Configuring Apache SSL on Red Hat Enterprise Linux 8
The Red Hat Enterprise Linux 8 server is up and running, but I want to encrypt traffic to/from the server by enabling https.
This was also another chance to try out ChatGPT, and find that it wasn't exactly accurate with the help it provided. It took a few go-rounds, plus researching and correcting errors, to get the final configuration done.
- Install necessary packages

According to ChatGPT, I needed to install mod_ssl and openssl. However, a quick check confirmed that openssl was already installed and available (perhaps when I installed httpd):

$ which openssl
/bin/openssl

So I just needed to install mod_ssl:

$ sudo dnf update
$ sudo dnf upgrade
$ sudo dnf install mod_ssl
- Generate SSL Certificate

This worked as described by ChatGPT:

$ sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd-selfsigned.key -x509 -days 365 -out /etc/pki/tls/certs/httpd-selfsigned.crt

I filled in the prompts and the cert and key were generated in the appropriate locations (the /etc/pki/tls/private and /etc/pki/tls/certs directories already existed).
- Load mod_ssl module in Apache

This step was omitted from the first response from ChatGPT. After an ongoing discussion with ChatGPT (first it told me to add this to the main config file in /etc/httpd/conf/httpd.conf), I added the module configuration to the dynamic list of modules that get loaded:

$ sudo vi /etc/httpd/conf.modules.d/00-ssl.conf

Add the following single line to the configuration file and save it:

LoadModule ssl_module modules/mod_ssl.so

You will note that this directory and many other module configurations already existed, so evidently this is the standard approach adopted by Red Hat.
- Configure Apache to use SSL

ChatGPT said the SSL configuration file already existed, but it did not. So I added it:

$ sudo vi /etc/httpd/conf.d/ssl.conf

And entered the following lines (per ChatGPT):

Listen 443 https
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName your_domain_or_ip:443
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/httpd-selfsigned.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd-selfsigned.key
    <Directory "/var/www/html">
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
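As an added example (my own, not from the original post, ChatGPT or Red Hat), here is a small Python checker for the ssl.conf above: it parses Apache's directive syntax, including the backslash continuations and quoted arguments of the BrowserMatch line, and flags what a reviewer would look at, in particular that `SSLProtocol all -SSLv3` still permits TLSv1 and TLSv1.1. The configuration embedded in it is a constructed sample of the page's TLS-relevant directives.

```python
import re
import shlex

# Constructed sample: the TLS-relevant directives from the ssl.conf above.
SAMPLE_CONF = r'''Listen 443 https
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/httpd-selfsigned.crt
    SSLCertificateKeyFile /etc/pki/tls/private/httpd-selfsigned.key
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
'''

def parse_directives(text):
    """Map directive name -> argument list (last occurrence wins, as in httpd).
    Folds backslash continuations, splits quoted args, skips <Section> tags."""
    folded = re.sub(r"\\\n\s*", " ", text)
    directives = {}
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, *args = shlex.split(line)
        directives[name] = args
    return directives

def check_ssl_conf(text):
    """Return a list of findings; an empty list means the vhost passes."""
    d = parse_directives(text)
    findings = []
    if (d.get("SSLEngine") or [""])[0].lower() != "on":
        findings.append("SSLEngine is not 'on'")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in d:
            findings.append(f"{key} is missing")
    proto = d.get("SSLProtocol", [])
    # 'all' is shorthand for SSLv3 plus every TLS version OpenSSL supports;
    # only versions removed with '-' drop out, so 'all -SSLv3' still
    # permits TLSv1 and TLSv1.1.
    if "all" in proto and not {"-TLSv1", "-TLSv1.1"} <= set(proto):
        findings.append("SSLProtocol still permits TLSv1/TLSv1.1")
    if (d.get("SSLHonorCipherOrder") or ["off"])[0].lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on'")
    return findings
```

On RHEL 8 the system-wide crypto policy (DEFAULT) already refuses TLS 1.0 and 1.1 for OpenSSL-linked programs such as httpd, so the finding concerns the directive itself; pinning the versions explicitly (for example `SSLProtocol -all +TLSv1.2 +TLSv1.3`) keeps the vhost correct even if that policy is later switched to LEGACY.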
- Test the configuration

To make sure all the configuration changes you've made are correct, run this:

$ sudo apachectl configtest

If there are issues, this is a good first step to locate and correct them.
- Restart Apache

Usually missing from this step in ChatGPT results is the need to also restart php-fpm. In different configurations of Apache, the php module can be loaded directly into the Apache process, or it can be installed and configured as a separate FPM (FastCGI Process Manager) process. In RHEL 8, it is installed as the latter.

$ sudo systemctl restart httpd
$ sudo systemctl restart php-fpm
- Test https

Go to a browser and open one of the web pages using https instead of http. Because the certificate is self-signed, you will get an ugly message warning you to stay away, but don't worry about this. Click the "Advanced" button and select "Continue anyway".

If this does not work as expected, you can check log files, and ask ChatGPT about any errors you encounter. This is how I fixed all the errors I encountered when following ChatGPT's original instructions.

To check httpd errors:

$ sudo tail -f /var/log/httpd/error_log

To check php-fpm errors:

$ sudo tail -f /var/log/php-fpm/error.log

Another method ChatGPT recommended (need to research this one a bit more):

$ sudo journalctl -xe