RHEL7: How to get started with SSL certificates.

Share this link

Presentation

HTTPS is a protocol that consists of a communication layer called Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or Secure Sockets Layer (SSL). For simplicity’s sake, the expression SSL certificate will be used instead of TLS/SSL certificate.

Until now it was very expensive to put in place a HTTPS website. Not only the procedure was complicated, but the cost of the SSL certificates themself didn’t allow any try.

With a company like hostmybytes, it is now possible to respectively buy a standard SSL certificate for $2,99/year or a wildcard SSL certificate for $4,99/year.

Disclaimer: I don’t work for hostmybytes and, at the time of this writing, I haven’t received any money from them!

The difference between standard and wildcard certificates is simple:

  • with a standard certificate, you can use it for only one website like www.mydomain.com,
  • with a wildcard certificate (typically called *.mydomain.com), you can use it for several websites like www.mydomain.com, sub.mydomain.com, etc but not for www.sub.mydomain.com nor .mydomain.com.

They are some more advanced SSL certificates (read this article about the various types of SSL certificates) than the DV presented here but there are more geared towards big companies.

If you are serious about your website, you need a wilcard certificate because it will allow you to have a staging environment to test any change in your settings (html, css, javascript, software, architecture, etc). Otherwise you will have to juggle until a big problem happens.

HTTPS Pros and Cons

Pros:

  • increase security and trust,
  • provide a slightly better Google ranking.

Cons:

  • add some latencies due to the HTTPS protocol and increase CPU power consumption,
  • may involve some heavy work for an existing website: Google provides some guidelines.

This tutorial will not dive deeper into these various aspects.

Prerequisites

In order to set up a web site with SSL certificates with hostmybytes, you need to fulfill the following criteria:

  • use a Paypal or BitPay account to pay the SSL certificates price on the hostmybytes website,
  • buy a domain name if not already done (called mydomain.com in this tutorial),
  • install a server with RHEL 7/CentOS 7 if not already done,
  • set up the reverse lookup associated with the domain name and check it (you can use this tool to help you),
  • set up an email server on the domain name, involving the creation of DNS MX records (see the Postfix tutorial),
  • create a user called admin to receive answers from the company producing the SSL certificate.

The remaining part of this tutorial will show how to create and put in place a wildcard SSL certificate.

RSA Key Generation

You need to create a private RSA 2048-bit key stored in the mydomain.com.key file:

# cd /etc/pki/tls/private
# openssl genrsa -out mydomain.com.key 2048

Note: You can add the -des3 option to the previous command, forcing anybody wanting to use the key to enter a passphrase before. Problem: before starting your webserver, you will have to type the passphrase, which is not a good idea.

Assign minimal permissions to the private key to protect it:

# chmod 600 mydomain.com.key

Then, you need to create the CSR (Certificate Signing Request) called here mydomain.com.csr:

# cd /etc/pki/tls/certs
# openssl req -new -key ../private/mydomain.com.key -out mydomain.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Mountain View
Organization Name (eg, company) [Default Company Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.mydomain.com
Email Address []:admin@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note1: Replace all the mentioned details by your personal ones and obviously mydomain.com with your domain name.
Note2: For the Common Name, be sure to specify *.mydomain.com if it’s a wildcard SSL certificate and www.mydomain.com if it is a standard SSL certificate.
Note3: For the Email Address, be sure to type admin@mydomain.com

Certificate Purchase

Now, you have to order a SSL certificate on the hostmybytes website, enter your personal details and complete the order.

Just after completing the order, you will receive several mails in the mailbox specified in the hostmybytes account. One of them is titled Order Confirmation and contains the Order Number.

Later, you will receive the following email:

Thank you for your SSL order with HostMyBytes! We need some more information in order to activate your SSL certificate.

Please open a support ticket in the "Support" department with the following information:
      1. Certificate Signing Request (CSR) for your certificate
      2. Domain name for the certificate (if wildcard, make sure it is *.mydomain.com)
      3. Confirm that admin@mydomain.com exists.

