In the first part of the “Your Own Red Hat Server” series, we configured a web server using Apache (and optionally Nginx), and in the second part, we installed the PHP interpreter and the MariaDB database system.
In Part 3, we will install a TLS/SSL certificate on a distribution compatible with Red Hat (CentOS/Alma/Rocky Linux).
What is TLS/SSL?
From Wikipedia:
TLS (Transport Layer Security) – an Internet standard extension of the SSL (Secure Socket Layer) protocol, originally designed by Netscape Communications. TLS ensures the confidentiality and integrity of data transmission, as well as server and sometimes client authentication. It is based on asymmetric encryption and X.509 certificates.
For the purposes of this post, we will use the free Let’s Encrypt certificate, which I will install using the “certbot” tool.
Installation
Make sure your firewall allows https connections.
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
The default Rocky Linux repositories we’re using don’t have the certbot package. You need to add the “epel” repositories.
Apache Installation
dnf install epel-release
dnf install certbot python3-certbot-apache
dnf install mod_ssl
Create an SSL configuration, e.g.:
nano /etc/httpd/conf.d/pavroo-ssl.conf
##### pavroo.pl ######
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin@pavroo.pl
ServerName pavroo.pl
ServerAlias www.pavroo.pl pavroo.pl
DocumentRoot /home/pavroo/public_html
<Directory /home/pavroo/public_html/>
Options All Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/httpd/error-pavroo-pl.log
CustomLog /var/log/httpd/access-pavroo-pl.log combined
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
If the certificate is not available in the specified locations, create a new one:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
Restart Apache:
systemctl restart httpd
Now install the TLS certificate:
certbot --apache -d pavroo.pl -d www.pavroo.pl
Restart Apache:
systemctl restart httpd
Installation for Nginx
dnf install epel-release
dnf install certbot python3-certbot-nginx
Add the SSL configuration to the existing file, e.g.:
nano /etc/nginx/conf.d/pavroo.conf
server {
listen 443 ssl http2;
server_name pavroo.pl www.pavroo.pl;
root /home/pavroo/public_html;
index index.php index.html index.htm;
ssl_certificate /etc/pki/tls/certs/localhost.crt;
ssl_certificate_key /etc/pki/tls/private/localhost.key;
location / {
try_files $uri $uri/ =404;
}
}
If the certificate is not available in the specified locations, create a new one:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
Restart Nginx:
systemctl restart nginx
Now install the TLS certificate:
certbot --nginx -d pavroo.pl -d www.pavroo.pl
Restart Nginx:
systemctl restart nginx
Renewing the certificate
Manually renewing the certificate for all registered domains:
Renewing the Let’s Encrypt certificate for Apache:
certbot renew --apache
Renewing the Let’s Encrypt certificate for Nginx:
certbot renew --nginx
Automatic certificate renewal
The certificate renewal process can be automated and delegated to cron.
Add a new cron job; it will run (for example) once a month, on the 1st of the month at 23:15:
crontab -e
For Apache:
15 23 1 * * certbot -q renew --apache
For Nginx:
15 23 1 * * certbot -q renew --nginx
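An added check, not part of the original post, for verifying the result of the Apache or Nginx steps above and of the cron renewal: it reports whether a certificate file (or the certificate actually served on port 443) is still the self-signed localhost.crt placeholder, and whether it has entered certbot's default 30-day renewal window. The function names and the check-cert.sh file name are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the certificate
# that the steps above leave in place. A self-signed certificate created with
# "openssl req -x509" has issuer == subject; a Let's Encrypt certificate does not.

# Exit 0 if the certificate file $1 is self-signed (issuer equals subject).
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit 0 if the certificate file $1 expires within $2 days.
# "openssl x509 -checkend N" exits 0 only when the certificate is still valid
# N seconds from now, so the result is inverted here.
cert_expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Report on a certificate file: 0 = CA-issued with more than 30 days left
# (certbot's default renewal window), 1 = still the self-signed placeholder,
# 2 = inside the renewal window, so "certbot renew" should replace it soon.
check_cert() {
    if cert_is_self_signed "$1"; then
        echo "self-signed placeholder still in use: $1"
        return 1
    elif cert_expires_within_days "$1" 30; then
        echo "expires within 30 days, check the cron job: $1"
        return 2
    fi
    echo "ok: $1"
}

# Same checks on the certificate actually served for host $1 on port 443
# (with SNI); this is the only function here that needs network access.
check_served() {
    f=$(mktemp)
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$f"
    check_cert "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Usage: sh check-cert.sh /etc/pki/tls/certs/localhost.crt ...
for f in "$@"; do check_cert "$f"; done
```

Run it against the file paths used in the vhost configuration, or call check_served pavroo.pl to inspect what the server is really handing out after certbot has rewritten the configuration.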
If you have any problems or questions, please refer to the man pages:
man certbot
man cron
man httpd
man nginx
This concludes part three of the Your Own Red Hat Server series. In part four, we’ll install and configure the FTP server.
