
How to configure a secure SSL connection with Apache and AlmaLinux

Published on: 15 February 2023

AlmaLinux Apache Hosting Security

Introduction

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are two protocols that secure web communication: web traffic is wrapped in an encrypted channel so that it cannot be read or altered in transit.

In this guide, you will see how to enable an SSL certificate to be used on an Apache web server with an AlmaLinux-based system.

In the example, the SSL certificate will be self-signed: this means that it will allow secure communication between server and client but, since an official recognition by a certification authority is missing, the identity of your server cannot be certified.

Pre-Requisites

Pre-requisites: a configured and running AlmaLinux operating system on your server, and the Apache package, whose virtual hosts will be configured.

Check your Apache installation using the command:

$ sudo yum list --installed | grep httpd

In case you haven't installed Apache yet, install it via the command:

$ sudo yum install httpd

The following command enables Apache to start automatically at boot:

$ sudo systemctl enable httpd.service

Now log into your server via SSH to continue.

Installing mod_ssl

First, install the mod_ssl module, which Apache needs in order to encrypt data exchanges with SSL/TLS; the self-signed certificate will be created afterwards.

The component can be installed using the command:

$ sudo yum install mod_ssl

The module is enabled at the end of the installation and Apache loads it at its next restart. To restart Apache, use the command:

$ sudo systemctl restart httpd.service

Creating a certificate

Now that Apache is enabled for encryption, proceed by creating an SSL certificate. Certificates contain information about your site.

Each certificate is associated with a private key. Before generating the certificate, create a directory, accessible to the root user and to no one else, that will hold the private key file.

The first step is therefore to create the folder with the following command:

$ sudo mkdir /etc/ssl/private

Next, set the permissions on the directory so that only the root user can access it:

$ sudo chmod 700 /etc/ssl/private

Now that a place to store the files is available, create the SSL key and certificate with openssl, using the command:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

This command requests the creation of an SSL certificate and key. When you run it, you will be prompted for some basic information about your website.

Before proceeding, let's analyze the options of this rather complex command:

  • openssl: the command-line tool for managing SSL keys and certificates
  • req -x509: requests a certificate in X.509 format, the public key infrastructure standard used for SSL and TLS certificates
  • -nodes: skips setting a passphrase on the private key. The passphrase must be disabled because, when the server starts, Apache has to read the key file without any user intervention.
  • -days 365: sets the validity period of the certificate, in days
  • -newkey rsa:2048: specifies that, along with the certificate, a new key is to be created in the same request. The numerical value is the length of the RSA key, which in this case will be 2048 bits. A 4096-bit key, which provides greater security, can also be requested, at the cost of more computational resources during handshakes.
  • -keyout: where to save the generated private key
  • -out: where to save the certificate.

When entering the information, be careful to type the domain name or IP address of your server correctly under Common Name.

At the end of this procedure, the key and the certificate are saved in the paths given to -keyout and -out, in subfolders of /etc/ssl.
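As an added example (not part of the original tutorial), the following script generates the same kind of self-signed pair non-interactively and then checks, before Apache is pointed at the files, that the private key really belongs to the certificate and that the certificate was issued for the intended host. It also adds a subjectAltName, which current browsers check instead of the Common Name; make_selfsigned, verify_pair, the host name and the output directory are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate a self-signed
# key/certificate pair non-interactively and verify that the two belong
# together before Apache is configured to use them.
# make_selfsigned, verify_pair, HOST and OUTDIR are names chosen here.

# make_selfsigned HOST OUTDIR -> writes OUTDIR/HOST.key and OUTDIR/HOST.crt
make_selfsigned() {
  host="$1"; outdir="$2"
  mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
  # -subj replaces the interactive prompts; -addext adds a subjectAltName,
  # which browsers check instead of the Common Name (needs openssl >= 1.1.1).
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null || return 1
  chmod 600 "$outdir/$host.key"   # private key readable by root only
}

# verify_pair CRT KEY HOST -> 0 if KEY matches CRT and CRT was issued for HOST
verify_pair() {
  crt="$1"; key="$2"; host="$3"
  # The public key inside the certificate must equal the one derived from the key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ] || return 1
  # The certificate must name the host you are going to serve (SAN, or CN if no SAN).
  openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
    | grep -q 'does match' || return 1
}
```

Run verify_pair against the files named in your Apache configuration whenever you replace a certificate, since a key that does not match its certificate stops httpd from starting.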

Configuring Apache to use SSL

At this step, add to the Apache configuration the entries needed to use the SSL certificate. On AlmaLinux, the Apache directory layout lets you add new configuration files in the /etc/httpd/conf.d directory. The files must have the .conf extension and, as for any change to the Apache configuration, the service has to be reloaded for the changes to take effect.

On a previously configured virtual host, add the options related to SSL in a new file.

Create a new file in the directory given above to add the new options to the Apache configuration (nomedominio is a placeholder for your domain name). Use the command:

$ sudo vi /etc/httpd/conf.d/nomedominio.conf

Once the text editor is open, enter the following instructions to specify the options related to the SSL certificates:

<VirtualHost *:443>
 ServerName nomedominio
 DocumentRoot /var/www/prova-ssl
 SSLEngine on
 # these paths must match the -out and -keyout arguments of the openssl command above
 SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
 SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>

Instead of nomedominio, enter the full name of your domain or its IP address. The value must match the Common Name entered when creating the certificate.

The remaining lines tell Apache where to find the certificate and its private key: they must be exactly the paths the openssl command wrote to.

The directory selected with the DocumentRoot option must also exist. Create it with the command:

$ sudo mkdir /var/www/prova-ssl

Within this directory, an index.html file can be created so that you have a test page to open when you try the SSL connection to your domain.

$ sudo vi /var/www/prova-ssl/index.html

The file can contain anything, as long as it is valid HTML.

An example:

<h1>Questa è una pagina di prova HTML</h1>

Once the different files have been created, a syntax check of the instructions written in this step of the tutorial is necessary.

The "spellcheck" of the configuration files is performed with the command:

$ sudo apachectl configtest

Regardless of any warnings that may appear in the output, your goal is simply to obtain the Syntax OK message in response to this command. It means that the configuration you wrote contains no syntax errors.
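As an added check (not part of the original tutorial), the following script reads the SSLCertificateFile and SSLCertificateKeyFile paths out of a vhost file like the one above and confirms that the certificate exists and parses and that the key file exists and is not readable by group or others, a permission problem that configtest does not report. check_ssl_conf is a name chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: before running
# "apachectl configtest", confirm that every SSLCertificateFile /
# SSLCertificateKeyFile path in a vhost file exists, that the certificate
# parses, and that the key is not readable by group or others.
# check_ssl_conf is a name chosen here.

# check_ssl_conf CONF -> 0 if all referenced files are usable, 1 otherwise
check_ssl_conf() {
  conf="$1"; rc=0
  [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
  # Take the path argument of each directive; commented-out lines are skipped
  # because the pattern only matches a directive at the start of the line.
  for crt in $(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]\{1,\}//p' "$conf"); do
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
      echo "certificate missing or not parseable: $crt"; rc=1
    fi
  done
  for key in $(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]\{1,\}//p' "$conf"); do
    if [ ! -f "$key" ]; then
      echo "key file not found: $key"; rc=1
    # Group and other permission bits must all be off (mode 600 or stricter).
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
      echo "key readable by group or others: $key"; rc=1
    fi
  done
  return "$rc"
}
```

Run it as root against /etc/httpd/conf.d/nomedominio.conf, or any other vhost file, before apachectl configtest; a non-zero exit and the printed path tell you which file to fix.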

After checking, reload the Apache service to apply the changes:

$ sudo systemctl reload httpd

Now, the connection to your domain can be tested over HTTPS. To do so, in the address bar, prefix the domain name with https:// to connect to the site via an HTTPS connection.

If everything is ok, the browser will report that the certificate issued for that site cannot be verified, as it was issued by an unknown authority. This is expected: the certificate check was attempted and failed only for the reasons given at the beginning of this guide, related to the use of a 'self-made', self-signed certificate.

Although it might seem that the browser prevents you from accessing the website, this can be overridden by clicking on Advanced or on More information (depending on the browser used) and locating the option to continue to the web page.

Once these steps have been completed, what remains is to redirect every HTTP request to HTTPS.

Redirecting HTTP traffic to HTTPS

With the configuration set up so far, Apache answers only HTTPS requests, on port 443. Accepting requests on port 80 (HTTP) as well, and redirecting them to an HTTPS connection, is both possible and advisable.

To do so, reopen the configuration file created in the previous steps:

$ sudo vi /etc/httpd/conf.d/nomedominio.conf

At the end of the file, create a new virtual host that responds on port 80. Unlike the previous block, it only needs a ServerName, to specify which domain it refers to, and a Redirect directive that sends every request it receives to the other virtual host, the one serving SSL. Without a status argument, Redirect answers with a temporary (302) redirect; use Redirect permanent if you want a 301 instead.

To do this, the syntax of the block to be added to the configuration file will be as follows:

<VirtualHost *:80>
 ServerName nomedominio
 Redirect / https://nomedominio/
</VirtualHost>

As for the previous step, check the syntax and apply the changes using the command pair:

$ sudo apachectl configtest
$ sudo systemctl reload httpd

If everything has been done correctly, when you enter the address of your domain with the http:// prefix, you will automatically be taken to the https:// address of the page.

Conclusions

By the end of the tutorial, you will have learnt to generate a self-signed certificate and redirect any HTTP request to an HTTPS request.

Remember that, if you want to provide a secure SSL connection on a public site, you will need a certificate for your domain name issued by a recognised certification authority.

You can purchase one from Actalis, Aruba's Certification Authority, by browsing https://shop.actalis.com and choosing the certificate. Actalis sells SSL certificates valid for 1 year, also in the OV (Organization Validation) and EV (Extended Validation) classes, which certify the company's identity and offer a greater guarantee of trust.