
Step-by-Step Guide: Securing Apache with an SSL/TLS Certificate on CentOS 8
In today’s digital landscape, securing your website with HTTPS is no longer optional—it’s an absolute necessity. An SSL/TLS certificate encrypts the communication between your web server and your visitors’ browsers, protecting sensitive data, building user trust, and boosting your search engine rankings. If you’re running the Apache web server on CentOS 8, implementing this layer of security is a straightforward process.
This comprehensive guide will walk you through every step of configuring Apache with an SSL/TLS certificate on your CentOS 8 system, ensuring your website is secure and trusted.
Prerequisites
Before we begin, ensure you have the following in place:
- A running CentOS 8 server.
- A non-root user with sudo privileges.
- The Apache web server (httpd) installed and running.
- A registered domain name pointing to your server’s public IP address.
Step 1: Install the Apache SSL Module
The first step is to install mod_ssl, the Apache module that provides support for SSL/TLS encryption. This package automatically handles the setup of a basic SSL configuration file.
Open your terminal and run the following command:
sudo dnf install mod_ssl -y
Once the installation is complete, you will need to restart Apache for the module to be loaded:
sudo systemctl restart httpd
Installing mod_ssl also creates a default SSL configuration file located at /etc/httpd/conf.d/ssl.conf.
Step 2: Obtain an SSL/TLS Certificate
You have a few options for obtaining an SSL certificate. For production environments, it is highly recommended to use a certificate issued by a trusted Certificate Authority (CA).
Option A: Using a Free Let’s Encrypt Certificate (Recommended)
Let’s Encrypt is a free, automated, and open Certificate Authority that is trusted by all major browsers. The easiest way to get a Let’s Encrypt certificate is by using the Certbot client.
Install Certbot: Add the EPEL repository and install the Certbot client for Apache.
sudo dnf install epel-release -y
sudo dnf install certbot python3-certbot-apache -y
Request the Certificate: Run Certbot. It will automatically detect your domain from your Apache configuration, obtain the certificate, and configure Apache for you.
sudo certbot --apache
Follow the on-screen prompts to enter your email address and agree to the terms of service. Certbot will handle the entire process and even set up a cron job to automatically renew your certificate before it expires.
Option B: Generating a Self-Signed Certificate (For Testing/Development)
For development or internal use, you can generate a self-signed certificate. Be aware that browsers will not trust this certificate by default, and visitors will see a security warning.
Generate the Key and Certificate: Use the openssl command to create a private key and a certificate valid for one year.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/apache-selfsigned.key -out /etc/pki/tls/certs/apache-selfsigned.crt
You will be prompted to enter information for the certificate, such as your country, state, and organization. For the “Common Name” field, be sure to use your server’s domain name or IP address.
Step 3: Configure Apache to Use the SSL Certificate
Whether you used Let’s Encrypt or a self-signed certificate, you need to ensure Apache knows where to find the certificate and key files.
Open the SSL configuration file in a text editor:
sudo vi /etc/httpd/conf.d/ssl.conf
Locate the following directives within the <VirtualHost _default_:443> block and update them with the correct paths to your certificate files.
- SSLCertificateFile: This is your public certificate file.
- SSLCertificateKeyFile: This is your private key file.
If you used Let’s Encrypt, Certbot has likely already configured this for you in a new configuration file specific to your domain.
If you used a self-signed certificate, your configuration should look like this:
SSLCertificateFile /etc/pki/tls/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/pki/tls/private/apache-selfsigned.key
Make sure your ServerName is correctly set within this virtual host block:
ServerName www.yourdomain.com
Save the file and exit the editor.
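A mismatched or loosely protected key file is the most common way this step goes wrong. The check below is an added example, not part of the original guide: it reads SSLCertificateFile and SSLCertificateKeyFile from a config file, confirms the private key has no group/other permissions, confirms the key matches the certificate, and warns on near expiry. The function names are illustrative, and it assumes GNU stat and the openssl CLI as shipped with CentOS 8.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the certificate/key pair
# that an Apache SSL config points at, before restarting httpd.

# Print the first value of a directive, skipping commented-out lines.
directive_value() {   # usage: directive_value <Directive> <conf-file>
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

check_ssl_pair() {    # usage: check_ssl_pair <conf-file>; returns 0 when clean
    crt=$(directive_value SSLCertificateFile "$1")
    key=$(directive_value SSLCertificateKeyFile "$1")
    for f in "$crt" "$key"; do
        [ -n "$f" ] && [ -r "$f" ] && continue
        echo "FAIL: missing or unreadable: ${f:-<directive not set>}"; return 1
    done
    rc=0
    # The private key must carry no group/other permission bits (600 or 400).
    # -L follows symlinks, which Certbot uses for its live/ directory.
    mode=$(stat -L -c '%a' "$key")
    case $mode in *00) ;; *) echo "FAIL: $key has mode $mode"; rc=1 ;; esac
    # The certificate must contain the public half of this private key.
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] || { echo "FAIL: $key does not match $crt"; rc=1; }
    # Warn when fewer than 30 days of validity remain.
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 ||
        echo "WARN: $crt expires within 30 days"
    return $rc
}

if [ "$#" -gt 0 ]; then check_ssl_pair "$1"; fi
```

Run it with sudo so the key is readable, passing /etc/httpd/conf.d/ssl.conf or, for Let’s Encrypt, the configuration file Certbot created for your domain.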
Step 4: Verify Configuration and Update the Firewall
It’s crucial to test your Apache configuration for syntax errors before restarting the service.
Test the configuration:
sudo apachectl configtest
If everything is correct, you should see Syntax OK. If not, the output will point you to the file and line number containing the error.
Allow HTTPS traffic through the firewall: Your server’s firewall must be configured to allow traffic on port 443, the standard port for HTTPS.
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
Restart Apache: With the configuration verified and the firewall updated, restart Apache to apply all changes.
sudo systemctl restart httpd
You should now be able to access your website securely by navigating to https://yourdomain.com. Your browser should display a padlock icon in the address bar, indicating a secure connection.
Step 5: Redirect HTTP Traffic to HTTPS
To ensure all visitors use the secure version of your site, you should set up a permanent redirect from HTTP to HTTPS.
Open your domain’s non-secure Apache configuration file (often located at /etc/httpd/conf/httpd.conf or in a separate file under /etc/httpd/conf.d/).
Inside the <VirtualHost *:80> block for your domain, add the following Redirect directive:
<VirtualHost *:80>
    ServerName www.yourdomain.com
    Redirect permanent / https://www.yourdomain.com/
</VirtualHost>
This simple Redirect directive is efficient and tells search engines that the HTTPS version is the canonical one.
Test the configuration again and restart Apache:
sudo apachectl configtest
sudo systemctl restart httpd
Now, any attempt to access your site via http:// will be automatically and permanently redirected to https://. This is a critical final step for both security and SEO.
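On a server with several virtual hosts it is easy to leave one port-80 block without the redirect, or with a temporary one. The script below is an added example, not part of the original guide: it scans configuration files and lists every <VirtualHost ...:80> block that lacks a permanent whole-site redirect to an https:// URL. The function name and the sample configuration are constructed for illustration, and only the mod_alias Redirect and RedirectPermanent directives are recognised.

```shell
#!/bin/sh
# Added example (not from the original guide): report port-80 virtual hosts
# that do not permanently redirect the whole site to an https:// URL.
# Only mod_alias Redirect/RedirectPermanent is recognised, as used in Step 5.

audit_http_redirects() {   # usage: audit_http_redirects <conf-file>...
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        tolower($1) == "<virtualhost" && $0 ~ /:80[ >]/ {    # :80 only, not :8080
            in80 = 1; name = "(no ServerName)"; ok = 0; next
        }
        !in80 { next }
        { d = tolower($1) }
        d == "servername" { name = $2 }
        # Redirect permanent / https://...   or   Redirect 301 / https://...
        d == "redirect" && (tolower($2) == "permanent" || $2 == "301") &&
            $3 == "/" && $4 ~ /^https:\/\// { ok = 1 }
        d == "redirectpermanent" && $2 == "/" && $3 ~ /^https:\/\// { ok = 1 }
        d == "</virtualhost>" {
            if (!ok) { print FILENAME ": " name; bad++ }
            in80 = 0
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample configuration (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName www.yourdomain.com
    Redirect permanent / https://www.yourdomain.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName legacy.yourdomain.com
    Redirect / https://legacy.yourdomain.com/
</VirtualHost>
EOF
audit_http_redirects "$sample" || echo "^ hosts above do not permanently redirect to HTTPS"
rm -f "$sample"
```

A Redirect without a status keyword is a temporary (302) redirect, which is why the second sample host is reported.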
Source: https://kifarunix.com/configure-apache-with-ssl-tls-certificates-on-centos-8/


