Let’s secure Apache with an SSL/TLS certificate.
Once the certificate is implemented, the configured domain/IP will be accessible over HTTPS.
Let’s get it started.
On a high level, we will do the following.
- Compile Apache HTTP 2.4.5 with SSL module
- Get SSL Certificate
- Configure Apache to support SSL
Install Apache with SSL from Source
To configure SSL, Apache HTTP must be compiled with mod_ssl. I’ll use CentOS 7 VM from Digital Ocean to demonstrate this.
- Login to Linux server with root and download the latest version of Apache
wget http://www-us.apache.org/dist//httpd/httpd-2.4.25.tar.gz .
Note: you can check here for the latest version.
- Extract by gunzip command
gunzip -c httpd-2.4.25.tar.gz | tar xvf -
- You will have a new folder “httpd-2.4.25”
- Go inside and execute the following configure command
./configure --enable-ssl –-enable-so
Note: If you are doing this on a brand-new server, then you may experience issues related to APR, PCRE, and OpenSSL, and you may refer to the Apache troubleshooting guide.
Ensure you don’t get any error from the above configure command, and next you got to install with make commands.
make
make install
As usual, ensure no errors from the above commands. This concludes, you have installed an Apache web server with SSL support.
Getting an SSL Certificate
There are multiple ways to generate and get the SSL cert signed by the certificate authority.
If you are looking to implement SSL in the Intranet web server, then most of the organization has an internal certificate issuer team, so you got to check with them. But you still need to generate a CSR (Certificate Signing Request), and you can do it using OpenSSL.
However, if you are looking to secure an Internet-facing URL then either you can buy a certificate from VeriSign, GoDaddy, Namecheap, ZeroSSL, etc., or get a FREE cert from Let’s Encrypt.
Let’s Encrypt is a Linux Foundation Collaboration Project who offers a FREE SSL/TLS certificate. I will use Let’s Encrypt to get one certificate for my domain – Chandan.io
There are multiple ways to generate CSR, but the easiest one I found is using the “SSL For FREE” online tool.
Enter the URL that you want to secure
Verify the domain ownership by one of the listed methods and download your domain certificate files.
You will get three files that we will use next to configure the Apache webserver.
- key – this is your key file and shouldn’t be shared with anyone publicly
- Certificate – actual SSL certificate for your domain
- Ca_bundle – Signer root/intermediate certificate
Transfer the downloaded file to the Web Server. We will need them shortly.
Apache SSL Configuration
And a final step would be to configure Apache so it can serve the request over HTTPS.
- Log in to the Apache webserver
- Take a backup of httpd.conf file (default location /usr/local/apache2/conf/)
- Open the file with the vi editor and ensure mod_ssl module & httpd-ssl.conf exists and not commented
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
We will use httpd-ssl.conf file to configure the certificate details. There are the following you need to ensure it exists the right parameters.
- SSLCertificateFile – Certificate CRT file path which you downloaded earlier
- SSLCertificateKeyFile – private.a key file path
- SSLCertificateChainFile – ca_bundle.crt file path
Tip: you may want to create a new folder called “ssl” and keep all the certificate-related files in this.
- Take a backup if needed and use the vi editor to modify the file.
SSLCertificateFile "/usr/local/apache2/conf/ssl/certificate.crt"
SSLCertificateChainFile "/usr/local/apache2/conf/ssl/ca_bundle.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl/private.key"
Next, you need to configure the “ServerName” directive. Usually, it’s your domain/URL name
ServerName chandan.io
- Save the file and restart the Apache Webserver
cd /usr/local/apache2/bin
./apachectl stop
./apachectl start
And finally, you got to ensure your domain is mapped to the newly configured web server IP. Once done, try to access your domain with HTTPS.
And as you can see, Chandan.io is accessible over https with the certificate I configured.
The above steps are essential for setting up an SSL certificate, and you must tweak the SSL further to harden and secure, which I explained here. Before go-live, you may also want to test your web server SSL/TLS to ensure it’s not exposed to common security vulnerabilities.
I hope this gives you an idea of how to implement an SSL certificate on your Apache Web server, so the URL is accessible over HTTPS.