How to configure HTTPD to use https


HTTPD can be configured to use HTTPS to encrypt the traffic between the client and server using either a certificate purchased from a trusted CA (certificate authority), such as www.verisign.com, or using a self signed certificate. The main difference between a certificate from a trusted CA and a self signed certificate is that web browsers will display a warning message when a self signed certificate is used. 

 

Use apt-get or yum to install the SSL module. The installation of the SSL module will add the ssl.conf file to the /etc/httpd/conf.d/ directory.

[root@server1 ~]# yum install mod_ssl

 

Restart HTTPD, and ensure HTTPD is active and running.

[root@server1 ~]# systemctl restart httpd
[root@server1 ~]# systemctl status httpd

 

Ensure iptables is configured to allow traffic on port 443.

If your /etc/httpd/conf/httpd.conf file contains ServerName www.example.com and DocumentRoot "/var/www/html", you should now be able to access your site using HTTPS.

If your server uses virtual hosts, edit the /etc/httpd/conf.d/ssl.conf file to mirror your virtual host configuration.

 


SELinux

Use the ls -Z command to view the SELinux context of the files in the /var/www/html directory. In this example, the type of index.php is admin_home_t. HTTPD needs the type to be httpd_sys_content_t.

[root@server1 ~]# ls -Z  /var/www/html
-rwxrwxrwx. root root unconfined_u:object_r:admin_home_t:s0 index.php

 

Use the restorecon command to reset the directories and files under /var/www/html to their default context from the SELinux policy, which is httpd_sys_content_t.

[root@server1 ~]# restorecon -Rv  /var/www/html

 

Use the ls -Z command again to confirm the context is httpd_sys_content_t.

[root@server1 ~]# ls -Z  /var/www/html
-rwxrwxrwx. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.php

 


Create a public / private key pair

The installation of the SSL module will add the localhost.crt (public certificate) and localhost.key (private key), as well as the server-chain and ca-bundle certificates.

  • /etc/pki/tls/certs/localhost.crt
  • /etc/pki/tls/private/localhost.key
  • /etc/pki/tls/certs/server-chain.crt
  • /etc/pki/tls/certs/ca-bundle.crt

If you would prefer to use your own self signed certificate, OpenSSL can be used to create the self signed public certificate and private key. Then, localhost.crt and localhost.key can be replaced with your own public certificate and private key in the /etc/httpd/conf.d/ssl.conf file.
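
The certificate swap described above, as an added example that is not from the original page: it generates a self signed pair with OpenSSL, checks that the certificate and key belong together, and prints the two ssl.conf directives to update. The www.example.com file names, the 2048-bit RSA key, the 365-day lifetime and the function names are assumptions.

```bash
#!/bin/bash
# Added example: create a self signed pair and confirm the two files belong
# together before referencing them in /etc/httpd/conf.d/ssl.conf.
set -u

# make_selfsigned DIR CN -> writes DIR/CN.key (mode 600) and DIR/CN.crt
make_selfsigned() {
    local dir=$1 cn=$2
    (
        umask 077   # the private key must never be group/world readable
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=${cn}" \
            -keyout "${dir}/${cn}.key" -out "${dir}/${cn}.crt" 2>/dev/null
    ) || return 1
    chmod 600 "${dir}/${cn}.key"
    chmod 644 "${dir}/${cn}.crt"
}

# key_matches_cert CRT KEY -> exit 0 only if CRT holds the public half of KEY
key_matches_cert() {
    local from_crt from_key
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# print_ssl_directives CRT KEY -> the two lines to set in ssl.conf
print_ssl_directives() {
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
}

# Demo in a scratch directory (constructed values; nothing under /etc is touched).
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    make_selfsigned "$tmp" www.example.com || { rm -rf "$tmp"; return 1; }
    if key_matches_cert "$tmp/www.example.com.crt" "$tmp/www.example.com.key"; then
        print_ssl_directives /etc/pki/tls/certs/www.example.com.crt \
                             /etc/pki/tls/private/www.example.com.key
    fi
    rm -rf "$tmp"
}
demo
```

A mismatched pair makes key_matches_cert return non-zero, which is worth checking before the restart because HTTPD will not start with a certificate and key that do not belong together.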

Restart HTTPD, and ensure HTTPD is active and running.

[root@server1 ~]# systemctl restart httpd
[root@server1 ~]# systemctl status httpd

 

In this example, a self signed public certificate was created for freekb.net, and Chrome complains that the root certificate is not trusted, because the certificate is not in the trusted root certificate authorities store. This is the expected behavior of a self signed certificate.

 


