The mod_ssl module provides SSL v3 and TLS v1.x support for the Apache HTTP Server. This article provides you with a basic step-by-step mod_ssl configuration on a RHEL 8 / CentOS 8 Linux server with the httpd Apache webserver.
In this tutorial you will learn:
- How to install mod_ssl
- How to enable mod_ssl
- How to create a self-signed certificate
- How to include an existing SSL certificate into the httpd configuration
- How to redirect all non-ssl HTTP traffic to HTTPS
Software Requirements and Conventions Used
Category | Requirements, Conventions or Software Version Used |
---|---|
System | RHEL 8 / CentOS 8 |
Software | mod_ssl-2.4.35-6.el8 |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command; $ – requires given linux commands to be executed as a regular non-privileged user |
How to install mod_ssl on RHEL 8 / CentOS 8 step by step instructions
This article assumes that you have already performed a basic installation and configuration of Apache webserver on your RHEL 8 / CentOS 8 server.
- Install mod_ssl module. The first step is to install the mod_ssl module using the dnf command:

      # dnf install mod_ssl

- Enable mod_ssl module. In case you have just installed mod_ssl, the module may not be enabled yet. To test whether mod_ssl is enabled, execute:

      # apachectl -M | grep ssl

  In case you see no output from the above command, your mod_ssl is not enabled. To enable the mod_ssl module, restart your httpd Apache webserver:

      # systemctl restart httpd
      # apachectl -M | grep ssl
       ssl_module (shared)

- Open TCP port 443 to allow incoming traffic with the https protocol:

      # firewall-cmd --zone=public --permanent --add-service=https
      success
      # firewall-cmd --reload
      success

  NOTE
  At this point you should be able to access your Apache webserver via the HTTPS protocol. Navigate your browser to https://your-server-ip or https://your-server-hostname to confirm the mod_ssl configuration.

- Generate SSL certificate. In case you do not already possess a proper SSL certificate for your server, use the command below to generate a new self-signed certificate.
  For example, let's generate a new self-signed certificate for host rhel8 with 365 days expiry:

      # openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt
      Generating a RSA private key
      ................+++++
      ..........+++++
      writing new private key to '/etc/pki/tls/private/httpd.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:AU
      State or Province Name (full name) []:
      Locality Name (eg, city) [Default City]:
      Organization Name (eg, company) [Default Company Ltd]:LinuxConfig.org
      Organizational Unit Name (eg, section) []:
      Common Name (eg, your name or your server's hostname) []:rhel8
      Email Address []:

  After successful execution of the above command, the following two SSL files will be created:

      # ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt
      -rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt
      -rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key

- Configure Apache web-server with new SSL certificates. To include your newly created SSL certificate into the Apache web-server configuration, open the /etc/httpd/conf.d/ssl.conf file with administrative privileges and change the following lines:

      FROM:
      SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
      TO:
      SSLCertificateFile /etc/pki/tls/certs/httpd.crt
      SSLCertificateKeyFile /etc/pki/tls/private/httpd.key

  Once ready, reload the httpd Apache web-server:

      # systemctl reload httpd

- Test your mod_ssl configuration by navigating the web browser to the https://your-server-ip or https://your-server-hostname URL.
- As an optional step, redirect all HTTP traffic to HTTPS. To do so, create a new file /etc/httpd/conf.d/redirect_http.conf with the following content:

      <VirtualHost _default_:80>
              Servername rhel8
              Redirect permanent / https://rhel8/
      </VirtualHost>

  To apply the change, reload the httpd daemon:

      # systemctl reload httpd

The above configuration will redirect any incoming traffic from http://rhel8 to the https://rhel8 URL. For more information about TLS/SSL configuration on RHEL Linux server visit our How to setup SSL/TLS with Apache httpd on Red Hat guide.
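
Before the reload in the certificate configuration step, it helps to confirm that the certificate and key belong together, that the key is not readable by group or others, and that the certificate is not close to expiry. The script below is an added example, not part of the original article; the function names check_tls_pair and make_demo_pair and the 30-day default are assumptions, and the demo pair is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a certificate/key
# pair before SSLCertificateFile / SSLCertificateKeyFile point at it.

# check_tls_pair CRT KEY [MIN_DAYS]   (name and 30-day default are assumptions)
# Returns 0 if all checks pass, otherwise 2 (unreadable), 3 (mismatch),
# 4 (key readable by group/others), 5 (expires within MIN_DAYS).
check_tls_pair() {
    crt=$1; key=$2; min_days=${3:-30}

    # Extract the public key from each file; a failure means a bad path or format.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $crt"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $key"; return 2; }

    # mod_ssl rejects a key that does not belong to the certificate.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match"; return 3; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -lL "$key" | cut -c5-10)" = "------" ] ||
        { echo "private key is accessible to group or others: $key"; return 4; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days"; return 5; }

    echo "OK: $crt and $key match, key is private, valid for > $min_days days"
}

# Constructed sample input: a throwaway pair made with the article's command,
# with -subj added so that openssl does not prompt for the DN fields.
make_demo_pair() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/httpd.key" -x509 -days 365 \
        -out "$1/httpd.crt" -subj "/CN=rhel8" 2>/dev/null
    chmod 600 "$1/httpd.key"
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" &&
    check_tls_pair "$demo_dir/httpd.crt" "$demo_dir/httpd.key"
rm -rf "$demo_dir"
# On the server from the article, run as root:
#   check_tls_pair /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.key
```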