill in `Common Name` with the domain you want this certificate for; this should match your Apache vhost `ServerName` setting.
Now, looking at the directory we’re working in, you should have the following:
drwxr-xr-x 5 rob staff 126 Nov 14 17:01 .
drwx------ 38 rob staff 1248 Nov 14 16:57 ..
-rw-r--r-- 1 rob staff 729 Nov 14 17:01 server.csr
-rw-r--r-- 1 rob staff 963 Nov 14 16:59 server.key
Step4, create the private key for our CA
openssl genrsa -des3 -out ca.key 1024
Again, you’ll be asked for a passphrase, which, again, you should not forget.
Step5, create CA certificate using the key we just made
You will be asked for information similar to what you were asked for when we made the web server certificate earlier; this information should be about you. Enter something like the following:
Country Name (2 letter code)[AU]:GB
State or Province Name (full name)[Some-State]:Cheshire
Locality Name (eg, city):Stockport
Organization Name (eg, company)[Internet Widgits Pty Ltd]:My CA
Organizational Unit Name (eg, section):My CA for Dev
Common Name (eg, YOUR name):Rob Aldred
Email Address :firstname.lastname@example.org
Now you will have 4 files in your directory: server.key, server.csr, ca.key, ca.crt
Next is the important part, signing our certificate request.
The easiest way to do this is to use the sign.sh script contained in the mod_ssl source,
or you can get it here: sign.sh
Copy the script to the working directory.
Step6, make sign.sh executable and sign our CSR
chmod +x sign.sh
you should get something like the following:
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
The Subjects Distinguished Name is as follows
Certificate is to be certified until Nov 14 23:09:20 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
Answer ‘y’ to the question asking to Sign the certificate [y/n]
Step7, remove password requirement from server key
Step10, Tell apache to listen on 443
By default there is a file in /etc/apache2/extra called httpd-ssl.conf.
This needs to be edited and included in /etc/apache2/httpd.conf; it’s commented out initially.
Depending where you are defining your VirtualHost blocks
Comment out or remove the _default_ VirtualHost block in httpd-ssl.conf; otherwise it will cause errors when starting Apache, because we have no certificate configured for the example Apache provides.
Edit your httpd.conf to include the etc/httpd-ssl.conf file: scroll to the bottom of the file and you’ll notice it’s commented out at around line #476
# Secure (SSL/TLS) connections
# Include /private/etc/apache2/extra/httpd-ssl.conf
Just remove the # in front of Include and move on to the next step.
I use a separate vhosts folder in extra, containing individual conf files for each VirtualHost; they are included in the extra/httpd-vhosts.conf file using the following:
Step10, restart apache
Step11, (a few steps in itself) Add our CA to Firefox so it thinks it’s a trusted authority
Go to Preferences (Cmd + ,)
Go to Advanced
Go to Encryption
Click ‘View Certificates’
Choose the ‘Authorities’ tab
Hit Shift + Cmd + g to open the go to folder window
Enter ‘/etc/apache2/certs’ (You might be asked to authenticate with your system password)
Select the ca.crt file we generated earlier and click ‘Open’
Firefox will ask you:
Do you want to trust “My CA” for the following purposes?
Just select Trust this CA to identify websites
Restart your browser
If you’ve followed everything correctly, when you go to https://localhost (or whatever CommonName you specified)
you will get an SSL-encrypted site and no warnings about the certificate not being trusted.
If Apache doesn’t come back up, then Apache’s config check program is your best friend.
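
The key, CSR, CA and signing steps (Steps 2 to 7) collected into one non-interactive script, with two checks to run before Apache is pointed at the files. This is an added example, not the author's commands or the mod_ssl sign.sh script. It assumes 2048-bit keys rather than the 1024 used above, a subjectAltName entry for the host name (which current browsers match against), and a constructed passphrase and subject names.

```shell
#!/bin/sh
# Added example: throwaway dev CA plus one server certificate, non-interactive.
CA_PASS="example-only-passphrase"   # constructed placeholder, not a real secret

# usage: make_dev_cert <workdir> <hostname>   (body runs in a subshell)
make_dev_cert() (
  dir=$1; host=$2
  mkdir -p "$dir" && cd "$dir" || exit 1
  # Private config so the result does not depend on the system openssl.cnf.
  cat > dev.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = My CA
CN = My CA for Dev
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
  # CA key (passphrase-protected) and self-signed CA certificate.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null &&
  openssl req -new -x509 -config dev.cnf -key ca.key -passin "pass:$CA_PASS" \
    -sha256 -days 365 -out ca.crt &&
  # Server key without a passphrase (the end state of Step 7) and its CSR.
  openssl genrsa -out server.key 2048 2>/dev/null &&
  openssl req -new -config dev.cnf -key server.key -subj "/CN=$host" \
    -out server.csr &&
  # Sign the CSR with the CA and attach the subjectAltName extension.
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$CA_PASS" -CAcreateserial -sha256 -days 365 \
    -extfile dev.cnf -extensions server_ext -out server.crt 2>/dev/null &&
  chmod 600 ca.key server.key
)

# Checks worth running before pointing Apache at the files.
cert_chains_to_ca() {   # server.crt verifies against ca.crt
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
key_matches_cert() {    # server.key and server.crt hold the same RSA modulus
  [ "$(openssl rsa -in "$1/server.key" -noout -modulus)" = \
    "$(openssl x509 -in "$1/server.crt" -noout -modulus)" ]
}
```

Only ca.crt is imported into the browser; ca.key stays out of the web server's directories, since anyone holding it can issue certificates that browser will trust.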