Monday, July 4, 2016

How To Install and Configure Apache SSL on CentOS 7

Overview

The purpose of this document is to install and configure Apache 2 (the httpd package) with an SSL certificate on CentOS 7 or RHEL 7.

Applies To

RHEL 7, CentOS 7

Pre-Requisites

· mod_ssl, required when you want to configure an SSL certificate

HTTPD – Package Install

Download and install the httpd package on the server by running the command:

yum install -y httpd


HTTPD – Service Enable

The next step is to enable the httpd service so that it starts automatically at OS boot time.

systemctl enable httpd.service




HTTPD – Service Status

The next step is to check the status of the httpd service. To see the service status, run the command:

systemctl status httpd.service


Start Service

The next step is to start the httpd service. To start it, run the command:

systemctl start httpd.service



Configure Firewall

The next step is to configure the firewall, if it is running. The httpd daemon listens on port 80 by default, which the firewall does not open as standard. To open the port, run the command below and reload the firewall.

firewall-cmd --permanent --zone=public --add-service=http

firewall-cmd --reload


Launch Website

After configuring the firewall, launch the website from the browser.

Install and Configure SSL for Apache

In order to configure the Apache (httpd) web server with an SSL certificate, you have to install the mod_ssl package and configure it accordingly. In this guide we will install a self-signed SSL certificate.

Install Mod_SSL

The next step is to configure the SSL certificate on the server. First install the mod_ssl package by running the command:

yum install mod_ssl -y


Create Certificate (CSR)

Before you create the certificate, the SSL store folder (/etc/httpd/ssl, the directory used by the key and certificate paths below) has to be created.

Certificate Request

After installing the mod_ssl package, generate a new private key and certificate for the web server:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/vcptest-apache.key -out /etc/httpd/ssl/vcptest-apache.crt



Attribute   Purpose
req         PKCS#10 X.509 certificate request (CSR) management command
-x509       Output a self-signed certificate instead of a certificate signing request; this is what makes the guide's certificate self-signed
-nodes      Tells OpenSSL not to protect the generated private key with a passphrase
-days       Certificate validity in days
-newkey     Generate a new private key together with the certificate (here a 2048-bit RSA key)
-keyout     Where to store the generated private key file
-out        Where to store the generated certificate file

Note: Apache (the httpd daemon) must be able to read the private key file without user intervention when the server starts up. A passphrase on the key would prevent this, since someone would have to enter the passphrase at every httpd daemon restart.

Organization Information

When you request a new certificate, the information below has to be included; an example is given for each field.

Common Name (example: vcptest.effonetech.com)
    The fully qualified domain name for your web server. This must be an exact match: if you intend to secure the URL https://vcptest.effonetech.com, then your CSR’s common name must be vcptest.effonetech.com.
Organization Name (example: effonetech.com)
    The legal name of your organization. Do not abbreviate it.
Organizational Unit (example: IT)
    Section of the organization.
City or Locality (example: Bengaluru)
    City where the organization is legally located.
State or Province (example: Karnataka)
    The state or province where the organization is legally located. Abbreviations should not be used.
Country (example: IN)
    The two-letter abbreviation of the country.

Configure Apache SSL

Generate Private Key and Certificate Files

To generate the new private key and certificate, run the command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/vcptest-apache.key -out /etc/httpd/ssl/vcptest-apache.crt


Output file          Purpose
vcptest-apache.key   Private key file (-keyout)
vcptest-apache.crt   Certificate file (-out)


Validate Private Key and Certificate Files

To ensure the private key and the certificate were generated in the designated directory, list the files in /etc/httpd/ssl and check that both are present.
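As an added example (not part of the original post), the following script performs the key and certificate generation above non-interactively, filling the subject from the organization table, restricting permissions on the private key, and then verifying that the key and certificate belong together and that the certificate is self-signed. The SSL_DIR, NAME and CN variables and all function names are this example's own; SSL_DIR defaults to the guide's /etc/httpd/ssl and can be pointed at a scratch directory to try the script without root.

```shell
#!/bin/sh
# Added example, not the original post's code: non-interactive self-signed
# key/certificate generation plus the checks an operator wants afterwards.
set -eu

# Assumed variables (not from the guide): override them in the environment.
SSL_DIR="${SSL_DIR:-/etc/httpd/ssl}"      # the guide's certificate store
NAME="${NAME:-vcptest-apache}"            # file name stem used in the guide
CN="${CN:-vcptest.effonetech.com}"        # Common Name from the table

# Build the -subj argument from the organization table
# (Country, State, Locality, Organization, Unit, Common Name).
build_subject() {
  printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Create the store, generate key + self-signed certificate without prompts,
# and make the private key readable by its owner only (httpd reads it as
# root at start-up, so nothing else needs access).
generate_cert() {
  subj=$(build_subject IN Karnataka Bengaluru effonetech.com IT "$CN")
  mkdir -p "$SSL_DIR"
  chmod 700 "$SSL_DIR"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "$subj" \
    -keyout "$SSL_DIR/$NAME.key" -out "$SSL_DIR/$NAME.crt"
  chmod 600 "$SSL_DIR/$NAME.key"
  chmod 644 "$SSL_DIR/$NAME.crt"
}

# The certificate must carry the public half of the private key: compare
# SHA-256 digests of both public keys in DER form.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# A self-signed certificate has identical subject and issuer.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer/subject/')
  [ "$s" = "$i" ]
}

# Show what was issued: subject and validity window.
show_cert() {
  openssl x509 -in "$1" -noout -subject -dates
}

# Run with "run" as the first argument to generate and check the files.
if [ "${1:-}" = run ]; then
  generate_cert
  key_matches_cert "$SSL_DIR/$NAME.key" "$SSL_DIR/$NAME.crt" && echo "key and certificate match"
  is_self_signed "$SSL_DIR/$NAME.crt" && echo "certificate is self-signed"
  show_cert "$SSL_DIR/$NAME.crt"
fi
```

Passing -subj is what removes the interactive prompts; the key/certificate comparison catches the common mistake of pairing a freshly generated certificate with an older key in ssl.conf.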


Edit SSL Configuration

After the certificate and private key files are generated, the next step is to edit the SSL configuration file of the web server:

ls /etc/httpd/conf.d/ssl.conf

vi /etc/httpd/conf.d/ssl.conf

Set DocumentRoot

Find and set the DocumentRoot directive to the “/var/www/html” folder, which is also the default.

Set ServerName

Find and set the ServerName directive to “<DomainName>:443”, typically the web server’s FQDN followed by the bind port, which defaults to 443.


Set SSLCertificateFile

Find and set the SSLCertificateFile directive to “/etc/httpd/ssl/vcptest-apache.crt”.


Set SSLCertificateKeyFile

Find and set the SSLCertificateKeyFile directive to “/etc/httpd/ssl/vcptest-apache.key”.


Validate SSL Configuration

After making the necessary changes to the SSL configuration file, validate them by running the commands:

grep ^DocumentRoot /etc/httpd/conf.d/ssl.conf

grep ^ServerName /etc/httpd/conf.d/ssl.conf

grep ^SSLCertificateFile /etc/httpd/conf.d/ssl.conf

grep ^SSLCertificateKeyFile /etc/httpd/conf.d/ssl.conf
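The grep checks above only show whether the lines are present. As an added example (not from the original post), the shell functions below read those directives out of ssl.conf, check that the certificate and key files they point to exist, that the key is not readable by other users, and that ServerName carries the :443 port. write_sample_conf creates a constructed ssl.conf fragment and placeholder files in a scratch directory so the check can be tried without touching the real server; all function names are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's code: validate the SSL directives in
# an httpd ssl.conf beyond "is the line present".
set -eu

# Print the value of the first uncommented occurrence of a directive
# (leading whitespace allowed, surrounding quotes stripped).
get_directive() {
  conf="$1"; name="$2"
  sed -n "s/^[[:space:]]*$name[[:space:]]\{1,\}//p" "$conf" | head -n 1 | tr -d '"'
}

# Check the directives the guide edits. Returns 0 only if all are set, both
# files exist, the key is private to its owner and ServerName ends in :443.
check_ssl_conf() {
  conf="$1"; rc=0
  for d in DocumentRoot ServerName SSLCertificateFile SSLCertificateKeyFile; do
    v=$(get_directive "$conf" "$d")
    if [ -z "$v" ]; then
      echo "MISSING: $d is not set in $conf"; rc=1
    else
      echo "$d = $v"
    fi
  done
  crt=$(get_directive "$conf" SSLCertificateFile)
  key=$(get_directive "$conf" SSLCertificateKeyFile)
  [ -f "$crt" ] || { echo "MISSING FILE: $crt"; rc=1; }
  if [ -f "$key" ]; then
    # columns 8-10 of "ls -l" are the permission bits for "other" users
    [ "$(ls -l "$key" | cut -c8-10)" = "---" ] || { echo "WEAK PERMISSIONS: $key is readable by others"; rc=1; }
  else
    echo "MISSING FILE: $key"; rc=1
  fi
  case "$(get_directive "$conf" ServerName)" in
    *:443) ;;
    *) echo "WARNING: ServerName does not end in :443"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample (not a real server file): an ssl.conf fragment in the
# guide's shape plus empty placeholder certificate and key files.
write_sample_conf() {
  dir="$1"
  : > "$dir/vcptest-apache.crt"
  : > "$dir/vcptest-apache.key"
  chmod 600 "$dir/vcptest-apache.key"
  cat > "$dir/ssl.conf" <<EOF
Listen 443 https
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName vcptest.effonetech.com:443
SSLEngine on
SSLCertificateFile $dir/vcptest-apache.crt
SSLCertificateKeyFile $dir/vcptest-apache.key
</VirtualHost>
EOF
  echo "$dir/ssl.conf"
}

# Usage: pass the real file, or "sample" to check the constructed one.
if [ "${1:-}" = sample ]; then
  check_ssl_conf "$(write_sample_conf "$(mktemp -d)")"
elif [ -n "${1:-}" ]; then
  check_ssl_conf "$1"
fi
```

The permission check matters because the stock directives are commented out with a leading #, so a grep that merely finds text can be satisfied by a line httpd ignores, while a world-readable key passes every grep and still exposes the server's identity to any local user.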


Configure Firewall

Once the configuration of the httpd service is complete, the next step is to configure the firewall: open the https service port and reload the firewall rules.

After configuring the firewall, listing the firewall services should show “https”, as the last command below does.

firewall-cmd --permanent --zone=public --add-service=https

firewall-cmd --reload

firewall-cmd --list-services


Start Service – HTTPD

After configuring and reloading the firewall, the next step is to restart the service. To restart it, run the command below; other httpd service management commands are listed in the table that follows.

systemctl restart httpd

or, equivalently:

systemctl stop httpd; systemctl start httpd

HTTPD Service Management

Service control task      Purpose
systemctl status httpd    Display the current status of the httpd service
systemctl start httpd     Start the httpd service
systemctl stop httpd      Stop the httpd service
systemctl disable httpd   Disable the httpd service in the multi-user target
systemctl enable httpd    Enable the httpd service in the multi-user target
systemctl restart httpd   Restart the httpd service

Launch SSL Website

After reloading the firewall and restarting the service, and once the service status is shown as “Running”, open the web server over https in a browser.



General Troubleshooting

Configuration Test

The first and foremost troubleshooting method for the httpd web server is to check the configuration file, which can be done with the “apachectl -t” command.

Testing httpd Configuration – Syntax

To validate configuration for syntax errors run the command;

apachectl -t

Testing httpd Configuration – Debug Mode

To validate the configuration for syntax errors with additional diagnostic output, run the command below, choosing the debug log level from the table that follows.

apachectl -t -e <Debug Log Level>

For example, to test the Apache configuration with the “info” level, pass info as the debug log level.

Debug log level   Purpose
debug             Run the test in debug mode and show all messages related to the httpd service
warn              Run the test and show only warning messages related to the httpd service
crit              Run the test and show critical messages related to the httpd service
error             Run the test and show error messages related to the httpd service
info              Run the test and show informative messages related to the httpd service

Verify Logs

The second troubleshooting method is to check the different log files, which are located in the folder “/var/log/httpd/”.

Log file name      Purpose
access_log         All access logs are stored in this file
error_log          All error logs are stored in this file
ssl_access_log     All SSL access logs are stored in this file
ssl_error_log      All SSL access related error logs are stored in this file
ssl_request_log    A log entry for each SSL request is stored in this file
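To make the log table concrete, the following added example (not from the original post) summarises ssl_request_log by TLS protocol version and cipher suite and counts connections that negotiated a legacy protocol. It relies on the log format shipped in the stock CentOS 7 ssl.conf, "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b", which is assumed to be unchanged on the server; the sample log lines are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's code: a quick reading of
# /var/log/httpd/ssl_request_log. Field layout assumed from the stock
# CentOS 7 ssl.conf: %t (two fields) %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
set -eu

# Constructed sample log lines in that format (not from a real server).
write_sample_log() {
  cat > "$1" <<'EOF'
[04/Jul/2016:10:15:22 +0530] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 4833
[04/Jul/2016:10:15:23 +0530] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /favicon.ico HTTP/1.1" 209
[04/Jul/2016:10:16:01 +0530] 198.51.100.7 TLSv1 AES128-SHA "GET / HTTP/1.1" 4833
[04/Jul/2016:10:17:45 +0530] 203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /login HTTP/1.1" 512
[04/Jul/2016:10:18:03 +0530] 198.51.100.9 SSLv3 DES-CBC3-SHA "GET / HTTP/1.1" 4833
EOF
  echo "$1"
}

# Requests per protocol version, e.g. "TLSv1.2 3".
protocol_summary() {
  awk '{ n[$4]++ } END { for (p in n) print p, n[p] }' "$1" | sort
}

# Requests per cipher suite, most used first.
cipher_summary() {
  awk '{ n[$5]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Number of requests that negotiated something older than TLS 1.2. A non-zero
# count means the SSLProtocol setting still admits protocols that should be
# retired, or that old clients are still connecting.
legacy_protocol_count() {
  awk '$4 != "TLSv1.2" && $4 != "TLSv1.3" { n++ } END { print n + 0 }' "$1"
}

# Client addresses that used a legacy protocol, for follow-up.
legacy_clients() {
  awk '$4 != "TLSv1.2" && $4 != "TLSv1.3" { print $3, $4 }' "$1" | sort -u
}

# Usage: pass /var/log/httpd/ssl_request_log, or "sample" for the built-in data.
if [ "${1:-}" = sample ]; then
  log=$(write_sample_log "$(mktemp)")
  protocol_summary "$log"; echo "legacy: $(legacy_protocol_count "$log")"; legacy_clients "$log"
elif [ -n "${1:-}" ]; then
  protocol_summary "$1"; echo "legacy: $(legacy_protocol_count "$1")"; legacy_clients "$1"
fi
```

On the constructed data the protocol summary reports three TLSv1.2 requests and two legacy ones (one TLSv1, one SSLv3), which is the kind of signal that tells you whether tightening SSLProtocol in ssl.conf would break any current clients.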


SlideShare Information

The step-by-step guide has been uploaded to SlideShare.

