-
Notifications
You must be signed in to change notification settings - Fork 10
Setting up a secure SSL HTTPS website using Apache on CentOS
For this tutorial, I will be using a fictitious site called “example.com”.
Navigate to your registrar; for this example, I will be using https://www.godaddy.com/.
- Sign in
-
If you are a “delegate” click on
Account Settings
>Delegate Access
(e.g. your user is allowed to access your company’s products)
-
If you are a “delegate” click on
- Visit the products page (this is the default landing page once logged in)
- Click
Manage All
button or theShow More
link and find the domain you want to manage - On the domain you want to setup, click the
Manage
button - If existing record, click the pencil icon to edit, otherwise click
ADD
- For an “A” record (i.e. no a sub domain), set the “Host” to
@
and the “Points to” to the IP of the server your site is hosted on. Leave TTL at default, or set to “Custom” and a value of 600 seconds (10 minutes) - Click
Save
At this point, if you want to setup your HTTP site (not HTTPS), jump to Apache web server setup below.
Switch to the root user (if not already):
$ sudo su
Navigate to here:
$ cd /var/www
If not already created, make these directories (skip this step if renewing a cert, see below):
# This is where we’ll put all of the SSL-related files:
$ mkdir ssls
$ cd ssls
$ mkdir example.com
$ cd example.com
Note: The location to store the SSL-related files is optional; feel free to do what you want.
If you are renewing your cert …
Open your site’s .conf
file and find these lines:
SSLCertificateKeyFile /var/www/ssls/star.example.com/STAR_example.com.key
SSLCertificateFile /var/www/ssls/star.example.com/STAR_example_com.crt
SSLCertificateChainFile /var/www/ssls/star.example.com/STAR_example.com.ca-bundle
Next, generate a new CSR (if openssl
does not work, try using the full path, /usr/bin/openssl
):
$ openssl req -new -key /var/www/ssls/star.example.com/STAR_example_com.key -out STAR_example_com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:OREGON
Locality Name (eg, city) [Default City]:SPRINGFIELD
Organization Name (eg, company) [Default Company Ltd]:COMPANY NAME, INC.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.EXAMPLE.COM
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: For “Common Name”, the *.
will work for sub domains; the drawback is, this is more expensive in terms of buying the SSL certificate. In other words, if you don’t need sub domains, then save yourself some money and just use EXAMPLE.COM
(no wildcard).
Note: Filling out the above in all-caps is optional.
First-time setup …
This is the same as above, but you need to generate the key and the Certificate Signing Request (CSR) at the same time:
$ openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr
Generating a 2048 bit RSA private key
......................................................................................................................+++
.................................+++
writing new private key to 'example_com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:OREGON
Locality Name (eg, city) [Default City]:SPRINGFIELD
Organization Name (eg, company) [Default Company Ltd]:COMPANY NAME, INC.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:EXAMPLE.COM
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: For example’s sake, the above “Common Name” does not use a wildcard.
I recommend ssls.com (no affiliation). They are nice and cheap.
I usually pick the EssenetialsSSL option.
During the checkout process, you will be asked to upload your CSR file.
You will need to verify your identity via your choice of options:
- E-mail verification (they will then email you and ask you to verify by clicking on a link)
- Verification file (they will send you a
txt
file that you upload to the public directory of your website)
Once the checkout process is complete, you will receive a verification email.
If you chose to verify via e-mail, click the link they send in the verification e-mail.
If you chose to verify your identity with a verification txt
file, navigate to your site’s public root and create a .well-known/pki-validation
directory. Move the validation txt
file into this directory.
After a while (30 mins or up to 12-24 hours) you will get an email letting you know that your site has been validated and they will provide a zip file containing the needed cert files.
At this point, you can delete the .well-known
directory.
Once you get the zip file from ssls.com, move them to your web server and put the files in /var/www/example.com/
. This directory should now contain these files:
example_com.ca-bundle
example_com.crt
example_com.csr
example_com.key
You can go to your site in your browser of choice, click on the lock icon (Chrome browser) and then click on the certificate. A new window will appear that gives you all the details of your certificate, including dates.
First, ssh
into your host.
Once logged in, check to see if you Apache httpd/conf
file is setup to load additional config files from httpd/conf.d
(this should be the default setting):
# CentOS linux flavor:
$ cd /etc/httpd
$ cat conf/httpd.conf
# ...
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf
# ...
If there is a #
in front of Include ...
, remove it and save and restart Apache sudo systemctl restart httpd
Now you can create a conf file for your site in the /etc/httpd/conf.d
directory:
$ cd /etc/httpd/conf.d
# Switch to root user so you don’t have to sudo every command:
$ sudo su
# Create the config file for your domain:
$ touch example.com.conf
# Open the file to edit (`yum install nano` if needed, or use editor of choice):
$ nano example.com.conf
Edit the following to match your needs (for HTTP, comment-in the first block of code and comment-out the second block):
#
# HTTP configuration
# Comment-out when SSL is setup and ready ready.
#
# <VirtualHost *:80>
# ServerAdmin [email protected]
# DocumentRoot /var/www/example.com
# ServerName example.com
# ServerAlias www.example.com
# ErrorLog /var/log/httpd/example.com-error.log
# CustomLog /var/log/httpd/example.com-access.log combined
# <Directory /var/www/example.com>
# IndexOptions +FancyIndexing NameWidth=*
# Options -Indexes +Includes +FollowSymLinks +MultiViews
# AllowOverride All
# Order allow,deny
# Allow from all
# Require all granted
# </Directory>
# </VirtualHost>
#
# HTTPS configuration
# Comment-in when SSL is setup and ready.
#
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/example.com
ServerName example.com
ServerAlias www.example.com
ErrorLog /var/log/httpd/example.com-error.log
CustomLog /var/log/httpd/example.com-access.log combined
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://example.com/$1 [R=301,L]
<Directory /var/www/example.com>
IndexOptions +FancyIndexing NameWidth=*
Options -Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot /var/www/example.com
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/example.com>
IndexOptions +FancyIndexing NameWidth=*
Options -Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
</Directory>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1$1 [R=301,L]
SSLEngine on
SSLCertificateKeyFile /var/www/ssls/example.com/example_com.key
SSLCertificateFile /var/www/ssls/example.com/example_com.crt
SSLCertificateChainFile /var/www/ssls/example.com/example_com.ca-bundle
SSLProtocol -ALL +TLSv1.2
SSLHonorCipherOrder Off
SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</VirtualHost>
Save and exit using CTRL + O
and CTRL + X
.
Check your configuration files to make sure nothing is broken:
$ apachectl configtest
Note: If you have multiple sites on your server, you may need to replace the *
value of VirtualHost
for an actual IP address.
$ apachectl graceful
If that does not work, use:
$ systemctl restart httpd
Navigate to your site; note that it may take up to one day for the DNS change to propagate and resolve to your site.