Reasons to add HTTPS encryption to a website:
- Protect private user data entered into forms, as it travels from browser to server
- Keep user navigation and content subject matter private
- Improve user perception that the website is safe. Most users have no idea what the padlock means, but rather than have them alarmed by a browser icon labeling the website as unencrypted, it is easier to add HTTPS
- Perceived SEO benefits (search rank)
Prerequisites:
This tutorial assumes that one has Bind-based DNS configured for the domain as well as the Apache web server configured for virtual hosting of web content. See the following tutorial on Bind DNS and Apache Web Site Configuration on Linux.
Certificates:
This tutorial covers the installation and use of encryption keys and certificates from LetsEncrypt.org. The certificates are free and valid for 90 days, after which they must be renewed. The TLS or SSL keys and certificates (TLS is the newer, improved successor to SSL) are obtained from the LetsEncrypt.org server using a client script that implements the Automatic Certificate Management Environment (ACME) protocol. ACME automates the exchange between the Certificate Authority (CA), the entity that stores, signs and issues digital certificates certifying ownership of a public key, and the user's web server. ACME version 2 supports wildcard names such as *.megacorp.com, so the domain certificate obtained covers megacorp.com, www.megacorp.com, mail.megacorp.com and the other hosts of the domain.
ACME Client:
An ACME client is run to obtain browser-trusted certificates from Let's Encrypt. The issued certificate can be used for SSL/TLS by web servers, mail servers (for securing the connection, not for encrypting the email itself), FTP servers, etc.
The user must demonstrate control of the domain through a working DNS or web server configuration. This tutorial assumes the use of Bind as the DNS name server.
Apache Configuration:
This tutorial will show the additional required configuration settings to an existing "Virtual Hosts" HTTP web server. See the YoLinux Linux Internet Web Server and Domain Configuration Tutorial for instructions on configuring bind DNS and Apache.
ACME Client:
The Let's Encrypt website lists many eligible ACME clients.
Using the bash script getssl:
- Install getssl
- Generate getssl configuration files and edit
- Request certificate generation
- Create DNS record for domain ownership verification
- Configure Apache web server for HTTPS using the certificates generated
Install getssl from github: https://github.com/srvrco/getssl
curl --silent https://raw.githubusercontent.com/srvrco/getssl/latest/getssl > getssl ; chmod 700 getssl
Also download from github:
File: /opt/bin/dns_add_manual
#!/usr/bin/env bash
echo "In the DNS, a new TXT record needs to be created for;"
echo "_acme-challenge.${1}"
echo "containing the following value"
echo "$2"
read -r -p "Press any key to obtain the certificate once the records have been updated..."

File: /opt/bin/dns_del_manual
#!/usr/bin/env bash
echo "In the DNS, the following DNS record should be deleted ;"
echo "_acme-challenge.${1}"
read -r -p "Press any key to obtain the certificate once the records have been updated..."

usage:
- -c: create default config files to edit
- -h: Help
getssl -c *.megacorp.com
May take 5 minutes to run!
Will generate the following configuration files:
- ~/.getssl/getssl.cfg - global server config file
- ~/.getssl/*.megacorp.com/getssl.cfg - edit this domain specific file

File: ~/.getssl/getssl.cfg
CA="https://acme-v02.api.letsencrypt.org"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/user1/.getssl/account.key"
ACCOUNT_KEY_TYPE="rsa"
PRIVATE_KEY_ALG="rsa"
RELOAD_CMD="apachectl restart"
RENEW_ALLOW="90"
SERVER_TYPE="https"
CHECK_REMOTE="true"
VALIDATE_VIA_DNS="true"
DNS_ADD_COMMAND="/opt/bin/dns_add_manual"
DNS_DEL_COMMAND="/opt/bin/dns_del_manual"
PUBLIC_DNS_SERVER="XXX.XXX.XXX.XXX"
AUTH_DNS_SERVER="XXX.XXX.XXX.XXX"
Tip for AWS EC2 users. Use public "elastic" IP addresses rather than private VPC (Virtual Private Cloud) IP addresses.
Edit (or use the default) domain specific file:

File: ~/.getssl/megacorp.com/getssl.cfg
CA="https://acme-v02.api.letsencrypt.org"
PRIVATE_KEY_ALG="rsa"
SANS=""
RELOAD_CMD="apachectl restart"
SERVER_TYPE="https"

Run the script:
$ ./getssl *.megacorp.com
*.megacorp.com: Certificate on remote domain does not match, ignoring remote certificate (megacorp.com != megacorp.com)
creating key - /home/user1/.getssl/*.megacorp.com/*.megacorp.com.key
Generating RSA private key, 4096 bit long modulus
.................................................++
......................................................................................................................................................................++
e is 65537 (0x10001)
creating domain csr - /home/user1/.getssl/*.megacorp.com/*.megacorp.com.csr
Registering account
Verify each domain
Verifying *.megacorp.com
In the DNS, a new TXT record needs to be created for;
_acme-challenge.megacorp.com
containing the following value
mMxyziabcde_QbcdbcdbcdbcdenEnucom4xyz9VS5gI
Press any key to obtain the certificate once the records have been updated...
At this point in the getssl run, one must make an entry in the DNS configuration. Its purpose is to prove to the certificate authority (CA) that you legitimately own and control the domain. Add a TXT record to the domain's DNS zone. Here we show the entry for a Bind configuration:

File: /var/named/chroot/var/named/data/named.megacorp.com
...
....
2014123113 ; serial
...
...
_acme-challenge.megacorp.com. IN TXT "mMxyziabcde_QbcdbcdbcdbcdenEnucom4xyz9VS5gI"

Remember to increment the serial value.
Restart bind: service named restart
Return to the terminal window running getssl and press enter.
checking DNS at XXX.XXX.XXX.XXX
checking DNS at XXX.XXX.XXX.XXX
sleeping 60 seconds before asking the ACME server to check the dns
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Verified *.megacorp.com
In the DNS, the following DNS record should be deleted ;
_acme-challenge.megacorp.com
Press any key to obtain the certificate once the records have been updated...
Delete the bind DNS TXT "_acme-challenge" line, increment the serial value and restart bind (service named restart).
Return to the terminal window running getssl and press enter.
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Certificate saved in /home/user1/.getssl/*.megacorp.com/*.megacorp.com.crt
reloading SSL services
At this point the encryption certificates will be generated and will be ready for use by the Apache web server.
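The two manual hook scripts used above stop the run so that a person can edit the zone file and press Enter; the hook itself can do that editing. The script below is an added example written for this page, not getssl's own code: it appends or removes the _acme-challenge TXT record in the Bind zone file named on this page, increments the serial (as the page reminds you to) and restarts named. It assumes the page's zone file path, that the serial sits on a line of its own marked "; serial" as in the zone extract above, and that "service named restart" is the reload command; the hook names dns_add_bind and dns_del_bind are hypothetical. getssl hands the hook the domain as $1 and the challenge value as $2, exactly the values dns_add_manual prints.

```shell
#!/usr/bin/env bash
# Added example, not getssl's own code: a DNS hook that edits the Bind zone file
# directly, replacing the interactive dns_add_manual / dns_del_manual scripts.
# getssl calls the hook as:  <hook> <domain> <token>
# Assumptions (hypothetical): the zone file path and reload command below, and an
# SOA serial written as "NNNN ; serial" as in the page's zone file extract.
set -u

ZONE_FILE="${ZONE_FILE:-/var/named/chroot/var/named/data/named.megacorp.com}"
RELOAD_DNS_CMD="${RELOAD_DNS_CMD:-service named restart}"

# Increment the SOA serial (2014123113 -> 2014123114). Bind reloads a zone and
# secondaries transfer it only when the serial has grown.
bump_serial() {
    awk '!done && match($0, /[0-9]+[ \t]*; serial/) {
             n = substr($0, RSTART, RLENGTH); sub(/[^0-9].*/, "", n)
             $0 = substr($0, 1, RSTART - 1) sprintf("%d", n + 1) substr($0, RSTART + length(n))
             done = 1 }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Record name the CA will query. getssl already passes the base name for a wildcard
# (the page's output shows _acme-challenge.megacorp.com for *.megacorp.com); the
# leading "*." is stripped here too so the hook can be run by hand.
challenge_name() {
    local base
    base="${1#\*.}"
    printf '_acme-challenge.%s.' "$base"
}

# Add one TXT record. Appending keeps any record already present for the same name,
# which matters when the wildcard and the bare domain are validated in one run.
add_txt() {
    local name
    name="$(challenge_name "$1")"
    printf '%s IN TXT "%s"\n' "$name" "$2" >> "$ZONE_FILE"
    bump_serial "$ZONE_FILE"
    $RELOAD_DNS_CMD
}

# Remove the challenge record(s). With a token as $2 only that record goes; without
# one (as the page's dns_del_manual assumes) every record for the name is removed.
del_txt() {
    local name match
    name="$(challenge_name "$1")"
    match="$name IN TXT"
    if [ -n "${2:-}" ]; then match="$match \"$2\""; fi
    grep -v -F -- "$match" "$ZONE_FILE" > "$ZONE_FILE.tmp" || true
    mv "$ZONE_FILE.tmp" "$ZONE_FILE"
    bump_serial "$ZONE_FILE"
    $RELOAD_DNS_CMD
}

# Install as /opt/bin/dns_add_bind and symlink it to /opt/bin/dns_del_bind (hypothetical
# names); the operation is chosen from the name the script was invoked by. Then set
# DNS_ADD_COMMAND="/opt/bin/dns_add_bind" and DNS_DEL_COMMAND="/opt/bin/dns_del_bind"
# in ~/.getssl/getssl.cfg.
if [ "$#" -ge 1 ]; then
    case "$(basename "$0")" in
        *del*) del_txt "$1" "${2:-}" ;;
        *)     add_txt "$1" "$2" ;;
    esac
fi
```

With VALIDATE_VIA_DNS="true" and the two DNS_*_COMMAND settings pointing at these hooks, the getssl run no longer stops at the "Press any key" prompt. The serial bump matters beyond the local restart: a secondary name server only transfers the zone when the serial has grown, and the CA may query either server, which is the usual reason a challenge stays "Pending".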
Configure Apache for multiple HTTPS domains on the same IP, using virtual hosts with Server Name Indication (SNI) to allow the server to determine the correct certificate for each domain.
Copy encryption certificates to an Apache accessible directory.
sudo cp '.getssl/*.megacorp.com/*.megacorp.com.key' /etc/ssl/websites/megacorp.com/domain.key
sudo cp '.getssl/*.megacorp.com/*.megacorp.com.crt' /etc/ssl/websites/megacorp.com/domain.crt
sudo cp '.getssl/*.megacorp.com/chain.crt' /etc/ssl/websites/megacorp.com/chain.crt
sudo cp '.getssl/*.megacorp.com/fullchain.crt' /etc/ssl/websites/megacorp.com/fullchain.crt
sudo cp '.getssl/*.megacorp.com/*.megacorp.com.csr' /etc/ssl/websites/megacorp.com/domain.csr

Edit the configuration for the domain by adding an HTTPS virtual host alongside the existing HTTP configuration. The working HTTP configuration is left unaltered; the HTTPS block is added to it.

File: /etc/httpd/sites.d/megacorp.conf
...
...
<VirtualHost *:443>
    ServerName megacorp.com
    ServerAlias www.megacorp.com
    DocumentRoot /home/websites/www/megacorp.com/html/
    <Directory "/">
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /home/websites/www/megacorp.com/html>
        XBitHack Full
        Options FollowSymLinks MultiViews Includes
        IndexOptions SuppressLastModified SuppressDescription
        AllowOverride All
        Order allow,deny
        allow from all
        Require all granted
    </Directory>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1
    SSLCertificateFile /etc/ssl/websites/megacorp.com/domain.crt
    SSLCertificateKeyFile /etc/ssl/websites/megacorp.com/domain.key
    SSLCertificateChainFile /etc/ssl/websites/megacorp.com/chain.crt
    ErrorLog /var/log/httpd/megacorp.com-error.log
    LogLevel warn
    CustomLog /var/log/httpd/megacorp.com-access.log combined
    ServerSignature Off
</VirtualHost>
Verify the Apache webserver configuration: apachectl configtest
Look for the response Syntax OK
Restart the Apache webserver: apachectl restart
Firewall Rules:
[Pitfall] The webpage does not load but stalls and reaches timeout. Try flushing the firewall rules on the web server: iptables -F
Apache Restart Fails:
[Pitfall] Restart (apachectl restart) fails and gives the following error:
(13)Permission denied: AH00058: Error retrieving pid file /var/run/httpd/httpd.pid
AH00059: Remove it before continuing if it is corrupted.
getssl: error running: apachectl restart
One must be the root user in order to restart the server.
Stale Certificate:
Close the browser and then restart the browser application.
Check certificate expiration date:
- openssl x509 -text -in fullchain.pem
- openssl x509 -text -in chain.crt
- openssl x509 -text -in domain.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:de:82:...................................:a4:c9:c9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R11
        Validity
            Not Before: Mar 19 05:20:27 2025 GMT
            Not After : Jun 17 05:20:26 2025 GMT
        Subject: CN=megacorp.com
...
...
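Reading the Validity block by eye works once; a renewal job needs the same check as a yes/no answer, and the copy step into /etc/ssl/websites/megacorp.com/ deserves a check of its own, since a wrong file there passes apachectl configtest and only fails in the browser. The script below is an added example for this page, not getssl's, Let's Encrypt's or Apache's own code. It uses the page's file names (domain.crt, domain.key, chain.crt); the function names are hypothetical, and only the openssl command-line tool is required. It verifies that domain.key belongs to domain.crt, that chain.crt leads from domain.crt to a trusted root, and whether the certificate expires within a given number of days.

```shell
#!/usr/bin/env bash
# Added example, not getssl's, Let's Encrypt's or Apache's own code: checks on the
# files copied into /etc/ssl/websites/megacorp.com/ (the page's paths) before Apache
# is restarted, plus the expiry test a renewal cron job needs. Function names are
# hypothetical; only the openssl command-line tool is required.
set -u

CERT_DIR="${CERT_DIR:-/etc/ssl/websites/megacorp.com}"

# Does the private key belong to the certificate? Both carry the same SubjectPublicKeyInfo,
# so hashing the two public keys and comparing catches a key/cert mix-up from the copy step.
cert_matches_key() {   # $1 certificate (PEM), $2 private key (PEM)
    local cert_pub key_pub
    cert_pub="$(openssl x509 -noout -pubkey -in "$1")" || return 2
    key_pub="$(openssl pkey -in "$2" -pubout)" || return 2
    [ "$(printf '%s\n' "$cert_pub" | openssl dgst -sha256)" = \
      "$(printf '%s\n' "$key_pub" | openssl dgst -sha256)" ]
}

# Does chain.crt really lead from domain.crt to a trusted root? chain.crt holds the
# untrusted intermediate; the roots come from $3 or, if empty, the system trust store.
chain_verifies() {     # $1 certificate, $2 chain (intermediates), $3 trusted roots (optional)
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Does the certificate expire within $2 days? Returns 0 (yes, renew) or 1 (still fine).
# openssl's -checkend exits non-zero when the certificate expires inside the window.
cert_expires_within() {   # $1 certificate, $2 days
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Operator summary; non-zero exit if anything needs attention (usable from cron or a
# deploy script). TRUST_ROOTS may name a CA bundle; empty means the system store.
check_deployment() {
    local crt key chain rc
    crt="$CERT_DIR/domain.crt"; key="$CERT_DIR/domain.key"; chain="$CERT_DIR/chain.crt"
    rc=0
    if cert_matches_key "$crt" "$key"; then echo "OK   domain.key matches domain.crt"
    else echo "FAIL domain.key does not belong to domain.crt"; rc=1; fi
    if chain_verifies "$crt" "$chain" "${TRUST_ROOTS:-}"; then echo "OK   chain.crt verifies domain.crt"
    else echo "FAIL chain.crt does not verify domain.crt"; rc=1; fi
    if cert_expires_within "$crt" 30; then echo "WARN domain.crt expires within 30 days, renew it"; rc=1
    else echo "OK   domain.crt is valid for more than 30 days"; fi
    return "$rc"
}
```

Running check_deployment from cron a few days before the 90-day limit gives a non-zero exit exactly when getssl should be re-run, which is simpler than parsing the "Not After" line, and the key/chain checks turn the "Stale Certificate" and restart pitfalls above into a message before the restart rather than after.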
Here are some websites which can be used to test and examine your HTTPS installation and give an assessment:
Linux documentation: