Installing an SSL Certificate on CentOS Running Apache

Jason Cannon
A free video tutorial from Jason Cannon
Professional system administrator, consultant, and author.
4.5 instructor rating • 19 courses • 447,992 students

Lecture description

In this video lesson, you’re going to learn how to install a valid SSL certificate on a CentOS Linux Server running the Apache web server. By the way, the SSL certificate you’ll install will be issued by Let’s Encrypt entirely for free. Traditionally, you’ve had to pay for SSL certificates and renew them every year. With Let’s Encrypt that’s all changed.

Learn more from the full course

Linux Tutorials and Projects (Free)

Free Tutorials Including Load Balancing, MySQL Replication, SSL Certificate Management and More.

41:09 of on-demand video • Updated August 2020

  • How to complete several Linux projects while obtaining new Linux skills.
English In this video, you're going to learn how to install a valid SSL certificate on a CentOS Linux server running the Apache web server. By the way, the SSL certificate you'll install will be issued by Let's encrypt entirely for free. Traditionally you've had to pay for SSL certificates and renew them each year incurring additional costs. Well, with Let's Encrypt that's all changed. Before you start configuring your Linux server, I want to give you some important background information. This won't be long, just about a minute or so. Now as a quick reminder, SSL stands for Secure Sockets Layer and it allows for encrypted communications between a user's web browser and a web server. It's important to use SSL anytime sensitive data is going to be transmitted such as credit card numbers, personal information, and authentication credentials such as passwords. Even if your web server is not handling sensitive information using SSL can enhance the trust of visitors to your site. Some web browsers will warn users that the site is not secure unless it's using a valid SSL certificate. Also, search engines such as Google rank SSL enabled websites higher in search results so there's an SEO or search engine optimization benefit as well. By the way, this video makes a couple of assumptions. The first one is that your Linux system is running CentOS or Red Hat Enterprise Linux. The second one is that your system is accessible over the public Internet. The last assumption is that you have a valid DNS entry that points to your Linux system. For example, if your domain is www.example.com when someone types in that domain in the web browser they are actually connecting to your Linux server/ I've included some additional information about the DNS configuration that you'll need in the project notes and documentation. So, if you need additional help look there. All throughout this video I'm going to be using demo Linux training academy calm now even though this domain is going to be used in every example be sure to use or a domain when you're following along the first thing you need to do is to connect to your server for me I'm on my Mac desktop so I'm going to open up the terminal application and simply SSH into my server if you connect to your server as a non root user be sure to go ahead and switch to the root user because a lot of the commands that you'll be executing during this tutorial require root or super user privileges as you can see here I'm logged in with the Jason account and I'm going to switch to the root account by typing in su space - and hitting Enter now I'm going to enter the root password let's start off by installing the Apache HTTP webserver we'll also need to install the mod underscore SSL package as it provides SSL support to Apache so we'll use yum install - why to answer yes to the install questions and then type in our package names we'll use HTTP D and mod underscore SSL now that the web server is installed and the SSL support is installed with it we're going to go ahead and start the webserver we can do that with system CTL start httpd you also want to make sure that if your server gets rebooted that the web server starts on boot and to do that you need to run system CTL enable HTTP D now just to check that the webserver started we can use system CTL status httpd and sure enough it says it's active and running and it lists the processes that are associated with the HTTP D service by the way you can also use the is - active option - systemctl it just gives you very brief output so we'll do system CTL is - active and then the service name and it just reports back if it's active or not and here it is active since I'm working on a fresh installation I really don't have a web application configured or my website on here or anything like that so I'm going to create an index.html file and the document root of the webserver just to put a little bit of data there so I can test with it I'm going to do that by redirecting the output of the echo command here that's going to echo demo into the file that lives at VAR w w HTML index.html now by the way that's the document route if you're unsure what the document route is on your system you can do something like this grab - R or recursive I - ignore case and then type in document route and then we'll look in at the HTTP D and here you can see that the line that is not commented the one that does not begin with a pound sign says document route forward slash var slash W W slash HTML so indeed that is the document route that we're using here if you're using a local Linux firewall then you need to add firewall rules that allow web traffic such as HTTP traffic and HTTP traffic on this system I happen to have the firewall enabled so I'm going to add rules with a firewall - CMD command so our first rule will be firewall - CMD we're going to make it permanent we're going to place it in the public zone and then we're going to tell it what service that we're going to allow we're going to allow HTTP traffic I'll hit enter to add the rule and then