Website Security with SSL - HTTPS

Install an SSL certificate on CentOS

By - (Last Modified: June 4, 2018)

Recently we switched over to HTTPS (a secure channel) on our website bwdmedia.net, and we had trouble finding support for our server, which was CentOS 6 running Apache. This is a short guide for anyone who wants to get an SSL certificate for their website and needs to know how to install it on the server. Best of all, it's completely free and just as secure as any other domain-validated certificate you can buy commercially.

The service I'll be using is Let's Encrypt, which went out of beta this year. Let's Encrypt is an open certificate authority that can issue SSL certificates for your domain automatically and for free. The public service organization was founded by two Mozilla employees, Josh Aas and Eric Rescorla.

(Image: Josh Aas from Mozilla and Eric Rescorla. Source: Josh Aas and Eric Rescorla)

Enough said about history and introductions, let’s dive right into it.

Getting In There

To start with, you need root access to your server which is done through SSH. If you don’t know what it is, I suggest you get familiar with it first. It’s a command line interface (CLI) for interacting with your server remotely. Getting root access depends greatly on your hosting provider so consult them if you’re having trouble.

After you've logged in, let's get the certbot package. I assume you're using CentOS/RHEL and Apache. If you don't know which version you're using, execute the following command and read the output:

If you have CentOS/RHEL 7, scroll below to see the easy method. If that doesn't work, or if you have CentOS/RHEL 6, certbot as of right now doesn't have an automated script for your platform, so the certificate will have to be issued manually. Here's how…

  1. Enable the EPEL (Extra Packages for Enterprise Linux) repository
  2. Get the package
  3. Certbot is installed, time to issue a certificate. While still logged in as root, run

    Let me explain:

    • ./certbot-auto: invokes the certbot script
    • certonly: instructs the script to only issue the certificate, since the automated installation tasks are not supported on this OS
    • --webroot: We're using the webroot method, which doesn't take the server down while issuing the certificate. It places a file in your public_html, and the CA will try to fetch it over http. If that succeeds, your domain is verified. If it doesn't work, try the standalone (--standalone) method instead. That method binds to Port 80 (http) and Port 443 (https) itself, so the websites on the server will not respond while you're issuing the certificate. Refer to the certbot documentation for more details.
    • -w: this option points to your public_html folder, i.e. the webroot where the files of the website you are issuing the certificate for reside. For me it was /home/user/public_html
    • -d: this option tells the script which domains to include in the certificate. Those domains will be authorized to use this particular certificate.
    • -m: this option supplies the email address that will be used to contact you for several reasons, for instance when your certificates are about to expire.

    Do note that the arguments -w and -d can be used multiple times in one command to issue a certificate for multiple domains, for example:

    You can omit the -m argument and certbot will ask you for it later.

  4. Certbot will present a blue screen and ask you to agree to terms of service and any other information which will be required and not included in the command executed above.
  5. Next you should receive a success message similar to this:

  6. Your certificate is now issued. Installing it takes one more step: configure your server to redirect http traffic to https and add the configuration for https itself.
    Head over to the location of your httpd.conf file, which is the main configuration file of Apache. On my server it was located at /usr/local/apache/config/
  7. Open the file

    and navigate to the VirtualHost container of your domain. It'll look something like this:

    You're not supposed to modify this file directly, because the changes will be overwritten by Apache sooner or later. To modify this container, there should be an Include line at the end of it:

    which means it'll include any .conf file in the specified directory. Head over to that directory; if there's a file there, open it, otherwise create one with any name. To create a new file over SSH, use

    Add the following lines to redirect all http traffic to https:

    This code overrides anything in the httpd.conf file, so you don't have to worry about what's in that file.

  8. Configure your server for https traffic. httpd.conf has two other global files that are included at the very top and bottom of the file, called pre_virtualhost_global.conf and post_virtualhost_global.conf. Names may vary, so read your own httpd.conf file. Once you've located your include file (preferably the post file, i.e. the one included towards the end of httpd.conf), add the following code


    Let’s see what we did there:

    • <VirtualHost 11.11.11.11:443>: this is the IP address your http container already uses; you need to input that. 443 is the default port for communicating over https, so this container takes effect when your website is accessed over https
    • The next lines are self-explanatory: the domains that will be used to access your site go here, and DocumentRoot specifies where on the server the files of this domain are.
    • Turn SSL on:

      This turns the SSLEngine on and ready to use. The next directives specify the location of your certificate files, which were generated in Steps 3 through 5. You have to specify a certificate file, a key file and a chain file, which should all be in the letsencrypt directory.

      Note: certbot generates two kinds of chain file, chain.pem and fullchain.pem. The difference is that fullchain.pem combines the certificate and the chain in one file. Use the method above if your Apache is 2.4 or older; if it's 2.4 or newer, you can instead use

      To find out which version of Apache you’re using, execute

    • HSTS:

      This line, marked with a hash sign (#) in front, is a comment, which means it won't have any effect. It is there to enable HSTS (HTTP Strict Transport Security). Once you enable this header, browsers that have seen it will refuse to load your website over plain http for the next 6 months. This is like a commitment to https. I suggest you get https up and running first and remove the hash sign (enabling the directive) only when you're sure you'll stick with it.

    • Configure Cipher Suites:

      Next, you define the protocols and cipher suites that will be used for communication with the website. These determine which, and how many, browsers and operating systems will be able to access your website. If a browser doesn't find a cipher it supports in this list, it'll reject the connection and you get a handshake failure.

      (Image: Handshake Simulation - BWDMEDIA)

    • So when I said 'add the following code' in step 8, I don't mean copy and paste it directly. What you should do is copy your VirtualHost container for the http version and add the https parts to it. Keep the directives as close to the original as possible to ensure stability.
    • Configurations vary, especially the cipher suite; which one to use is a question that occurs to everyone. The one above is the Modern set according to Mozilla and will support only the latest devices. It won't support IE8 or older, Android 4.3 or older, etc. (see image above). Which one you should choose depends on your preference and audience, so I can't give you a single right answer, but I can tell you what it means: refer to Mozilla's Recommended Configuration and Configuration Generator for the right results for you.
  9. Restart your server: after making the configuration changes, save your files and restart the server; the changes take effect immediately.
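Before that restart, it's worth checking the include file against what steps 7 and 8 describe. The following Python script is an added example, not code from the original post: it parses the VirtualHost containers of an include file and reports a :443 container that lacks SSLEngine on or one of the three certificate directives, an HSTS header that is still commented out, an SSLProtocol that still allows SSLv2/SSLv3, and a :80 container with no redirect to https. The sample include file is constructed for the demonstration; the /etc/letsencrypt/live/... paths and the max-age of 15768000 seconds (6 months) are assumptions, not values from this post.

```python
import re

REQUIRED_TLS = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

def parse_vhosts(text):
    """Map port -> list of (directive, value, is_commented) for every <VirtualHost>."""
    vhosts = {}
    for addr, body in re.findall(r"<VirtualHost\s+([^>\s]+)>(.*?)</VirtualHost>", text, re.S):
        entries = vhosts.setdefault(int(addr.rpartition(":")[2]), [])
        for raw in body.splitlines():
            line = raw.strip()
            commented, line = line.startswith("#"), line.lstrip("# ").strip()
            if line:
                name, _, value = line.partition(" ")
                entries.append((name, value.strip(), commented))
    return vhosts

def lint_ssl_include(text):
    """Return a list of findings for the include file; an empty list means it passes."""
    vhosts, findings = parse_vhosts(text), []
    if 443 not in vhosts:
        return ["no <VirtualHost ...:443> container found"]
    active = {n: v for n, v, c in vhosts[443] if not c}  # uncommented directives only
    findings += [f"missing {n}" for n in REQUIRED_TLS if n not in active]
    if active.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    hsts = [c for n, v, c in vhosts[443] if n == "Header" and "Strict-Transport-Security" in v]
    if not hsts or all(hsts):
        findings.append("HSTS header missing or still commented out (#)")
    tokens = active.get("SSLProtocol", "all").split()  # mod_ssl's default is 'all'
    for weak in ("SSLv2", "SSLv3"):
        if ("all" in tokens or weak in tokens) and f"-{weak}" not in tokens:
            findings.append(f"SSLProtocol allows {weak}")
    if 80 in vhosts and not any("https://" in v for _, v, _ in vhosts[80]):
        findings.append("port 80 container does not redirect to https")
    return findings

# Constructed sample in the page's layout (certbot paths assumed); HSTS still commented out, as step 8 advises.
SAMPLE_INCLUDE = """<VirtualHost 11.11.11.11:80>
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>
<VirtualHost 11.11.11.11:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    # Header always set Strict-Transport-Security "max-age=15768000"
    SSLProtocol all -SSLv3 -SSLv2
</VirtualHost>"""
```

Run `lint_ssl_include(open("/path/to/your.conf").read())` against your own include file; on the sample it reports only the commented-out HSTS header, which is the expected state until you decide to commit to https.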


The Automatic Way

If you’re running CentOS/RHEL 7, life’s much easier for you as the fully automatic method is supported for you. Execute the following commands:

Certbot is now installed and ready to use. Run the command

certbot will ask you for the necessary information, issue the certificate and set up your server, along with auto-renewal cron jobs.

Testing It

After you’re done gloating over what you’ve achieved, take a test to find out if everything works properly. This test will also point out any vulnerabilities on your server, if there are any. To test your configuration go to SSLLabs and enter your domain. You should get something like this

(Image: BWD MEDIA - SSL Test Results)

Ain't that satisfaction?!

After enabling HSTS, you should get an A+ provided there are no vulnerabilities on the server. As you can see, we haven’t done that yet. It’s coming though!
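SSL Labs is the authoritative test, but you can repeat the basic checks from the command line whenever you change the configuration. The following Python 3.8+ script, added here and not part of the original post, performs the handshake with your own domain the way a browser would (chain verification included) and reports the negotiated protocol and cipher, the names on the certificate, the days left until it expires, and whether the HSTS header is being sent; the hostname, the HEAD request and the 15768000-second max-age in the example are assumptions, not values from this post.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from getpeercert(),
    e.g. 'Jun  4 00:00:00 2018 GMT'. Negative means it has already expired."""
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value; None means HSTS is not set."""
    if value is None:
        return None
    policy = {"max-age": 0, "includeSubDomains": False, "preload": False}
    for part in (p.strip() for p in value.split(";") if p.strip()):
        name, _, arg = part.partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            policy["max-age"] = int(arg)
        elif name.lower() == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name.lower() == "preload":
            policy["preload"] = True
    return policy

def response_headers(raw):
    """Turn a raw HTTP response into a {lower-case name: value} dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def audit_tls(host, port=443, timeout=5.0):
    """Handshake with your own site and report what a browser would see."""
    ctx = ssl.create_default_context()              # verifies the chain like a browser
    with socket.create_connection((host, port), timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert, version, cipher = tls.getpeercert(), tls.version(), tls.cipher()[0]
        tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        raw = b""
        while chunk := tls.recv(4096):
            raw += chunk
    return {
        "protocol": version,
        "cipher": cipher,
        "names": sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS"),
        "days_left": round(days_until_expiry(cert["notAfter"]), 1),
        "hsts": parse_hsts(response_headers(raw).get("strict-transport-security")),
    }
```

Call `audit_tls("yourdomain.example")` for your own site; a handshake failure here (for instance an incomplete chain) surfaces as an `ssl.SSLError` before any result is returned, which is exactly the condition the SSL Labs grade would flag.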

What’s Next?

This has been a lot of information, so take your time to soak it in. In the coming weeks I'll show you how to manually renew your certificate and how to set up a cron job that renews your certificates automatically when they are about to expire. Let's Encrypt certificates expire every 3 months, so renewal is something that's best automated.

If your site is running on WordPress, I highly recommend checking out this article on cloudliving.com on how to install SSL for WordPress without destroying your site in the process.


Copyright © 2011, 2016 - BWD MEDIA