Tuesday, April 26, 2011

How to configure Apache with SSL (CentOS):

Configuring an Apache server with SSL is an easy task when you know what you're doing ;)
I decided to write one easy-to-understand quick tutorial that will serve as a memory refresher. In my case I used CentOS 5.5 x64.

So...here we go:

1.Make sure Apache is installed:
#rpm -qa|grep httpd

If not, install it:
#yum install httpd

2.Install mod_ssl module for Apache 2 to enable SSL support:
#yum install mod_ssl

3. Generate the private key together with a certificate signing request, and send the request (the contents of server.csr) to your CA (Verisign, for example):
#openssl req -nodes -newkey rsa:2048 -keyout myserver.key\
-out server.csr

Grant read permission on your private key to root only:
</gre_replace>
<gr_replace lines="26" cat="clarify" orig="4. After">
4. After receiving the signed certificate and the CA bundle from your CA, unzip them and put them in the same directory as your private key; in my case I used "/etc/ssl/crt":
#chmod 0400 myserver.key

4. After receiving the public key + bundle from your CA, unzip and put them in the same directory as your private key, in my case I used "/etc/ssl/crt":
#mv myserver.key /etc/ssl/crt/
#mv my_server_org_il* /etc/ssl/crt

There is a neat way to check whether the certificate's public key matches the private key: go to the directory with your certificates and execute the following commands (here the certificate is hostcert.pem and the key is hostkey.pem).
For the certificate (public key):
# openssl x509 -noout -modulus -in hostcert.pem | openssl sha1
4e9d47dec86984789b15db10d204faa5e7aa7777
For the private key:
# openssl rsa -noout -modulus -in hostkey.pem | openssl sha1
4e9d47dec86984789b15db10d204faa5e7aa7777

As you can see, the two hashes are identical, which means the certificate and key belong together and we're good to go.


5. Before making any change, back up both configuration files:
#cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
#cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak

Edit ssl.conf:

#vi /etc/httpd/conf.d/ssl.conf

Now it's up to you whether you use a VirtualHost block or not (http://httpd.apache.org/docs/trunk/mod/core.html#virtualhost); either way, the configuration should include the following lines:
 
ServerAdmin root@localhost
DocumentRoot /var/www/html/support
ServerName support.mydomain.com
ErrorLog logs/support_mydomain_com-error_log
CustomLog logs/support_mydomain_com-access_log common
SSLEngine on
SSLCertificateFile /etc/ssl/crt/support_mydomain_com.crt
SSLCertificateKeyFile /etc/ssl/crt/myserver.key
SSLCACertificateFile /etc/ssl/crt/support_mydomain_com.ca-bundle


6. For proper URL redirection, you can use this line to redirect all incoming HTTP traffic to your HTTPS server; add it to httpd.conf:

RedirectPermanent / https://support.mydomain.com/


7. Restart httpd service:
#/etc/init.d/httpd restart

Make sure the "Listen 443" line is present in ssl.conf.
Make sure the "Listen 80" line is present in httpd.conf.

To check that the web server is listening on both ports, run:
#lsof -i :80
#lsof -i :443

Basic configuration is done; try to access the server from the browser:
http://support.mydomain.com
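The modulus comparison from step 4, the key permissions from step 3, the CA bundle from step 5 and the Listen line from step 7 can all be checked in one script before restarting httpd. This is an added example, not code from the original post; it assumes the openssl CLI and GNU stat(1), and the file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the files and
# settings the tutorial sets up, so that a mismatched cert/key pair, a readable
# key, an incomplete CA bundle or a missing Listen line is caught before restart.
# Assumes the openssl CLI and GNU stat(1); all file paths are placeholders.

# 0 if the modulus in the certificate equals the modulus of the private key.
# The post hashes both with sha1 for eyeballing; comparing the raw values is equivalent.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# 0 if the private key is readable by its owner only (0400 as in step 3, or 0600).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if the certificate chains up to the CA bundle named in SSLCACertificateFile.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the config file has an uncommented "Listen <port>" line (step 7).
listen_ok() {
    grep -Eq "^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?$2([[:space:]]|$)" "$1"
}

# Run every check against one cert/key/bundle/config set; 0 only when all pass.
preflight() {
    rc=0
    cert_matches_key "$1" "$2" && echo "OK   cert/key moduli match" || { echo "FAIL cert/key moduli differ"; rc=1; }
    key_perms_ok "$2"          && echo "OK   key permissions"       || { echo "FAIL key readable by others"; rc=1; }
    cert_chain_ok "$1" "$3"    && echo "OK   chain verifies"        || { echo "FAIL chain does not verify"; rc=1; }
    listen_ok "$4" 443         && echo "OK   Listen 443 present"    || { echo "FAIL no Listen 443 in $4"; rc=1; }
    return $rc
}

# Usage (paths as in the tutorial):
# preflight /etc/ssl/crt/support_mydomain_com.crt /etc/ssl/crt/myserver.key \
#           /etc/ssl/crt/support_mydomain_com.ca-bundle /etc/httpd/conf.d/ssl.conf
```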
