Monday, February 1, 2021

SSL - Install and setup SSL certificate on Centos Running apache

Install and setup SSL certificate on CentOS running Apache
- SSL certificate issued by Let's Encrypt

1. Login to your server and become root
$ ssh root@servername

2. Install apache and ssl support packages (apache and mod_ssl)
# yum install httpd mod_ssl

3. Start your web server
# systemctl start httpd
# systemctl status httpd
# systemctl enable httpd
# systemctl is-active httpd

4. Set up a default page
a. Find your doc root.
# grep -ir DocumentRoot /etc/httpd
# echo " Welcome to test page" >/var/www/html/index.html

5. Try to access the page from a browser using the server's IP address.
- The browser didn't show the page.

6. Now, check whether the firewall is enabled.
# systemctl status firewalld

7. Add the service or port to the firewall (enable port 80 for http or 443 for https). I will use the service names.
# firewall-cmd --get-default-zone
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https

8. Reload the firewall service
# firewall-cmd --reload

9. Go back to the browser and test the connection.
- This time, you are able to access the site.
- But note that the browser says your site is not secure.

Now, try with https
https://192.168.10.20
It alerts that the connection is not private.
That is because the server is using a self-signed certificate.

To view the certificate (in Chrome)
- Go to settings
- More tools
- Developer tools
- Go to the Security tab
- Click on View certificate
- Click on Details to see more info

This certificate came from mod_ssl package.

Let's dig a little more into the mod_ssl package to see how it created the certificate.
# rpm -q --scripts mod_ssl | less

Review the script line by line to understand what it in fact does.

Alternate way to check your web page
# curl http://192.168.10.20
# curl https://192.168.10.20

It says the certificate is invalid.
curl also tells you how to ignore the error: use the -k option.
# curl -k !$    # !$ expands to the last argument of the previous command
or
# curl -k https://192.168.10.20


We have to generate the certificate using the certbot application.
How do we do that?
We install the package, but first we install the EPEL repository package.

EPEL repo (Extra Packages for Enterprise Linux)
- It provides third-party packages for Enterprise Linux distributions like CentOS.

# yum install epel-release -y
# yum search certbot
# yum install certbot -y
# yum info certbot    # get more info about package

Let's search for the apache plug-in for certbot.

# yum search certbot
# yum search certbot | grep apache
python3-certbot-apache.noarch : The apache plugin for certbot
We found the python3-certbot-apache.noarch plugin, let's install it
# yum install python3-certbot-apache -y

If you like, you can search for the nginx plug-in as well.

You can now generate the certificate using the certbot command. You can supply the values on the command line, or
just type certbot at the prompt and press enter.
# certbot --apache -d master.expanor.local
-d = domain

Note: Your domain needs to be a valid one such as .com, .net, .org

Just answer the questions.
It asks for an email address; agree to the terms with A; join the mailing list with y or n; press 1 for the selection.
Press 1 and enter. Press 1 again for "easy" to allow both http and https.


To look at all the files created by certbot, run the find command
# find /etc/letsencrypt/live
You will find all the files here.

If you are hosting multiple domains, each domain will have its own set of these files.


# curl https://master.expanor.local

To fix the security issues, update the ssl.conf file.
# vi /etc/httpd/conf.d/ssl.conf    # default installation file

Search for SSLProtocol

/SSLPro

Comment out the old line and add the new one:
# Insecure:
# SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3

Also change the cipher suite.

Add
# Insecure:
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256_EECDH:AES256_EDH

Save and exit
:wq!

Once you have made changes to your config file, check the syntax again to make sure there is no error.

# apachectl configtest

Syntax OK.

Now, restart the service again
# systemctl restart httpd

Verify that the web site is working fine.
# curl https://192.168.10.20

If you don't specify the expiration date for your certificate at the time of creation, it will expire in 3 months or 1 year.

To renew
# certbot renew
It will tell you whether it is time to renew or not.

This is a manual process. There are other ways to renew it.
You can add it to a cron job.
# crontab -e
# Renew cert
0 0 * * * /usr/bin/certbot renew > /var/log/certbot-cron.log 2>&1

# crontab -l

Another way to do this is through systemd.

# systemctl start certbot-renew.service
# systemctl status certbot-renew.service

Now start and enable the timer
# systemctl start certbot-renew.timer
# systemctl enable certbot-renew.timer
# systemctl list-timers

You will see that the two timers are enabled and the time at which they will run.


These are two ways to renew the cert, but you can disable the cron job for now.

# crontab -e and add # at the beginning of the line.
#


So far,
- We installed and configured an SSL certificate issued by Let's Encrypt on CentOS running Apache.
- Installed software packages httpd, mod_ssl
- Added a firewall rule to allow traffic for http and https
- Installed the EPEL repository to install extra software packages.
- Installed the certbot application and the certbot apache plug-in.
- Created and installed the SSL certificate using the certbot tool
- Finally, automated the renewal process of the certificate.

Troubleshooting


[root@master ~]# firewall-cmd --add-service=https --permanent
success
[root@master ~]# firewall-cmd --reload
success
[root@master ~]# curl https://192.168.56.5
curl: (7) Failed to connect to 192.168.56.5 port 443: Connection refused

[root@master ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 6789/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@master ~]# apachectl -S
AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
[root@master ~]# ls -l /etc/pki/tls/certs/localhost.crt
ls: cannot access '/etc/pki/tls/certs/localhost.crt': No such file or directory
[root@master ~]# cd /etc/pki/tls/certs/
[root@master certs]# ls
ca-bundle.crt  ca-bundle.trust.crt
[root@master certs]# ls -ltr
total 0
lrwxrwxrwx. 1 root root 55 Dec 11  2019 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
lrwxrwxrwx. 1 root root 49 Dec 11  2019 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@master certs]#


Note: curl: (7) Failed to connect
is related to the host entry. Check the /etc/hosts file mapping.


[root@master certs]# apachectl -t
AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty


Since the mod_ssl package should create a self-signed key and certificate file for localhost upon installation but
didn't, we will create them using the openssl command.

# ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.key
ls: cannot access '/etc/pki/tls/certs/localhost.crt': No such file or directory
ls: cannot access '/etc/pki/tls/certs/localhost.key': No such file or directory

# openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
  -out /etc/pki/tls/certs/localhost.crt \
  -keyout /etc/pki/tls/private/localhost.key

Duration: 10 years.
It will prompt you with some questions; just supply the answers. The key/cert is generated.


[root@master certs]# ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.key
ls: cannot access '/etc/pki/tls/certs/localhost.key': No such file or directory
-rw-r--r--. 1 root root 2021 Feb  1 12:15 /etc/pki/tls/certs/localhost.crt
[root@master certs]# ls -l /etc/pki/tls/private/localhost.key
-rw-------. 1 root root 3272 Feb  1 12:14 /etc/pki/tls/private/localhost.key
[root@master certs]# cp /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.key
[root@master certs]#
# ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.key
-rw-r--r--. 1 root root 2021 Feb  1 12:15 /etc/pki/tls/certs/localhost.crt
-rw-r--r--. 1 root root 3272 Feb  1 12:16 /etc/pki/tls/certs/localhost.key

# apachectl -t
Syntax OK
[root@master certs]# apachectl -S

Still getting an error:
# curl http://192.168.56.5
# echo $?
0

# curl https://192.168.56.5
curl: (7) Failed to connect to 192.168.56.5 port 443: Connection refused
# echo $?
7
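As an added example (not from the original post), a small pre-flight audit for ssl.conf that catches what the hardening step above and the troubleshooting session run into: SSLv3 still allowed, the weak cipher suite, a missing or empty SSLCertificateFile (the AH00526 error), and a private key that is readable by others (as happens when the key is copied into certs/ with mode 644). The function names and the fixture files under a temp directory are hypothetical and constructed here; it assumes GNU stat (with a BSD fallback).

```shell
# Added example, not from the post: audit_ssl_conf FILE checks the directives
# the post edits (SSLProtocol, SSLCipherSuite) and the cert/key files it
# struggled with. Hypothetical helper; fixture files below are constructed.
# Print the value of a directive: first uncommented occurrence in FILE.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}
# audit_ssl_conf FILE -> 0 if clean, 1 plus one line per finding otherwise
audit_ssl_conf() {
    conf=$1 rc=0
    proto=$(directive "$conf" SSLProtocol)
    case " $proto " in
        *" -SSLv3 "*) ;;                                   # explicitly disabled
        *" all "*|*SSLv3*) echo "SSLv3 allowed: SSLProtocol $proto"; rc=1 ;;
    esac
    ciphers=$(directive "$conf" SSLCipherSuite)
    case $ciphers in
        *MEDIUM*|*LOW*|*EXPORT*) echo "weak ciphers: SSLCipherSuite $ciphers"; rc=1 ;;
    esac
    crt=$(directive "$conf" SSLCertificateFile)
    [ -s "$crt" ] || { echo "SSLCertificateFile '$crt' missing or empty"; rc=1; }
    key=$(directive "$conf" SSLCertificateKeyFile)
    if [ ! -s "$key" ]; then
        echo "SSLCertificateKeyFile '$key' missing or empty"; rc=1
    else
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case $mode in 600|400) ;; *) echo "key $key readable by others (mode $mode)"; rc=1 ;; esac
    fi
    return $rc
}
# Constructed fixtures standing in for /etc/pki/tls/* and ssl.conf.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
echo "constructed cert" > "$W/localhost.crt"
echo "constructed key" > "$W/localhost.key"; chmod 600 "$W/localhost.key"
cp "$W/localhost.key" "$W/copied.key"; chmod 644 "$W/copied.key"   # like the cp into certs/
cat > "$W/insecure.conf" <<EOF
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile $W/localhost.crt
SSLCertificateKeyFile $W/copied.key
EOF
cat > "$W/hardened.conf" <<EOF
# SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256_EECDH:AES256_EDH
SSLCertificateFile $W/localhost.crt
SSLCertificateKeyFile $W/localhost.key
EOF
audit_ssl_conf "$W/hardened.conf" && echo "hardened.conf: OK"
audit_ssl_conf "$W/insecure.conf" || echo "insecure.conf: fix the findings above"
```

Run it before apachectl configtest; a clean exit status means the three things the post had to fix by hand are already in place.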
