How to install mod_ssl on RHEL/CentOS 7 with Apache web server

The mod_ssl module enables encrypted communication between clients and your Apache web server. It provides SSL v3 and TLS v1.x support, so that sensitive data transmitted over the internet is encrypted and protected. This guide provides a basic, step-by-step mod_ssl configuration on a RHEL/CentOS 7 Linux server using the httpd Apache web server. Securing your web server with mod_ssl is a fundamental practice for any website handling user data or sensitive information.

Step-by-Step Instructions to Install mod_ssl on RHEL/CentOS 7

We assume that you have already performed a basic installation and configuration of the Apache web server on your RHEL/CentOS 7 server. If not, there are numerous online resources available to guide you through that process. With Apache installed and running, let’s proceed with the mod_ssl installation.

Step 1: Install the mod_ssl module.

The first step is to install the mod_ssl module using the yum package manager, which is the standard package management tool for RHEL/CentOS 7. Open your terminal and execute the following command:

$ sudo yum install mod_ssl

This command will download and install the mod_ssl package and any necessary dependencies. You may be prompted to confirm the installation; simply type y and press Enter.

Step 2: Enable the mod_ssl module.

After installing mod_ssl, it might not be enabled automatically. To verify whether mod_ssl is enabled, you can use the apachectl command to list the loaded Apache modules and then filter the output using grep to search for "ssl". Execute the following command:

$ apachectl -M | grep ssl

If you see the following output, it means that the mod_ssl module is enabled:

ssl_module (shared)

If you don’t see any output from this last command, then your mod_ssl module is disabled. The most reliable way to ensure mod_ssl is enabled is to restart the httpd Apache web server, which loads newly installed modules on startup. Execute the following command:

$ sudo systemctl restart httpd

Step 3: Open TCP port 443 to allow incoming traffic with HTTPS protocol:

HTTPS uses port 443 by default. You need to configure the firewall to allow incoming traffic on this port. RHEL/CentOS 7 uses firewalld as its default firewall management tool. Use the following commands to open port 443:

$ sudo firewall-cmd --zone=public --permanent --add-service=https
success
$ sudo firewall-cmd --reload
success

The first command adds the "https" service (which is pre-defined to use port 443) to the public zone and makes the rule permanent. The second command reloads the firewall rules, applying the changes immediately.

NOTE

You should now be able to access your Apache web server via the HTTPS protocol. Navigate your browser to https://your-server-ip or https://your-server-hostname to confirm the mod_ssl configuration. You will likely see a warning about an untrusted certificate, as we haven’t yet configured a valid SSL certificate. This is expected at this stage.

Step 4: Generating the SSL certificate.

If you don’t already have a proper SSL certificate for your server (e.g., purchased from a Certificate Authority), you can generate a self-signed certificate for testing and development purposes. While self-signed certificates are not trusted by default by browsers, they are sufficient for internal use or situations where you control the clients.

For instance, let’s generate a new self-signed certificate for host rhel7 with 365 days until expiry:

$ sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt

This command uses the openssl command-line tool to generate a new RSA private key and a self-signed certificate. Let’s break down the options:

  • req: Specifies that we are creating a certificate request.
  • -newkey rsa:2048: Generates a new RSA key with a key size of 2048 bits.
  • -nodes: Disables encryption of the private key (not recommended for production).
  • -keyout /etc/pki/tls/private/httpd.key: Specifies the output file for the private key.
  • -x509: Creates a self-signed certificate instead of a certificate request.
  • -days 365: Sets the validity period of the certificate to 365 days.
  • -out /etc/pki/tls/certs/httpd.crt: Specifies the output file for the certificate.

The command will prompt you for information about your organization and the server. You can leave some fields blank, but the "Common Name" field should match your server’s hostname or domain name.

Generating a RSA private key
................+++++
..........+++++
writing new private key to '/etc/pki/tls/private/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:LinuxConfig.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rhel7
Email Address []:

Once the above command has been successfully executed, these two SSL files will be created:

# ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt
-rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt
-rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key

httpd.key contains the private key and httpd.crt contains the certificate. It’s crucial to protect the private key, as it allows anyone who possesses it to decrypt traffic encrypted with the corresponding certificate.

Step 5: Configure Apache web-server with new SSL certificates.

To instruct Apache to use your newly created SSL certificate, you need to update the ssl.conf configuration file. This file typically resides in the /etc/httpd/conf.d/ directory. Open the /etc/httpd/conf.d/ssl.conf file with administrative privileges using a text editor like vi or nano and edit these lines:

FROM:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
TO:
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

These lines specify the paths to the SSL certificate and private key files. Replace the default paths with the paths to your newly created files.

Once you’ve made these changes, save the file and restart the httpd Apache web server:

$ sudo systemctl restart httpd
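A check worth running before the restart above, as an added example that is not part of the original guide: it reads the two directives from ssl.conf, confirms the key matches the certificate, that the unencrypted key is not group- or world-readable, and that the certificate is not about to expire. The function names conf_value and check_tls_pair are hypothetical, and GNU stat (as shipped on RHEL/CentOS) is assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): check the certificate/key pair
# that ssl.conf points at. conf_value and check_tls_pair are hypothetical names.

# Print the value of the last uncommented occurrence of a directive.
conf_value() {  # $1 = directive name, $2 = Apache conf file
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$2"
}

check_tls_pair() {  # $1 = ssl.conf path, $2 = required days of validity left
    conf=$1; days=${2:-30}
    crt=$(conf_value SSLCertificateFile "$conf")
    key=$(conf_value SSLCertificateKeyFile "$conf")
    [ -r "$crt" ] && [ -r "$key" ] || { echo "FAIL: certificate or key not readable"; return 1; }

    # 1. The certificate must carry the public half of this private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ] || { echo "FAIL: key does not match certificate"; return 2; }

    # 2. The key was written with -nodes (unencrypted), so the file mode is
    #    its only protection: no group or other permission bits allowed.
    mode=$(stat -c '%a' "$key")
    case $mode in
        *00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; return 3 ;;
    esac

    # 3. The certificate must stay valid for at least $days more days.
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $days days"; return 4; }

    echo "OK: $crt matches $key, key mode $mode"
}

# Usage: sudo sh check_tls_pair.sh /etc/httpd/conf.d/ssl.conf 30
if [ $# -ge 1 ]; then check_tls_pair "$@"; fi
```

Run it as root, since the private key is readable only by root. `apachectl configtest` covers the syntax of the edited ssl.conf itself.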

Step 6: Test your mod_ssl configuration

Now it’s time to test your mod_ssl configuration. Open your web browser and navigate to https://your-server-ip or https://your-server-hostname.

If everything is configured correctly, you should see your website. However, because you are using a self-signed certificate, your browser will likely display a warning message indicating that the connection is not private or that the certificate is not trusted. This is normal for self-signed certificates. You can usually bypass the warning by adding an exception for the certificate or trusting it temporarily.

Step 7: You can optionally redirect all HTTP traffic to HTTPS.

To ensure that all traffic to your website is encrypted, you can redirect all HTTP (port 80) requests to HTTPS (port 443). For this, you’ll need to create a new configuration file in the /etc/httpd/conf.d/ directory. Create a new file named /etc/httpd/conf.d/redirect_http.conf with the following content:

<VirtualHost _default_:80>
    ServerName rhel7
    Redirect permanent / https://rhel7/
</VirtualHost>

This configuration defines a virtual host that listens on port 80 and redirects all requests to the corresponding HTTPS URL. Make sure to replace "rhel7" with your actual server name or domain.

Restart the httpd daemon to apply the changes made:

$ sudo systemctl restart httpd

The configuration above redirects any request for http://rhel7 to https://rhel7. Now, if you try to access your website using http://your-server-ip or http://your-server-hostname, you will be automatically redirected to the HTTPS version.

Alternative Solutions for Enabling HTTPS

While the above steps outline the standard procedure for installing mod_ssl and configuring HTTPS, there are alternative approaches that can simplify the process or offer different levels of automation. Here are two such alternatives:

1. Using Let’s Encrypt for Automatic Certificate Management

Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that provides SSL certificates. It simplifies the process of obtaining and renewing certificates by automating the verification and installation steps.

Explanation:

Instead of generating a self-signed certificate or manually purchasing one from a CA, you can use Let’s Encrypt to obtain a trusted certificate automatically. This eliminates the browser warnings associated with self-signed certificates and provides a more secure solution.

Steps:

  1. Install the certbot client: certbot is the official Let’s Encrypt client. You can install it using yum:

    sudo yum install certbot python2-certbot-apache

  2. Obtain a certificate: Use certbot to request a certificate for your domain. Replace yourdomain.com with your actual domain name:

    sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

    certbot will automatically configure Apache to use the new certificate. It will also set up automatic renewal, ensuring that your certificate remains valid.

  3. Verify HTTPS: After certbot completes, verify that your website is accessible via HTTPS. You should no longer see any browser warnings about untrusted certificates.

2. Using Docker with Pre-configured HTTPS

Docker provides a way to containerize applications and their dependencies, making it easy to deploy and manage them. You can use a pre-configured Docker image that includes Apache, mod_ssl, and Let’s Encrypt integration to simplify the setup process.

Explanation:

Instead of manually installing and configuring Apache, mod_ssl, and Let’s Encrypt, you can use a Docker image that already has these components set up. This allows you to deploy a secure web server with minimal effort.

Steps:

  1. Install Docker: If you don’t already have Docker installed, follow the instructions on the Docker website to install it on your RHEL/CentOS 7 server.

  2. Pull a pre-configured Docker image: There are several Docker images available that include Apache, mod_ssl, and Let’s Encrypt integration. Search for a suitable image on Docker Hub. For example, you can use the jc21/nginx-proxy-manager image (though it uses Nginx instead of Apache, the principle is the same and easily adaptable for an Apache image).

    docker pull jc21/nginx-proxy-manager:latest

  3. Run the Docker container: Configure the container with your domain name and other necessary settings, and then run it:

    docker run -d -p 80:80 -p 443:443 -v /path/to/data:/data -v /path/to/letsencrypt:/etc/letsencrypt jc21/nginx-proxy-manager:latest

    Replace /path/to/data and /path/to/letsencrypt with appropriate paths on your host system. You will then access the Nginx Proxy Manager web interface to configure your domains and obtain Let’s Encrypt certificates.

These alternative solutions offer different approaches to enabling HTTPS on your RHEL/CentOS 7 server. Let’s Encrypt simplifies certificate management, while Docker provides a containerized environment that can streamline deployment and configuration. Each approach has its own advantages and disadvantages, so choose the one that best suits your needs and technical expertise. Whichever method you choose, installing mod_ssl on RHEL/CentOS 7 with the Apache web server helps protect valuable and sensitive data.