I'll just hit the up arrow key to repeat the command and add an S to the end because I also want to allow the secure traffic the SSL traffic that we're going to be using to our website as well HTTPS now that we have the rules added we can go ahead and reload the firewall and that makes the firewall read those rules and allow in the traffic by the way if you're not using firewall D and you try to execute one of these firewall - CMD commands it will just simply report back that firewall D is not running at this point we're ready to test the webserver we just want to make sure that it's up and running and accepting HTTP and HTTPS traffic so open up a web browser and type in domain name ok the page loads it returns back the information that we put in the index.html file so it looks like everything is working the Chrome web browser currently has a warning for any system that is not using HTTPS so here it gives a warning to the user that your connection to this site is not secure so let's connect to it over the secure protocol which is HTTPS so we'll simply prepend HTTP colon forward slash forward slash and hit enter the web browser displays an error our warning here because the server is actually using a self-signed SSL certificate let's actually view the SSL certificate here in Chrome I can go to settings more tools developer tools and then you need to go to the security tab you may have to click these double arrows arrows to see it in the options but here I have it pulled up recently so it's already loaded and then what I'm going to do is just click on view certificate it says right away that it is a self-signed root certificate and if you click on the details you can obviously see this information is fake it's made up it's definitely not a valid SSL certificate so where did that SSL certificate come from well it came from the mod SSL package as a matter of fact when you installed the mod SSL package it executed a post installation script that created that SSL certificate and we can look at this by using the RPM command with the - queue for query and we want to query the scripts for the mod underscore SSL package and I'm just going to use a pipe symbol there and pipe the output of that RPM command into the LES command which is a pager that allows us to move up and down through that output so that doesn't just scroll quickly off of our screen and miss the output so I hit enter here and it says the post installation scriptlet using bin SH and it shows you the script that was executed ultimately what this script does is it looks to see if there's a localhost key file or a localhost dot cert file and if there is it doesn't do anything but if there isn't it goes ahead and generates an SSL self-signed cert so that's exactly where the SSL cert came from that we looked at in our web browser now to get out of the LES pager I'm just going to hit Q by the way you don't have to use a full-blown graphical user interface type web browser to check your web server you can simply do that at the command line with the curl command so we'll do this will type in curl HTTP and then our domain name sure enough what is returned is what is in the index.html file that we created a couple of minutes ago now let's check the HTTPS protocol curl reports an error it says the certificate is invalid and again we know that's fine because it's a self-signed cert here it gives us some instructions to ignore this error if we want to so we can use curl - kay and then provide the address again by the way I'm going to use a little shortcut here which is exclamation mark dollar sign and hit enter that exclamation dollar sign is what bash calls an event designator this particular event designator says give me the last item on the previous command line so exclamation mark dollar sign is the last thing on the previous command line before it actually executed the command it showed what it was executing so it showed the exclamation mark dollar sign expanded to http demo dot Linux training academy com in order to generate an SSL certificate you're going to need the cert bot application it's not part of the base Linux distribution but it is available in the Apple repository apple e PE l stands for extra packages for enterprise linux and it's a fedora project that builds and maintains quality third-party packages for rail based distributions such as CentOS to add the Apple to your system simply install the Apple - release package so we'll run yum install - why Apple release and hit enter now that you've added the Apple repository you can go ahead and install the cert bot application yum install - why sir button by the way if you're unsure what package to install of what the package name is you can search for it with yum so you could have done yum search cert bot and then look at your options if you're still unsure which packages the right one you can get even more detailed information about a specific package with yum info and we're going to supply the cert bot package at the end of this yum info command and get more detailed information on it so there you can see that it gives an extended description and this can help you decide if that's the proper package that you should install or not the surf bot application has a few different plugins that allow it to automatically update the configuration for the web server that you're using since we're using Apache will install the Apache cert bot plugin let's go back up a couple of commands here and do a search for a cert bot and let's see if we can spot these Apache plugin and sure enough we can see it there the Apache plugin for cert bot so I'm just going to copy this and install it yum install - why and then that package name now by the way if you are using nginx you can see there that you could install the nginx plug-in using the package that is listed there as well again we're using Apache so we'll just install the Apache plug-in requesting an SSL certificate