Step by Step: How to install Apache Web Server and deploy an SSL (HTTPS) enabled site?

In this post we will go through step-by-step instructions for installing the Apache web server. After the installation we will create an SSL certificate signing request (CSR) to obtain the certificates from a Certificate Authority, then deploy the SSL certificates on the Apache web server. We will also learn how to modify browser settings to make the certificate work when the site is accessed from outside the corporate intranet, where the root certificates are not installed on the machine.

Apache web server Installation

Step 1: Install Apache web server, Apache Manual and SSL Module.

# First log in as root
sudo su -

# Linux will ask for the password and then show that you are logged in as root.

# Install the Apache web server, Apache manual, SSL module and Lynx browser packages
yum -y install httpd httpd-manual mod_ssl lynx

Step 2: Check whether httpd (the Apache web server service) is installed and enabled.

systemctl list-unit-files | grep httpd

In case Apache is not enabled, use this command to enable it:

chkconfig httpd on

Step 3: Browse the webpage with the lynx browser and see whether Apache displays the default webpage. If the webpage is displayed, Apache is installed.

lynx http://localhost/

These two commands can also help to find out whether Apache was installed successfully:

lsof -i | grep http

Step 4: Open the firewall to allow port 80 so we can test the Apache server default webpage when we browse the localhost.

# To open up a new port (e.g., TCP/80) permanently, use these commands.
# Please note that without the "--permanent" flag, the firewall rule would not persist across reboots.

$ firewall-cmd --zone=public --add-port=80/tcp --permanent

# Now reload the firewall to make the changes effective

$ firewall-cmd --reload

# Check the updated rules with:
$ firewall-cmd --list-all

# OPTIONAL: sometimes the SELinux policy is not permissive, so you may have to switch it from enforcing to permissive.
# To check the SELinux policy
sestatus

# If the current mode is enforcing, use this command to make it permissive.
# It lasts until the next reboot and stops SELinux from enforcing its policy for the whole system, so switch back with "setenforce 1" once testing is done.
setenforce 0

Once the port is open you can browse the webpage from a browser at http://localhost. If you are browsing it from outside, use the server IP address (i.e. http://Server IP address/).

Step 5: Create the SSL certificate request file (.CSR).

Please note that this file is needed to send a request to the Enterprise certificate authority to generate the certificate. This file contains important information about your certificate. It is mandatory to create a SAN certificate so you do not get unnecessary warnings when you browse your site. Here is a sample SAN file which you can use:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN )
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = put your site name here 

Save this file as san.cnf and then run this command

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout sslprivate.key -config san.cnf

It will ask you to provide the country name, state and other details and then create the CSR file with the name sslcert.csr. Please note down the key file, and create these certificate requests and files in a directory (i.e. /etc/httpd/ssl/). Because of the -nodes option the private key sslprivate.key is written unencrypted, so keep it readable by root only.

Step 6: Convert the .CER file into a .CRT file once you receive the certificate in .CER format. The Certificate Authority will issue a certificate in CER format. You need to convert it into CRT format because Apache needs this format (the command below reads the DER-encoded .CER file and writes a PEM-encoded .CRT file). Perform these steps for the Intermediate CA root cert and the Root cert received from your administrator as well.

openssl x509 -inform DER -in testcert.cer -out testcert.crt

Step 7: Make the configuration changes for the SSL certificates and create the virtual host.

Please make sure to copy the certificate .CRT file and the key files to /etc/httpd/ssl/. In case you have deployed them in a different location, use that path in the configuration below.

Now edit the ssl.cnf file at this location /etc/httpd/ssl/ by removing the comments from the file. Make sure that these entries are uncommented.

Listen 443
NameVirtualHost *:443

<VirtualHost *:443>
DocumentRoot "/var/www/html" 
# Please note that if you change the document root path then you have to make the same change in the httpd.cnf file in the directory tag <Directory "/var/www/html">
ServerName FQDN_of_your_servername
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/testcert.crt
SSLCertificateKeyFile /etc/httpd/ssl/sslprivate.key
SSLCertificateChainFile /etc/httpd/ssl/yourcomapnyrootcertificate.crt
SSLVerifyClient None

</VirtualHost>

Please note that your testcert.crt and yourcomapnyrootcertificate.crt were created in Step 6.
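
Two checks worth running on the files from Steps 5 to 7 before the restart in Step 8: that the CSR really carries the SAN entry, and that the converted certificate belongs to the private key named in SSLCertificateKeyFile. The script below is an added example, not part of the original post; the function names, the name www.example.test and the self-signed certificate standing in for the CA-issued one are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: pre-restart checks for the files produced in Steps 5-7.

# Succeeds only if the CSR's subjectAltName lists exactly this DNS name.
csr_has_san() {   # usage: csr_has_san <file.csr> <dns-name>
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep 'DNS:' | tr ',' '\n' | sed 's/^[[:space:]]*//' |
        grep -Fxq "DNS:$2"
}

# Succeeds only if the certificate carries the public key of this private key.
cert_matches_key() {   # usage: cert_matches_key <file.crt> <file.key>
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# Constructed sample input: throwaway key, CSR and certificate for the
# placeholder name www.example.test, written into the given directory.
make_sample() {   # usage: make_sample <directory>
    ( cd "$1" || exit 1
      umask 077   # private keys are created readable by their owner only
      printf '%s\n' '[ req ]' 'distinguished_name = req_distinguished_name' \
          'req_extensions = req_ext' '[ req_distinguished_name ]' \
          'commonName = Common Name (e.g. server FQDN)' '[ req_ext ]' \
          'subjectAltName = @alt_names' '[ alt_names ]' \
          'DNS.1 = www.example.test' > san.cnf
      # -subj answers the prompts from Step 5 so the sample runs unattended.
      openssl req -out sslcert.csr -newkey rsa:2048 -nodes \
          -keyout sslprivate.key -config san.cnf \
          -subj '/CN=www.example.test' 2>/dev/null
      # Stand-in for the CA: self-sign, emit DER (.cer), convert as in Step 6.
      openssl x509 -req -in sslcert.csr -signkey sslprivate.key -days 1 \
          -outform DER -out testcert.cer 2>/dev/null
      openssl x509 -inform DER -in testcert.cer -out testcert.crt
      # An unrelated key, to show what a mismatch looks like.
      openssl genrsa -out other.key 2048 2>/dev/null )
}

dir=$(mktemp -d)
make_sample "$dir"
csr_has_san "$dir/sslcert.csr" www.example.test && echo "CSR: SAN present"
cert_matches_key "$dir/testcert.crt" "$dir/sslprivate.key" && echo "crt/key: match"
cert_matches_key "$dir/testcert.crt" "$dir/other.key" || echo "other.key: MISMATCH"
rm -rf "$dir"
```

Against the real files, call the two functions with the paths under /etc/httpd/ssl/ and your site name. Running apachectl configtest afterwards reports syntax errors in the configuration without restarting the server.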

Step 8: Restart the Apache server so these settings can take effect.

service httpd restart
# You can also use these commands by first stopping the server and then starting it again.
service httpd stop
service httpd start

If the server restarted successfully, it means that the config worked fine and there is no spelling mistake; otherwise you may have to troubleshoot it by modifying the settings.

Step 9: Create a test HTML page and browse the site with HTTPS.

Now create an HTML page, copy it into /var/www/html (the document root directory defined in the httpd.cnf file; you can check the path in the config file) and browse it to test whether your site is working fine with the https URL. It should be https://localhost/