The approver email will be sent to: admin@mydomain.com If you do not have access to this email address for some reason, please open a support ticket so we can re-send the approval email.
The next step in this process is to confirm the admin approver email and reply to this email once it has been approved.

Best Regards,

CSR Handling

As you already got the CSR and the Order Number, you only need to connect to the hostmybytes website and open a support ticket (Open Ticket -> Technical Support).

In the Open Ticket page, you should specify:

  • the Subject:
    • Request for wildcard certificate, Order Number: XXXXXXXXXX, domain name: *.mydomain.com
    • Request for standard certificate, Order Number: XXXXXXXXXX, domain name: www.mydomain.com
  • the Department: Technical support
  • the Related Service: AlphaSSL wildcard or AlphaSSL standard
  • the Priority: High/Medium/Low (doesn’t matter)
  • the Message: (doesn’t matter)
  • the Attachment: the CSR

When all the fields are set, you can click on the Submit button.

SSL Certificate Receipt

Some time later, you will receive in the admin@mydomain.com mailbox a mail like this one:

From: approval@globalsign.com
To: admin@mydomain.com
Subject: Order ID CE2015XXXXXXXX AlphaSSL - Approve SSL Application
Content-Type: text/plain; charset=UTF-8
Status: RO

An application for a SSL Certificate has been placed with AlphaSSL for *.mydomain.com and Order ID CE201508216076.

In order for AlphaSSL to issue the SSL Certificate, the domain owner or administ
rator must approve the order. Please follow the below link to choose to APPROVE
or NOT APPROVE the application.

Only if you approve the application will the SSL Certificate be issued.

https://regist.alphassl.com/ra/dvApproval/dvApproval/DvApproval.do?r=6c740fed&e=
b5a181f2a610fb&c=3f6470416a0f0684d43a6c3f88f3d9a606220150

Make sure your browser address bar contains the complete unbroken URL.

For your information, the Applicant has provided the following details:

Domain Name: *.mydomain.com
Applicant Email Address: myaddress@gmail.com

If you have any questions about this application, please contact us using the de
tails below.

Kind Regards,
AlphaSSL Support Team

*************************************************
support@alphassl.com
www.alphassl.com
Tel US: 720 3591 590
Tel EU: +44 870 4325190
*************************************************

Then, you need to approve the application (in bold in the above mail) in a browser.

Finally, you will receive a mail titled
CE2015XXXXXXXX: Your SSL Certificate for *.mydomain.com has been issued‏ containing the SSL certificate between the BEGIN CERTIFICATE and the END CERTIFICATE at the end of the mail.

If you get this mail, you are not very far from success!

Environment Preparation

Before going further, you need to follow several steps.

Store the previously received SSL certificate into the /etc/pki/tls/certs/mydomain.com.crt (with the –BEGIN CERTIFICATE– and –END CERTIFICATE– parts).

Go to the AlphaSSL website and get the Root CA certificate in .txt format:

# cd /etc/pki/tls/certs
# wget https://www.alphassl.com/support/roots/root.txt
# mv root.txt root_ca.pem

Then, get the AlphaSSL intermediate CA titled SHA-256 – Orders March 31, 2014 and After and paste it into the /etc/pki/tls/certs/alphassl_ca.pem file.

Finally, generate the CA certificate:

# cd /etc/pki/tls/certs
# cat root_ca.pem alphassl_ca.pem > bundle.crt

Add the HTTPS service to the firewall configuration and reload it:

# firewall-cmd --permanent --add-service=https
Success
# firewall-cmd --reload
Success

Set the httpd_unified SELinux boolean to 1:

# setsebool -P httpd_unified 1

Create a test file:

# cd /var/www/html
# echo "Test" > index.html
# restorecon index.html

Apache Configuration

Install the Web Server package group:

# yum groupinstall -y "Web server"

Note: If you type yum install httpd, you will not get the mod_ssl package.