is really as easy as just executing the cert bot command if you run the command without any options you're going to be prompted for all the required information because we already know that we're using the Apache web server we can specify that on the command line with a dash dash of Pachi option so we can use cert bot - - Apache and we also can specify the domain with dash D followed by your domain here we're using demo Linux training academy comm now we just simply answer the questions as we're prompted here it wants an email address so we'll just type in your email address read the Terms of Service and then agree with them by typing a and hitting Enter if you want to join the e FF mailing list you can hit Y here I'm just going to hit now I'm already on their email list the surf out utility looks through the Apache configuration and tries to figure out where and there you have the configuration for your system here it's saying that it didn't find the configuration and it's asking us exactly where to put it so we're just going to accept the one-and-only default choice here which is one so we'll hit one and hit enter okay again we get the same question what configuration file should we use again we'll just hit one and press Enter the real choice you have to make here is do you want to use this easy method or the secure method now if you choose easy here you can serve both HTTP and HTTPS traffic if you choose the secure option then any requests that come to HTTP will be redirected to the HTTPS portion of your website for me I'm just going to force all traffic over HTTPS so I'm going to hit two and press Enter here it gives you some information such as when your certificate will expire and where it's stored at on disk by the way if you want to look at all the files that were created by a cert bot you can look in at C let's encrypt live and hit enter here I'll just use the find command to list all the files in there and you can see all the files that were generated by cert bot if you're hosting multiple domains each domain will have its own directory with its own certificate now let's verify the SSL certificate with our web browser I already have my domain pull up in my web browser so I'm just going to reload it and sure enough it reports as secure and if we click on view certificate we can see that it's issued by let's encrypt and it says that this certificate is valid you can also check this at the command line by using the curl command so we'll type in curl HTTP followed by our domain name sure enough it returns the information we have in our index.html file and it doesn't issue a warning or an error like it did when we were using the self signed certificate at the time of this recording the default Apache SSL configuration that is used on CentOS doesn't account for some recent security issues such as poodle and heartbleed and those types of things so to address these security issues we can update the apache SSL configuration since i'm using a default install the SSL configuration file lives in etsy httpd chord slash conf d SSL com now if you have a different file that you are using and that you told cert bot about and it put the configuration there then edit that file but again I'm using the default so I'm going to edit the ssl.com file now I'm looking for the SSL protocol line here and when we get here I'm just going to put in a comment by the way comments start with a pound sign in this particular file and I'm just going to say this is the insecure version and I'm going to comment out that insecure version I'm actually going to make a copy of that line and add just one more bit of information here and that is to disable SSL v3 so we'll go ahead and save that now the next thing we need to change here is the SSL cipher suite again I'll just say that this is the insecure default option and comment that out now I'm going to copy and paste this big long line of text because I don't want to make any typing mistakes and that's just the easiest way to do it so now what I'm going to do here is save my changes in exit anytime you're making configuration changes to your web server you want to run a config test to make sure that you don't have any unexpected typing mistakes or you accidentally use some incorrect syntax so you can just run Apache CTL config test and hit enter now if it reported some kind of issue or error go back and edit the file again fix the issues and then run the config test again until it says syntax ok this way when you attempt to restart the web server to reread that new configuration you won't end up with your web server being down because of a syntax issue and then have it down while you're troubleshooting so running the config test first is a very good idea so now that the config test passed we can make the Apache web server restart which makes it read all that new configuration that we supplied I'm just going to execute the curl command against our website and to make sure it's up sure enough the web server is up it's returning our web page and everything looks good SSL certificates issued by let's encrypt are valid for 90 days to attempt an SSL certain to get renewal use the cert bot application so we'll run cert but renew and hit enter here it reports that our certificate is not yet ready for renewal the sir bot renew command will renew all previously obtained certs that expire in less than 30 days if it does do a certificate renewal it'll also restart Apache for you here it didn't even attempt to do the certificate renewal so it's okay to run this command as many times as you want because it won't even try unless it's ready to be renewed now there are a couple of different ways to handle SSL certificate renewals one way is a more manual way you could for instance put a note in your calendar to remind yourself to you log into your system and run this command to renew your cert but if you're like me and you have a busy day and you overlooked