CentOS / Redhat Apache mod_ssl Configuration

Published November 21, 2009; last updated January 27, 2010.

The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. How do I install and configure mod_ssl under CentOS / Fedora / Redhat Enterprise Linux?

mod_ssl is the SSL/TLS module for the Apache HTTP server. You can use a self-signed certificate or a certificate issued by a third-party CA. This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server. It was contributed by Ralf S. Engeschall based on his mod_ssl project and originally derived from work by Ben Laurie. This module relies on OpenSSL to provide the cryptography engine.

Step #1: Install mod_ssl

Type the following command as the root user to install mod_ssl:
# yum install mod_ssl

Step #2: Create an SSL Certificate

Type the following commands:
# cd /etc/pki/tls/certs
# openssl genrsa -des3 -out apachekey.pem 2048

Sample outputs:

Generating RSA private key, 2048 bit long modulus
..................+++
...................................+++
e is 65537 (0x10001)
Enter pass phrase for apachekey.pem:
Verifying - Enter pass phrase for apachekey.pem:

Note: enter a strong passphrase to protect the Apache web server key pair.

Generate a Certificate Signing Request (CSR)

Type the following command:
# openssl req -new -key apachekey.pem -out apachekey.csr
Sample outputs:

Enter pass phrase for apachekey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:MH
Locality Name (eg, city) [Newbury]:Poona
Organization Name (eg, company) [My Company Ltd]:nixCraft LTD
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.nixcraft.com
Email Address []:vivek@nixcraft.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Fill in the information or hit the [Enter] key to accept the defaults, but the Common Name field is very important: it must match the fully qualified domain name of your server exactly (e.g. www.nixcraft.com) or the certificate will not work. There is no need to enter a challenge password.

Create the Web Server Certificate

You must sign the CSR to create the web server certificate (alternatively, send the CSR to your CA to have it signed). To sign apachekey.csr using your own CA, enter the following; note that this command expects a local CA already set up under /etc/pki/CA (with its private key in /etc/pki/CA/private/cakey.pem), otherwise it fails with "unable to load CA private key" as several comments below report:
# openssl ca -in apachekey.csr -out apachecert.pem
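As an added example (not part of the original article), here is the route that works on a host without a local CA: a self-signed certificate made with `openssl x509 -req -signkey`, as comment 15 does, followed by the two checks worth running before httpd is restarted (the CN must equal the server's FQDN, and the certificate must belong to the key Apache will load). File names, subject fields and www.example.com are assumed values.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds a self-signed
# server certificate with `openssl x509 -req -signkey` (comment 15's route,
# which needs no local CA and so avoids the "unable to load CA private key"
# failure of `openssl ca`), then runs the two checks worth doing before
# httpd is restarted: the CN must equal the server's FQDN and the cert
# must belong to the key named in SSLCertificateKeyFile.
# File names, subject fields and www.example.com are assumed values.
set -u

# make_selfsigned KEY CSR CERT SUBJECT DAYS
# The key is written without a passphrase so httpd can start unattended
# (the trade-off comment 6 describes), hence the chmod 600.
make_selfsigned() {
    openssl genrsa -out "$1" 2048 2>/dev/null || return 1
    chmod 600 "$1"
    openssl req -new -key "$1" -out "$2" -subj "$4" 2>/dev/null || return 1
    openssl x509 -req -days "$5" -in "$2" -signkey "$1" -out "$3" 2>/dev/null
}

# cert_cn CERT: print the certificate's Common Name
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_key CERT KEY: true only when both carry the same RSA modulus;
# a mismatched pair makes httpd fail at startup
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_server_cert CERT KEY FQDN: pre-restart check, non-zero on any failure
check_server_cert() {
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; return 1; }
    cn=$(cert_cn "$1")
    [ "$cn" = "$3" ] || { echo "FAIL: CN '$cn' is not '$3'"; return 1; }
    echo "ok: $1 is issued to $3 and matches $2"
}

# Demo in a scratch directory with constructed values
work=$(mktemp -d)
make_selfsigned "$work/apachekey.pem" "$work/apachekey.csr" "$work/apachecert.pem" \
    "/C=IN/ST=MH/L=Poona/O=Example Ltd/CN=www.example.com" 365
check_server_cert "$work/apachecert.pem" "$work/apachekey.pem" www.example.com
rm -rf "$work"
```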

Install SSL Certificate

Copy the server key and certificate files to /etc/pki/tls/http/ (create the directory first if it does not exist), enter:
# cp apachecert.pem /etc/pki/tls/http/
# cp apachekey.pem /etc/pki/tls/http/

Edit /etc/httpd/conf.d/ssl.conf, enter:
# vi /etc/httpd/conf.d/ssl.conf
Set the address and HTTPS port to listen on, enter:

Listen 10.10.29.68:443

Update it as follows to seed the random number generator appropriately, enter:

SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

Update the VirtualHost as follows:

<VirtualHost www.nixcraft.com:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/http/apachecert.pem
    SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
    SSLProtocol All -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
    DocumentRoot "/var/www/html/ssl"
    ServerName www.nixcraft.com:443
</VirtualHost>

Save and close the file. Make sure /var/www/html/ssl exists, enter:
# mkdir -p /var/www/html/ssl
Edit /etc/httpd/conf/httpd.conf, enter:
# vi /etc/httpd/conf/httpd.conf
Make sure SSL is required for /var/www/html/ssl and set the other options for that directory, enter:

<Directory /var/www/html/ssl>
         SSLRequireSSL
         SSLOptions +StrictRequire
         SSLRequire %{HTTP_HOST} eq "www.nixcraft.com"
         ErrorDocument 403 https://www.nixcraft.com/sslerror.html
</Directory>

Now you can upload the SSL-specific PHP or HTML pages to the /var/www/html/ssl directory and access them by visiting https://www.nixcraft.com/. Do not forget to restart Apache:
# service httpd restart

Firewall Configuration

Edit /etc/sysconfig/iptables. Add the following lines, ensuring that they appear before the final DROP lines:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Save and close the file. Restart the firewall:
# service iptables restart


23 comments

1 kubrick November 21, 2009 at 11:49 am

I’ve found an article about mod_ssl for Debian systems.
I think it could be useful too.

http://www.debian-administration.org/articles/31

Cheers!

2 anonymous November 24, 2009 at 2:13 pm

This article is really helpful. Can you post article about kerberos+openldap+openafs or nfs4 with selinux enabled in CentOS.

3 Otto December 23, 2009 at 9:05 pm

Excellent!! I tried this on CentOS 5.4 and it worked fine. Thank you a lot for posting this information.

Thank you!

4 Stuart January 20, 2010 at 3:48 pm

Great article. Thanks for taking the time to write.

Stu

5 s January 26, 2010 at 11:44 pm

Very useful article! thanks!

BTW, there should be a “_” in the “HTTP_HOST” in this line from the example for httpd.conf

SSLRequire %{HTTP HOST} eq "www.nixcraft.com"

6 StEwert February 12, 2011 at 1:41 pm

If you don't want to enter the passphrase for the cert key you must do the following:

1. cd /etc/httpd/conf/ssl.key/
2. cp apachekey.pem apachekey.pem.cryp
3. openssl rsa -in apachekey.pem.cryp -out apachekey.pem
4. chmod go-rw apachekey.pem
5. rm apachekey.pem.cryp

But you must know that the private key of your certificate is then not protected by a password!

7 chris July 4, 2011 at 8:02 pm

I am getting an error message when I type the following command
$ openssl ca -in apachekey.csr -out apachecert.pem

Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
3075090140:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/private/cakey.pem','r')
3075090140:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
unable to load CA private key

8 rinku August 2, 2011 at 4:16 pm

I am getting the same error as above
$ openssl ca -in apachekey.csr -out apachecert.pem

Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
3075090140:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/private/cakey.pem','r')
3075090140:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
unable to load CA private key

9 Subbu October 3, 2011 at 6:51 am

Same error as above

Unable to load CA private key

10 Henry Truong October 13, 2011 at 11:53 pm

I got the same error too.
Anyone got this to work?

[root@vm6-swqa private]# openssl ca -in apachekey.csr -out apachecert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
4525:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
4525:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key

Thanks

11 TazMan February 28, 2012 at 12:46 pm

Me 2 ….

[root@deals360 certs]# openssl ca -in apachekey.csr -out apachecert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
14374:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
14374:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key

12 Adr March 13, 2012 at 2:51 pm

I also am getting the same error as everyone.
Really frustrating to get to the end of this tutorial only to find it doesn't work!

openssl ca -in apachekey.csr -out apachecert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
9623:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
9623:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key

13 Fatos Kuskes April 17, 2012 at 10:00 am

For “CA private key” error:
One needs to generate CA files.

# /path/to/file/CA.pl -newca (in my case, the file located at /usr/local/ssl/misc/CA.pl)
Note 1: If you don't have the /etc/pki/CA folder, then you need to create the so-named "index.txt" and "serial" files.
"index.txt" can be empty, and "serial" should have a number in it.
Note 2: While generating, the required fields should be the same as in the CSR step.

This will create the required files (cacert.pem and cakey.pem) under the autogenerated demoCA folder.
Copy the files to the required paths (in my case):
# cp /etc/pki/CA/newcerts/demoCA/cacert.pem /etc/pki/CA/cacert.pem
and
# cp /etc/pki/CA/newcerts/demoCA/private/cakey.pem /etc/pki/CA/private/cakey.pem
And now you can run
# openssl ca -in apachekey.csr -out apachecert.pem

14 lex November 17, 2012 at 6:35 am

thanks. But I cannot copy because I didn't find cacert.pem or cakey.pem T_T
help me please..

15 isa adi mulia May 21, 2012 at 3:57 pm

This works for me:
#yum install mod_ssl
#openssl genrsa -des3 -out apachekey.pem 2048
#openssl req -new -key apachekey.pem -out apachekey.csr
#openssl x509 -req -days 365 -in apachekey.csr -signkey apachekey.pem -out apachecert.pem
#mkdir /etc/pki/tls/http
#cp apachecert.pem /etc/pki/tls/http/
#cp apachekey.pem /etc/pki/tls/http/
#nano /etc/httpd/conf.d/ssl.conf
edit this line

SSLCertificateFile /etc/pki/tls/http/apachecert.pem
SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
DocumentRoot "/var/www/html/ssl"

# mkdir -p /var/www/html/ssl
# nano /etc/httpd/conf/httpd.conf
edit this line

SSLRequireSSL
SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq "your_domain.com"
ErrorDocument 403 https://your_domain.com/sslerror.html

# cd /etc/pki/tls/http
# cp apachekey.pem apachekey.pem.cryp
# openssl rsa -in apachekey.pem.cryp -out apachekey.pem
# chmod go-rw apachekey.pem
# service httpd restart

16 lex November 17, 2012 at 7:10 am

thanks. But are you sure all these lines are in /etc/httpd/conf/httpd.conf?
SSLRequireSSL
SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq "your_domain.com"
ErrorDocument 403 https://your_domain.com/sslerror.html

I didn't see them so I had to insert them, and when I typed "service httpd restart", it showed me
Syntax error on line xxx (where I inserted SSLRequireSSL.)
SSLRequireSSL not allowed here.
please help me :(

17 Rob May 29, 2013 at 4:12 am

add to the start and after.

18 xin June 24, 2013 at 4:40 pm

Hi, Rob.
I had the same question just like lex.
What do you mean by saying "add to the start and after"?
Do you mean insert into the beginning and ending of the file?

PS: are all these commands above used to set up “https”? I try to set my FreePBX website to be https, but not sure if this is the right method.

19 Michiel October 22, 2012 at 8:59 am

I don't understand why you would accept MD5 ciphers since MD5 is worthless.
I would rather expect !MD5 in the configuration.

20 Jake February 26, 2013 at 7:57 pm

Hi, how can I edit the apachekey.pem and apachekey.csr? I entered the hostname wrong. Please help.

21 IT Guy August 2, 2013 at 12:47 pm

Good effort, pity you left out some vital information regarding the CA certificate, rendering this useless.

22 Josh August 15, 2013 at 4:25 pm

This tutorial sucks and is full of errors. This should be pulled from this site. I am requesting a re-write!

23 Cody December 15, 2014 at 6:19 pm

“This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server.”

… and SSLv2, SSLv3 … shouldn’t be used… and I seem to think even when this article was written, it shouldn’t have (certainly since TLSv1 it hasn’t been suggested but I can’t remember the years nor do I really care enough to look). Even TLSv1 is considered broken (= insecure). Anything less than TLSv1.2 is and even then it has far too many weak ciphers…. and when you consider some allow weaker ciphers it is rather … a problem. Sort of like ssh: if you don’t disable v1 then it is possible for a client to use that and among other things, is vulnerable to MiTM attack.

Yes, encryption is important but equally so is to not provide a false sense of security with poor algorithms (which is just as bad if not worse than no encryption – if it for a moment provides a false sense of security but doesn’t actually deliver on the actual security (as opposed to false sense of), then it is a problem). And MD5[1] shouldn’t be used, as someone else pointed out. And to continue, unless you have customers (say) that use medium encryption ciphers, I’d not even allow that (which more and more in recent times, this is less of a problem). Frankly I’m not sure allowing it at all is worth the risk (especially in 2014). Even if it is, keep in mind the (over the years) exploits that force a client to downgrade (like say, MiTM attacks). SSLv3 shouldn’t be used, either (as above and this has been for a long time, too).

But as for those who are throwing out complaints without any suggestion of improvement, I have this to say: stop it. Either be constructive or don’t do anything at all. By all means, point out problems but to just say it sucks blah blah and nothing else… well it isn’t helpful. Yes, it could be a lot better but then again those in 2013 … it was 2009 that he wrote it and I’ll be blunt: if you rely on something from 2009 in 2013 (or onward) for security, you’ve already failed… Sorry, but that’s the truth, like it or not (that’s not to say you can’t have any value of it – certainly old things can provide insight and value, but to make use of it, depending on what extent – which this article fits in because of the content is outdated and was last year too, and… – is a mistake)

[1] I want to point out that MD5 has its uses but not for this. I mean more than file checksums, too (although that is certainly one use).
