help logoLON-CAPA Help

There are two different contexts in which a LON-CAPA server may communicate via SSL (Secure Sockets Layer):

Apache SSL

In the case of Apache, the steps required depend on the Linux distro.

For all distros you will need to install a key, generate a certificate signing request with that key, and have the certificate signed. You will also want to disable the passphrase prompt on web server restart by removing the password from the copy of the key you use with Apache, e.g.,

openssl rsa -in server.key -out server.key.nopass
You will then put the the (nopass) key and certificate files in locations accessible to Apache, and include information about the locations of those files in a config file containing the following lines:
SSLCertificateFile < path to signed certificate >
SSLCertificateKeyFile < path to key >
replacing < path to ... > with the path to the location of the particular file.

Which Apache config file contains these entries depends on the distro:

If you want to use rewrite rules to ensure that all external web requests are served using SSL, you should verify that mod_rewrite is enabled:

You will also need to copy the rewrites/loncapa_rewrite_on.conf file to loncapa_rewrite.conf with the following commands:

and then reload the web server:

To disable rewriting of external web requests to https://, copy rewrites/loncapa_rewrite_off.conf to loncapa_rewrite.conf and reload the web server.

You will need to open the server's Firewall to allow inbound traffic on port 443.

Note: changing firewall settings will cause iptables to reload, which means the rules to allow connections from other LON-CAPA servers via port 5663 will need to be re-established (if the LON-CAPA daemons were already running) by doing: /etc/init.d/loncontrol restart as root.


In the case of encrypted internal communication between LON-CAPA servers, you will need command line access as either root or www and enter the following commands:

cd /home/httpd/lonCerts

Important: for the Common Name you should enter the lonHostID. This is displayed on the log-in page (Server: ) and is also an entry in the loncapa.conf file in /etc/httpd/conf (CentOS RedHat Scientific Linux Fedora) or /etc/apache2 (SuSE SLES Debian Ubuntu LTS). An example would be msul1.

By running you will:

Your certificate will be signed by the certificate authority and an e-mail will be sent to the e-mail address you gave when prompted for one when you ran

Save the e-mail you receive to a file, remove the headers from it, and run it (as the www user).

If it successfully completes you will have:

Now when you machine connects to another server in the LON-CAPA network it will try to do so over an SSL connection. You can verify this by doing:

ps auxwww | grep lonc

You should see something like:
lonc: msul1 Connection count: 1 Retries remaining: 5 (ssl)
where before you saw something like:
lonc: msul1 Connection count: 1 Retries remaining: 5 (insecure)