a calendar event then you may run into a situation where you have an SSL certificate expire and your visitors will be getting warnings and errors about an invalid certificate on your site and that's no fun so there are a couple of ways to automate this process one way is to create a cron job to create a cron job we can run the cron tab - 'command and that is to edit our crontab now I'm just going to put a comment here about what this job is going to do renew SSL certs daily the first five fields of a crontab entry are actually a time specification and they represent that minute hour day of the month month of the year and day of the week so I'm just going to have this command execute every night at midnight and how you can do that is you type in 0 for 0 minutes 0 for 0 hours and then use asterisk for the remaining time specification fields the command that we're going to put here will only be executed when all the time specification fields match the current date and time when you use an asterisk it matches any date or time for that field so here we've only specified the hours and minutes so every night at 0 hours and 0 minutes this job will get executed so what we want to do is supply the command that we want to be executed at midnight so we'll use user bin cert bot and we're going to do renew now this will generate some output and if you don't do anything else and just save your changes here when this command executes it will produce that output and it will send an email to the account associated with this cron job which is the root account on this system now that may or may not be what you want personally I don't want an email like that what I want to do is just save a log file on the system and so how we can do that is just redirect all the output generated by this command this ampersand followed by the greater than sign says redirect all standard input and standard output more or less everything that this cert bot command could generate and put it into a file and so what we're going to do is put it into var log assert bot dot cron log now every time this command gets executed it over writes that file but for me and my purposes that's good enough because if the SSL cert something wrong has happened I'll get notified via our monitoring system or potentially a user of the website will notice something and then I can go back and look at this log file to see what happened with a renewal process so once you're done adding your cron job you can save your changes and to check that it installed you can use cron tab - L to list your cron jobs there's a second way to automatically schedule the certificate renewals that method uses system D timers the cert bot package includes a cert bot - renew system D service when you start the service it attempts to renew the SSL certs on the system just if you had typed cert bot renew at the command line this particular service is not like most services because it just simply execute that command and immediately exits it's not a background service where it constantly runs for example so let's just execute the service and see what happens system CTL start cert bot - renew dot service and hit enter now let's check it status system CTL status cert bot renewed service here you can see that it's actually inactive and at the bottom of your screen you can see the output that is exactly like you would have expected had you had run the cert Batra new command from the command line so again this service just execute that command and exits luckily for us the cert bot package also includes a system D timer that will execute the cert bot - renew service daily the first thing you want to do is actually start the timer so we can do that with system CTL start cert bot - renew timer we want this timer to start on boots so to enable that happening we can use system CTL an able cert bot renew dot timer and hit enter now you can view the status of all the system D timers using system CTL lists - timers here you can see that there are two timers that are listed the cert bot renew timer and another one so this tells us that an 11 hours from now the cert bot renew timer will be executed now there's information that Scrolls to the right of the screen so I'm going to hit the right arrow and when I do that to kind of readjust our view to the top of the screen it's using a pager to do this so it says let me move over to the left the unit the cert bot renew timer this goes to the right here says that it activates the cert bot renew service so this timer will start the cert bot renew service run the serve art renew command and exit so I'll hit Q to exit out of this pager so that is the alternative method to scheduling the daily renewal by the way if you're going to use that method then I highly suggest that you disable the cron job and we can do that with crontab - II go ahead and comment out the cron job line there right and quit save your changes make sure that the cron tab saved and you're good to go so again you only have to use one method the crontab method or the system the timer method just one will do let's quickly recap what we've covered in this tutorial you learn how to install an SSL certificate issued by let's encrypt on a CentOS system running the Apache web server you started out by installing the Apache web server and mod SSL for SSL support from there you added firewall rules to allow HTTP and HTTPS traffic next you enabled the Apple repository by installing the Apple - release package that enabled you to install the cert bot application as well as the Apache cert bot plug-in you then created and installed an SSL certificate using the cert by utility finally you automated the certificate renewal process so that your site is never without a valid SSL certificate if you enjoyed this tutorial then I know you're going to love all the other videos tutorials and courses available for you at LinuxTrainingAcademy.com and i hope to see you there!