How to Secure Apache with SSL in Rocky Linux

Rocky Linux

Last updated on April 3rd, 2023 - by John Gomez - Leave a Comment

Business owners should consider website security as one of their top priorities. The security of Websites can be implemented in many ways, and SSL/TLS certificates are a key part. Through these protocols, sensitive information transmitted between clients and servers is encrypted to prevent unauthorized access.

This article shows step-by-step instructions on how to install an SSL certificate on a website. Using this guide will ensure that your web server is secure, so your customers and users can feel comfortable when visiting your website.

Here are some of the advantages of using SSL certificates:

* Protection of sensitive information / Data encryption

* Improved trust and credibility:

* Better search engine rankings:

* Protection against phishing attacks:

* Compliance with regulations:

Prerequisites :

Operating System       :    Rocky Linux / RHEL /CentOS /Fedora
Packages & Dependencies:    mod_ssl,epel-release, certbot & python3-certbot-apache
User account           :    root user or user account with sudo privileges
Recommended to run all the administrative commands as with sudo privilege instead of root.

Difficulties in setting up sudo users? Click here to find the steps.

Below is a checklist of things to do before installing Apache's SSL certificate on Rocky Linux

1. Ensure that the Apache Server is properly installed and running.

2. Your server should be accessible over the internet with a valid domain name.

3. Make sure your domain name points to the correct IP address on your server.

4. Ensure your Apache server has a virtual host configured for the domain name you      wish to secure.

5. Check your firewall settings to see if they allow incoming connections on ports 80      (HTTP) and 443 (HTTPS).

Click here for instructions on configuring an Apache virtual host under Rocky Linux to accommodate multiple websites. You can also find more information about implementing LAMP stack on Rocky Linux here.

This section assumes you have all the above things configured and are ready to install SSL on your server.

My Lab Setup :

Apache Server:

Operating System    :   Rocky Linux release 9.1 (Blue Onyx)
Hostname            :   apache.linuxteck
IP Address          :   54.236.17.69

Table of Contents  show 

Step 1: Install Certbot

Note:

To begin, install the Certbot package. It is a free, open-source program that manages SSL/TLS certificates for Web Servers automatically. The Electronic Frontier Foundation (EFF) has developed this project in order to simplify the process of obtaining and renewing SSL/TLS certificates.

There are many web servers that Certbot supports, such as Apache, Nginx, and others. To communicate with the Certificate Authority (CA) and obtain SSL/TLS certificates, it uses the Automated Certificate Management Environment (ACME) protocol.

In addition to automating certificate management, Certbot also validates and installs SSL/TLS certificates. Furthermore, it is capable of automatically renewing certificates before they expire, which ensures that websites and applications remain safe until they expire. The Certbot tool is available for Linux, macOS, and Windows and is widely used by web developers and system administrators.

The Certbot Package is not included in Rocky Linux's base repository by default. In order to obtain it, we must install the EPEL (Extra Packages for Enterprise Linux) repository. This repository provides additional software packages through open-source efforts. Besides certbot, we must also install "mod_ssl," which is a security module for Apache to support SSL/TLS protocols.

$ sudo dnf install epel-release

 

$ sudo dnf install mod_ssl

You can now install the Certbot package and its dependencies for Rocky Linux with the following command

$ sudo dnf install certbot python3-certbot-apache

Step 2: Install SSL Certificate for Apache httpd

Note:

Upon completion of the installation, you will be able to get a Let's Encrypt SSL certificate. Certbot offers various methods for obtaining an SSL Certificate, you may use one of the following commands.

a. Simple method: certbot --apache

b. Alternately, you can use the "-d" flag with this command directly to specify multiple domains: certbot --apache -d website.com

In this demo we will proceed with a simple method

$ sudo certbot --apache

Note:

When you run the above command, you will be prompted for a series of questions which you must answer in order to deploy the certificate successfully. In order to make things easier for beginners, I have separated each prompt into different boxes.

[linuxteck@linuxteck ~]$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

In order to verify the certificate, Let's Encrypt it will ask you to enter your email address:

Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): john@linuxteck.com  

Please accept the following terms and conditions:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y  

After your first certificate is issued, you will be asked to share your email address to receive updates on new/campaigns with the Electronic Frontier Foundation. The decision is yours to make "Y or N" :

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:  Y  
Account registered.

Depending on your web server configuration, it will list your domains and ask which one you want to activate HTTPS for. You can select '1' or '2'. However, if you want all domains to begin using HTTPS, press ENTER:

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: linuxteck-vhost.net
2: www.linuxteck-vhost.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):  simply press ENTER to enable HTTPS to all the domains
Requesting a certificate for linuxteck-vhost.net and www.linuxteck-vhost.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/linuxteck-vhost.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/linuxteck-vhost.net/privkey.pem
This certificate expires on 2023-06-30.
These files will be updated when the certificate renews.
Cerbot has set up scheduled task to automatically renew this certificate in the background.

Here is the output you will see after a successful installation:

Deploying certificate
Successfully depoloyed certificate for linuxteck-vhost.net to /etc/httpd/conf.d/linuxteck-vhost.net-le-ssl.conf
Successfully depoloyed certificate for www.linuxteck-vhost.net to /etc/httpd/conf.d/linuxteck-vhost.net-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://linuxteck-vhost.net and https://www.linuxteck-vhost.net
blank to select all options shown (Enter 'c' to cancel):  simply press ENTER to enable HTTPS to all the domains
Requesting a certificate for linuxteck-vhost.net and www.linuxteck-vhost.net

Step 3: Test Apache SSL Let's Encrypt certificate

Note:

To find out if HTTPS has been enabled on your site, enter the URL and hit enter. A padlock will appear at the beginning of the URL if HTTPS has been enabled on your site.

You can get more details by clicking on the padlock icon and selecting the 'Certificate is valid' option.

Step 4: Certificate Automatic Renewal

Note:

Let's Encrypt certificates are generally valid for 90 days, so you need to renew them manually after that time. The following command needs to be run to renew the certificate.

$ sudo certbot renew --dry-run

However, we can automate the renewal process using cron jobs. In your crontab file, add the following entry:

0 0 * * * /usr/bin/certbot renew

Step 5: Delete Certificate

If you wish to delete the certificate, use the following command:

$ sudo certbot delete

Conclusion:

We hope this article has helped you understand how to Secure Apache with SSL in Rocky Linux 9.1 step by step. You can also get help from Let's Encrypt's community site if you encounter any issues. Drop me your feedback/comments. Feel free to share this article with others if you like it. 

https://www.linuxteck.com/secure-apache-with-ssl-in-rocky-linux/#google_vignette