Thu. Feb 20th, 2020

Let’s Encrypt your Apache webserver on CentOS 7


Introduction

It was September when Google announced on its blog that, starting with Chrome 56, the browser would mark non-secure pages containing password or credit card input fields as Not Secure in the URL bar.
Note that this applies to every HTTP page that collects users' "critical" data.
This move is part of a long-term plan to mark all HTTP sites as non-secure. So, if you own (or manage) a web server, you need to make the right move: this article will explain just what that means.

Why HTTPS?

The first question is: why is Google doing this? What are the concerns around HTTP, and why is it a good choice today to secure connections?
Of course, everybody knows that secure is better than insecure; but in this case, the big problem with HTTP is that it has no mechanism for protecting the communication between client and server. This exposes data to several kinds of attack, for instance the man-in-the-middle (MITM) attack, in which an attacker intercepts your traffic. If you are using a transaction system with your bank, entering credit card information, or just typing a password to log in to a web site, this can become very dangerous.
This is why HTTPS exists (HTTP over TLS, or HTTP over SSL, or HTTP Secure).
If you are on Unixmen, you probably know what this means: SSL/TLS ensures encrypted connections.
So, if your job is to keep a web server up and running, you should switch to HTTPS.

Getting started with HTTPS

First off, to enable HTTPS on your site you need a certificate, which is issued by a Certificate Authority (CA). In this tutorial the CA is Let's Encrypt, and we will configure the certificate on an Apache web server running on CentOS 7.
To obtain a certificate, you must demonstrate control over the domain you want to secure. You can do this with client software that speaks the ACME protocol.
We assume that you have shell access to your server; in other words, that you can connect through SSH.

Using Certbot

Certbot is a powerful, yet easy to use, ACME client provided by the EFF.
On CentOS 7, Certbot is available from the EPEL repository; once you have enabled it, install the Apache plugin package:

# yum install python-certbot-apache

It has a solid Apache plugin that automates almost all of the required steps. Just run, as root:

# certbot --apache

After that, Certbot guides you through the options, like this:

Enter the domain you want to secure; then, Certbot will prompt you to enter your email address.

Next, you will choose the Virtual Host file; the default is ssl.conf.
After that, you can decide whether to keep both HTTP and HTTPS access or to redirect everything to HTTPS. The secure option is the second one (redirect). At the end of the procedure, Certbot displays a message with the configuration details.

Edit CentOS SSL configuration

If you want more security, a few changes are needed.
First, edit the Virtual Host file you chose during Certbot's configuration. If you used the default one, the file is /etc/httpd/conf.d/ssl.conf.
There, to harden Apache's SSL settings, we can follow this recommendation, which for our example is:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

Of course, remember that these settings can cause compatibility problems with old clients, so it's up to you whether to apply the lines above as suggested or choose another route.
When you’re finished, save and close the file.
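The directives above are easy to mistype or to leave commented out, and a missing one silently weakens the server. The following POSIX shell script is an added example, not code from the article or from the Certbot project: it reads an Apache SSL virtual-host file, ignores comment lines, reports each hardening directive from the list above that is missing or weakened, and flags any positively enabled weak cipher family (RC4, MD5, NULL, EXPORT, DES, LOW) in SSLCipherSuite. The two sample configurations it audits are constructed for the demo, not taken from a real server; the rule patterns and the weak-cipher list are this example's own choices. It is a static check of the file only and does not replace testing the live endpoint after the restart.

```shell
#!/bin/sh
# Added example, not code from the article: a static audit of an Apache SSL
# virtual-host file against the hardening directives recommended above.
# Usage: audit_ssl_conf /etc/httpd/conf.d/ssl.conf
# Prints one line per finding; the return value is the number of findings.

# Each rule is "ERE pattern|message". Some non-comment line must match the
# pattern (case-insensitively, as Apache matches directive names) or the
# message is reported.
RULES='SSLProtocol[[:space:]].*-SSLv3|SSLProtocol does not disable SSLv3 (POODLE)
SSLHonorCipherOrder[[:space:]]+on|SSLHonorCipherOrder is not On (client may choose a weak cipher)
SSLCompression[[:space:]]+off|SSLCompression is not off (CRIME)
SSLUseStapling[[:space:]]+on|SSLUseStapling is not on (no OCSP stapling)
SSLSessionTickets[[:space:]]+off|SSLSessionTickets is not Off (weakens forward secrecy)
Strict-Transport-Security|Strict-Transport-Security (HSTS) header is not set
X-Frame-Options|X-Frame-Options header is not set
X-Content-Type-Options|X-Content-Type-Options header is not set'

audit_ssl_conf() {
    conf="$1"
    findings=0

    # Drop comment lines so a commented-out directive does not count as present.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    while IFS='|' read -r pattern message; do
        [ -z "$pattern" ] && continue
        if ! printf '%s\n' "$active" | grep -qiE "$pattern"; then
            echo "$message"
            findings=$((findings + 1))
        fi
    done <<EOF
$RULES
EOF

    # Inspect the positively enabled cipher families. Tokens starting with
    # '!' or '-' are exclusions and are skipped; anything left that names a
    # broken or export-grade family is reported.
    ciphers=$(printf '%s\n' "$active" | grep -iE '^[[:space:]]*SSLCipherSuite[[:space:]]' \
        | head -n 1 | awk '{print $2}' | tr -d '"')
    if [ -z "$ciphers" ]; then
        echo "SSLCipherSuite is not set (Apache's default list applies)"
        findings=$((findings + 1))
    else
        weak=$(printf '%s\n' "$ciphers" | tr ':' '\n' | grep -v '^[!-]' \
            | grep -iE 'RC4|MD5|NULL|EXPORT|DES|LOW' | tr '\n' ' ')
        if [ -n "$weak" ]; then
            echo "SSLCipherSuite enables weak cipher families: $weak"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# count_findings FILE -> prints the number of findings (0 for a hardened file).
count_findings() {
    audit_ssl_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the hardened directives from the article, as they
# would appear in /etc/httpd/conf.d/ssl.conf.
hardened_sample() {
    cat <<'EOF'
SSLEngine on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
EOF
}

# Constructed sample 2: a deliberately weak configuration with SSLv3 still
# allowed, RC4 enabled, cipher order left to the client and every hardening
# header missing.
weak_sample() {
    cat <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:RC4-SHA
SSLHonorCipherOrder off
# SSLCompression off   <- commented out, so it must not count as present
EOF
}

# Demo run over both constructed samples (not a real server's file).
demo() {
    tmp=$(mktemp -d)
    hardened_sample > "$tmp/hardened.conf"
    weak_sample > "$tmp/weak.conf"
    for f in "$tmp/hardened.conf" "$tmp/weak.conf"; do
        echo "== $f"
        if audit_ssl_conf "$f"; then
            echo "   OK: every hardening directive is present"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run it against the file you edited (audit_ssl_conf /etc/httpd/conf.d/ssl.conf) before the configtest. Two things the audit cannot tell you: the Header directives need mod_headers loaded (CentOS 7's httpd package loads it by default), and SSLStaplingCache is only valid in server-config context, so it must sit outside the VirtualHost block; the default ssl.conf has a global section above the VirtualHost for exactly that.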

Testing and executing your new configuration

This is the easiest task. Check for syntax errors by running:

# apachectl configtest

If the output is Syntax OK, you have made no mistakes while editing the configuration file.
Now it's time to restart Apache:

# systemctl restart httpd

Now, if everything went well, your web server will serve pages over SSL/TLS connections.

More about certificates

Let's Encrypt certificates are valid for 90 days, so it's up to you to renew them. With Certbot, you can test the automatic renewal with this command:

# certbot renew --dry-run

If it works, you can add a cron or systemd job to handle the automatic renewal.

Conclusion

If you have reached this point, your web server should be serving clients over secure connections.
And, of course, Chrome will no longer mark your site as Not Secure.
