Httpd SSL Configuration: Difference between revisions
No edit summary |
|||
| (85 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
* http://wiki.centos.org/HowTos/Https | * http://wiki.centos.org/HowTos/Https | ||
* http://www.thegeekstuff.com/2012/05/install-apache-2-on-centos-6/ | * http://www.thegeekstuff.com/2012/05/install-apache-2-on-centos-6/ | ||
=Internal= | =Internal= | ||
* [[httpd Configuration#Subjects]] | * [[httpd Configuration#Subjects]] | ||
* [[SSL/TLS]] | |||
* [[Let's Encrypt]] | |||
=Overview= | |||
In order to protect a web site with SSL, you will need to make sure mod_ssl is available and functional, then create a [[httpd Concepts#Virtual_Host|virtual host]] that listens on port different from the non-SSL protected sites (usually 443), turn the SSLEngine on for that virtual host, and specify the paths to the certificate and the private key. | |||
=Procedure= | |||
==Obtain Certificate== | |||
Obtain a certificate. Options: | |||
* Use a generated self-signed certificate. Note that a Centos installation comes with a local certificate available in <code>/etc/pki/tls/certs/localhost.crt</code> and a private key <code>/etc/pki/tls/private/localhost.key</code>, which can be used for testing. httpd is configured by default to use it. This is how you [[openssl Operations#Generate_a_Self-Signed_Certificate|generate a self-signed certificate]]. | |||
* Install a valid certificated provided by Let's Encrypt. The procedure is available here, and usually is fully automatic: | |||
{{Internal|Let's Encrypt#Procedure|Let's Encrypt}} | |||
* Obtain a commercial certificate signed by a known CA. | |||
==Install mod_ssl and openssl== | |||
<syntaxhighlight lang='bash'> | |||
yum -y install mod_ssl | |||
yum -y install openssl | |||
</syntaxhighlight> | |||
By default, this ends up installing <code>mod_ssl.so</code> in <code>/etc/httpd/modules</code>. It also creates the default SSL configuration file <code>ssl.conf</code> in <code>/etc/httpd/conf.d</code>. | |||
==ssl.conf== | |||
<code>ssl.conf</code> must be included explicitly, yum installation, while it creates, it does not include it. However, usually the main <code>httpd.conf</code> configuration file contains an "include all conf.d" line: | |||
<syntaxhighlight lang='text'> | |||
IncludeOptional conf.d/*.conf | |||
</syntaxhighlight> | |||
which should take care of ssl.conf inclusion. More about <code>[[httpd IncludeOptional|IncludeOptional]]</code>. | |||
If not present, explicitly add the following <code>Include</code> directive above the virtual host area: | |||
<syntaxhighlight lang='text'> | |||
Include conf.d/ssl.conf | |||
</syntaxhighlight> | |||
<code>ssl.conf</code> contains the configuration of a default secure virtual host, and the custom secure virtual hosts should be added under it. See [[#Secure_Virtual_Hosts|Secure Virtual Hosts]] | |||
==Listen== | |||
Restrict the secure server to listen to a specific, dedicated interface by specifying it in ssl.conf <tt>Listen</tt>: | |||
<syntaxhighlight lang='text'> | |||
Listen 1.2.3.4:443 https | |||
</syntaxhighlight> | |||
Note that the main configuration file might still contain a <code>Listen</code> directive for port 80. This is fine if your web server still wants to serve unsecured pages, multiple <code>Listen</code> directives '''for different ports''' are legal. ⚠️ However, if more than one <code>Listen</code> directives instruct the server to listen '''on the same port''', the server will fail to start. More details about <code>Listen</code> are available here: | |||
{{Internal|httpd Listen|<tt>Listen</tt> directive}} | |||
==Log Location== | |||
By default, the SSL logs level and location is different: | |||
<syntaxhighlight lang='text'> | |||
