How to install mod_ssl on RHEL/CentOS 7 with Apache web server

install mod_ssl on RHEL/CentOS 7 with Apache

The mod_ssl module provides SSL v3 and TLS v1.x with support to the Apache HTTP Server. This guide provides you with a basic step by step mod_ssl configuration on RHEL/CentOS 7 Linux server using httpd Apache web server.

Step-by-Step Instructions to Install mod_ssl on RHEL/CentOS 7

We assume that you have already done a basic installation and configuration of Apache web server on your RHEL/CentOS 7 server.

Step1: Install the mod_ssl module.

The first step is to install mod_ssl module with the yum command:

$ sudo yum install mod_ssl

Step2: Enable the mod_ssl module.

If you have just installed mod_ssl, it may not be enabled yet. To verify whether mod_ssl is enabled, you need to execute:

$ apachectl -M | grep ssl

If you don’t see any output from this last command, then your mod_ssl is disabled. To enable the mod_ssl module, go ahead and restart your httpd Apache web server:

ssl_module (shared)

Step3: Open TCP port 443 to allow incoming traffic with https protocol:

$ firewall-cmd --zone=public --permanent --add-service=https
$ firewall-cmd --reload


You should by now be able to log into your Apache web server via HTTPS protocol. Navigate your browser to https://your-server-ip or https://your-server-hostname to confirm mod_ssl configuration.

Step4: Generating the SSL certificate.

If you don’t already have a proper SSL certificates for your server, use the following command  to make a new self-signed certificate.

For instance, let’s generate a new self-signed certificate for host rhel7 with 365 days until expiry:

$ openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt
Generating a RSA private key
writing new private key to '/etc/pki/tls/private/httpd.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rhel7
Email Address []:

Once the above command has been successfully executed, these two SSL files will be created:

# ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt
-rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt
-rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key

Step5: Configure Apache web-server with new SSL certificates.

To insert your newly created SSL certificate in the Apache web-server configuration, go ahead and open the /etc/httpd/conf.d/ssl.conf file with administrative privileges and edit these lines:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

Once set, you need to restart the httpd Apache web-server:

$ systemctl restart httpd

Step6: Test your mod_ssl configuration

Test through navigating to https://your-server-ip or https://your-server-hostname URL.

Step7: You can optionally redirect all HTTP traffic to HTTPS.

For this, you’ll need to create a new file /etc/httpd/conf.d/redirect_http.conf with the following content:

<VirtualHost _default_:80>
         Servername rhel7
         Redirect permanent / https://rhel7/

Restart the httpd daemon to apply the changes made

$ systemctl restart httpd

The configuration above will redirect any traffic from http://rhel7 to https://rhel7 URL.