[Linux] Install Apache SSL Certificate


Writing time : 2017-08-17 19:06:18

Install Apache SSL Certificate

Buy an SSL certificate from www.ssls.com and install it on CentOS.

https://www.ssls.com/ssl-certificates/comodo-positivessl

A Comodo PositiveSSL certificate costs $14.97 for 3 years or $4.99 for 1 year; subdomains are not supported.

Purchase certificate


To purchase a certificate, go to ssls.com and click the button with the cart icon on the right to add it to your shopping cart.

[Screenshot: SSL certificate generation purchase site access]

Click the CHECKOUT button and pay by card or PayPal.

After the purchase, a screen appears where you paste the CSR used to issue the certificate.

CSR file creation


Create the CSR file with the openssl command.

In the command below, replace site-domain with your domain name, for example naver.com.

Enter the details used for the request, such as Country and State. Leave the challenge password and optional company name empty by pressing Enter.

# openssl req -new -newkey rsa:2048 -nodes -keyout site-domain.key -out site-domain.csr  
Generating a 2048 bit RSA private key  
............................................+++  
..............................................................................................................................................................................  
Country Name (2 letter code) [XX]:KR  
State or Province Name (full name) []:Gyeonggi-do  
Locality Name (eg, city) [Default City]:Ansan-si  
Organization Name (eg, company) [Default Company Ltd]:Bonmade Ltd  
Organizational Unit Name (eg, section) []:dev team  
Common Name (eg, your name or your server's hostname) []:site-domain  
Email Address []:appmania78@gmail.com  
  
Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:  

When all the information has been entered, the .csr and .key files are created.

# ls -l  
합계 44  
-rw-------. 1 root root 1305  8월 10  2015 anaconda-ks.cfg  
-rw-r--r--  1 root root 1078  8월 17 15:45 site-domain.csr  
-rw-r--r--  1 root root 1704  8월 17 15:45 site-domain.key  

The .csr file is registered at ssls.com and the .key file is uploaded to the Apache server, so keep both. The key file is the private key and was written without a passphrase (-nodes), so it must not be readable by other users: the listing above shows it as mode 644, so tighten it with chmod 600 site-domain.key before copying it to the server.

Copy the contents of the .csr file into the form at ssls.com. Paste everything from the -----BEGIN CERTIFICATE REQUEST----- line through the -----END CERTIFICATE REQUEST----- line, including both markers.

The certificate covers the domain both with and without the www prefix.

Choose whether the server is Tomcat or not.

Since the certificate will be installed on Apache, select the non-Tomcat option shown below.

Domain ownership can be verified by e-mail or by file upload; select file upload.

Next, you need to upload a file to prove that you own the domain.

First, download the text file by clicking SAVE ACTIVATION FILE in the upper right corner. Then create the .well-known/pki-validation directory under the web root of the domain being validated and upload the downloaded file into it.

Open http://site-domain/.well-known/pki-validation/<name of the downloaded text file> in a browser and confirm that the contents of the file are displayed.

Now wait a while; the SSL certificate files will be sent by e-mail.

Modify the httpd.conf file


Register the certificate by editing the httpd.conf file.

Add a VirtualHost for port 443 that references the two files received by e-mail (the certificate and the CA bundle) and the site-domain.key file created together with the CSR, which you have uploaded to the server, as follows.

# vi /etc/httpd/conf/httpd.conf  


<VirtualHost *:443>  
    DocumentRoot /var/www/html/webfile  
    ServerName www.site-domain  
    SSLEngine on  
    # certificate received by e-mail  
    SSLCertificateFile /etc/httpd/conf/ssl/quote-plus_com.crt  
    # private key created together with the CSR (keep it mode 600, owned by root)  
    SSLCertificateKeyFile /etc/httpd/conf/ssl/quote-plus.com.key  
    # intermediate CA bundle received by e-mail (obsolete since Apache 2.4.8,  
    # where the chain is appended to the SSLCertificateFile instead)  
    SSLCertificateChainFile /etc/httpd/conf/ssl/quote-plus_com.ca-bundle  
</VirtualHost>  

Check 443 Port Listen


Since https uses port 443, check with the netstat command whether httpd is listening on port 443.

# netstat -tnlp  
Active Internet connections (only servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1444/master  
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1466/mysqld  
tcp        0      0 0.0.0.0:1202            0.0.0.0:*               LISTEN      20783/sshd  
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      12315/dnsmasq  
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      31941/cupsd  
tcp6       0      0 ::1:25                  :::*                    LISTEN      1444/master  
tcp6       0      0 :::80                   :::*                    LISTEN      8184/httpd  
tcp6       0      0 :::1202                 :::*                    LISTEN      20783/sshd  
tcp6       0      0 :::21                   :::*                    LISTEN      11236/vsftpd  
tcp6       0      0 ::1:631                 :::*                    LISTEN      31941/cupsd  

If nothing is listening on port 443, check whether openssl and mod_ssl are installed.

# yum list installed openssl  
# yum list installed mod_ssl  

Install whichever module is missing and restart Apache.

# yum -y install openssl  
# yum -y install mod_ssl  
# service httpd restart  

Checking again with the netstat command shows that port 443 is now listening.

# netstat -tnlp  
Active Internet connections (only servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1444/master  
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1466/mysqld  
tcp        0      0 0.0.0.0:1202            0.0.0.0:*               LISTEN      20783/sshd  
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      12315/dnsmasq  
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      31941/cupsd  
tcp6       0      0 ::1:25                  :::*                    LISTEN      1444/master  
tcp6       0      0 :::443                  :::*                    LISTEN      8654/httpd  
tcp6       0      0 :::80                   :::*                    LISTEN      8654/httpd  
tcp6       0      0 :::1202                 :::*                    LISTEN      20783/sshd  
tcp6       0      0 :::21                   :::*                    LISTEN      11236/vsftpd  
tcp6       0      0 ::1:631                 :::*                    LISTEN      31941/cupsd  
[root@localhost ~]#  

Resolving httpd restart error


If the following error appears when you restart the service after editing httpd.conf, find the cause with the systemctl status httpd.service command.

It is usually caused by a wrong path to a certificate or key file; in the log below, SSLCertificateKeyFile points at a file that does not exist.

# service httpd restart  
Redirecting to /bin/systemctl restart  httpd.service  
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.  


# systemctl status httpd.service  
● httpd.service - The Apache HTTP Server  
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)  
Active: failed (Result: exit-code) since 목 2017-08-17 18:34:30 KST; 5s ago  
Docs: man:httpd(8)  
man:apachectl(8)  
Process: 9766 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)  
Process: 9764 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)  
Main PID: 9764 (code=exited, status=1/FAILURE)  
  
8월 17 18:34:30 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...  
8월 17 18:34:30 localhost.localdomain httpd[9764]: AH00526: Syntax error on line 202 of /etc/httpd/conf/httpd.conf:  
8월 17 18:34:30 localhost.localdomain httpd[9764]: SSLCertificateKeyFile: file '/etc/ssl/crt/site-domain.key' does not exist or is empty  
8월 17 18:34:30 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE  
8월 17 18:34:30 localhost.localdomain kill[9766]: kill: cannot find process ""  
8월 17 18:34:30 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1  
8월 17 18:34:30 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.  
8월 17 18:34:30 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.  
8월 17 18:34:30 localhost.localdomain systemd[1]: httpd.service failed.  
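
The failure above can be caught before httpd is restarted. The following Python script is added here as an example and is not code from the original post: it reads the SSL file directives from a VirtualHost snippet and applies the same test httpd does (the file must exist and be non-empty), and additionally flags a private key that other users can read. The demo() function runs it over constructed files in a temporary directory, with the key path deliberately wrong as in the log above and an empty CA bundle; all paths and file contents in it are constructed.

```python
"""Preflight check for the SSL file directives of an Apache VirtualHost.

Added example (not code from the original post). It reproduces the condition
httpd logs as AH00526 "does not exist or is empty" before the service is
restarted, and also flags a private key that group or others can read.
"""
import os
import stat
import tempfile

# Directives that must point at a readable, non-empty PEM file.
FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")


def parse_ssl_paths(config_text):
    """Return {directive: path} for the SSL file directives in a config snippet."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in FILE_DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def check_ssl_files(config_text):
    """Return a list of problems; an empty list means httpd should accept the files."""
    problems = []
    paths = parse_ssl_paths(config_text)
    for required in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if required not in paths:
            problems.append("%s is not set" % required)
    for directive, path in paths.items():
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            # the same wording httpd logs as AH00526 at restart time
            problems.append("%s: file '%s' does not exist or is empty" % (directive, path))
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if b"-----BEGIN" not in head:
            problems.append("%s: '%s' is not a PEM file" % (directive, path))
        if directive == "SSLCertificateKeyFile":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:  # any group/other permission bit set
                problems.append("%s: '%s' has mode %04o, readable by other users; chmod 600 it"
                                % (directive, path, mode))
    return problems


def demo():
    """Run the check against constructed files in a temporary directory.

    Case 1 mirrors the failure in the post: the key path is wrong, so only the
    certificate exists, and the CA bundle was uploaded as an empty file.
    Case 2 has correct paths but a world-readable key, as in the ls -l listing.
    """
    tmp = tempfile.mkdtemp()
    crt = os.path.join(tmp, "site-domain.crt")
    key = os.path.join(tmp, "site-domain.key")
    empty_bundle = os.path.join(tmp, "site-domain.ca-bundle")
    missing_key = os.path.join(tmp, "wrong-dir", "site-domain.key")  # constructed typo path
    with open(crt, "w") as fh:  # constructed PEM-looking content, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:  # constructed PEM-looking content, not a real key
        fh.write("-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n")
    open(empty_bundle, "w").close()
    os.chmod(key, 0o644)  # deliberately too open

    wrong_path_config = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile %s
    SSLCertificateKeyFile %s
    SSLCertificateChainFile %s
</VirtualHost>
""" % (crt, missing_key, empty_bundle)
    open_key_config = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile %s
    SSLCertificateKeyFile %s
</VirtualHost>
""" % (crt, key)
    return check_ssl_files(wrong_path_config), check_ssl_files(open_key_config)


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

Run it against the VirtualHost block after editing httpd.conf and before service httpd restart; apachectl configtest then covers the rest of the syntax.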

https test and certificate verification


Restart the service and open the site over https in a browser; it will show as a secure site.

# service httpd restart  

Now check the installed certificate.
Press F12 in Chrome to open the developer tools, then click View certificate in the Security tab.

Check the validity period of the certificate and renew it before it expires.

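The same check can be automated so that an expiring certificate is noticed before the browser complains. This Python script is an added example, not code from the original post; SAMPLE_CERT is a constructed dictionary in the shape that ssl.SSLSocket.getpeercert() returns, with site-domain as a hypothetical host name and dates chosen to match a 3-year certificate bought in August 2017, and fetch_peer_cert() pulls the live certificate from a server when run against a real host.

```python
"""Report validity period and covered names of a server certificate.

Added example (not code from the original post). The standard-library ssl
module is enough for this, so it can run from a cron job on the server.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "site-domain"),),),
    "issuer": ((("commonName", "Example Issuing CA (constructed)"),),),
    "subjectAltName": (("DNS", "site-domain"), ("DNS", "www.site-domain")),
    "notBefore": "Aug 17 00:00:00 2017 GMT",
    "notAfter": "Aug 16 23:59:59 2020 GMT",
}


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def needs_renewal(cert, warn_days=30, now=None):
    """True when the certificate expires within warn_days (or already has)."""
    return days_until_expiry(cert, now) <= warn_days


def covered_names(cert):
    """DNS names the certificate is valid for: SAN entries, falling back to the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return sorted(names)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents, verified like a browser would."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(host, warn_days=30):
    """Summary a monitoring job can act on; raises ssl.SSLError on a bad chain."""
    cert = fetch_peer_cert(host)
    return {
        "host": host,
        "names": covered_names(cert),
        "days_left": days_until_expiry(cert),
        "renew": needs_renewal(cert, warn_days),
    }


if __name__ == "__main__":
    # Offline run over the constructed sample as seen one month before expiry.
    as_of = datetime(2020, 7, 17, tzinfo=timezone.utc)
    print(covered_names(SAMPLE_CERT), days_until_expiry(SAMPLE_CERT, as_of),
          needs_renewal(SAMPLE_CERT, now=as_of))
```

report("www.site-domain") against the live server also fails with ssl.SSLError when the chain file is missing or wrong, which is the other symptom the browser would show.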

http redirect


To redirect http to https, create a .htaccess file in the document root and add the rules below. mod_rewrite must be loaded and AllowOverride must permit FileInfo for that directory, otherwise the file is ignored.
There are guides saying you can add it to httpd.conf instead, but that didn't work for me, so I added it to .htaccess.

RewriteEngine On  
# redirect any request that did not arrive over TLS to the same path on https  
RewriteCond %{HTTPS} !=on  
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]  

Reference URL


http://egloos.zum.com/guswl47/v/6514311

https://www.instantssl.com/ssl-certificate-support/cert_installation/ssl-certificate-mod_ssl.html

https://wiki.kldp.org/HOWTO/html/SSL-RedHat-HOWTO/ssl-redhat-howto-4.html
