Set up a Fresh Apache Server on CentOS 7 with SSL from Let's Encrypt

Install Apache, mod_ssl, nano, php, java, mlocate, certbot

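# certbot is not in the CentOS 7 base repositories: it, and the Apache plugin
# that "certbot --apache" relies on, come from EPEL, so enable that repo first.
yum -y install epel-release
yum -y install httpd mod_ssl nano php java mlocate certbot python2-certbot-apache
# refresh the mlocate database so the freshly installed files are findable
updatedb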

Configure Apache to Launch on Boot

# Register httpd with systemd so it comes back after a reboot. This does not
# start the service now; that happens at the end of the guide.
systemctl enable httpd.service

Keep Copy of Clean Apache Config

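# Keep a pristine copy of the stock config before editing it. Chaining with &&
# means a failed cd (typo, package not installed) cannot copy some unrelated
# httpd.conf from the current directory instead; -p keeps the original mtime.
cd /etc/httpd/conf/ && cp -p httpd.conf httpd.conf.orig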

Clear Config File and Replace with EC’s Cleaner Config File

# Replace the stock file's contents with the trimmed version shown below.
nano /etc/httpd/conf/httpd.conf
Clean Apache Config File
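ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
# Per-site vhosts live in hosts.d (created later in this guide). Unlike
# IncludeOptional, Include errors at startup when the pattern matches nothing,
# so the directory and at least one .conf must exist before httpd is started.
Include hosts.d/*.conf
User apache
Group apache
ServerAdmin admin@exampledomain.com
# Deny the whole filesystem by default; every served tree below opts in.
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
<Directory "/var/www/html">
    # Indexes: a directory without an index file gets an auto-generated listing
    # of its contents; drop it if that is not wanted.
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
# Never serve .htaccess/.htpasswd files, even where AllowOverride is enabled.
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
# NOTE(review): consider "ServerTokens Prod" and "ServerSignature Off" here so
# responses and error pages stop advertising the exact httpd/PHP versions.
IncludeOptional conf.d/*.conf
# NameVirtualHost was removed in httpd 2.4 (name-based vhosts are automatic);
# keeping it only produces a warning at every start, so it is dropped here.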

Create SSL Certificates

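# The www vhost later in this guide serves this same certificate, so the www
# name has to be on it as well: name both with -d rather than relying on
# interactive vhost discovery. Validation happens over plain HTTP on port 80,
# so a running httpd and the firewalld rule from the end of this guide are
# prerequisites -- run this step once those are in place.
sudo certbot --apache certonly -d exampledomain.com -d www.exampledomain.com
#this tutorial assumes your domain name is ‘exampledomain.com’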

Set Up Auto Renewal

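crontab -e
#this opens your crontab file in vi, add the following line
#"certonly" never reconfigures the running server, so httpd keeps serving the
#old certificate from memory until it is reloaded; the deploy hook runs only
#when a certificate was actually renewed, and --quiet keeps cron mail to errors
14 0,12 * * * certbot renew --quiet --deploy-hook "systemctl reload httpd"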

Keep Copy of Clean mod_ssl Config

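# Same idea as for httpd.conf: keep the stock file, and chain with && so a
# failed cd cannot back up the wrong ssl.conf from the current directory.
cd /etc/httpd/conf.d/ && cp -p ssl.conf ssl.conf.orig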

Clear SSL Config File and Replace with EC’s Cleaner SSL Config File

# Replace the stock mod_ssl file's contents with the trimmed version below.
nano /etc/httpd/conf.d/ssl.conf
Clean mod_ssl Config File
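Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# Site vhosts are defined first, so a TLS client whose SNI name matches none
# of them lands on the first of *those*; the _default_ block below is only
# reached if hosts.d contains no *:443 vhost at all.
Include hosts.d/*.ssl
# Fallback vhost using the self-signed certificate shipped with mod_ssl.
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
# SSLv3 is broken (POODLE) and has no legitimate clients left; disable it
# together with SSLv2. The vhosts in hosts.d carry their own SSLProtocol line
# and need the same setting.
SSLProtocol all -SSLv2 -SSLv3
# NOTE(review): MEDIUM keeps RC4 suites enabled; a HIGH-only list with !RC4
# would be a tighter choice if legacy clients are not a concern.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# NameVirtualHost was removed in httpd 2.4 and only logs a warning; dropped.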

Create VirtualHost Entries

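# Per-site vhost files; httpd.conf pulls in hosts.d/*.conf and ssl.conf pulls
# in hosts.d/*.ssl. -p makes the step safe to re-run, and && keeps the cd from
# silently landing elsewhere if the directory could not be created.
mkdir -p /etc/httpd/hosts.d && cd /etc/httpd/hosts.d
nano exampledomain.conf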
HTTP VirtualHost Config File
# Plain-HTTP entry point: everything arriving on :80 is sent to the TLS site.
# A single vhost with a ServerAlias covers both the bare and the www name; any
# other Host header also lands here because it is the first *:80 vhost.
<VirtualHost *:80>
        ### REDIRECT @ AND WWW TO SSL ###
        ServerAdmin admin@exampledomain.com
        ServerName exampledomain.com
        ServerAlias www.exampledomain.com
        Redirect permanent / https://exampledomain.com/
        ErrorLog logs/exampledomain_error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog logs/exampledomain_access.log combined
</VirtualHost>
# The .ssl suffix matters: ssl.conf includes hosts.d/*.ssl, httpd.conf *.conf.
nano /etc/httpd/hosts.d/exampledomain.ssl
SSL VirtualHost Config File
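<VirtualHost *:443>
        ### THE ONE TRUE VIRTUALHOST ENTRY! ALL HAIL THE CHOSEN ONE! ###
        ServerAdmin admin@exampledomain.com
        ServerName exampledomain.com
        SSLEngine on
        # SSLv3 is broken (POODLE); disable it alongside SSLv2.
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
        # certbot names the live/ directory after the certificate's first
        # domain, and both files live in that one directory. The original
        # pointed fullchain.pem at a different directory ("exampledomain")
        # than the key, which fails at startup unless that path happens to
        # exist.
        SSLCertificateFile /etc/letsencrypt/live/exampledomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/exampledomain.com/privkey.pem
        DocumentRoot /var/www/exampledomain
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/exampledomain>
                # Indexes: directory listings wherever no index file exists.
                # AllowOverride All: any .htaccess inside the webroot can
                # change these settings, so deployed files are effectively
                # config.
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                # httpd 2.4 access control, matching httpd.conf; the 2.2
                # "Order/allow from" form only works while mod_access_compat
                # is loaded.
                Require all granted
        </Directory>
        # The CentOS httpd layout uses /var/www/cgi-bin (see httpd.conf);
        # /usr/lib/cgi-bin is the Debian path and does not exist here.
        ScriptAlias /cgi-bin/ /var/www/cgi-bin/
        <Directory "/var/www/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Require all granted
        </Directory>
        ErrorLog logs/exampledomain_error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog logs/exampledomain_access.log combined
</VirtualHost>
<VirtualHost *:443>
        ### REDIRECT SSL WWW TO SSL @ ###
        ServerAdmin admin@exampledomain.com
        ServerName www.exampledomain.com
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
        # Same certificate as above, so it must carry www.exampledomain.com
        # as a SAN (request it with a second -d when running certbot), or
        # browsers get a name-mismatch error before the redirect is sent.
        SSLCertificateFile /etc/letsencrypt/live/exampledomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/exampledomain.com/privkey.pem
        Redirect permanent / https://exampledomain.com/
        ErrorLog logs/exampledomain_error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog logs/exampledomain_access.log combined
</VirtualHost>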

Place Files in Webroot

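# "cp dir/*" skips dotfiles and refuses subdirectories; copying "dir/." with
# -r takes the whole tree. With SELinux enforcing (the CentOS 7 default), files
# that arrived by other means (e.g. mv from a home directory) can keep a label
# httpd may not read, so reset labels to the /var/www defaults; restorecon is
# harmless when they are already correct.
mkdir -p /var/www/exampledomain
cp -r /path/to/website/. /var/www/exampledomain/
restorecon -R /var/www/exampledomain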

Allow 80 and 443 through firewalld

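# --permanent only writes the rule to disk; the running firewall does not pick
# it up until it is reloaded, so without the last line nothing reaches httpd.
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload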

Start Apache

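# Check the merged configuration first: a typo in any of the files above keeps
# httpd from starting, and configtest reports it with file and line. systemctl
# is the native interface on CentOS 7 ("service" just forwards to it).
apachectl configtest && systemctl start httpd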
