Overview
The purpose of this document is to install and configure the
Apache 2 (httpd) web server and configure an SSL certificate on CentOS 7 or RHEL 7.
Applies To
RHEL 7, CentOS 7
Pre-Requisites
· mod_ssl, installed when you want to configure an SSL certificate
HTTPD – Package Install
Download and install the httpd package on the server; to
install it, run the command;
yum install -y httpd
HTTPD – Service Enable
The next step is to enable the httpd service so that it starts
automatically at OS boot time.
systemctl enable httpd.service
HTTPD – Service Status
The next step is to check the status of the httpd service; to see
the status of the service, run the command;
systemctl status httpd.service
Start Service
The next step is to start the httpd service; to start it, run the
command;
systemctl start httpd.service
Configure Firewall
The next step is to configure the firewall, if the firewall is
running. The httpd daemon listens on port 80 by default, which is not opened
by default; to open the port, run the command and then reload the firewall.
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --reload
Launch Website
After configuring the firewall, open the website in a
browser.
Install and Configure SSL for Apache
In order to configure the Apache (httpd) web server with an SSL
certificate, you have to install the mod_ssl package and configure it accordingly. In this
guide we will install a self-signed SSL certificate.
Install Mod_SSL
The next step is to configure the SSL certificate on the server. To
install the mod_ssl package, run the command;
yum install mod_ssl -y

Create Certificate (CSR)
Before you create the certificate, the SSL store directory (/etc/httpd/ssl,
the directory used by the commands below) has to be created.
Certificate Request
After the mod_ssl package installation, you need to generate a
new private key and certificate file for the web server.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/vcptest-apache.key -out /etc/httpd/ssl/vcptest-apache.crt
Attribute | Purpose
req | Certificate request (PKCS#10 X.509 Certificate Signing Request (CSR) management)
-x509 | Output a self-signed certificate instead of a certificate signing request
-nodes | Tells OpenSSL not to protect the private key with a passphrase
-days | Certificate validity in days
-newkey | Generate a new certificate and a new key at the same time
-keyout | Where to store the generated private key file
-out | Where to store the generated certificate file
Note: Apache (the httpd daemon) must be able to read the private key
file without user intervention when the server starts up. If a passphrase is set, it prevents this,
since the passphrase would have to be entered on every httpd daemon
restart.
Organization Information
When you request a new certificate, the information below has
to be included; an example is given for each field.
Option | Purpose | Example
Common Name | The fully qualified domain name of your web server. This must be an exact match. | If you intend to secure the URL https://vcptest.effonetech.com, then your CSR's common name must be vcptest.effonetech.com.
Organization Name | Do not abbreviate your organization name (legal name). | effonetech.com
Organizational Unit | Section of the organization | IT
City or Locality | City where the organization is legally located | Bengaluru
State or Province | The state or province where the organization is legally located. Abbreviations should not be used. | Karnataka
Country | The two-letter abbreviation of the country | IN
Configure Apache SSL
Generate Private Key and Certificate Files
To generate the new private key and certificate, run the
command;
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/vcptest-apache.key -out /etc/httpd/ssl/vcptest-apache.crt
Output Filename | Purpose
vcptest-apache.key | Private key file (-keyout)
vcptest-apache.crt | Certificate file (-out)
Validate Private Key and Certificate Files
To ensure the private key and the certificate were generated
in the designated directory, list the directory and check that both files are present.

Edit SSL Configuration
After the certificate and private key files are generated, the
next step is to edit the SSL configuration file of the web server;
ls /etc/httpd/conf.d/ssl.conf
vi /etc/httpd/conf.d/ssl.conf
Set DocumentRoot
Find and set the DocumentRoot
directive value to “/var/www/html”,
which is also the default.
Set ServerName
Find and set the ServerName
directive value to “<DomainName>:443”,
typically the web server's FQDN and the default bind port 443.

Set SSLCertificateFile
Find and set the SSLCertificateFile directive value to “/etc/httpd/ssl/vcptest-apache.crt”.

Set SSLCertificateKeyFile
Find and set the SSLCertificateKeyFile directive value to “/etc/httpd/ssl/vcptest-apache.key”.

Validate SSL Configuration
After making the necessary changes to the SSL configuration
file, validate them by running the commands;
grep ^DocumentRoot /etc/httpd/conf.d/ssl.conf
grep ^ServerName /etc/httpd/conf.d/ssl.conf
grep ^SSLCertificateFile /etc/httpd/conf.d/ssl.conf
grep ^SSLCertificateKeyFile /etc/httpd/conf.d/ssl.conf
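The four grep checks above only show that the directives are present; the script below, an added example that is not part of the original guide, performs the same checks in one function and also confirms that the certificate and key the file points at exist, belong together, carry the ServerName host as their Common Name (the "exact match" requirement from the Organization Information table), and are not expired. It assumes the directives sit at column 0 as in the stock ssl.conf, and the openssl-based checks are skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example, not from the guide: the guide's four grep checks on ssl.conf
# in one function, plus checks that the certificate and key it names exist,
# belong together, carry the ServerName host as CN, and are not expired.
# Usage: sh check_ssl_conf.sh /etc/httpd/conf.d/ssl.conf

# Print the value of the first uncommented, column-0 DIRECTIVE in FILE,
# minus the double quotes ssl.conf puts around DocumentRoot.
conf_value() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_ssl_conf FILE: returns 0 when all checks pass, 1 otherwise.
check_ssl_conf() {
    conf=$1 rc=0
    docroot=$(conf_value "$conf" DocumentRoot)
    name=$(conf_value "$conf" ServerName)
    crt=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)

    [ "$docroot" = /var/www/html ] ||
        { echo "DocumentRoot is '$docroot', expected /var/www/html"; rc=1; }
    case $name in
        *:443) ;;   # guide expects "<FQDN>:443"
        *) echo "ServerName '$name' does not end in :443"; rc=1 ;;
    esac
    [ -r "$crt" ] || { echo "SSLCertificateFile '$crt' unreadable"; rc=1; }
    [ -r "$key" ] || { echo "SSLCertificateKeyFile '$key' unreadable"; rc=1; }
    [ $rc -eq 0 ] || return 1
    command -v openssl >/dev/null 2>&1 || return 0   # file checks only

    # Key must match the certificate (compare SubjectPublicKeyInfo PEM).
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; rc=1; }
    # CN must equal the ServerName host, or browsers reject the site.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "${name%:443}" ] ||
        { echo "certificate CN '$cn' != ServerName host '${name%:443}'"; rc=1; }
    # -checkend 0 fails when the certificate is already expired.
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1 ||
        { echo "certificate has expired"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then check_ssl_conf "$1"; fi
```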

Configure Firewall
Once the configuration of the httpd service is completed, the next
step is to configure the firewall, where we open the https service port and
reload the firewall rules.
After configuring the firewall, “https” should appear in the
list of allowed services, as shown below.
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
firewall-cmd --list-services
Start Service – HTTPD
After configuring the firewall and reloading it, the next step
is to restart the service. To restart it, run the command below; the other httpd
service management commands are also listed below.
systemctl restart httpd
or, equivalently:
systemctl stop httpd; systemctl start httpd
HTTPD Service Management
Service Control Task | Purpose
systemctl status httpd | Display the current status of the httpd service
systemctl start httpd | Start the httpd service
systemctl stop httpd | Stop the httpd service
systemctl disable httpd | Disable the httpd service in the multi-user target
systemctl enable httpd | Enable the httpd service in the multi-user target
systemctl restart httpd | Restart the httpd service
Launch SSL Website
After reloading the firewall and restarting the service, and once the
service status is shown as “Running”,
open the web server in a browser.

General Troubleshooting
Configuration Test
The first and foremost troubleshooting method for the
httpd web server is to check the configuration file, which can be done with the “apachectl -t” command.
Testing httpd Configuration – Syntax
To validate configuration for syntax errors run the command;
apachectl -t
Testing httpd Configuration – Debug Mode
To validate the configuration for syntax errors in debug mode,
run the command below; you can change the log level according to the table below.
apachectl -t -e <Debug Log Level>
Example: testing the Apache configuration with the log level set to “info”.
Debug Log Level | Purpose
debug | Run the test in debug mode and show all messages related to the httpd service
warn | Run the test and show only warning messages related to the httpd service
crit | Run the test and show critical messages related to the httpd service
error | Run the test and show error messages related to the httpd service
info | Run the test and show informative messages related to the httpd service
Verify Logs
The second troubleshooting method is checking the different log
files, which are located in the directory “/var/log/httpd/”.
Log File Name | Purpose
access_log | All access-related logs are stored in this file
error_log | All error-related logs are stored in this file
ssl_access_log | All SSL access-related logs are stored in this file
ssl_error_log | All SSL access-related error logs are stored in this file
ssl_request_log | A log entry for each SSL request is stored in this file