Deploy HTTPS on Apache/Tomcat in CentOS

Although there are tools can automate the SSL cert renewal process for you, it’s always good to know how it works just in case you need to troubleshoot.

We will first see how it works step by step, then introduce a automated tool Certbot.

Step one: get your server ready

An Overview of Security-Related Packages

To enable the secure server, you must have the following packages installed at a minimum:
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.

User below command to install:

sudo yum install httpd mod_ssl openssl

Check that mod_ssl is properly installed:

# rpm -q mod_ssl
mod_ssl-2.4.6-80.el7.x86_64

And is loaded as a module into httpd server:

# apachectl -M | grep ssl
 ssl_module (shared)

The mod_ssl configuration file is sitting at: /etc/httpd/conf.d/ssl.conf. We need to enable Apache from reading configuration files here.

Note: Enable the Apache to load configuration file from conf.d, which is disabled by default on RHEL/CentOS.

Uncomment below in /etc/httpd/conf/httpd.conf to enable apache load the conf files:

IncludeOptional conf.d/*.conf

Step two: apply for the ssl certificate

Once you’ve got an approval of your certificate from the Certificate Authority (CA), you will have email, which will contain an encryption key valuables in hash algorithm such as;

-----BEGIN CERTIFICATE----- 
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF 
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw 
(.......) 
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6 
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA 
-----END CERTIFICATE-----

Or you can apply free SSL from https://www.sslforfree.com/, which only valid for about 100 days but completely free.

Wildcard or not

For paid version, you can apply certificate which will effective for *.example.com, but for the free version from sslforfree.com, we need to apply two versions.

I will apply two copies of ssl certificate, one for www.example.com and one for example.com.

Now you have two copies of three files, certificate file certificate.crt, Private key file private.key, CA bundle file Ca_bundle.crt.

To confirm that you have applied for the correct domain name, use command below to get the CN name from certificate:

# openssl x509 -noout -text -in certificate.crt | grep CN

Step Three

Upload the files via FTP, then rename to CN_name.crt

Now, you’ll want to create below directories and store the cert files for www.example.com on the following directory, which you’re going to keep all your certificate files;

Example: /etc/httpd/conf/ssl.crt/ , /etc/httpd/conf/ssl.key, /etc/httpd/conf/ca-bundle.

Then we edit the /etc/httpd/conf.d/ssl.conf to use the certificate:

......
Listen 443 https
......

<VirtualHost *:443>

DocumentRoot "/var/www/html"

#Below need to match the CN of your certificate
ServerName www.youdomain.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
SSLEngine on

# SSL Protocol support:
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomain.com.crt

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomain.com.key

# Server Certificate Chain (CA bundle):
SSLCertificateChainFile /etc/httpd/conf/ca-bundle/yourdomain.com.crt

.....................

</VirtualHost>

To force the website redirect http traffice to https:

edit the .htaccess file under the website root directory:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Apache configuration file

Or you can do it in apache configuration file /etc/httpd/conf/httpd.conf

Under the section of port 80:

# General setup for the virtual host, inherited from global configuration

ServerName you.domain.com:80

Add or edit the below section to enable https for all sites:

RewriteEngine On 
RewriteCond %{HTTPS} !=on 
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Only enable https for a site:

RewriteCond %{SERVER_NAME} =your.domain.name

Verify your SSL certificate installation:

You can use the below command to verify the HTTPS status:

openssl s_client -connect www.youdomain.com:443

Or open a browser and test

Now you will find the https://www.example.com is running well, but if you type https://example.com, it will tell you the site is not safe. If you click the advanced tab on desktop, you will find, it says the certificate is for www.example.com, but not example.com. Sounds stupid, but this how it strict with non wildcard certificate.

