Install and setup SSL certificate on CentOS running Apache
- SSL certificate issued by Let's Encrypt
1. Log in to your server and become root
$ ssh root@servername
2. Install Apache and SSL support packages (httpd and mod_ssl)
# yum install httpd mod_ssl
3. Start your web server
# systemctl start httpd
# systemctl status httpd
# systemctl enable httpd
# systemctl is-active httpd
4. Set up a default page
a. Find your document root.
# grep -ir DocumentRoot /etc/httpd
# echo " Welcome to test page" >/var/www/html/index.html
5. Try to access the page using the IP address
- The browser didn't show the page.
6. Now, check whether the firewall is enabled.
# systemctl status firewalld
7. Add the service or port to the firewall (enable port 80 -> http or 443 -> https). I will use the service names.
# firewall-cmd --get-default-zone
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
8. Reload the firewall service
# firewall-cmd --reload
9. Go back to the browser and test the connection.
- This time, you are able to access the site.
- But note that the browser says your site is not secure.
Now, try with https:
https://192.168.10.20
It alerts that the connection is not private.
That is because the server is using a self-signed certificate.
To view the certificate (in Chrome):
- Go to Settings
- More tools
- Developer tools
- Go to the Security tab
- Click on View certificate
- Click on Details to see more info
This certificate came from the mod_ssl package.
Let's dig a little more into the mod_ssl package to see how it created the certificate:
# rpm -q --scripts mod_ssl | less
Review the script line by line to understand what it in fact does.
An alternate way to check your web page:
# curl http://192.168.10.20
# curl https://192.168.10.20
It says the certificate is invalid.
The output tells you how to ignore the error: use the -k option.
# curl -k !$ # !$ expands to the last argument of the previous command, here the URL
or
# curl -k https://192.168.10.20
We have to generate the certificate using the certbot application.
How do we do that?
We install the package, but first install the EPEL repository.
EPEL repo (Extra Packages for Enterprise Linux)
- It provides third-party packages for distributions like CentOS.
# yum install epel-release -y
# yum search certbot
# yum install certbot -y
# yum info certbot # get more info about package
Let's search for the Apache plugin for certbot.
# yum search certbot
# yum search certbot | grep apache
python3-certbot-apache.noarch : The apache plugin for certbot
We found the python3-certbot-apache.noarch plugin, let's install it
# yum install python3-certbot-apache -y
If you like, you can search for the nginx plugin as well.
You can now generate the certificate using the certbot command. You can supply the values on the command line or
just type certbot at the prompt and press enter.
# certbot --apache -d master.expanor.local
-d = domain
Note: Your domain needs to be a valid one such as .com, .net, .org
Just answer the questions.
It asks for an email address, to agree to the terms (A), whether to join the mailing list (y or n), and for a number to select the domain.
Press 1 and enter. Press 1 again for Easy, which allows both http and https.
To see all the files created by certbot, run the find command
# find /etc/letsencrypt/live
You will find all the files here.
If you are hosting multiple domains, each domain will have its own directory with these files.
# curl https://master.expanor.local
To harden the TLS settings, update the ssl.conf file.
# vi /etc/httpd/conf.d/ssl.conf # installed by the mod_ssl package
Search for SSLProtocol
/SSLPro
Comment out the old line and add the new one:
# Insecure:
# SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
Also change the cipher suite.
Add
# Insecure:
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Save and exit
:wq!
Once you have made changes to your config file, check the syntax again to make sure there is no error.
# apachectl configtest
Syntax OK.
Now, restart the service again.
# systemctl restart httpd
Verify that the web site is working fine.
# curl https://192.168.10.20
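A quick way to confirm the two edits above actually took effect is to audit the file itself rather than eyeball it. This is an added example, not part of the original post: a POSIX shell script that reads an ssl.conf (a constructed sample here; on the server the path is /etc/httpd/conf.d/ssl.conf), ignores commented-out lines and flags an SSLProtocol that still allows SSLv2 or SSLv3, or an SSLCipherSuite that positively selects a weak family. The weak-family pattern list is my own choice, not an httpd or OpenSSL definition.

```shell
# Added example (not from the original post): static audit of an Apache
# ssl.conf for the two directives hardened above. Commented-out lines are
# ignored and, as in httpd, the last uncommented directive wins.
effective_directive() {   # $1 = directive name, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | tail -n 1
}

# 0 if the SSLProtocol value ($1) leaves neither SSLv2 nor SSLv3 enabled.
protocol_is_hardened() {
    sslv2=0; sslv3=0
    for tok in $1; do
        case "$tok" in
            all|+all)     sslv2=1; sslv3=1 ;;
            -all)         sslv2=0; sslv3=0 ;;
            SSLv2|+SSLv2) sslv2=1 ;;
            -SSLv2)       sslv2=0 ;;
            SSLv3|+SSLv3) sslv3=1 ;;
            -SSLv3)       sslv3=0 ;;
        esac
    done
    [ "$sslv2" -eq 0 ] && [ "$sslv3" -eq 0 ]
}

# 0 if the SSLCipherSuite value ($1) does not positively select a weak
# family; tokens starting with ! or - are exclusions and are allowed.
cipher_is_hardened() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^[!-]' |
        grep -qE 'LOW|EXPORT|MEDIUM|RC4|DES|NULL|MD5' && return 1
    return 0
}

# Audit one file: one verdict per directive, returns 0 only if both pass.
audit_ssl_conf() {   # $1 = path to ssl.conf
    proto=$(effective_directive SSLProtocol "$1")
    ciph=$(effective_directive SSLCipherSuite "$1")
    rc=0
    if [ -n "$proto" ] && protocol_is_hardened "$proto"; then echo "OK   SSLProtocol $proto"
    else echo "WEAK SSLProtocol ${proto:-(unset)}"; rc=1; fi
    if [ -n "$ciph" ] && cipher_is_hardened "$ciph"; then echo "OK   SSLCipherSuite $ciph"
    else echo "WEAK SSLCipherSuite ${ciph:-(unset)}"; rc=1; fi
    return $rc
}

# Constructed sample files holding the before/after directives from the post.
tmp=$(mktemp -d)
printf 'SSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA\n' > "$tmp/before.conf"
printf '# SSLProtocol all -SSLv2\nSSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\n' > "$tmp/after.conf"
audit_ssl_conf "$tmp/before.conf" || echo "before.conf: fix the WEAK lines above"
audit_ssl_conf "$tmp/after.conf"
rm -rf "$tmp"
```

Run it against the real file with audit_ssl_conf /etc/httpd/conf.d/ssl.conf after apachectl configtest passes; a non-zero exit means one of the two directives still needs attention.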
If you don't specify the expiration day on your certificate at the time of creation, it will expire in 3 months or 1 year.
To renew:
# certbot renew
It will tell you whether it is time to renew or not.
This is a manual process. There are other ways to renew it.
You can add it as a cron job.
# crontab -e
# Renew cert (cron runs this with /bin/sh, so redirect stderr with 2>&1 rather than the bash-only &>)
0 0 * * * /usr/bin/certbot renew > /var/log/certbot-cron.log 2>&1
# crontab -l
Another way to do it is through systemd:
# systemctl start certbot-renew.service
# systemctl status certbot-renew.service
Now start and enable the timer:
# systemctl start certbot-renew.timer
# systemctl enable certbot-renew.timer
# systemctl list-timers
You will see two timers are enabled and the time at which each timer will run.
These are two ways to renew the cert, but you can disable the cron job for now:
# crontab -e # put a # at the beginning of the certbot line to comment it out
So far,
- We installed and configured an SSL certificate issued by Let's Encrypt on CentOS running Apache.
- Installed the software packages httpd and mod_ssl
- Added firewall rules to allow traffic for http and https
- Installed the EPEL repository to install extra software packages.
- Installed the certbot application and the certbot Apache plugin.
- Created and installed the SSL certificate using the certbot tool
- Finally, automated the renewal process of the certificate.
Troubleshooting
[root@master ~]# firewall-cmd --add-service=https --permanent
success
[root@master ~]# firewall-cmd --reload
success
[root@master ~]# curl https://192.168.56.5
curl: (7) Failed to connect to 192.168.56.5 port 443: Connection refused
[root@master ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: cockpit dhcpv6-client http https ssh
ports: 6789/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@master ~]# apachectl -S
AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
[root@master ~]# ls -l /etc/pki/tls/certs/localhost.crt
ls: cannot access '/etc/pki/tls/certs/localhost.crt': No such file or directory
[root@master ~]# cd /etc/pki/tls/certs/
[root@master certs]# ls
ca-bundle.crt ca-bundle.trust.crt
[root@master certs]# ls -ltr
total 0
lrwxrwxrwx. 1 root root 55 Dec 11 2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
lrwxrwxrwx. 1 root root 49 Dec 11 2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@master certs]#
Note: curl: (7) Failed to connect
is related to the host entry. Check the /etc/hosts file mapping.
[root@master certs]# apachectl -t
AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
The mod_ssl package should create a self-signed key and certificate for localhost upon installation, but
it didn't, so we will create them using the openssl command.
# ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.key
ls: cannot access '/etc/pki/tls/certs/localhost.crt': No such file or directory
ls: cannot access '/etc/pki/tls/certs/localhost.key': No such file or directory
# openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
-out /etc/pki/tls/certs/localhost.crt \
-keyout /etc/pki/tls/private/localhost.key
Duration: 10 years (3650 days). -nodes leaves the private key unencrypted so httpd can read it without a passphrase.
It will prompt you with some questions; just supply the answers. The key/cert pair is generated.
[root@master certs]# ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.key
ls: cannot access '/etc/pki/tls/certs/localhost.key': No such file or directory
-rw-r--r--. 1 root root 2021 Feb 1 12:15 /etc/pki/tls/certs/localhost.crt
[root@master certs]# ls -l /etc/pki/tls/private/localhost.key
-rw-------. 1 root root 3272 Feb 1 12:14 /etc/pki/tls/private/localhost.key
[root@master certs]# cp /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.key
[root@master certs]#
# ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.key
-rw-r--r--. 1 root root 2021 Feb 1 12:15 /etc/pki/tls/certs/localhost.crt
-rw-r--r--. 1 root root 3272 Feb 1 12:16 /etc/pki/tls/certs/localhost.key
# apachectl -t
Syntax OK
[root@master certs]# apachectl -S
Still getting an error.
# curl http://192.168.56.5
# echo $?
0
# curl https://192.168.56.5
curl: (7) Failed to connect to 192.168.56.5 port 443: Connection refused
# echo $?
7
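Before editing the config again, it pays to check the key/cert pair itself, since two things in the session above are easy to miss: the key was copied into /etc/pki/tls/certs/ and ended up world-readable (-rw-r--r--), and a copied key only helps if it really belongs to the certificate. This added example (not from the original post) is a POSIX shell script with three hypothetical checks, key_perms_ok, cert_matches_key and tls_preflight; it assumes openssl is installed, builds a throwaway constructed pair in a temp directory with the same openssl command as above, and shows the finding you get with the 0644 key.

```shell
# Added example, not from the original post: pre-flight checks for the
# self-signed pair created in the troubleshooting session. Files must exist,
# the private key must not be group/other-readable (the copy into
# certs/localhost.key above was left 0644), and the key must match the cert.

# 0 if the key file exists and is readable only by its owner.
key_perms_ok() {   # $1 = private key path
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    bits=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$bits" = "------" ] && return 0
    echo "WEAK $1 is readable by group/other ($bits); run: chmod 600 $1"
    return 1
}

# 0 if the certificate's public key equals the one derived from the key.
cert_matches_key() {   # $1 = cert, $2 = key (openssl is on the CentOS host)
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks; prints findings, returns 0 only if everything passes.
tls_preflight() {   # $1 = cert, $2 = key
    rc=0
    [ -s "$1" ] || { echo "MISSING or empty $1"; rc=1; }
    key_perms_ok "$2" || rc=1
    if [ "$rc" -eq 0 ]; then
        if cert_matches_key "$1" "$2"; then echo "OK $1 matches $2"
        else echo "MISMATCH $1 does not belong to $2"; rc=1; fi
    fi
    return $rc
}

# Constructed demo pair (throwaway, 1-day validity) made with the same
# openssl command as the post; first shown with the copied key's 0644 mode.
tmp=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    openssl req -newkey rsa:2048 -x509 -sha256 -days 1 -nodes -subj /CN=localhost \
        -out "$tmp/localhost.crt" -keyout "$tmp/localhost.key" 2>/dev/null
    chmod 644 "$tmp/localhost.key"
    tls_preflight "$tmp/localhost.crt" "$tmp/localhost.key" || echo "FAIL: fix the findings above"
    chmod 600 "$tmp/localhost.key"
    tls_preflight "$tmp/localhost.crt" "$tmp/localhost.key"
fi
rm -rf "$tmp"
```

On the server, run tls_preflight /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key (the paths ssl.conf points at) before apachectl -t; a passing pair plus Syntax OK narrows a "Connection refused" on 443 down to httpd not having been restarted or not listening.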
Monday, February 1, 2021