Encrypting Apache: https and you!
OS: CentOS 7 / RHEL 7 derivatives. Software: httpd (Apache). Version: 2.4.6
Encryption is a good thing. In a perfect world, you would never see an "http" without an "s" at the end. So in an effort to help make that happen, let's talk about encryption.
First of all: there is a new player in the certificate-signing game. Let's Encrypt was started by a group that included Mozilla employees and the EFF, who decided it was about time for the internet to stop being s-less. If you hadn't looked into it before, getting a signed certificate for your website has been expensive: the big names in the trust industry charge hundreds to thousands of dollars a year to keep your site trusted. That is RIDICULOUS. Security is a right, not a privilege. Making the entry point to a secure internet that costly creates a world where the little guy can't afford to be secure. It's like vaccines: they do a lot of good toward eliminating horrible diseases, but if some people are left unvaccinated, disease can still spread. Websites are our bodies on the internet. The more secure everyone is, the more secure EVERYONE is.
So that being the case, how do you get secure? Thankfully, letsencrypt makes that easy.
Clone the Git Repository
First, we're going to download their client. You'll need git if you don't have it:
yum -y install git
Now for the client.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
(Note: the --help at the end forces letsencrypt-auto to finish downloading and installing its own dependencies. You could do the same with the plain letsencrypt command, but Let's Encrypt themselves recommend doing it this way, so that is how I present it. The letsencrypt-auto wrapper has since been superseded by certbot, so check the current client documentation if you are following along later.)
So now that you have it installed, using it is pretty easy. On a Debian-based system letsencrypt will configure Apache for you pretty much automatically. On a CentOS/RHEL system it tells you that the Apache configuration has to be done manually, but in practice it still does it for you. So there's that.
The letsencrypt client prefers to have each site sectioned off into its own virtual host file. To do that, you simply need to add a new directory for them (this post uses virtual-hosts/ under the httpd ServerRoot, /etc/httpd) if your system isn't configured that way already.
Next you are going to edit your /etc/httpd/conf/httpd.conf file to tell it about your new config directory:
Add the following line to the bottom:
There may already be a line there that says something like "IncludeOptional conf.d/*.conf". You could technically use that directory for virtual hosts as well, but a separate directory is a bit cleaner.
Next, create a virtualhost file under virtual-hosts/ that represents your website. If you already have a virtualhost defined in httpd.conf, move the lines pertaining to it into the new file:
<VirtualHost *:80>
    ServerName www.example.net
    ServerAlias example.net
    DocumentRoot /var/www/example
</VirtualHost>
Easy peasy. Now test your httpd syntax with:
If you define ServerName only inside virtualhosts and never globally (which is a good thing, virtualhosts for all the things!), you may get a warning that says something like:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
The important part is that at the end it should say:
Once you've confirmed your syntax, start or restart the service and make sure your website is reachable at its proper DNS name. The DNS records really do have to be correct: Let's Encrypt proves you control the domain by connecting to it from the outside, so the name must resolve to this server and the server must be reachable from the internet.
systemctl restart httpd
Next we get to the fun part: encrypting with letsencrypt. Change to the directory you cloned letsencrypt into and run the following:
./letsencrypt-auto --apache -d example.net
An important side note: you can do this for as many virtualhosts/subdomains as you need, as long as each name appears as a ServerName or ServerAlias in one of your virtualhost files (the Apache plugin matches the requested names against them):
./letsencrypt-auto --apache -d example.net -d www.example.net -d example2.com -d www.example2.com
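The whole procedure above (the virtual-hosts/ directory, the IncludeOptional line, a per-site vhost file, the syntax check, and the certificate request) as one script. This is an added example, not the post's own commands or the letsencrypt project's code. The paths (/etc/httpd as ServerRoot, ~/letsencrypt as the clone location) and the example.net names are assumptions, and the script is written to be safe to re-run, which the copy-and-paste steps are not: appending the IncludeOptional line twice gives you two copies of it.

```shell
#!/bin/bash
# Added example (not from the post): lay out the virtual-hosts/ directory,
# add the IncludeOptional line exactly once, write a per-site vhost, and
# only restart httpd after a successful syntax check. Paths assume a stock
# CentOS 7 httpd (ServerRoot /etc/httpd) and a git clone in ~/letsencrypt.
set -eu

HTTPD_ROOT="${HTTPD_ROOT:-/etc/httpd}"
VHOST_DIR="${VHOST_DIR:-$HTTPD_ROOT/virtual-hosts}"
MAIN_CONF="${MAIN_CONF:-$HTTPD_ROOT/conf/httpd.conf}"
LE_DIR="${LE_DIR:-$HOME/letsencrypt}"   # assumed clone location

# Append "IncludeOptional virtual-hosts/*.conf" (relative to ServerRoot)
# to httpd.conf unless it is already there, so re-running does not
# duplicate the directive.
ensure_include_line() {
    local conf="$1" line='IncludeOptional virtual-hosts/*.conf'
    if ! grep -qxF "$line" "$conf"; then
        printf '\n%s\n' "$line" >> "$conf"
    fi
}

# Write a plain :80 vhost for one site. The letsencrypt Apache plugin
# finds the site by ServerName/ServerAlias and adds the :443 vhost itself.
write_vhost() {
    local dir="$1" domain="$2" docroot="$3"
    mkdir -p "$dir" "$docroot"
    cat > "$dir/$domain.conf" <<EOF
<VirtualHost *:80>
    ServerName www.$domain
    ServerAlias $domain
    DocumentRoot $docroot
</VirtualHost>
EOF
}

# Count the vhost files that declare the given ServerName. More than one
# is a misconfiguration and the client may pick the wrong block.
count_servername() {
    local dir="$1" name="$2"
    grep -rlE "^[[:space:]]*ServerName[[:space:]]+$name\$" "$dir" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Restart only if the configuration parses. The AH00558 "could not reliably
# determine the server's fully qualified domain name" message is a warning
# and does not make configtest fail.
check_and_restart() {
    if apachectl configtest; then
        systemctl restart httpd
    else
        echo "httpd config is broken; not restarting" >&2
        return 1
    fi
}

# One -d per name that appears as ServerName or ServerAlias.
request_cert() {
    "$LE_DIR/letsencrypt-auto" --apache "$@"
}

# Usage (run as root on the web server): ./setup-le.sh setup
if [ "${1:-}" = "setup" ]; then
    ensure_include_line "$MAIN_CONF"
    write_vhost "$VHOST_DIR" example.net /var/www/example
    if [ "$(count_servername "$VHOST_DIR" www.example.net)" != "1" ]; then
        echo "www.example.net is declared in more than one vhost file" >&2
        exit 1
    fi
    check_and_restart
    request_cert -d example.net -d www.example.net
fi
```

The vhost is created with only port 80 on purpose; the client's --apache mode writes the :443 counterpart, so a hand-written :443 block with a self-signed certificate would just give it a second candidate to get confused by.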
You should now be encrypted and ready to go! But wait... there's more!
First, I recommend editing /etc/httpd/conf.d/ssl.conf. Find the "SSLProtocol" line, which probably reads:
SSLProtocol all -SSLv2
and change it to:
SSLProtocol all -SSLv3 -SSLv2
Followed up by:
systemctl restart httpd
SSLv3 is broken (the POODLE attack), so leaving it enabled will cause you grief. Note that an SSLProtocol directive inside a <VirtualHost> block overrides the global one, and the letsencrypt Apache plugin may write its own SSL settings into the :443 vhost it generates, so verify the live result rather than trusting the edit. You can check your site's overall TLS status by visiting: https://www.ssllabs.com/ssltest/index.html
which gives your site a grade and tells you what issues need to be addressed.
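An added helper for the ssl.conf edit (not from the post): it rewrites the active SSLProtocol directive in place instead of appending a second one, and reads back what the file actually sets so you can confirm the change before restarting. The config path is the stock CentOS 7 one and is an assumption; override SSL_CONF if yours differs. It goes one step past the post by also carrying a stricter value that drops TLS 1.0 and 1.1 for the case where all of your clients speak TLS 1.2.

```shell
#!/bin/bash
# Added example, not from the post: edit mod_ssl's SSLProtocol directive
# without leaving duplicates, and read back what the file really sets.
# SSL_CONF assumes the stock CentOS 7 mod_ssl package location.
set -eu

SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"

# The post's setting: everything except the broken SSLv2 and SSLv3.
PROTO_POST='all -SSLv3 -SSLv2'
# Stricter option when every client speaks TLS 1.2 (CentOS 7's OpenSSL
# does): also drop TLS 1.0 and 1.1. Check your client mix first.
PROTO_STRICT='all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'

# Print the SSLProtocol value Apache takes from this file. Commented lines
# are ignored and, as in Apache, the last uncommented directive wins.
# Prints "unset" when the file has none.
effective_ssl_protocol() {
    local conf="$1" val
    val=$(sed -nE 's/^[[:space:]]*SSLProtocol[[:space:]]+//p' "$conf" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Replace every uncommented SSLProtocol line with the given value, or
# append one if there is none. Running it twice leaves exactly one line.
# The file is rewritten through cat so its owner and mode are kept.
set_ssl_protocol() {
    local conf="$1" value="$2"
    if grep -qE '^[[:space:]]*SSLProtocol[[:space:]]' "$conf"; then
        sed -E "s|^[[:space:]]*SSLProtocol[[:space:]].*|SSLProtocol $value|" "$conf" > "$conf.tmp"
        cat "$conf.tmp" > "$conf"
        rm -f "$conf.tmp"
    else
        printf 'SSLProtocol %s\n' "$value" >> "$conf"
    fi
}

# Usage (as root): ./ssl-protocol.sh apply ["all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"]
# Applies the post's value by default, then restarts only if httpd still
# parses its configuration.
if [ "${1:-}" = "apply" ]; then
    echo "before: $(effective_ssl_protocol "$SSL_CONF")"
    set_ssl_protocol "$SSL_CONF" "${2:-$PROTO_POST}"
    echo "after:  $(effective_ssl_protocol "$SSL_CONF")"
    apachectl configtest && systemctl restart httpd
fi
```

After the restart, the SSL Labs test above is still the real check: it sees the protocol list the server actually negotiates, including any per-vhost override this file edit cannot reach.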
AN IMPORTANT NOTE TO WORDPRESS USERS:
If you are using WordPress, you may find that browsers report your certificate as valid but warn that the page has insecure (mixed) content. This is because themes, stylesheets and image links often hard-code http:// URLs. Set the WordPress Address and Site Address under Settings > General to the https:// version of your site first; if hard-coded links remain, the "Really Simple SSL" plugin will go through and rewrite those elements for you.
You should now be secure, and are safe to mingle with all the hot browsers on the internet.