{"id":844,"date":"2013-07-18T17:01:45","date_gmt":"2013-07-18T17:01:45","guid":{"rendered":"http:\/\/codebangers.com\/?p=844"},"modified":"2013-07-18T17:02:11","modified_gmt":"2013-07-18T17:02:11","slug":"844","status":"publish","type":"post","link":"https:\/\/codebangers.com\/844\/","title":{"rendered":"Configure HTTPS with Linux"},"content":{"rendered":"

. Getting the required software<\/h2>\n

For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache’s interface to OpenSSL.\u00a0Use yum to get them if you need them.<\/p>\n

 <\/p>\n

yum install mod_ssl openssl<\/pre>\n
Yum will either tell you they are installed or will install them for you.<\/p>\n
 <\/p>\n
2. Generate a self-signed certificate<\/h2>\n
Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you are probably likely to want a key from Trusted Certificate Authority, but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine. To create the key you will need to be root so you can either su to root or use sudo in front of the commands<\/p>\n
 <\/p>\n
# Generate private key \r\nopenssl genrsa -out ca.key 1024 \r\n\r\n# Generate CSR \r\nopenssl req -new -key ca.key -out ca.csr\r\n\r\n# Generate Self Signed Key\r\nopenssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt\r\n\r\n# Copy the files to the correct locations\r\ncp ca.crt \/etc\/pki\/tls\/certs\r\ncp ca.key \/etc\/pki\/tls\/private\/ca.key\r\ncp ca.csr \/etc\/pki\/tls\/private\/ca.csr<\/pre>\n
\n\n\n\n
\"\"<\/td>\nWARNING:<\/strong>\u00a0Make sure that you\u00a0copy<\/strong>\u00a0the files and do not\u00a0move<\/strong>\u00a0them if you use SELinux. Apache will complain about missing certificate files otherwise, as it cannot read them because the certificate files do not have the right SELinux context.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
If you have moved the files and not copied them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for \/etc\/pki\/* come with the bundled SELinux policy.<\/p>\n
 <\/p>\n
restorecon -RvF \/etc\/pki<\/pre>\n
Then we need to update the Apache SSL configuration file<\/p>\n
 <\/p>\n
vi +\/SSLCertificateFile \/etc\/httpd\/conf.d\/ssl.conf<\/pre>\n
Change the paths to match where the Key file is stored. If you’ve used the method above it will be<\/p>\n
 <\/p>\n
SSLCertificateFile \/etc\/pki\/tls\/certs\/ca.crt<\/pre>\n
Then set the correct path for the Certificate Key File a few lines below. If you’ve followed the instructions above it is:<\/p>\n
 <\/p>\n
SSLCertificateKeyFile \/etc\/pki\/tls\/private\/ca.key<\/pre>\n
Quit and save the file and then restart Apache<\/p>\n
 <\/p>\n
\/etc\/init.d\/httpd restart<\/pre>\n
All being well you should now be able to connect over https to your server and see a default Centos page. As the certificate is self signed browsers will generally ask you whether you want to accept the certificate. Firefox 3 won’t let you connect at all but you can override this.<\/p>\n
 <\/p>\n
3. Setting up the virtual hosts<\/h2>\n
Just as you set\u00a0VirtualHosts<\/a>\u00a0for http on port 80 so you do for https on port 443. A typical\u00a0VirtualHost<\/a>\u00a0for a site on port 80 looks like this<\/p>\n
 <\/p>\n
<VirtualHost *:80>\r\n        <Directory \/var\/www\/vhosts\/yoursite.com\/httpdocs>\r\n        AllowOverride All\r\n        <\/Directory>\r\n        DocumentRoot \/var\/www\/vhosts\/yoursite.com\/httpdocs\r\n        ServerName yoursite.com\r\n<\/VirtualHost><\/pre>\n
To add a sister site on port 443 you need to add the following at the top of your file<\/p>\n
 <\/p>\n
NameVirtualHost *:443<\/pre>\n
and then a\u00a0VirtualHost<\/a>\u00a0record something like this:<\/p>\n
 <\/p>\n
<VirtualHost *:443>\r\n        SSLEngine on\r\n        SSLCertificateFile \/etc\/pki\/tls\/certs\/ca.crt\r\n        SSLCertificateKeyFile \/etc\/pki\/tls\/private\/ca.key\r\n        <Directory \/var\/www\/vhosts\/yoursite.com\/httpsdocs>\r\n        AllowOverride All\r\n        <\/Directory>\r\n        DocumentRoot \/var\/www\/vhosts\/yoursite.com\/httpsdocs\r\n        ServerName yoursite.com\r\n<\/VirtualHost><\/pre>\n
Restart Apache again using<\/p>\n
 <\/p>\n
\/etc\/init.d\/httpd restart<\/pre>\n
 <\/p>\n
4. Configuring the firewall<\/h2>\n
You should now have a site working over https using a self-signed certificate. If you can’t connect you may need to open the port on your firewall. To do this amend your iptables rules:<\/p>\n
 <\/p>\n
iptables -A INPUT -p tcp --dport 443 -j ACCEPT\r\n\/sbin\/service iptables save\r\niptables -L -v<\/pre>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
. Getting the required software For an SSL encrypted web server you will need a few things. Depending on your install you […]<\/p>\n","protected":false},"author":2,"featured_media":100,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,30,15],"tags":[],"class_list":["post-844","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apache2","category-howto","category-linux-1"],"_links":{"self":[{"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/posts\/844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/comments?post=844"}],"version-history":[{"count":3,"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/posts\/844\/revisions"}],"predecessor-version":[{"id":848,"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/posts\/844\/revisions\/848"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/media\/100"}],"wp:attachment":[{"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/media?parent=844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/categories?post=844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codebangers.com\/wp-json\/wp\/v2\/tags?post=844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}