Python support for SSL and HTTPS is not installed

I wanted to give Google’s new Go language a try, which requires checking out the source code with Mercurial.

Mercurial was installed from ports on my Mac with

sudo port install mercurial

But checking out the code threw an error.

Chill:~ rus$ hg clone -r release $GOROOT
abort: Python support for SSL and HTTPS is not installed
Exception exceptions.AttributeError: "'httpsrepository' object has no attribute 'urlopener'" in > ignored

After some hunting I found the answer is to install the Python socket SSL library from ports:

Chill:~ rus$ sudo port install py25-socket-ssl
---> Fetching py25-socket-ssl
---> Verifying checksum(s) for py25-socket-ssl
---> Extracting py25-socket-ssl
---> Configuring py25-socket-ssl
---> Building py25-socket-ssl
---> Staging py25-socket-ssl into destroot
---> Installing py25-socket-ssl @2.5.4_0
---> Activating py25-socket-ssl @2.5.4_0
---> Cleaning py25-socket-ssl

Which then let me check out the source for Go!

Chill:~ rus$ hg clone -r release $GOROOT
requesting all changes
adding changesets
adding manifests
adding file changes
added 3976 changesets with 16799 changes to 2931 files
updating working directory
1640 files updated, 0 files merged, 0 files removed, 0 files unresolved

Now it’s time to compile 😀

Apache2 with SSL and Tomcat5.5 on Ubuntu

One of the newer features to our site is an access control mechanism to force specific paths to only be delivered over SSL when our customers have particularly sensitive data. We already use Apache2 with mod_jk to talk to the Tomcat5.5 instance running our app so the only part left is to enable SSL!

First make sure mod_ssl is enabled:

root@reltest-tcj0:/var/log/apache2# a2enmod
Which module would you like to enable?
Your choices are: actions asis auth_anon auth_dbm auth_digest auth_ldap cache cern_meta cgid cgi dav_fs dav deflate disk_cache expires ext_filter file_cache headers imap include info jk ldap mem_cache mime_magic proxy_connect proxy_ftp proxy_http proxy rewrite speling ssl suexec unique_id userdir usertrack vhost_alias
Module name? ssl
This module is already enabled!

Then we configure mod_jk to pass its SSL environment variables to Tomcat by adding the following to apache2.conf:

JkExtractSSL On

Tell Apache2 to listen on the SSL port by editing ports.conf

Listen 443

We want to make sure we have the latest common CA certificates in order to establish a trusted root for our new shiny signed certificate!

apt-get install ca-certificates

If you have a lovely, genuinely signed certificate like we do, you might then need to add its intermediate certificate to the ca-certificates system. Move the certificate to /usr/share/ca-certificates, then add its location to /etc/ca-certificates.conf.

Now run update-ca-certificates to update the system’s certificate store (located in /etc/ssl/certs/ca-certificates.crt).

root@reltest-tcj0:/etc/apache2/sites-enabled# update-ca-certificates
Updating certificates in /etc/ssl/certs....done.

We want the same site to simply be available over SSL, so I’m going to duplicate the existing VirtualHost for that site, specifying port 80 for the original vhost and port 443 for the new one that uses SSL. The only changes that need to be made to the new vhost are the following SSL directives:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/
SSLCertificateKeyFile /etc/apache2/ssl/
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt

Obviously making sure the keys are in the right place!

And lastly make sure that NameVirtualHost settings exist for both port 80 and port 443!

NameVirtualHost *:80
NameVirtualHost *:443

et voila.
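
A quick way to confirm that a config actually contains every step above before restarting Apache. This is an added example, not code from the original post: the function names parse and check_ssl_setup are made up for illustration, and the sample config (host name and certificate file names included) is constructed.

```python
import re
# Constructed sample: apache2.conf, ports.conf and both vhosts merged; names are placeholders.
SAMPLE_CONF = """\
JkExtractSSL On
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
    ServerName www.example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.key
    SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
</VirtualHost>
"""

def parse(conf):
    """Return (global directives, {vhost address: directives}), names lowercased."""
    top, vhosts, current = [], {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if opened:
            current = vhosts.setdefault(opened.group(1).strip(), [])
        elif line.lower() == "</virtualhost>":
            current = None
        elif line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            (top if current is None else current).append((name.lower(), value.strip()))
    return top, vhosts

def check_ssl_setup(conf):
    """List the steps from the post that conf is missing (empty list = all found)."""
    top, vhosts = parse(conf)
    seen = {(name, value.lower()) for name, value in top}
    wanted = [("jkextractssl", "on"), ("listen", "443"),
              ("namevirtualhost", "*:80"), ("namevirtualhost", "*:443")]
    problems = [f"not found: {n} {v}" for n, v in wanted if (n, v) not in seen]
    ssl_vhost = dict(vhosts.get("*:443", []))
    if ssl_vhost.get("sslengine", "").lower() != "on":
        problems.append("*:443 vhost: sslengine is not on")
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        path = ssl_vhost.get(name, "")
        if not path or path.endswith("/"):  # empty, or a directory instead of a file
            problems.append(f"*:443 vhost: {name} does not name a file")
    return problems
```

Feed it the concatenated contents of apache2.conf, ports.conf and the site file; an empty list means every directive from the walkthrough was found.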