RHEL7: Configure Apache TLS security.


Note: This is an RHCE 7 exam objective.

Configuration Procedure

Install the Web Server package group:

# yum groupinstall -y "Web server"

Activate at boot time and start the service:

# systemctl enable httpd
# systemctl start httpd

Add the HTTPS service to the firewall configuration and reload it:

# firewall-cmd --permanent --add-service=https
Success
# firewall-cmd --reload
Success

Let’s assume your server is called instructor.example.com.

Generate a self-signed X.509 certificate valid for 365 days (-x509 self-signs the request instead of producing a CSR; -nodes writes the private key unencrypted so httpd can start at boot without a passphrase prompt; the Common Name must be the server hostname):

# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/instructor.example.com.crt -keyout /etc/pki/tls/private/instructor.example.com.key -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/pki/tls/private/instructor.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificateFile and SSLCertificateKeyFile directives and replace them as follows:

SSLCertificateFile /etc/pki/tls/certs/instructor.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/instructor.example.com.key

In the same file, search for the ServerName directive and set it as follows:

ServerName instructor.example.com:443

Check the validity of the configuration:

# httpd -t
Syntax OK

Or:

# apachectl configtest
Syntax OK

Restart the Apache webserver:

# apachectl restart

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:443                   is a NameVirtualHost
         default server instructor.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost instructor.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost instructor.example.com (/etc/httpd/conf.d/ssl.conf:56)
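As an added example (not code from the original post), the procedure above done without the interactive DN prompts: the certificate is generated with -subj, the three ssl.conf edits are made with sed, and the resulting directives are shown. The hostname, file names and the sample ssl.conf excerpt are assumptions, and GNU sed (as on RHEL7) is assumed for "sed -i"; the demo runs against a temporary copy, so nothing here touches /etc unless you call the functions on the real paths as shown in the usage comment.

```shell
#!/bin/sh
# Added example (not from the original post): the procedure above done
# non-interactively. Hostname, file names and the sample ssl.conf are
# assumptions; GNU sed (as on RHEL7) is assumed for "sed -i".
set -e

# Self-signed X.509 cert without the DN prompts: -x509 self-signs, -subj
# supplies the DN (CN must be the hostname httpd answers to), -nodes leaves
# the key unencrypted so httpd can start at boot without a passphrase.
gen_self_signed_cert() {
    fqdn="$1" crt="$2" key="$3"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=${fqdn}" \
        -keyout "$key" -out "$crt" 2>/dev/null
    chmod 600 "$key"            # private key: readable by root only
}

# CN of a certificate file, for comparison with ServerName.
cert_cn() {
    openssl x509 -noout -subject -in "$1" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The same three edits the post makes by hand in /etc/httpd/conf.d/ssl.conf.
# "^[#[:space:]]*" also uncomments the stock "#ServerName www.example.com:443".
configure_ssl_conf() {
    conf="$1" fqdn="$2" crt="$3" key="$4"
    sed -i \
        -e "s|^[#[:space:]]*SSLCertificateFile .*|SSLCertificateFile ${crt}|" \
        -e "s|^[#[:space:]]*SSLCertificateKeyFile .*|SSLCertificateKeyFile ${key}|" \
        -e "s|^[#[:space:]]*ServerName .*|ServerName ${fqdn}:443|" \
        "$conf"
}

# The directives that matter, as httpd will read them.
show_tls_directives() {
    grep -E '^(ServerName|SSLCertificateFile|SSLCertificateKeyFile) ' "$1"
}

# Constructed excerpt modelled on the stock RHEL7 ssl.conf, so the functions
# can be exercised on a copy instead of the live file.
write_sample_ssl_conf() {
    cat > "$1" <<'EOF'
Listen 443 https
<VirtualHost _default_:443>
#ServerName www.example.com:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
EOF
}

# On the real host, as root:
#   fqdn=instructor.example.com
#   gen_self_signed_cert "$fqdn" /etc/pki/tls/certs/$fqdn.crt /etc/pki/tls/private/$fqdn.key
#   configure_ssl_conf /etc/httpd/conf.d/ssl.conf "$fqdn" /etc/pki/tls/certs/$fqdn.crt /etc/pki/tls/private/$fqdn.key
#   httpd -t && apachectl restart && httpd -D DUMP_VHOSTS
# "sh this-script.sh demo" runs the same steps against a temporary copy.
demo() {
    d=$(mktemp -d); fqdn=instructor.example.com
    write_sample_ssl_conf "$d/ssl.conf"
    gen_self_signed_cert "$fqdn" "$d/$fqdn.crt" "$d/$fqdn.key"
    configure_ssl_conf "$d/ssl.conf" "$fqdn" "$d/$fqdn.crt" "$d/$fqdn.key"
    echo "certificate CN: $(cert_cn "$d/$fqdn.crt")"
    show_tls_directives "$d/ssl.conf"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The sed patterns anchor on the directive name followed by a space, so the commented SSLCertificateChainFile line and the explanatory comments in the stock file are left untouched; after the edit, httpd -t and the DUMP_VHOSTS check from the post apply unchanged.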

Optionally, check the certificate:

# openssl s_client -connect localhost:443 -state
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = instructor.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, CN = instructor.example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
   i:/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
issuer=/C=XX/L=Default City/O=Default Company Ltd/CN=instructor.example.com
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1610 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 237566220198BE79A3B0EE9E9D12D3221676329C34F44BF577CC9D77BB6F0C99
    Session-ID-ctx:
    Master-Key: EFA5C1BC2D6C3EBC3928C2339338D31602E7908A70663C9D18AADB683BFC91BD
824D91D857A899A79BF1B95F606FE783
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ef 91 60 0f 59 6f 45 28-0b 1c ac ca f0 ab f7 76   ..`.YoE(.......v
    0010 - c8 fa 8e 79 b6 c8 47 6a-a3 cf 9c 8b 51 43 1c 8c   ...y..Gj....QC..
    0020 - 8b 23 83 0b e1 bc bf 33-65 d2 37 e5 84 15 39 b1   .#.....3e.7...9.
    0030 - 02 a3 4c 0d 65 f7 54 a4-20 1c b1 0a 82 c2 5e 84   ..L.e.T. .....^.
    0040 - 75 92 04 de 3e 09 60 71-6e 20 f9 8e fc 8e af 85   u...>.`qn ......
    0050 - 1d 7f eb 2d 41 ca f0 ff-96 1a 29 e3 ca 9d 7c b6   ...-A.....)...|.
    0060 - 04 84 57 1b ab 78 50 65-c8 ed 0d 7b 6f e3 2d 9c   ..W..xPe...{o.-.
    0070 - 05 d2 73 24 71 89 14 cc-35 59 f5 11 16 80 a3 0d   ..s$q...5Y......
    0080 - 43 b7 53 c3 97 22 25 64-40 eb 42 a0 d3 36 6e 32   C.S.."%d@.B..6n2
    0090 - 2b f6 61 35 76 96 cc 12-76 f3 93 d6 e8 16 54 19   +.a5v...v.....T.
    00a0 - 7d 9d a2 50 b1 d5 87 12-61 f7 d4 c1 46 19 23 f5   }..P....a...F.#.
    00b0 - 41 71 43 32 89 7f 9c 9f-b6 ab e3 71 14 d6 13 f4   AqC2.......q....

    Start Time: 1408555281
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0
SSL3 alert write:warning:close notify

Note: According to Sander van Vugt, the elinks command doesn’t work well with TLS and shouldn’t be used in this specific context.

Additional Resources

You can read this interesting survey about the complexity of deploying HTTPS.
Daniel Aleksandersen wrote an article about Allowing OCSP stapling in Apache Web Server with SELinux policies.
The official RedHat knowledgebase provides an article about Securing Apache/mod_ssl with SSL/TLS on RHEL7.

28 comments on “RHEL7: Configure Apache TLS security.”
  1. jerky_rs says:

    A good reference for the openssl command described here is provided in /etc/pki/tls/certs/make-dummy-cert (by openssl package) that has the syntax necessary (replace the keyfile and certificate as necessary).

  2. jpondi says:

    Hi,

    Thanks for this tutorial.

    Can I run the /etc/pki/tls/certs/make-dummy-cert some_key_cert_file script to generate the key & cert? Is that acceptable?
    I will copy the portion on key and cert into two files.

    Thanks

    • CertDepot says:

      It’s not going to work because the certificate hostname will be localhost.localdomain.
      Except if nothing is said during the exam about the hostname to use, you won’t be able to use this command.

      • jeromeza says:

        You can always edit the file and replace localhost.localdomain with your server name to save time. I’d still recommend learning the commands, but any time is valuable and that saving could help.

  3. alamahant says:

    A note on elinks: please don't rely on it to display your practice SSL pages. It will flatly refuse with an SSL error, not even offering the choice to accept the self-signed certificate.
    Use Firefox instead, after maybe installing X Window.
    Elinks appears to be a little stupid in this respect 🙂

  4. lucad2 says:

    Is it OK to use genkey from the crypto-utils package? It is much easier than openssl.

  5. jeromeza says:

    I’m assuming that because these are self-generated, cert warnings about the root cert not being trusted are fine?

  6. Lisenet says:

    I wonder if you need to disable SSLv3 when configuring Apache on an RHCE exam even if you’re not explicitly asked for it.

    SSLv3 is dead, we all remember POODLE (CVE-2014-3566), don’t we?

    So if you leave the protocol enabled on the exam, I suspect that you are going to get some points deducted?
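As an added example following this comment (not code from the post or from Lisenet), a small shell script that audits the SSLProtocol directive of an ssl.conf for SSLv3 and rewrites it to "all -SSLv2 -SSLv3"; the sample configuration files are constructed and GNU sed is assumed for "sed -i". It goes a little beyond the comment in that it follows mod_ssl's left-to-right parsing of the directive, so an ordering mistake such as "-SSLv3 all" (which re-enables SSLv3) is caught as well.

```shell
#!/bin/sh
# Added example (not from the original post or the commenter): audit and fix
# the SSLProtocol directive that decides whether SSLv3 is offered.
# Sample configs are constructed; GNU sed is assumed for "sed -i".
set -e

# mod_ssl parses SSLProtocol left to right: a bare name replaces the list,
# "+name" adds a protocol, "-name" removes one. So "all -SSLv3" disables
# SSLv3 but "-SSLv3 all" re-enables it. Prints enabled / disabled / unset.
# When unset, httpd's compiled-in default decides (SSLv3 was only dropped
# from that default in 2.4.17, and RHEL7 ships 2.4.6). The ssl.conf that
# RHEL7's mod_ssl originally shipped reads "SSLProtocol all -SSLv2", which
# still offers SSLv3.
sslv3_status() {
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 || true)
    if [ -z "$line" ]; then echo unset; return 0; fi
    flag=0
    for tok in $(printf '%s\n' "$line" | sed 's/^[[:space:]]*SSLProtocol//'); do
        case "$tok" in
            all|SSLv3|+all|+SSLv3) flag=1 ;;
            -all|-SSLv3)           flag=0 ;;
            +*|-*)                 ;;        # another protocol added/removed
            *)                     flag=0 ;; # bare name replaces the list
        esac
    done
    if [ "$flag" = 1 ]; then echo enabled; else echo disabled; fi
}

# Rewrite the directive, or add one right after "SSLEngine on" when missing,
# so that every protocol except SSLv2 and SSLv3 stays enabled.
disable_sslv3() {
    if grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]' "$1"; then
        sed -i -E 's/^([[:space:]]*)SSLProtocol[[:space:]].*/\1SSLProtocol all -SSLv2 -SSLv3/' "$1"
    else
        sed -i '/^[[:space:]]*SSLEngine on/a SSLProtocol all -SSLv2 -SSLv3' "$1"
    fi
}

# Live check from a client once httpd has been restarted: with SSLv3
# disabled the -ssl3 handshake must fail. Modern openssl builds may lack
# -ssl3 entirely, which also counts as "refused".
probe_sslv3() {
    if openssl s_client -ssl3 -connect "$1:443" </dev/null >/dev/null 2>&1; then
        echo "SSLv3 accepted by $1"; return 1
    fi
    echo "SSLv3 refused by $1"
}

# Constructed vhost fragment: $1 = file, $2 = SSLProtocol value ("" = none).
write_sample_conf() {
    {
        echo '<VirtualHost _default_:443>'
        echo 'SSLEngine on'
        [ -n "$2" ] && echo "SSLProtocol $2"
        echo '</VirtualHost>'
    } > "$1"
}

# Usage on the real host, as root:
#   sslv3_status /etc/httpd/conf.d/ssl.conf      # -> enabled on the stock file
#   disable_sslv3 /etc/httpd/conf.d/ssl.conf && httpd -t && apachectl restart
#   probe_sslv3 instructor.example.com
```

Disabling SSLv3 in ssl.conf covers the default HTTPS vhost; a vhost file of its own with another SSLProtocol line needs the same check, which is why the functions take the file as an argument.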

  7. dan says:

    If you don’t want to memorize the openssl command, mod_ssl actually generates a cert on install, and /etc/httpd/conf.d/ssl.conf points to these by default.

    If you installed mod_ssl before setting your hostname the cert will be created for localhost.localdomain though. Just rm /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key then yum reinstall mod_ssl and it will generate a new cert.

  8. bazouie says:

    Hi Guys,
    I have a question. I have seen many times in different articles, even the article right on this page about “config Apache TLS”, that they all mention putting the certificate and key path into “/etc/httpd/conf.d/ssl.conf”. What if I put the cert and key in my virtualhost file in “/etc/httpd/conf.d/test.conf”? And in this situation, what should I put instead of “” ???

    Thank you,
    Abe

    • Lisenet says:

      Putting into /etc/httpd/conf.d/ssl.conf uses the default HTTPS virtualhost. You can put certificate paths into your virtualhost if you wish. This is actually the right way of doing this when you have dozens of different HTTPS websites on one server.

  9. benny says:

    In the exam, do you think that they will provide the cert? or we got to memorize the openssl command?

  10. martingarvin says:

    During my LFCE exams I was provided with certificate and key from the remote URL.
    http://cert.example.com/ssl/web.key
    http://cert.example.com/ssl/web.crt

    Am I supposed to download the certificate in my localhost and then add it to the vhost file or shall I use remote certificate and key URL?

  11. martingarvin says:

    How would I generate SSLCertificateChainFile for practice purposes? My friend Google isn’t helping. I tried Googling, couldn’t find any relevant answer. Could someone please help?

    • Lisenet says:

      This is somewhat complicated since you basically need to run your own certificate authority (CA).

      It would likely take a blog post to explain it in detail, therefore I’ll stick to main bits instead and keep it short.

      You need to generate the root key and the root certificate (e.g. ca.key and ca.cert). This will be the identity of your CA.

      The general rule of thumb is that the root CA is never used to sign client certificates directly, but is used to create an intermediate CA, where the intermediate CA can then sign certificates on behalf of the root CA.

      Having said that, you need to generate the intermediate pair (e.g. intermediate.key and intermediate.cert). The root CA then signs the intermediate certificate.

      Once you have the root and the intermediate certificates, you can then create the certificate chain file (e.g. ca-chain.cert) which will be used for SSLCertificateChainFile. Note that the certificate chain file must include the intermediate certificate as well as the root certificate because no client application knows about your CA yet.

      You can alternatively install the root certificate on a client machine that needs to connect to your webserver, in which case the chain file only needs to contain the intermediate certificate.
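As an added example (not code from the post or from the commenter), the steps Lisenet outlines carried through with openssl: a practice root CA, an intermediate CA signed by it, a server certificate signed by the intermediate, the ca-chain.cert file, and verification runs showing that a client which trusts only the root rejects the server certificate unless the intermediate is supplied with it. The CA names, file names and the temporary directory are assumptions; the script never touches /etc, and the minimal req config it writes keeps it independent of the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original post or the commenter): a throwaway
# root CA -> intermediate CA -> server certificate, the chain file for
# SSLCertificateChainFile, and the verification that shows why the
# intermediate has to be in it. Names and paths are assumptions.
set -e

# One CSR plus signing step. $1 dir, $2 name, $3 subject, $4 extension
# file, $5 issuer cert (or "self"), $6 issuer key (ignored for "self").
issue() {
    dir="$1" name="$2" subj="$3" ext="$4" ca="$5" cakey="$6"
    openssl req -new -nodes -newkey rsa:2048 -subj "$subj" -config "$dir/req.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ "$ca" = self ]; then
        openssl x509 -req -days 3650 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -extfile "$ext" -out "$dir/$name.cert" 2>/dev/null
    else
        openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$ca" -CAkey "$cakey" \
            -CAcreateserial -extfile "$ext" -out "$dir/$name.cert" 2>/dev/null
    fi
}

make_chain() {
    dir="$1" fqdn="$2"
    # Minimal req config so -subj works without the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"
    # CA extensions: without CA:TRUE and keyCertSign, verification rejects
    # anything these certificates sign.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    # Server extensions: CA:FALSE plus a SAN, which current clients require
    # for hostname matching (the CN alone is no longer enough).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/server.ext"

    issue "$dir" ca           "/CN=Practice Root CA"         "$dir/ca.ext"     self ""
    issue "$dir" intermediate "/CN=Practice Intermediate CA" "$dir/ca.ext"     "$dir/ca.cert" "$dir/ca.key"
    issue "$dir" server       "/CN=$fqdn"                    "$dir/server.ext" "$dir/intermediate.cert" "$dir/intermediate.key"

    # Chain file as the comment describes: intermediate first, then root.
    cat "$dir/intermediate.cert" "$dir/ca.cert" > "$dir/ca-chain.cert"
}

# Returns 0 when server.cert verifies. $2 = what the client already trusts,
# $3 = what the server sends along with its certificate ("" = nothing).
# The output is checked rather than the exit code because old openssl
# releases exit 0 even when verification fails.
verify_server() {
    dir="$1" trust="$2" chain="$3"
    if [ -n "$chain" ]; then
        out=$(openssl verify -CAfile "$trust" -untrusted "$chain" "$dir/server.cert" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$trust" "$dir/server.cert" 2>&1 || true)
    fi
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Usage:
#   d=$(mktemp -d); make_chain "$d" instructor.example.com
#   verify_server "$d" "$d/ca-chain.cert" ""                  # ok
#   verify_server "$d" "$d/ca.cert" "$d/intermediate.cert"    # ok: root trusted, intermediate sent
#   verify_server "$d" "$d/ca.cert" ""                        # fails: no local issuer
# In ssl.conf (httpd 2.4.6 as shipped with RHEL7 still uses the chain directive):
#   SSLCertificateFile      /etc/pki/tls/certs/server.cert
#   SSLCertificateKeyFile   /etc/pki/tls/private/server.key
#   SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.cert
# With ca.cert installed on the client, "openssl s_client -connect host:443
# -CAfile ca.cert" then reports "Verify return code: 0 (ok)" instead of the
# 18 (self signed certificate) seen in the post.
```

The third verification run is the case the comment warns about: a browser that trusts only the root has no way to reach it from the server certificate unless httpd sends the intermediate, which is exactly what SSLCertificateChainFile is for.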