ErrorLog logs/ssl_error_log | |||
TransferLog logs/ssl_access_log | |||
LogLevel warn | |||
</syntaxhighlight> | |||
==localhost Key and Certificate== | |||
These are self-signed, test certificates. | |||
==Secure Virtual Hosts== | |||
Add custom secure virtual hosts at the bottom of <code>ssl.conf</code>: | |||
<syntaxhighlight lang='text'> | |||
<VirtualHost 1.2.3.4:443> | |||
ServerName praetorian.novaordis.com | |||
SSLEngine on | |||
SSLCertificateFile "/etc/pki/tls/certs/praetorian.novaordis.com.crt" | |||
SSLCertificateKeyFile "/etc/pki/tls/private/praetorian.novaordis.com.key" | |||
SSLCertificateChainFile "/etc/pki/tls/certs/praetorian.novaordis.com-godaddy-chain.crt" | |||
DocumentRoot "/var/www/praetorian.novaordis.com" | |||
</VirtualHost> | |||
</syntaxhighlight> | |||
GoDaddy certificate installation instructions: https://www.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238 | |||
==Site Private Key== | |||
Place the private key under <tt>/etc/pki/tls/private</tt>. | |||
Name it <tt><secure-site-FQN>.key</tt>. Example: praetorian.novaordis.com.key. | |||
Make it available to apache:apache and only it: | |||
<syntaxhighlight lang='text'> | |||
chown apache:apache praetorian.novaordis.com.key | |||
chmod go-rwx praetorian.novaordis.com.key | |||
</syntaxhighlight> | |||
==Site Certificate== | |||
Place the certificate file under <tt>/etc/pki/tls/certs</tt>. | |||
Name it <tt><secure-site-FQN>.crt</tt>. Example: praetorian.novaordis.com.crt. | |||
==Site Chain/Intermediate Certificate== | |||
Most trusted certificates require that you install at least one other intermediate/chain certificate on the server, to link your certificate up to the trusted source. For example, the GoDaddy-issued certificates require that. | |||
Place the intermediate/chain certificate file under <tt>/etc/pki/tls/certs</tt>. | |||
Name it <tt><secure-site-FQN>-godaddy-chain.crt</tt>. Example: praetorian.novaordis.com-godaddy-chain.crt. | |||
Specify the path to the certificate chain under the corresponding secure virtual host as: | |||
<syntaxhighlight lang='text'> | |||
SSLCertificateChainFile "/etc/pki/tls/certs/praetorian.novaordis.com-godaddy-chain.crt" | |||
</syntaxhighlight> | |||
Note that for Apache 2.4.8 and higher you need to use SSLCACertificatePath instead. | |||
==Test Certificate== | |||
Use all of below. Testing is a good idea, test may reveal weaknesses and vulnerabilities. If everything was installed correctly, the checks should be successful. | |||
* https://casecurity.ssllabs.com | |||
* https://www.sslshopper.com/ssl-checker.html or similar. | |||
==Other Details== | |||
* Protect against the [[POODLE Attack]]. | |||
* Disable support for [[RC4 Cipher]] | |||
* Support [[Forward Secrecy]] with the reference browsers. | |||
=Troubleshooting= | |||
=="SSLCertificateFile: file '/etc/pki/tls/certs/kb.novaordis.com.crt' does not exist or is empty"== | |||
If I get an error message similar to <tt>SSLCertificateFile: file '/etc/pki/tls/certs/kb.novaordis.com.crt' does not exist or is empty</tt>, and the certificate file exists, is readable and it is a valid certificate, the cause is related to selinux misconfiguration. | |||
Latest revision as of 03:03, 18 November 2021
External
- http://httpd.apache.org/docs/2.4/ssl/
- http://wiki.centos.org/HowTos/Https
- http://www.thegeekstuff.com/2012/05/install-apache-2-on-centos-6/
Internal
Overview
In order to protect a web site with SSL, you will need to make sure mod_ssl is available and functional, then create a virtual host that listens on port different from the non-SSL protected sites (usually 443), turn the SSLEngine on for that virtual host, and specify the paths to the certificate and the private key.
