Configuration Prerequisites
Keypair
You will need a keypair, either issued by a trusted certificate authority such as Let's Encrypt or generated as your own self-signed certificate. You should have the following files.
- Private Key: yourdomain.com.key
- Public Certificate: yourdomain.com.[crt or pem]
- Intermediate Certificate (optional): YourAuthorityCA.crt
Depending on where you obtain your certificate, the intermediate may or may not be required. Usually, when you purchase a certificate, the signing authority provides it; Let's Encrypt, for example, publishes its intermediate certificates on its website.
Apache Mod SSL
You may already have this installed, but you can run the following command to check.
$ sudo httpd -M | grep ssl
ssl_module (shared)
If the above command returns no output you can install the module with yum.
$ sudo yum install -y mod_ssl
Apache Configuration
The default ssl configuration can be found at:
/etc/httpd/conf.d/ssl.conf
However, I recommend disabling this configuration file and using a simpler configuration. You can disable the default ssl.conf just by renaming it.
$ sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.disabled
You can figure out where your virtual host files are configured by running the following.
$ httpd -S
VirtualHost configuration:
*:80 is a NameVirtualHost
*:443 is a NameVirtualHost
default server linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
port 80 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:2)
alias www.linuxbucket.com
port 443 namevhost linuxbucket.com (/etc/httpd/conf.d/linuxbucket.conf:12)
alias www.linuxbucket.com
The following is an example of a vhost configuration that has both HTTP and HTTPS configurations. The domain-specific values (ServerName, ServerAlias, DocumentRoot and the certificate paths) need to be customized to match your domain.
$ cat /etc/httpd/conf.d/linuxbucket.conf
# Plain HTTP vhost
<VirtualHost *:80>
    ServerName linuxbucket.com
    ServerAlias www.linuxbucket.com
    DocumentRoot /var/www/linuxbucket.com/html
    <Directory /var/www/linuxbucket.com/html>
        AllowOverride All
    </Directory>
</VirtualHost>

# Needed here because the default ssl.conf, which normally carries this Listen, is disabled
Listen 443 https
<VirtualHost *:443>
    ServerName linuxbucket.com
    ServerAlias www.linuxbucket.com
    DocumentRoot /var/www/linuxbucket.com/html
    SSLEngine on
    # Server certificate and its private key (keep the key readable by root only)
    SSLCertificateFile /etc/ssl/linuxbucket/public.crt
    SSLCertificateKeyFile /etc/ssl/linuxbucket/private.key
    # Uncomment if your CA supplied an intermediate certificate
    # SSLCertificateChainFile /etc/ssl/linuxbucket/intermediate.crt
    # Strong ciphers only, and every protocol except TLS 1.2 disabled
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol -ALL +TLSv1.2
    <Directory /var/www/linuxbucket.com/html>
        AllowOverride All
    </Directory>
</VirtualHost>
The important configuration to include from the above example is the <VirtualHost *:443> section. This also assumes you've placed the .crt and .key files in the location specified in the configuration. You can change the file locations to whatever you want, but in general you'll want to place them somewhere under /etc/pki or /etc/ssl.

The SSLCertificateChainFile parameter is commented out above, but if the provider of your SSL certificate gave you an intermediate certificate, this is where it is configured. You can check that the chain looks good using SSL Shopper's tool.

The Apache documentation has some good information on SSLCipherSuite configurations. If security is a priority you may want to force strong encryption for all traffic; otherwise, see the Apache documentation for examples of conditional SSLCipherSuite configurations. Plenty of articles online can help with understanding the options here. SSL Labs also has a great tool that shows how your security posture stacks up.
Restart Apache
After all the configurations are in place you can run a syntax check.
$ httpd -t
Syntax OK
Then restart Apache if the test is successful.
#RHEL 6
$ sudo service httpd restart
#RHEL 7
$ sudo systemctl restart httpd.service