Monday, 2 May 2016

Install mod_SSL for Apache HTTP Server on CentOS 7


Apache HTTP Server listens on port 80/tcp by default and serves web pages to clients’ browsers in plain text using the Hypertext Transfer Protocol (HTTP). However, for private pages or data entry forms, plain-text communication is highly prone to sniffing attacks.

HTTPS is the secured version of the HTTP protocol. Apache HTTP Server serves HTTPS on default port 443/tcp. In HTTPS, data is transported in encrypted form using a public/private key pair. Therefore, if a sniffer captures your data, he cannot decrypt it.

Obviously, encryption and decryption add a little overhead, but it is acceptable because of the security it offers.

In this article, we install an SSL certificate on Apache HTTP Server using mod_ssl on CentOS 7. The complete step-by-step configuration to install an SSL certificate on Apache HTTP Server is provided in this article.

 


    Environment Specification:

    We have configured a CentOS 7 virtual machine with the following specification.

    • Hostname – lampserver.test.local
    • IP Address – 192.168.116.67/24
    • Operating System – CentOS 7.3
    • Apache HTTP Server – Apache 2.4.6

    We have already installed Apache HTTP Server and configured a test website running on the default port 80/tcp of our Apache HTTP Server. Our objective is to migrate the same website to HTTPS port 443/tcp, without affecting the existing HTTP website.

    Apache Default Homepage

     

    Generating an SSL Certificate for Apache Website:

    Every website that runs over HTTPS must have an SSL (Secure Sockets Layer) certificate, which the client browser uses to validate the authenticity of the website. This SSL certificate should be digitally signed by a trusted CA (Certificate Authority). Otherwise, if you are using an unsigned or self-signed certificate, the client browser will display a warning such as “the security certificate is not verified and you must not proceed to this website”.

    Whether the SSL certificate is signed or not, in both cases the communication is performed in encrypted form. The difference is authentication: with a self-signed certificate the browser cannot confirm that it is talking to the real server, which is what the warning reports. So, in simple words, if you want to remove the warning message from your clients’ browsers, then have your SSL certificate digitally signed by a Certificate Authority, or otherwise train your users to ignore the security warning and add the website to their browser’s exception list.

    We use the Linux utility openssl to generate a self-signed SSL certificate along with a private key.

    [root@lampserver ~]# mkdir /etc/httpd/ssl
    [root@lampserver ~]# openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/httpd/ssl/lampserver.crt -keyout /etc/httpd/ssl/lampserver.key
    Generating a 2048 bit RSA private key
    ..............................+++
    ...............+++
    writing new private key to '/etc/httpd/ssl/lampserver.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:PK
    State or Province Name (full name) []:Sindh
    Locality Name (eg, city) [Default City]:Karachi
    Organization Name (eg, company) [Default Company Ltd]:None
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:lampserver.test.local
    Email Address []:root@lampserver.test.local
    [root@lampserver ~]# ls /etc/httpd/ssl/
    lampserver.key  lampserver.crt
    [root@lampserver ~]#

    Here, the Common Name (CN) is very important, because it is the host/domain name used by users to access the website. If the Common Name is different from that host/domain name, users will receive certificate errors.

     

    Installing SSL Certificate on Apache in CentOS 7:

    To install an SSL certificate on Apache HTTP Server, we have to install the mod_ssl package. The mod_ssl module adds SSL functionality to Apache HTTP Server.

    Install the mod_ssl package using the yum command.

    [root@lampserver ~]# yum install mod_ssl
    Loaded plugins: fastestmirror
    base                                                                                                                                             | 3.6 kB  00:00:00
    extras                                                                                                                                           | 3.4 kB  00:00:00
    updates                                                                                                                                          | 3.4 kB  00:00:00
    Loading mirror speeds from cached hostfile
    * base: mirrors.nayatel.com
    * extras: mirrors.nayatel.com
    * updates: mirrors.nayatel.com
    Resolving Dependencies
    --> Running transaction check
    ---> Package mod_ssl.x86_64 1:2.4.6-40.el7.centos will be installed
    --> Finished Dependency Resolution
    Dependencies Resolved
    ========================================================================================================================================================================
    Package                              Arch                                Version                                               Repository                         Size
    ========================================================================================================================================================================
    Installing:
    mod_ssl                              x86_64                              1:2.4.6-40.el7.centos                                 base                              103 k
    Transaction Summary
    ========================================================================================================================================================================
    Install  1 Package
    Total download size: 103 k
    Installed size: 224 k
    Is this ok [y/d/N]: y
    Downloading packages:
    mod_ssl-2.4.6-40.el7.centos.x86_64.rpm                                                                                                           | 103 kB  00:00:09
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : 1:mod_ssl-2.4.6-40.el7.centos.x86_64                                                                                                                 1/1
      Verifying  : 1:mod_ssl-2.4.6-40.el7.centos.x86_64                                                                                                                 1/1
    Installed:
      mod_ssl.x86_64 1:2.4.6-40.el7.centos
    Complete!
    [root@lampserver ~]#

    mod_ssl installs an SSL configuration file in the Apache configuration directory.

    Edit /etc/httpd/conf.d/ssl.conf and add the following directives to it to install the SSL certificate.

    SSLCertificateFile /etc/httpd/ssl/lampserver.crt
    SSLCertificateKeyFile /etc/httpd/ssl/lampserver.key

    If you had your SSL certificate digitally signed by a CA, then you have to add the CA certificate file as well.

    SSLCACertificateFile /etc/httpd/ssl/ca-bundle.crt
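
Before restarting Apache, it is worth checking the files that ssl.conf names: that the private key is not readable by group or others, that certificate and key belong together, and that the certificate is valid for the host name users will type (the Common Name point made above). The script below is an added example, not part of the original article; its function names are hypothetical, and it assumes an unencrypted key (as produced by -nodes above), GNU stat, and OpenSSL 1.0.2 or later for -checkhost.

```bash
#!/usr/bin/env bash
# Added example, not from the article: audit the cert/key pair named in ssl.conf.
# Function names are hypothetical; only the last occurrence of a directive is checked.

# Print the value(s) of an active (uncommented) directive; names are case-insensitive.
active_directive() {            # usage: active_directive <conf> <Directive>
    awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2 }' "$1"
}

# Succeed only if the file has no group/other permission bits (600, 400, ...).
key_perms_ok() {                # usage: key_perms_ok <keyfile>
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeed only if certificate and private key carry the same public key.
cert_matches_key() {            # usage: cert_matches_key <crt> <key>
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the certificate is valid for the host name clients will use.
cert_names_host() {             # usage: cert_names_host <crt> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

audit_ssl_conf() {              # usage: audit_ssl_conf <ssl.conf> <hostname>
    local conf=$1 host=$2 crt key rc=0
    crt=$(active_directive "$conf" SSLCertificateFile | tail -n 1)
    key=$(active_directive "$conf" SSLCertificateKeyFile | tail -n 1)
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "FAIL: certificate or key directive missing in $conf"; return 1
    fi
    key_perms_ok "$key"            || { echo "FAIL: $key readable by group/others or missing"; rc=1; }
    cert_matches_key "$crt" "$key" || { echo "FAIL: $crt and $key are not a pair"; rc=1; }
    cert_names_host "$crt" "$host" || { echo "FAIL: $crt is not valid for $host"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $crt / $key usable for $host"; fi
    return "$rc"
}

# Run as: bash audit_ssl.sh /etc/httpd/conf.d/ssl.conf lampserver.test.local
if [ "$#" -eq 2 ]; then audit_ssl_conf "$1" "$2"; fi
```

A key that fails the permission check can be tightened with chmod 600 before httpd is restarted.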

    Restart httpd.service to apply the changes.

    [root@lampserver ssl]# systemctl restart httpd.service

    Open the website in a client’s browser.

    Website Security Warning

    The client’s browser displays a security warning because our website is using a self-signed SSL certificate.

    Add a security exception in the client's browser.

    Add security exception in Browser

    Click on Confirm Security Exception.

    Apache Default Homepage

    Now our Apache website is running over HTTPS and you can see the Green Lock icon on the Address Bar.

    We have successfully installed an SSL certificate on Apache using mod_ssl on a CentOS 7 server.