We will copy the other copy of cert files to /etc/httpd/conf/nonwww/ssl.crt/ , /etc/httpd/conf/nonwww/ssl.key, /etc/httpd/conf/nonwww/ca-bundle

Then open ssl.conf file we did above, copy the existing block <VirtualHost *:443> …..</VirtualHost> to bottom, then change the line “ServerName www.youdomain.com:443” to “ServerName youdomain.com:443”

Find the three lines of cert file, key file, and bundle file, change them into the new path:

If you have the cert file and key file combined in one file, then use the below command to create the cert and key, (note you will need openssl installed, and it will ask you for the encryption password if the file is encrypted.)

cat cert_key_file.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "yourdomain.com" n ".crt"}'

sudo openssl rsa -in yourdomain.com.crt -out yourdomain.com.pem
sudo openssl rsa -in yourdomain.com1.crt -out yourdomain.com.key

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/nonwww/ssl.crt/yourdomain.com.crt

# Server Private Key:

SSLCertificateKeyFile /etc/httpd/conf/nonwww/ssl.key/yourdomain.com.key

# Server Certificate Chain (CA bundle):

SSLCertificateChainFile /etc/httpd/conf/nonwww/ca-bundle/yourdomain.com.crt

......
<VirtualHost *:443>

DocumentRoot "/var/www/html"

#Below need to match the CN of your certificate
ServerName youdomain.com:443

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
SSLEngine on

# SSL Protocol support:
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Server Certificate:

SSLCertificateFile /etc/httpd/conf/path.to.your.crt

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/path.to.your.key

# Server Certificate Chain (CA bundle):
SSLCertificateChainFile /etc/httpd/conf/path.to.your.ca-bundle.crt

.....................

</VirtualHost>

Now you can restart the apache: sudo service httpd restart.

Clear the browser cache, type example.com and see if it work.

Certbot

Open https://certbot.eff.org to select the software and System, it will pull the doc for you. I will take apache with Centos7 as an example.

I will copy some steps from its website, for more info have a look at the link at the bottom:

You still need Step one in the first section to install the SSL module. Certbot does step two and three for you. If you are using RHEL on EC2, you can enable the optional channel by running:

$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

Installing DNF

Currently, the DNF package comes from the EPEL repository, so if your Linux system is not already configured to use this repository, simply run the command below to set it up.

[root@centos7 ~]# yum install epel-release -y

After doing this, you can install Certbot by running:

$ sudo yum install certbot python2-certbot-apache

$ sudo dnf install certbot python3-certbot-apache

automates certificate installation.

$ sudo certbot --apache

If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonlysubcommand:

$ sudo certbot --apache certonly

it will tell you the location of the certs:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/You.Domain/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/You.Domain/privkey.pem
 Your cert will expire on

Then you can use Step 3 to finish the setup.

Note there are two files here, but there are three needed in the step3 configuration file ssl.conf:

# Server Certificate: SSLCertificateFile /etc/httpd/conf/path.to.your.crt

# Server Private Key: SSLCertificateKeyFile /etc/httpd/conf/path.to.your.key

# Server Certificate Chain (CA bundle): SSLCertificateChainFile /etc/httpd/conf/path.to.your.ca-bundle.crt

If you open the fullchain.pem with a text editor, As the notes explain, the first section is the Server Certificate, the Second part is CA Bundle.

If you open the privkey.pem is the Server Private Key.

You can simply copy them and paste them into a new file if you want to do it manually, or you can continue with the tools.

Automating renewal

The command to renew is as below:

$ sudo certbot renew --dry-run

If this runs perfectly, then you can automate it :

An example cron job might look like this, which will run at noon and midnight every day:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Ref: https://certbot.eff.org/lets-encrypt/centosrhel7-apache

Delete a domain cert

You may have multiple domains on a server, to delete the one you don’t need anymore, use the below command:

sudo certbot delete

Tomcat:

There is no automatic cert renew for tomcat, so you have to manually verify it, request it, and copy to the tomcat folder.

Verify

Some application may lock the web root folder, so it is recommended to verify it via DNS.

sudo certbot certonly --manual -d your.domain.name --preferred-challenges dns

It will show your an txt record “_acme-challenge” and desired value.

Then you will need to create a txt record name “_acme-challenge”, pointing to the value shown above.

Or you can use apache as reverse proxy server for TOMCAT, and automate the renew there.

Renew or Reverse back to Http

When you renew http on www.sslforfree.com, you may need to upload a file for ownership verification, they check the http link not https, so you may need to reverse back to http communication.

Use the below steps to do this:

remove the http to https redirect in .htaccess
in the /etc/httpd/conf/httpd.conf, change the DocumentRoot to the real folder of your website if you configured a subfolder for Virtual host in the /etc/httpd/conf.d/ssl.conf
Restart the apache by command sudo service httpd restart