mod_ssl on Rocky Linux in an Apache web server environment
The Apache web server has existed for many years now.
mod_ssl provides greater security for the web server and is installable on almost any version of Linux.
This procedure will get you up and running with Rocky Linux and mod_ssl in an Apache web server environment.
- A workstation or server, preferably with Rocky Linux already installed.
- Able to run commands as root or sudo to elevate privileges.
Install Rocky Linux Minimal
When installing Rocky Linux, we used the following sets of packages:
First, run the system update command to let the server rebuild the repository cache to recognize the packages available.
With a conventional Rocky Linux server installation, all necessary repositories will be in place.
Check the available repositories
Just to be sure, check your repository listing with:
You will get the following:
appstream     Rocky Linux 8 - AppStream
baseos        Rocky Linux 8 - BaseOS
extras        Rocky Linux 8 - Extras
powertools    Rocky Linux 8 - PowerTools
dnf install mod_ssl
To enable the mod_ssl module, run:
apachectl restart
apachectl -M | grep ssl
You will see:
Open TCP port 443
To allow incoming traffic with HTTPS, run:
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
Ensure that your goal is to have the website open to the world when you add this rule! If not, change the zone or configure the firewall to correct that.
At this point you should be able to access the Apache web server via HTTPS. Enter
https://your-server-hostname to confirm the
Generate SSL/TLS certificate
To generate a self-signed certificate for host rocky8 with 365 days expiry, run:
openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 365 -out /etc/pki/tls/certs/httpd.crt
You will see the following output:
Generating a RSA private key
................+++++
..........+++++
writing new private key to '/etc/pki/tls/private/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:LinuxConfig.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rocky8
Email Address []:
ls -l /etc/pki/tls/private/httpd.key /etc/pki/tls/certs/httpd.crt
-rw-r--r--. 1 root root 1269 Jan 29 16:05 /etc/pki/tls/certs/httpd.crt
-rw-------. 1 root root 1704 Jan 29 16:05 /etc/pki/tls/private/httpd.key
Configure Apache web server with the SSL/TLS certificates
To include your newly created SSL/TLS certificate in the Apache web server configuration, open the ssl.conf file by running:
Change the following lines from:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
to:
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
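Before reloading, it is worth confirming that the key belongs to the certificate, that the key file is closed to group and others, and that the certificate is not about to expire, since mod_ssl rejects a certificate and key that do not match. The script below is an added example, not part of the original procedure; the function names, the 30-day threshold and the throwaway test pair are assumptions.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the certificate/key pair before reloading httpd.

# True only when the certificate's public key is the one derived from the private key.
pair_matches() {  # $1 = certificate, $2 = private key
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when group and others have no access to the key (e.g. mode 600, as in the ls output).
key_private() {  # $1 = private key
    case "$(stat -c '%a' "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# True when the certificate is still valid $2 days from now.
not_expiring() {  # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks; returns non-zero if any of them fails.
check_pair() {  # $1 = certificate, $2 = private key
    local rc=0
    pair_matches "$1" "$2" || { echo "FAIL: key does not belong to certificate"; rc=1; }
    key_private "$2"       || { echo "FAIL: key accessible by group or others"; rc=1; }
    not_expiring "$1" 30   || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 / $2"
    return "$rc"
}

# Constructed sample: throwaway self-signed pair written to $1.crt and $1.key,
# using the same options as the page's command plus -subj to skip the prompts.
make_test_pair() {  # $1 = path prefix, $2 = Common Name
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -x509 -days 365 \
        -subj "/CN=$2" -out "$1.crt" 2>/dev/null
}

# Usage: ./check_pair.sh /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.key
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```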
Reload the Apache web server by running:
systemctl reload httpd
Enter the following in a web browser:
To redirect all HTTP traffic to HTTPS
Create a new file by running:
Insert the following content and save the file, replacing "your-server-hostname" with your hostname.
<VirtualHost _default_:80>
    ServerName rocky8
    Redirect permanent / https://your-server-hostname/
</VirtualHost>
Apply the change by running:
systemctl reload httpd
The Apache web server will redirect any incoming traffic from
You have seen how to install and configure mod_ssl, and create a new SSL/TLS certificate to run a web server under HTTPS service.
This tutorial shows the basic installation and use of
Contributors: Steven Spencer, David Hensley, Ganna Zhyrnova