Deploy https LAMP website with self signed or commercial certificate on CentOS 7

In this article we will set up a very basic LAMP website, generate a self-signed SSL/TLS certificate and configure an Apache virtual host to serve the site over https. The second half shows the same deployment with a commercially issued certificate.
TLS is not a silver bullet, but it makes your website safer by encrypting the link between the browser and the web server. Keep in mind what a self-signed certificate does and does not give you: the traffic is encrypted, but nobody vouches for the server's identity, so every browser will warn the user. That is fine for a lab or an internal test site; a public site needs a certificate from a publicly trusted CA.



1. First let's install LAMP. We will not go into much detail here and just show the basic steps needed to set it up. All commands in this article are run as root.

yum install httpd
systemctl start httpd.service
systemctl enable httpd.service
yum install mariadb-server mariadb
systemctl start mariadb
mysql_secure_installation        # set the root password, drop the test database and anonymous users
systemctl enable mariadb.service
yum install php php-mysql
systemctl restart httpd.service  # restart so httpd loads the PHP module

2. Let's now install the mod_ssl package

yum install mod_ssl

3. Now we can generate the private key. The file is called ca.key throughout this article, but it is the web server's key, not a CA key. 2048-bit RSA is the minimum you should use today.

openssl genrsa -out ca.key 2048

4. Let's generate the CSR. This is the step that prompts for the certificate details. The Common Name must be the hostname users will type into the browser; the challenge password and optional company name can be left empty. Note that current browsers ignore the Common Name and match the hostname against the subjectAltName extension, which this interactive flow does not add, so expect a hostname mismatch warning on top of the untrusted-issuer warning with this certificate.

openssl req -new -key ca.key -out ca.csr
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Toronto
Organization Name (eg, company) [Default Company Ltd]:prolinuxhub
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:demo1.com
Email Address []:demo@myemail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5. Now we sign the CSR with our own key to produce the self-signed certificate, valid for 365 days. This command does not prompt for anything.

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

6. We can now copy the key and certificate to their standard locations. /etc/pki/tls/private is owned by root with mode 0700 on CentOS 7, so keep the key there and never copy it under the DocumentRoot or anywhere a web user can read it. The CSR is only needed again if you later want the same key signed by a real CA.

cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
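The steps above leave you with a certificate that browsers reject twice: once because it is self-signed and once because it has no subjectAltName. The script below is an added example, not part of the original article, that produces the key and self-signed certificate in one command with a SAN (the idiomatic way on the OpenSSL 1.0.2 shipped with CentOS 7, which has no -addext option), and then runs the two checks a practitioner does before touching httpd: that the certificate and key share the same RSA modulus, and that the SAN actually lists the hostname. The DN fields and demo1.com come from the article; the config layout, function names and output directory are my assumptions.

```shell
#!/usr/bin/env bash
# Added example: self-signed server certificate with a subjectAltName, plus sanity checks.
# Hostname and DN values follow the article; everything else is assumed for illustration.
set -eu

# Write the OpenSSL request config. prompt=no makes "openssl req" read the DN from the [dn]
# section instead of asking interactively; [v3_req] carries the SAN browsers match against.
write_req_config() {   # $1 = config path, $2 = primary hostname
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
C  = CA
ST = Ontario
L  = Toronto
O  = prolinuxhub
OU = IT
CN = $2

[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2, DNS:www.$2
EOF
}

# Key and self-signed certificate in one step (-x509). -nodes leaves the key unencrypted so
# httpd can start unattended; the key is protected by file permissions instead.
make_selfsigned_cert() {   # $1 = output dir, $2 = hostname, $3 = validity in days
    local dir=$1 host=$2 days=$3
    write_req_config "$dir/$host.cnf" "$host"
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# A certificate and a private key belong together when their RSA modulus is identical.
cert_matches_key() {   # $1 = cert, $2 = key
    local c k
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa  -noout -modulus -in "$2")
    [ "$c" = "$k" ]
}

# Succeeds when the SAN extension lists the given DNS name.
cert_has_san() {   # $1 = cert, $2 = dns name
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

WORK=$(mktemp -d)    # assumed scratch directory; on a real host use /etc/pki/tls
make_selfsigned_cert "$WORK" demo1.com 365
cert_matches_key "$WORK/demo1.com.crt" "$WORK/demo1.com.key" && echo "key and certificate match"
cert_has_san "$WORK/demo1.com.crt" demo1.com && echo "SAN covers demo1.com"
openssl x509 -noout -subject -dates -in "$WORK/demo1.com.crt"
```

Point SSLCertificateFile and SSLCertificateKeyFile at the generated .crt and .key and the rest of the article applies unchanged; the only warning left in the browser is the untrusted issuer, which is inherent to a self-signed certificate.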

7. Let's now create the directory for our virtual host based website

mkdir -p /var/www/html/demo1.com

8. We also need to create the vhost configuration file. The DocumentRoot must be the directory created in step 7; httpd's default /var/www tree already grants access, so only the AllowOverride for .htaccess files is added here.

vi /etc/httpd/conf.d/demo1.conf

<VirtualHost *:443>
         SSLEngine on
         SSLCertificateFile /etc/pki/tls/certs/ca.crt
         SSLCertificateKeyFile /etc/pki/tls/private/ca.key

         DocumentRoot /var/www/html/demo1.com
         ServerName demo1.com

         <Directory /var/www/html/demo1.com>
                 AllowOverride All
         </Directory>
</VirtualHost>

9. Let's restart Apache

systemctl restart httpd

10. At this point you can access your site over https at https://demo1.com. Because the certificate is self-signed, the browser will show a warning you have to click through; that is expected for a test site and is exactly why a public site needs a CA-issued certificate.

You will need to make sure your test site can be resolved via DNS. If not, add an entry to the hosts file of the machine you test from.

Deploy https with commercial certificate

We used Comodo in this example, but any publicly trusted CA will do.

1. Install ssl module

yum install mod_ssl

2. Create the private key and the CSR that you submit to your CA. -nodes leaves the key unencrypted so httpd can start without a passphrase prompt, which is why it is written straight into the root-only /etc/pki/tls/private directory rather than somewhere temporary.

openssl req -new -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/mywebsite.com.key -out /etc/pki/tls/private/mywebsite.com.csr

3. Once your information has been verified and the CA has issued your certificates, copy them to the locations referenced later in the httpd configuration file. Exactly which files you get depends on the CA; Comodo ships the server certificate, one or more intermediate CA certificates (TrustCA.crt here) and the root (CARoot.crt).

cp mywebsite_com.crt /etc/pki/tls/certs/mywebsite_com.crt
cp mywebsite.com.key /etc/pki/tls/private/mywebsite.com.key
cp CARoot.crt /etc/pki/tls/certs/CARoot.crt 
cp TrustCA.crt /etc/pki/tls/certs/TrustCA.crt

4. Now create the configuration file

vi /etc/httpd/conf.d/mywebsite.com.conf

<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/pki/tls/certs/mywebsite_com.crt
     SSLCertificateKeyFile /etc/pki/tls/private/mywebsite.com.key
     SSLCertificateChainFile /etc/pki/tls/certs/TrustCA.crt
     SSLCACertificateFile /etc/pki/tls/certs/CARoot.crt
     ServerAdmin info@example.com
     ServerName www.mywebsite.com
     DocumentRoot /var/www/mywebsite.com/public_html/
     ErrorLog /var/www/mywebsite.com/logs/error.log
     CustomLog /var/www/mywebsite.com/logs/access.log combined

     <Directory /var/www/mywebsite.com/public_html>
          AllowOverride All
     </Directory>
</VirtualHost>

SSLCertificateChainFile is the directive that matters here: it makes httpd send the intermediate certificate(s) so that browsers can build a path from your certificate up to a root they already trust. A missing intermediate is the most common cause of "unknown issuer" errors on a freshly deployed commercial certificate, and it is easy to miss because a browser that has cached the intermediate from another site will not complain. SSLCACertificateFile is only consulted when httpd verifies client certificates, so it can be left out. Create the logs directory before restarting httpd, otherwise it refuses to start.
	

The Apache paths above are just for reference. The list below, taken from the Go standard library's search for system root certificates (see the linked issue), shows where different systems keep the CA trust store, i.e. the bundle that clients such as curl and php use to validate the certificates they are presented with. This is not where you install your own server certificate, but it is the place that matters if you want clients on that machine to trust a self-signed or private CA certificate (on CentOS 7 you drop the CA certificate into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust rather than editing the bundle by hand).

/etc/ssl/certs/ca-certificates.crt                    Debian/Ubuntu/Gentoo etc.
/etc/pki/tls/certs/ca-bundle.crt                      Fedora/RHEL 6
/etc/ssl/ca-bundle.pem                                OpenSUSE
/etc/pki/tls/cacert.pem                               OpenELEC
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem     CentOS/RHEL 7
/etc/ssl/certs                                        SLES10/SLES11 (https://golang.org/issue/12139)
/system/etc/security/cacerts                          Android
/usr/local/share/certs                                FreeBSD
/etc/pki/tls/certs                                    Fedora/RHEL
/etc/openssl/certs                                    NetBSD

Redirect http to https

Method 1
Add a permanent redirect to the plain-http (port 80) virtual host. It must not go into the https vhost, otherwise you create a redirect loop.

Redirect permanent / https://mywebsite.com/

Method 2
Use mod_rewrite, which also works from a .htaccess file and preserves the host and path the client asked for. A bare R flag sends a temporary 302; use R=301 if you want the redirect cached as permanent.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
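The vhost fragments in this article show only the certificate directives. Below is an added example of the complete pair of virtual hosts I would deploy on CentOS 7, tying together the https vhost from the commercial-certificate section and the redirect above; it is not the article's own configuration. The hostname, document root and log paths are the article's placeholders, while the protocol, cipher and HSTS settings are my additions and assume mod_ssl, mod_rewrite and mod_headers are loaded, as they are by default on CentOS 7.

```apache
# /etc/httpd/conf.d/mywebsite.com.conf  (added example; mywebsite.com and all paths are placeholders)

# Plain-http vhost: its only job is to send every request to https.
<VirtualHost *:80>
    ServerName  www.mywebsite.com
    ServerAlias mywebsite.com
    Redirect permanent / https://www.mywebsite.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName  www.mywebsite.com
    ServerAlias mywebsite.com
    ServerAdmin info@example.com
    DocumentRoot /var/www/mywebsite.com/public_html

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/mywebsite_com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/mywebsite.com.key
    # Intermediate certificate(s) only; the root is already in the client's trust store.
    SSLCertificateChainFile /etc/pki/tls/certs/mywebsite.com.ca-bundle

    # Protocol and cipher hygiene: the stock ssl.conf on CentOS 7 still allows TLS 1.0/1.1,
    # and !kRSA drops the non-forward-secret RSA key exchange.
    SSLProtocol         all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!MD5:!3DES:!RC4:!kRSA
    SSLHonorCipherOrder on
    SSLCompression      off

    # Tell browsers to use https only for the next six months (mod_headers).
    # Test with a short max-age first: a wrong HSTS policy is cached by every visitor.
    Header always set Strict-Transport-Security "max-age=15768000"

    <Directory /var/www/mywebsite.com/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # The logs directory must exist before httpd starts.
    ErrorLog  /var/www/mywebsite.com/logs/error.log
    CustomLog /var/www/mywebsite.com/logs/access.log combined
</VirtualHost>
```

Run apachectl configtest before restarting httpd; it catches a missing chain file or log directory with a clear message instead of a failed service start.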

Bundle example
Here is how you create a certificate bundle and configure the Apache directives. The bundle must list the intermediates in order, starting with the CA that signed your certificate and ending with the one signed by the root. The root itself is already in the browser's trust store, so it can be left out; including it is harmless. Use the Comodo intermediate that matches the type of certificate you bought (Domain, Organization or Extended Validation). Note that the order below has the issuing CA first; the version of this command that circulates with the root or cross-signing CA first works in most browsers, which reorder the chain themselves, but fails in stricter clients.

cat ComodoRSA<Domain|Organization|ExtendedValidation>SecureServerCA.crt ComodoRSAAddTrustCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle
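You cannot run the command above without a real Comodo certificate, so here is an added example (not from the article) that builds the same structure with a throwaway private PKI: a root CA, an intermediate CA and a server certificate, the intermediate bundled the way the article bundles the Comodo files, and the chain checked the way a browser checks it, trusting only the root and taking the intermediate from the bundle. It also shows the failure the bundle prevents. All names and paths are made up for the example.

```shell
#!/usr/bin/env bash
# Added example: root -> intermediate -> server chain, intermediate bundle, chain verification.
# "Example Lab" and www.mywebsite.com are placeholders; nothing here is a real CA.
set -eu

WORK=$(mktemp -d)     # assumed scratch directory
cd "$WORK"

# 1. Self-signed root CA (the role AddTrustExternalCARoot.crt plays in the article).
openssl req -new -nodes -newkey rsa:2048 \
    -subj "/O=Example Lab/CN=Example Lab Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -days 3650 -in root.csr -signkey root.key -extfile root.ext -out root.crt 2>/dev/null

# 2. Intermediate CA signed by the root (the role of the Comodo ...CA.crt files).
#    pathlen:0 means it may issue end-entity certificates but no further CAs.
openssl req -new -nodes -newkey rsa:2048 \
    -subj "/O=Example Lab/CN=Example Lab Issuing CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -days 1825 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile inter.ext -out inter.crt 2>/dev/null

# 3. Server certificate signed by the intermediate, with a SAN for hostname matching.
openssl req -new -nodes -newkey rsa:2048 \
    -subj "/CN=www.mywebsite.com" \
    -keyout site.key -out site.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.mywebsite.com,DNS:mywebsite.com\n' > site.ext
openssl x509 -req -days 365 -in site.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -extfile site.ext -out site.crt 2>/dev/null

# 4. The bundle holds the intermediate(s) only, issuing CA first; httpd serves it with
#    SSLCertificateChainFile. The root stays out because clients already trust it.
cat inter.crt > site.ca-bundle

# Verify like a client: trust only the root, take intermediates from the untrusted bundle.
verify_with_bundle() {      # $1 = trusted root, $2 = bundle, $3 = server cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
# Same check without the bundle: this is what a browser without a cached intermediate sees.
verify_without_bundle() {   # $1 = trusted root, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verify_with_bundle root.crt site.ca-bundle site.crt && echo "site.crt chains to the root via the bundle"
verify_without_bundle root.crt site.crt || echo "without the bundle the chain is incomplete (unknown issuer)"
```

The same two-step check works against a real deployment: fetch what the server actually sends with openssl s_client -connect host:443 -showcerts and verify the leaf with the system bundle as -CAfile and the served intermediates as -untrusted. If that fails while the browser is happy, the browser is filling in an intermediate from its cache and other clients will break.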

SSL site configuration


     SSLEngine On
     SSLCertificateFile /etc/pki/tls/certs/site_com.crt
     SSLCertificateKeyFile /etc/pki/tls/private/site.com.key
     SSLCertificateChainFile /etc/pki/tls/certs/site.com-bundle
.....