The mod_ssl module provides SSL v3 and TLS v1.x support for the Apache HTTP Server. This guide walks through a basic step-by-step mod_ssl configuration on a RHEL/CentOS 7 Linux server running the httpd Apache web server.
Step-by-Step Instructions to Install mod_ssl on RHEL/CentOS 7
We assume that you have already done a basic installation and configuration of Apache web server on your RHEL/CentOS 7 server.
Step1: Install the mod_ssl module.
The first step is to install the mod_ssl module with the yum command:
$ sudo yum install mod_ssl
Step2: Enable the mod_ssl module.
If you have just installed mod_ssl, it may not be enabled yet. To verify whether mod_ssl is enabled, you need to execute:
$ apachectl -M | grep ssl
If you don’t see any output from this last command, then your mod_ssl is disabled. To enable the mod_ssl module, go ahead and restart your httpd Apache web server:
$ systemctl restart httpd
Step3: Open TCP port 443 to allow incoming traffic with https protocol:
$ firewall-cmd --zone=public --permanent --add-service=https
$ firewall-cmd --reload
You should now be able to access your Apache web server over HTTPS. Navigate your browser to https://your-server-ip or https://your-server-hostname to confirm the mod_ssl configuration.
Step4: Generating the SSL certificate.
If you don’t already have a proper SSL certificate for your server, use the following command to make a new self-signed certificate.
For instance, let’s generate a new self-signed certificate for host rhel7 with 365 days until expiry:
$ openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt
Generating a RSA private key
................+++++
..........+++++
writing new private key to '/etc/pki/tls/private/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) :
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:LinuxConfig.org
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :rhel7
Email Address :
Once the above command has been successfully executed, these two SSL files will be created:
# ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt
-rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt
-rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key
Step5: Configure Apache web-server with new SSL certificates.
To insert your newly created SSL certificate in the Apache web-server configuration, go ahead and open the /etc/httpd/conf.d/ssl.conf file with administrative privileges and edit these lines:
FROM:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
TO:
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
Once set, you need to restart the httpd Apache web-server:
$ systemctl restart httpd
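An added example, not part of the original guide: a small audit of the Step5 settings that reads the certificate and key paths from the config file, checks that the key keeps the -rw------- mode shown in Step4, and confirms that the certificate and key belong together. The function names are hypothetical helpers; it assumes the openssl command is installed and that the file holds a single certificate/key pair.

```bash
# Added example: audit the Step5 certificate/key settings before restarting httpd.
# Assumption: one SSLCertificateFile/SSLCertificateKeyFile pair, one directive per line.

# Print the path given to a directive; commented-out lines are ignored.
directive_path() {  # usage: directive_path <conf> <DirectiveName>
  awk -v d="$2" 'tolower($1) == tolower(d) { p = $2 } END { if (p != "") print p }' "$1"
}

# Succeed only if the key file has no group/other permission bits (-rw-------).
key_is_private() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if certificate and private key contain the same public key.
pair_matches() {  # usage: pair_matches <cert> <key>
  local c k
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check against one config file; non-zero return means a finding.
audit_ssl_conf() {
  local conf=$1 cert key rc=0
  cert=$(directive_path "$conf" SSLCertificateFile)
  key=$(directive_path "$conf" SSLCertificateKeyFile)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "FAIL: certificate or key directive not found in $conf"; return 1
  fi
  if [ "${cert##*/}" = localhost.crt ] || [ "${key##*/}" = localhost.key ]; then
    echo "WARN: still pointing at the default localhost pair"; rc=1
  fi
  key_is_private "$key" || { echo "FAIL: $key missing or accessible to group/other"; rc=1; }
  pair_matches "$cert" "$key" || { echo "FAIL: $cert and $key do not match"; rc=1; }
  # -checkend N fails when the certificate expires within N seconds (30 days here).
  openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1 ||
    { echo "WARN: $cert unreadable or expires within 30 days"; rc=1; }
  return "$rc"
}

# Run as: sudo bash audit.sh /etc/httpd/conf.d/ssl.conf (script name is arbitrary).
[ $# -eq 0 ] || audit_ssl_conf "$1"
```

A silent run with exit status 0 means every check passed; a certificate and key that do not match is a common reason for httpd failing to start after this edit.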
Step6: Test your mod_ssl configuration
Test by navigating to the https://your-server-ip or https://your-server-hostname URL.
Step7: You can optionally redirect all HTTP traffic to HTTPS.
For this, you’ll need to create a new file /etc/httpd/conf.d/redirect_http.conf with the following content:
<VirtualHost _default_:80>
    ServerName rhel7
    Redirect permanent / https://rhel7/
</VirtualHost>
Restart the httpd daemon to apply the changes made:
$ systemctl restart httpd
The configuration above will redirect any traffic from http://rhel7 to https://rhel7 URL.