Activate at boot time and start the service:

# systemctl enable httpd && systemctl start httpd

Edit the /etc/httpd/conf.d/ssl.conf file, search for the SSLCertificate string and replace as follows:

SSLCertificateFile /etc/pki/tls/certs/mydomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.com.key
SSLCACertificateFile /etc/pki/tls/certs/bundle.crt

In the same file, search for the ServerName string and replace as follows:

ServerName www.mydomain.com:443

Again, search for the SSLProtocol string and replace as follows:

SSLProtocol all -SSLv2 -SSLv3

Search for the SSLCipherSuite string and replace as follows:

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM \
 EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 \
 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
 EECDH !ECDHE-RSA-DES-CBC3-SHA EDH+aRSA RSA+3DES \
 !aNULL !eNULL !LOW !SEED !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"

Note: This is certainly not the best cypher configuration but two experts will not agree on the same configuration and I’m not a cypher expert!

Check the validity of the configuration:

# httpd -t
Syntax OK

Restart the Apache webserver:

# apachectl restart

If an error occurs, check the /var/log/httpd/error_log and /var/log/httpd/ssl_error_log files.

Check the virtual host configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:443                   is a NameVirtualHost
         default server www.mydomain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.mydomain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.mydomain.com (/etc/httpd/conf.d/ssl.conf:56)

Nginx Configuration

Install the Nginx package:

# yum install epel-release
# yum install nginx

Activate at boot time and start the service:

# systemctl enable nginx && systemctl start nginx

Create the /etc/nginx/conf.d/mydomain.conf file and paste the following lines:

server {
    listen 443 default_server ssl;
    server_name www.mydomain.com;
    root /var/www/html;
    index index.html index.htm index.php;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5:!kEDH;

    error_log /var/log/nginx/mydomain-error_log warn;
    access_log /var/log/nginx/mydomain-access_log main;

    location / { 
        try_files $uri $uri/ /index.php?$args;

        # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    } 

    # deliver a static 404 error_page 404 /404.html;
    location /404.html { 
        internal; 
    }  
  
    # deliver 404 instead of 403 "Forbidden" 
    error_page 403 = 404; 

    # redirect server error pages to the static page /50x.html 
    error_page 500 502 503 504 /50x.html; 
    location = /50x.html { 
        root /usr/share/nginx/html; 
    } 
} 

Due to the way Nginx works, you have to add the website certificate itself to the list of CA certificates:

# cd /etc/pki/tls/certs
# cat mydomain.com.crt bundle.crt > chained.crt

Two options:

  • If you bought a wildcard SSL certificate, edit the /etc/nginx/nginx.conf and paste the following lines in the http stanza (this way, you will be able to use the wildcard SSL certificate with all the *.mydomain.com virtual servers):
    ssl_certificate /etc/pki/tls/certs/chained.crt;
    ssl_certificate_key /etc/pki/tls/private/mydomain.com.key;
  • If you purchased a standard SSL certificate, edit the /etc/nginx/conf.d/mydomain.conf file and paste the following lines in the server stanza:
    ssl_certificate /etc/pki/tls/certs/chained.crt;
    ssl_certificate_key /etc/pki/tls/private/mydomain.com.key;

Check the validity of the configuration:

# nginx -t
Syntax OK

Restart the Nginx webserver:

# systemctl restart nginx

If an error occurs, check the /var/log/nginx/error.log and /var/log/nginx/mydomain-error_log files.

Time to Test

If you are confident in your setting, it is now time to test it.
The company SSLlabs provides the perfect tool for that.

Troubleshooting

If you need to troubleshoot the configuration, use the following command:

# openssl s_client -connect localhost:443 -state

Additional Resources

You can go to the Apache TLS configuration page to get some additional tips.
You can also read these pages about optimal cypher configuration, strong cypher on Nginx and 100% Qualys SSL Test A+.
The www.nginxtips.com website provides a tutorial about Hardening Nginx SSL/TLS Configuration.
Bjorn Johansen’s website is full of useful information about Nginx configuration.

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

RHCSA7: Task of the day

Allowed time: 5 minutes.
Create a new user account called "bob" with password "redhat" and set expiration in one week.

RHCE7: Task of the day

Allowed time: 10 minutes.
Set up a caching-only DNS server.

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...

Recent Comments