Linux

How to Secure Apache Web Server with Let’s Encrypt on RHEL 8

In an online world that is constantly awash with security threats, securing your web server should be foremost in one’s mind. One of the ways of securing your web server is implementing the HTTPS protocol on your site using an SSL/TLS certificate. An SSL/TLS certificate not only secures your site by encrypting information exchanged between the web server and users’ browsers but also helps in Google ranking.

In this guide, you will learn how to secure Apache (http) web server with Let’s Encrypt SSL/TLS on RHEL 8.

Prerequisites

Here is what you need before proceeding:

  • An instance of RHEL 8 server with a sudo user configured.
  • A Fully Qualified Domain Name (FQDN) pointing to your server’s Public IP address. Throughout this guide, we will use the domain name linuxtechgeek.info.

Step 1) Install Apache on RHEL 8

The first step is to install the Apache web server. Since Apache already exists in Red Hat’s AppStream repository, you can install it using the DNF package manager as follows.

$ sudo dnf install -y httpd

Once installed, start the Apache web server and enable it to start on boot time.

$ sudo systemctl start httpd
$ sudo systemctl enable httpd

To verify that Apache is running, execute the command:

$ sudo systemctl status httpd

Apache-Server-Status-RHEL

Note: In case, firewall is running then allow following Apache ports in firewall, run

$ sudo firewall-cmd --add-port=80/tcp --permanent
$ sudo firewall-cmd --add-port=443/tcp –permanent
$ sudo firewall-cmd --realod

Now, you can head over to your web browser and browse your domain in the URL bar.

Default-Apache-Web-Page-rhel8

Step 2) Install Certbot

Certbot is an easy-to-use opensource client that is maintained by EFF (Electronic Frontier Foundation). It fetches the TLS certificate from Lets Encrypt and deploys it to the web server. By doing so, it eliminates the hassle and pain of implementing the HTTPS protocol using the TLS certificate.

To install Certbot and associated packages, first enable EPEL (Extra Packages for Enterprise Linux).

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y

Next, install certbot and mod_ssl package as follows.

$ sudo dnf install certbot python3-certbot-apache mod_ssl

Install-certbot-python2-package-rhel8

Step 3) Create an Apache virtual host file

Virtual hosts make it possible to host multiple domains on a single web server.

The first step is to create a directory inside the Document root where all the website files will go into.

$ sudo mkdir -p /var/www/linuxtechgeek.info/html

Set the directory ownership to the Apache user.

$ sudo chown -R apache:apache /var/www/linuxtechgeek.info/html

Be sure to set the directory permissions as shown.

$ sudo chmod -R 755 /var/www

With the domain’s directory in place with all the ownership and permissions set, we will create a virtual host file in the /etc/httpd/conf.d/ directory.

$ sudo vi /etc/httpd/conf.d/linuxtechgeek.info.conf

Paste the following lines and be cautious to use your own domain name.

<virtualhost *:80>
ServerName linuxtechgeek.info
ServerAlias www.linuxtechgeek.info
DocumentRoot /var/www/linuxtechgeek.info/html
ErrorLog /var/log/httpd/linuxtechgeek.info-error.log
CustomLog /var/log/httpd/linuxtechgeek.info-access.log combined
</virtualhost>

Save and exit the virtualhost file.

To test if the virtual host is working, we will create a sample HTML file in the website directory.

$ sudo vi /var/www/linuxtechgeek.info/html/index.html

Paste the following sample content. Feel free to modify it to your preference.

<!DOCTYPE html>
<html>
     <body>
         <h1> Welcome to Linuxtechi virtualhost </h1>
      </body>
</html>

Save and exit the HTML file. To save all the changes made, restart the Apache web server.

$ sudo systemctl restart httpd

Now, browse your domain once more, and this time around, instead of the default Apache welcome page, you should see the custom HTML page that you just configured. This is proof that the virtual host file is working.

Custom-Apache-WebPage-RHEL8

Step 4) Secure Apache with Let’s Encrypt Certificate

The last step is to fetch and deploy the Let’s Encrypt certificate. To do this, simply run the command:

$ sudo certbot --apache

When the command is executed, certbot will walk you through a series of prompts. You will be prompted for your email address and be required to agree to the Terms and conditions. You will also be asked whether you would like to receive periodic emails about EFF news, and campaigns about digital freedom.

Certbot-Apache-Command-Output-RHEL

When prompted about the names to activate HTTPS for, just press ENTER to apply the certificate to all the provided domains. 

Certbot will proceed to fetch the TLS certificate from Let’s Encrypt and implement it on your web server. Certbot will then print the path where the certificate and key have been saved as well as the deployment path of the certificate for your domains.

Lets-encrypt-ssl-certs-certbot-apache

To verify that Let’s encrypt was successfully deployed, refresh your browser. This time around, you will notice a padlock icon at the start of the URL bar indicating that the site has been successfully encrypted.

Access-Apache-over-ssl-rhel

You can click on the padlock icon for additional details

Apache-WebPage-Domain-Info

Additionally, you can carry out a ssl test on ssl labs  to digitally verify your certificate. If all went well, you should get an A grade.

Test-Apache-SSL-Certs-On-SSL-Labs

Step 5) Let’s Encrypt Certificate Renewal

The Let’s Encrypt certificate is valid for only 90 days. A few weeks before expiry, you will usually get a notification from EFF about the impending certificate expiry and the need to renew your certificate.

You can manually renew the certificate by running the command:

$ sudo certbot renew

To simulate certificate renewal, run the command:

$ sudo certbot renew --dry-run

This merely mimics the actual certificate renewal and does not perform any action.

Renew-Apache-Certbot-SSL-Certs

To automate certificate renewal, open the crontab file

$ crontab -e

Specify the cron job below which will run every midnight.

0 0 * * * /usr/bin/certbot renew > /dev/null 2>&1

Conclusion

We hope that you can now seamlessly deploy Let’s Encrypt certificate on RHEL to secure Apache web server.

Read Also : How to Harden and Secure NGINX Web Server in Linux


Source link

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button