Tuesday, December 18, 2018

RHEL7 - Set up a secure HTTPS server with SSL


  1. Install httpd and check the default page

Verify that the httpd package is installed and that the default page works as expected. Install it if the rpm query comes back empty.
[root@server2 ~]# rpm -qa | grep httpd
httpd-tools-2.4.6-40.el7.x86_64
httpd-manual-2.4.6-40.el7.noarch
httpd-2.4.6-40.el7.x86_64
[root@server2 ~]# yum install httpd
[root@server2 ~]# echo "This is a test default page" >/var/www/html/index.html
[root@server2 ~]# systemctl status httpd
[root@server2 ~]# systemctl start httpd
[root@server2 ~]# systemctl enable httpd
[root@server2 ~]# elinks http://localhost

  2. Allow http and https through the firewall

Allow the Apache HTTP port 80 and HTTPS port 443 through firewalld.

To check the active zone, run
[root@server2 ~]# firewall-cmd --list-all
If the ports are not in the output (either as ports or as the predefined http and https services), add them permanently and reload:

[root@server2 ~]# firewall-cmd --permanent --add-port=80/tcp
[root@server2 ~]# firewall-cmd --permanent --add-port=443/tcp
[root@server2 ~]# firewall-cmd --reload


  3. Install the SSL packages

mod_ssl is the Apache TLS module; the openssl package provides the command-line tool used below to generate the key and certificate. Check whether both are already installed.
[root@server2 ~]# rpm -qa | grep mod_ssl
mod_ssl-2.4.6-40.el7.x86_64
[root@server2 ~]# rpm -qa | grep openssl
openssl-1.0.1e-42.el7_1.9.x86_64
openssl-libs-1.0.1e-42.el7_1.9.x86_64

If not installed, install it
[root@server2 ~]# yum install mod_ssl openssl


  4. Generate the private key and certificate.

a. Generate a 2048-bit RSA private key. The file is called ca.key throughout this post, but it is the web server's own key, not a certificate-authority key. openssl writes it with the default umask, so it comes out world-readable (see the ls output below); restrict it to the owner before it goes anywhere.
[root@server2 ~]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@server2 ~]#

b. Generate a certificate signing request (CSR) from that key
[root@server2 ~]# openssl req -new -key ca.key -out ca.csr
Just follow the prompts. The Common Name must be the host name clients will use (best.expanor.local below). Current browsers also require that name in a subjectAltName extension, which these interactive prompts do not add.

c. Self-sign the certificate
Note: -days 365 makes the certificate valid for one year; the CSR itself carries no validity period. The openssl 1.0.1 shipped with RHEL7 signs with SHA-1 unless -sha256 is given.

[root@server2 ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
Getting Private key

[root@server2 ~]# ls -ltr
-rw-r--r--. 1 root root 1679 Dec 18 23:07 ca.key
-rw-r--r--. 1 root root  997 Dec 18 23:10 ca.csr
-rw-r--r--. 1 root root 1188 Dec 18 23:11 ca.crt

Once these files are created, copy them to the directories that ssl.conf references. The key belongs under /etc/pki/tls/private, which is readable by root only; the certificate is public and goes under certs.

[root@server2 ~]# cp ca.crt /etc/pki/tls/certs/
[root@server2 ~]# cp ca.key ca.csr /etc/pki/tls/private/

Note: if you copied the certificate from another location, mv keeps the file's old SELinux label, so verify the context with ls -Z and, if the type is not cert_t, run restorecon on the file to apply the context that policy already defines for these directories (semanage is only needed to define a context for a non-standard path). For example,
[root@server2 ~]# wget http://192.168.10.120/certs/ca.crt
[root@server2 ~]# mv ca.crt /etc/pki/tls/certs/
[root@server2 ~]# ls -lZd /etc/pki/tls/certs/
drwxr-xr-x. root root system_u:object_r:cert_t:s0      /etc/pki/tls/certs/
[root@server2 ~]# ls -lZd /etc/pki/tls/certs/ca.crt
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  /etc/pki/tls/certs/ca.crt
Do the same for the key under /etc/pki/tls/private/.

  5. Configure the server with the certificate.

Create the document root for the site, then add a drop-in vhost file. DocumentRoot must be an absolute path; a bare name such as best.expanor.local is taken relative to ServerRoot (/etc/httpd) and the site will not be served.

[root@server2 ~]# mkdir /var/www/html/best.expanor.local
[root@server2 ~]# echo "Best.expanor.local" >/var/www/html/best.expanor.local/index.html
[root@server2 ~]# cat /etc/httpd/conf.d/spage.conf
<virtualhost 192.168.10.122:443>
        servername best.expanor.local
        documentroot /var/www/html/best.expanor.local
        directoryindex  index.html
        sslengine on
        sslcertificatefile /etc/pki/tls/certs/ca.crt
        sslcertificatekeyfile /etc/pki/tls/private/ca.key
</virtualhost>

Note: the three TLS directives are SSLEngine, SSLCertificateFile and SSLCertificateKeyFile (Apache directive names are case-insensitive, so the lowercase spelling above works). ServerName must match the certificate's Common Name / subjectAltName, or browsers will reject the certificate even after it has been trusted.

[root@server2 ~]# vi /etc/hosts
192.168.10.122  best.expanor.local
[root@server2 ~]# systemctl restart httpd

Or

You can instead edit the ssl.conf file that mod_ssl installs by default; it already defines a <VirtualHost _default_:443> backed by a throwaway localhost.crt/localhost.key pair.

# vi /etc/httpd/conf.d/ssl.conf
Go to the section <VirtualHost _default_:443>.
Uncomment the DocumentRoot and ServerName lines and replace www.example.com with your domain or IP address.

<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName 192.168.10.122:443

Now go to the SSLCertificateFile and SSLCertificateKeyFile lines and point them at your certificate and key. While in this file, confirm that SSLProtocol disables SSLv2 and SSLv3; that setting applies to every TLS vhost on the server.

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Save the file and restart the service
# systemctl restart httpd

Or, as a separate drop-in file that uses the absolute DocumentRoot path:
[root@server2 ~]# cat /etc/httpd/conf.d/webpage.conf
<virtualhost 192.168.10.122:443>
        servername best.expanor.local
        documentroot /var/www/html/best.expanor.local
        directoryindex  index.html
        sslengine on
        sslcertificatefile /etc/pki/tls/certs/ca.crt
        sslcertificatekeyfile /etc/pki/tls/private/ca.key
</virtualhost>
[root@server2 ~]#

Note: make sure the host name resolves, for example with an /etc/hosts entry on both the server and the client.
# cat /etc/hosts
192.168.10.122  best.expanor.local

  6. Verify it. Open your browser and type
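The whole procedure from step 4 to step 6 as one script, added here as an example and not taken from the original post: it generates the key and self-signed certificate non-interactively with a subjectAltName and an owner-only key, checks that key and certificate belong together before httpd ever loads them, and gives a function for confirming that the running listener presents the installed certificate. It assumes openssl in PATH and a GNU/Linux userland; the function and file names (mkcert, server.key, server.crt and so on) are this example's own, while best.expanor.local is the host name used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: openssl in PATH,
# GNU/Linux userland; file and function names are this example's own.
set -eu

# mkcert WORKDIR HOSTNAME DAYS: writes server.key, server.csr, server.crt.
mkcert() {
  workdir=$1 host=$2 days=$3
  # One config for both steps: prompt = no replaces the interactive
  # questions, v3_req adds the SAN browsers require. OpenSSL 1.0.x on
  # RHEL7 has no -addext, so an extfile is the portable route.
  cat > "$workdir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = expanor
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # umask 077 in a subshell: key is created 0600, not the 0644 shown in
  # the post's ls output, and the umask change does not leak out.
  ( umask 077; openssl genrsa -out "$workdir/server.key" 2048 2>/dev/null )
  # -sha256: OpenSSL 1.0.1 would otherwise sign with SHA-1.
  openssl req -new -sha256 -config "$workdir/server.cnf" \
    -key "$workdir/server.key" -out "$workdir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$days" -in "$workdir/server.csr" \
    -signkey "$workdir/server.key" -extfile "$workdir/server.cnf" \
    -extensions v3_req -out "$workdir/server.crt" 2>/dev/null
  chmod 644 "$workdir/server.crt" "$workdir/server.csr"
}

# keymatch KEYFILE CRTFILE: succeeds only if the certificate carries this
# key's public half (catches a wrong SSLCertificateKeyFile before restart).
keymatch() {
  k=$(openssl rsa -in "$1" -noout -modulus)
  c=$(openssl x509 -in "$2" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CRTFILE: prints the SAN entries, e.g. DNS:best.expanor.local
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# cert_valid_for CRTFILE SECONDS: succeeds if still valid SECONDS from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# key_is_private KEYFILE: succeeds only if the mode is exactly 0600.
key_is_private() {
  [ -n "$(find "$1" -perm 600)" ]
}

# install_cert WORKDIR: copy into the RHEL7 paths ssl.conf uses and
# relabel. restorecon applies the cert_t context policy already defines
# for these directories. Needs root, so the demo below does not call it.
install_cert() {
  install -m 644 "$1/server.crt" /etc/pki/tls/certs/server.crt
  install -m 600 "$1/server.key" /etc/pki/tls/private/server.key
  restorecon -v /etc/pki/tls/certs/server.crt /etc/pki/tls/private/server.key
}

# served_cert_matches HOST PORT CRTFILE: after "systemctl restart httpd",
# confirm the listener presents the installed certificate (step 6).
served_cert_matches() {
  served=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)
  expected=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$expected" ]
}

# Offline demo in a scratch directory (no root or network needed).
demo() {
  d=$(mktemp -d)
  mkcert "$d" best.expanor.local 365
  keymatch "$d/server.key" "$d/server.crt" && echo "key and cert match"
  key_is_private "$d/server.key" && echo "key mode is 0600"
  echo "SAN: $(cert_san "$d/server.crt")"
  cert_valid_for "$d/server.crt" 86400 && echo "still valid tomorrow"
  cert_valid_for "$d/server.crt" $((366 * 86400)) || echo "expires within 366 days: schedule renewal"
  rm -rf "$d"
}
demo
```

On the real server, run mkcert into a scratch directory as above, then install_cert as root, point SSLCertificateFile and SSLCertificateKeyFile at the installed server.crt and server.key, restart httpd, and finish with served_cert_matches best.expanor.local 443 /etc/pki/tls/certs/server.crt; a mismatch there usually means the request hit the _default_:443 vhost in ssl.conf rather than the one you added.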