Procedure
Obtain Certificate
Obtain a certificate. Options:
- Use a generated self-signed certificate. Note that a Centos installation comes with a local certificate available in
/etc/pki/tls/certs/localhost.crtand a private key/etc/pki/tls/private/localhost.key, which can be used for testing. httpd is configured by default to use it. This is how you generate a self-signed certificate. - Install a valid certificated provided by Let's Encrypt. The procedure is available here, and usually is fully automatic:
- Obtain a commercial certificate signed by a known CA.
Install mod_ssl and openssl
yum -y install mod_ssl
yum -y install openssl
By default, this ends up installing mod_ssl.so in /etc/httpd/modules. It also creates the default SSL configuration file ssl.conf in /etc/httpd/conf.d.
ssl.conf
ssl.conf must be included explicitly, yum installation, while it creates, it does not include it. However, usually the main httpd.conf configuration file contains an "include all conf.d" line:
IncludeOptional conf.d/*.conf
which should take care of ssl.conf inclusion. More about IncludeOptional.
If not present, explicitly add the following Include directive above the virtual host area:
Include conf.d/ssl.conf
ssl.conf contains the configuration of a default secure virtual host, and the custom secure virtual hosts should be added under it. See Secure Virtual Hosts
Listen
Restrict the secure server to listen to a specific, dedicated interface by specifying it in ssl.conf Listen:
Listen 1.2.3.4:443 https
Note that the main configuration file might still contain a Listen directive for port 80. This is fine if your web server still wants to serve unsecured pages, multiple Listen directives for different ports are legal. ⚠️ However, if more than one Listen directives instruct the server to listen on the same port, the server will fail to start. More details about Listen are available here:
Log Location
By default, the SSL logs level and location is different:
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
localhost Key and Certificate
These are self-signed, test certificates.
Secure Virtual Hosts
Add custom secure virtual hosts at the bottom of ssl.conf:
<VirtualHost 1.2.3.4:443>
ServerName praetorian.novaordis.com
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/praetorian.novaordis.com.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/praetorian.novaordis.com.key"
SSLCertificateChainFile "/etc/pki/tls/certs/praetorian.novaordis.com-godaddy-chain.crt"
DocumentRoot "/var/www/praetorian.novaordis.com"
</VirtualHost>
GoDaddy certificate installation instructions: https://www.godaddy.com/help/installing-an-ssl-certificate-in-apache-centos-5238
Site Private Key
Place the private key under /etc/pki/tls/private.
Name it <secure-site-FQN>.key. Example: praetorian.novaordis.com.key.
Make it available to apache:apache and only it:
chown apache:apache praetorian.novaordis.com.key
chmod go-rwx praetorian.novaordis.com.key
Site Certificate
Place the certificate file under /etc/pki/tls/certs.
Name it <secure-site-FQN>.crt. Example: praetorian.novaordis.com.crt.
Site Chain/Intermediate Certificate
Most trusted certificates require that you install at least one other intermediate/chain certificate on the server, to link your certificate up to the trusted source. For example, the GoDaddy-issued certificates require that.
Place the intermediate/chain certificate file under /etc/pki/tls/certs.
Name it <secure-site-FQN>-godaddy-chain.crt. Example: praetorian.novaordis.com-godaddy-chain.crt.
Specify the path to the certificate chain under the corresponding secure virtual host as:
SSLCertificateChainFile "/etc/pki/tls/certs/praetorian.novaordis.com-godaddy-chain.crt"
Note that for Apache 2.4.8 and higher you need to use SSLCACertificatePath instead.
Test Certificate
Use all of below. Testing is a good idea, test may reveal weaknesses and vulnerabilities. If everything was installed correctly, the checks should be successful.
Other Details
- Protect against the POODLE Attack.
- Disable support for RC4 Cipher
- Support Forward Secrecy with the reference browsers.
Troubleshooting
"SSLCertificateFile: file '/etc/pki/tls/certs/kb.novaordis.com.crt' does not exist or is empty"
If I get an error message similar to SSLCertificateFile: file '/etc/pki/tls/certs/kb.novaordis.com.crt' does not exist or is empty, and the certificate file exists, is readable and it is a valid certificate, the cause is related to selinux misconfiguration.