- Install httpd packages for default page display
Verify that the httpd package is installed and the default page is working as expected.
[root@server2 ~]#
rpm -qa | grep httpd
httpd-tools-2.4.6-40.el7.x86_64
httpd-manual-2.4.6-40.el7.noarch
httpd-2.4.6-40.el7.x86_64
[root@server2 ~]#
yum install httpd
[root@server2 ~]#
echo "This is a test default page" >/var/www/html/index.html
[root@server2 ~]#
systemctl status httpd
[root@server2 ~]#
systemctl start httpd
[root@server2 ~]#
systemctl enable httpd
[root@server2 ~]#
elinks http://localhost
- Allow http on firewall
Allow Apache HTTP port 80 and HTTPS port 443.
To check which ports are already open, run the command
[root@server2 ~]#
firewall-cmd --list-all
If you don't see the ports in the output, add them:
[root@server2 ~]#
firewall-cmd --permanent --add-port=80/tcp
[root@server2 ~]#
firewall-cmd --permanent --add-port=443/tcp
[root@server2 ~]#
firewall-cmd --reload
- Now, Install SSL packages
We need the SSL packages (mod_ssl and openssl) to generate the keys. Check to see if they are already installed.
[root@server2 ~]#
rpm -qa | grep mod_ssl
mod_ssl-2.4.6-40.el7.x86_64
[root@server2 ~]#
rpm -qa | grep openssl
openssl-1.0.1e-42.el7_1.9.x86_64
openssl-libs-1.0.1e-42.el7_1.9.x86_64
If they are not installed, install them:
[root@server2 ~]#
yum install mod_ssl openssl
- Now, generate certificates.
a. Generate the private key for the self-signed certificate (2048-bit RSA key)
[root@server2 ~]#
openssl genrsa -out ca.key 2048
Generating RSA
private key, 2048 bit long modulus
.........................................................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@server2 ~]#
b. Generate
certificate signing request (csr)
[root@server2 ~]#
openssl req -new -key ca.key -out ca.csr
just follow the
prompt.
c. Generate the SSL certificate
Note: the self-signed x509 certificate created from the csr is valid for a year (-days 365).
[root@server2 ~]#
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
Getting Private key
[root@server2 ~]# ls
-ltr
-rw-r--r--. 1 root
root 1679 Dec 18 23:07 ca.key
-rw-r--r--. 1 root
root 997 Dec 18 23:10 ca.csr
-rw-r--r--. 1 root
root 1188 Dec 18 23:11 ca.crt
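Once these files are created, you need to copy them to the right directory locations as follows.
Note that the listing above shows ca.key as world-readable (-rw-r--r--); the private key should be readable by root only, so tighten its mode (for example chmod 600) on the copy under /etc/pki/tls/private/.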
[root@server2 ~]# cp
ca.crt /etc/pki/tls/certs/
[root@server2 ~]# cp
ca.key ca.csr /etc/pki/tls/private/
Note: if you brought these certs in from a different location, you have to run the semanage command to apply the right SELinux context. Verify the context with ls -Z, for example:
[root@server2 ~]#
wget http://192.168.10.120/certs/ca.crt
[root@server2 ~]# mv
ca.crt /etc/pki/tls/certs/
[root@server2 ~]# ls
-lZd /etc/pki/tls/certs/
drwxr-xr-x. root
root system_u:object_r:cert_t:s0
/etc/pki/tls/certs/
[root@server2 ~]# ls
-lZd /etc/pki/tls/certs/ca.crt
-rw-r--r--. root
root unconfined_u:object_r:cert_t:s0
/etc/pki/tls/certs/ca.crt
and so on
- Now, configure your server with the certificates.
[root@server2 ~]#
mkdir /var/www/html/best.expanor.local
[root@server2 ~]#
echo "Best.expanor.local"
>/var/www/html/best.expanor.local/index.html
[root@server2 ~]#
systemctl restart httpd
[root@server2 ~]#
cat /etc/httpd/conf.d/spage.conf
<virtualhost
192.168.10.122:443>
servername best.expanor.local
documentroot best.expanor.local
directoryindex index.html
sslengine on
sslcertificatefile
/etc/pki/tls/certs/ca.crt
sslcertificatekeyfile
/etc/pki/tls/private/ca.key
</virtualhost>
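Note: You append/specify sslengine, sslcertificatefile, and sslcertificatekeyfile.
Also check documentroot: it should be the full path to the site directory (/var/www/html/best.expanor.local), as in the webpage.conf listing further down.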
[root@server2 ~]# vi
/etc/hosts
192.168.10.122 best.expanor.local
[root@server2 ~]#
systemctl restart httpd
Or
You can directly edit the ssl.conf file, which is created by default.
# vi
/etc/httpd/conf.d/ssl.conf
Go to the section <VirtualHost _default_:443>.
Uncomment the DocumentRoot and ServerName lines and replace example.com with your domain/IP address.
<VirtualHost
_default_:443>
DocumentRoot
"/var/www/html"
ServerName
192.168.10.122:443
Now, go to the SSLCertificateFile and SSLCertificateKeyFile lines and change them to point to your certificate and key.
SSLEngine on
SSLCertificateFile
/etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile
/etc/pki/tls/private/ca.key
Save the file and
restart the service
# systemctl restart
httpd
Or
[root@server2 ~]#
cat /etc/httpd/conf.d/webpage.conf
<virtualhost
192.168.10.122:443>
servername best.expanor.local
documentroot
/var/www/html/best.expanor.local
directoryindex index.html
sslengine on
sslcertificatefile
/etc/pki/tls/certs/ca.crt
sslcertificatekeyfile
/etc/pki/tls/private/ca.key
</virtualhost>
[root@server2 ~]#
Note: Make sure to add a hosts entry for the domain
# cat /etc/hosts
192.168.10.122 best.expanor.local
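- Verify it. Open your browser and type the https address of the server name configured above (best.expanor.local). Because the certificate is self-signed, expect the browser to show a certificate trust warning.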