Install Apache SSL Certificate
Buy an SSL certificate from www.ssls.com and install it on CentOS.
https://www.ssls.com/ssl-certificates/comodo-positivessl
The Comodo PositiveSSL certificate costs $14.97 for 3 years or $4.99 for 1 year; subdomains are not supported.
To purchase a certificate, go to ssls.com and click the button with the cart icon on the right to add it to your shopping cart.
Click the CHECKOUT button to pay by card or PayPal.
Once the purchase goes through, you are shown a screen where you paste the CSR from which the certificate will be issued.
Create the CSR file with the openssl command.
In the command below, replace site-domain with the actual domain name, such as naver.com.
Enter the information used for the request, such as Country and State, and leave the challenge password and optional company name empty by pressing Enter.
# openssl req -new -newkey rsa:2048 -nodes -keyout site-domain.key -out site-domain.csr
Generating a 2048 bit RSA private key
............................................+++
..............................................................................................................................................................................
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Gyeonggi-do
Locality Name (eg, city) [Default City]:Ansan-si
Organization Name (eg, company) [Default Company Ltd]:Bonmade Ltd
Organizational Unit Name (eg, section) []:dev team
Common Name (eg, your name or your server's hostname) []:site-domain
Email Address []:appmania78@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
When all the information has been entered, the csr file and the key file are created.
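As an added example (not part of the original post), the same key and CSR can be generated without the interactive prompts, which makes the step repeatable and lets you check the result before pasting the CSR into ssls.com. The subject fields other than the domain, and the output directory, are assumptions passed in as parameters; the -nodes option writes an unencrypted private key exactly as the post does, so the script also makes sure that key is readable by its owner only.

```shell
#!/bin/sh
# Added example: generate an RSA key and CSR for a domain non-interactively,
# then verify the CSR and the key before sending the CSR to the CA.
# Subject fields other than CN are placeholders; replace them with your own.

# make_csr DOMAIN OUTDIR -> writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
make_csr() {
    domain="$1"      # e.g. example.com (a constructed placeholder in the test)
    outdir="$2"      # directory that receives the key and the CSR
    mkdir -p "$outdir"
    # -nodes leaves the private key unencrypted (as in the post), so restrict
    # the file mode at creation time; the subshell keeps the umask change local.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$domain.key" \
            -out "$outdir/$domain.csr" \
            -subj "/C=KR/ST=Gyeonggi-do/L=Ansan-si/O=Example Ltd/OU=dev team/CN=$domain" \
            >/dev/null 2>&1
    )
}

# csr_cn CSRFILE -> prints the Common Name (the domain the cert will cover)
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_ok CSRFILE KEYFILE -> exit 0 only if the CSR's own signature verifies
# and the private key passes openssl's consistency check
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 \
        && openssl rsa -in "$2" -check -noout >/dev/null 2>&1
}

# key_mode FILE -> prints the octal permission bits (GNU stat, BSD fallback)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run it as `make_csr naver.com /root/csr` and then `csr_cn /root/csr/naver.com.csr` to confirm the Common Name before submitting; a CSR issued for the wrong name is the most common reason a certificate has to be re-issued.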
#ls -l
합계 44
-rw-------. 1 root root 1305 8월 10 2015 anaconda-ks.cfg
-rw-r--r-- 1 root root 1078 8월 17 15:45 site-domain.csr
-rw-r--r-- 1 root root 1704 8월 17 15:45 site-domain.key
The csr file must be registered at ssls.com, and the key file must be uploaded to the Apache server later, so keep the key file safe: it is the private key for the certificate.
Copy the contents of the csr file and paste it into ssls.com, including everything from the -----BEGIN line through the -----END line.
The certificate supports both domains with and without www.
Choose the server type: Tomcat or not.
Since the certificate is going to be installed on Apache, select the non-Tomcat option below.
Domain ownership is verified by file upload, so among the verification methods (e-mail or file) select file upload.
Next, you need to upload a file to prove that you own the domain.
First, download the text file by clicking SAVE ACTIVATION FILE in the upper right corner, then create the .well-known/pki-validation folder under the web root of the domain being validated and upload the downloaded file there.
Open site-domain/.well-known/pki-validation/<name of the downloaded text file> in a browser and check that the contents of the text file are displayed.
Now wait a while, and the SSL certificate files will be sent by e-mail.
Register the certificate by editing the httpd.conf file.
Add a VirtualHost for port 443 that points to the two files received by e-mail (the certificate and the CA bundle) and to the site-domain.key file that was created together with the CSR and uploaded to the server, as follows.
#vi /etc/httpd/conf/httpd.conf
<VirtualHost *:443>
    DocumentRoot /var/www/html/webfile
    ServerName www.site-domain
    SSLEngine on
    # certificate received by e-mail
    SSLCertificateFile /etc/httpd/conf/ssl/quote-plus_com.crt
    # private key created together with the CSR (keep it readable by root only)
    SSLCertificateKeyFile /etc/httpd/conf/ssl/quote-plus.com.key
    # CA bundle received by e-mail
    SSLCertificateChainFile /etc/httpd/conf/ssl/quote-plus_com.ca-bundle
</VirtualHost>
Since https uses port 443, check with the netstat command whether httpd is listening on port 443.
# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1444/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1466/mysqld
tcp 0 0 0.0.0.0:1202 0.0.0.0:* LISTEN 20783/sshd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 12315/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 31941/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1444/master
tcp6 0 0 :::80 :::* LISTEN 8184/httpd
tcp6 0 0 :::1202 :::* LISTEN 20783/sshd
tcp6 0 0 :::21 :::* LISTEN 11236/vsftpd
tcp6 0 0 ::1:631 :::* LISTEN 31941/cupsd
If nothing is listening on port 443, check whether openssl and mod_ssl are installed.
# yum list installed openssl
# yum list installed mod_ssl
Install whichever package is missing and restart Apache.
#yum -y install openssl
#yum -y install mod_ssl
#service httpd restart
If you check again with the netstat command, port 443 is now listening.
# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1444/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1466/mysqld
tcp 0 0 0.0.0.0:1202 0.0.0.0:* LISTEN 20783/sshd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 12315/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 31941/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1444/master
tcp6 0 0 :::443 :::* LISTEN 8654/httpd
tcp6 0 0 :::80 :::* LISTEN 8654/httpd
tcp6 0 0 :::1202 :::* LISTEN 20783/sshd
tcp6 0 0 :::21 :::* LISTEN 11236/vsftpd
tcp6 0 0 ::1:631 :::* LISTEN 31941/cupsd
[root@localhost ~]#
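As an added example (not from the original post), the check above can be scripted so that a deployment or monitoring job decides from the netstat -tnlp output whether anything listens on a given port. The awk filter has to handle both the IPv4 form of the Local Address column (0.0.0.0:443) and the IPv6 form shown in the post (:::443), which is why it takes the text after the last colon rather than splitting on the first one. The sample output embedded below is constructed to mirror the listing in the post.

```shell
#!/bin/sh
# Added example: find the process listening on a TCP port from netstat output.
# Works with `netstat -tnlp` (numeric ports, listening sockets, PID/Program).

# port_listeners PORT < netstat-output -> prints PID/Program for each match
port_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local Address is field 4; the port is whatever follows the last
            # colon, which also covers the IPv6 "any" address ":::443".
            n = split($4, a, ":")
            if (a[n] == port) print $7
        }'
}

# has_listener PORT < netstat-output -> exit 0 if at least one listener exists
has_listener() {
    [ -n "$(port_listeners "$1")" ]
}

# Constructed sample, modelled on the listing after mod_ssl was installed.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1444/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1466/mysqld
tcp6 0 0 :::443 :::* LISTEN 8654/httpd
tcp6 0 0 :::80 :::* LISTEN 8654/httpd'

# Against the live system (PID/Program names need root):
#   netstat -tnlp | has_listener 443 || echo "httpd is not listening on 443"
```

Because the function only reports sockets in LISTEN state, a port that is open but owned by an unexpected program (the sample shows mysqld bound to 0.0.0.0:3306, for instance) is easy to spot by printing the PID/Program column rather than just the port.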
If the following error occurs when you restart the service after editing httpd.conf, find the cause with the systemctl status httpd.service command.
It usually means the path to one of the certificate files is wrong.
# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 목 2017-08-17 18:34:30 KST; 5s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 9766 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 9764 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 9764 (code=exited, status=1/FAILURE)
8월 17 18:34:30 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
8월 17 18:34:30 localhost.localdomain httpd[9764]: AH00526: Syntax error on line 202 of /etc/httpd/conf/httpd.conf:
8월 17 18:34:30 localhost.localdomain httpd[9764]: SSLCertificateKeyFile: file '/etc/ssl/crt/site-domain.key' does not exist or is empty
8월 17 18:34:30 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
8월 17 18:34:30 localhost.localdomain kill[9766]: kill: cannot find process ""
8월 17 18:34:30 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
8월 17 18:34:30 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
8월 17 18:34:30 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
8월 17 18:34:30 localhost.localdomain systemd[1]: httpd.service failed.
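The failure above is the kind a pre-flight check catches before httpd is ever restarted. As an added example (not from the original post), the script below reads the SSLCertificate* directives out of a config file, confirms that each referenced file exists and is not empty (the AH00526 condition in the log), confirms that the private key actually belongs to the certificate (a wrong but existing key file makes httpd start and then fail every TLS handshake), and refuses an already expired certificate. The config file path is a parameter; the test uses a constructed self-signed certificate in place of the CA-issued files.

```shell
#!/bin/sh
# Added example: pre-flight check of an Apache SSL VirtualHost configuration.

# conf_get FILE DIRECTIVE -> prints the first value of DIRECTIVE (indentation ignored)
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# key_matches_cert CERT KEY -> exit 0 if both yield the same public key
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_ssl_vhost CONF -> exit 0 when the config is safe to load, otherwise
# print what is wrong and exit 1
check_ssl_vhost() {
    conf="$1"
    cert=$(conf_get "$conf" SSLCertificateFile)
    key=$(conf_get "$conf" SSLCertificateKeyFile)
    chain=$(conf_get "$conf" SSLCertificateChainFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "SSLCertificateFile and SSLCertificateKeyFile are both required"
        return 1
    fi
    status=0
    for f in "$cert" "$key" "$chain"; do
        [ -z "$f" ] && continue            # the chain file is optional
        if [ ! -s "$f" ]; then             # same test httpd applies (AH00526)
            echo "missing or empty: $f"
            status=1
        fi
    done
    [ "$status" -eq 0 ] || return "$status"
    if ! key_matches_cert "$cert" "$key"; then
        echo "private key $key does not match certificate $cert"
        return 1
    fi
    # -checkend N exits non-zero if the cert expires within N seconds:
    # 0 means already expired (fail), 2592000 s = 30 days (warn only).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate $cert has expired"
        return 1
    fi
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || echo "warning: certificate $cert expires within 30 days"
    return 0
}

# Typical use before `service httpd restart`:
#   check_ssl_vhost /etc/httpd/conf/httpd.conf && service httpd restart
```

The 30-day warning is the scriptable form of the advice further down to watch the validity period and renew before expiry; run the check from cron and it tells you weeks ahead instead of a browser warning telling your users.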
Once the paths are correct, restart the service and open the site over https in your browser; it is now shown as a site with a valid certificate.
# service httpd restart
Now let's check the installed certificate.
Press F12 in Chrome to open the developer tools, and click the View certificate button in the Security tab to inspect the certificate.
Check the validity period on the certificate and renew it before it expires.
To redirect http to https, create a .htaccess file and add the rules below.
Some sources say it can be added to httpd.conf instead, but it didn't work, so I added it to .htaccess.
# mod_rewrite rules are ignored in .htaccess unless the engine is switched on
RewriteEngine On
# when the request did not arrive over TLS, redirect the same host and path to https
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
http://egloos.zum.com/guswl47/v/6514311
https://wiki.kldp.org/HOWTO/html/SSL-RedHat-HOWTO/ssl-redhat-howto-4.html