CentOS 6.8: Configuring HTTPS

Source: Internet
Author: User

HTTPS service
HTTP + OpenSSL (Apache httpd built with mod_ssl)

Environment:
CA server: 192.168.1.103
Web server: 192.168.1.104
Client: 192.168.1.107 (Linux with a graphical desktop)

OS and kernel of the CA and web servers (the client is CentOS 7 with a desktop):
# cat /etc/centos-release
CentOS release 6.8 (Final)
# uname -r
2.6.32-642.el6.x86_64


Web server configuration:
# mkdir /opop
# cd /opop
# yum -y install openssl openssl-devel mod_ssl libcurl gcc* expat-devel pcre-devel
**********************************************************************************************
# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel gd gd-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
Note: this second line is a catch-all; anything that later turns out to be missing can be installed on its own.
***********************************************************************************************
Note: SSL support needs openssl and openssl-devel installed before the build. The mod_ssl RPM only provides the module for the distribution's own httpd; the source build below gets its mod_ssl from --enable-ssl.
# wget http://mirrors.hust.edu.cn/apache//httpd/httpd-2.4.33.tar.gz
# wget http://mirrors.hust.edu.cn/apache//apr/apr-1.6.3.tar.gz
# wget http://mirrors.shu.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
# wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz    // PCRE: Perl-compatible regular expression support
# wget https://github.com/nghttp2/nghttp2/releases/download/v1.24.0/nghttp2-1.24.0.tar.bz2
# wget https://curl.haxx.se/download/curl-7.60.0.tar.gz
# wget http://www.digip.org/jansson/releases/jansson-2.11.tar.gz
# wget https://jaist.dl.sourceforge.net/project/libpng/zlib/1.2.11/zlib-1.2.11.tar.gz
Note: several of these mirrors are plain HTTP. Check each tarball against the project's published signature or checksum before extracting it; the web server's TLS stack is only as trustworthy as the sources it was built from.
# for i in *.tar.gz; do tar -zxvf "$i"; done
# tar -jxvf nghttp2-1.24.0.tar.bz2
# cd pcre-8.42
# ./configure && make && make install
# cd ../nghttp2-1.24.0
# ./configure && make && make install
# cd ../curl-7.60.0
# ./configure && make && make install
# cd ../zlib-1.2.11
# ./configure && make && make install
# cd ../jansson-2.11
# ./configure && make && make install
# cd ..
# cp -r apr-1.6.3 httpd-2.4.33/srclib/apr
# cp -r apr-util-1.6.1 httpd-2.4.33/srclib/apr-util
(Some libraries have to be installed system-wide as above; others can simply be copied into the httpd-2.4.33/srclib directory, as done here for apr and apr-util. Adjust according to what ./configure complains about.)


Install Apache:
# cd httpd-2.4.33
# ./configure --prefix=/usr/local/apache2 --sysconfdir=/usr/local/apache2/etc --enable-ssl --with-crypto --with-included-apr --with-apr=/opop/httpd-2.4.33/srclib/apr --with-apr-util=/opop/httpd-2.4.33/srclib/apr-util --with-pcre=/opop/httpd-2.4.33/srclib/pcre/pcre-config --with-jansson=/opop/httpd-2.4.33/srclib/jansson --with-curl=/opop/httpd-2.4.33/srclib/curl --enable-http --enable-include --with-ldap
(The --with-pcre, --with-jansson and --with-curl paths assume those sources were copied into srclib/ like apr. If they were installed under /usr/local instead, point the options there, e.g. --with-pcre=/usr/local/bin/pcre-config.)

# make && make install

Configure the CA server:
The CA's working directory is /etc/pki/CA (the default dir for openssl ca in /etc/pki/tls/openssl.cnf):
# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out private/cakey.pem 2048)    // this is one command, parentheses included
Note: openssl is the command; genrsa generates an RSA private key (not a certificate); -out writes it to private/cakey.pem under the current directory; 2048 is the key length in bits.
Nobody but root may read the CA's private key, so the command runs in a subshell with umask 077: the file is created with mode 0600 (readable and writable by the owner only), and the umask change does not leak into the rest of the shell session.

Open the OpenSSL configuration file and set defaults, so the certificate prompts can later be answered by pressing Enter:

# vim /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]                          // edit in the req_distinguished_name section
countryName_default            = CN                 // default country
stateOrProvinceName_default    = BJ                 // default province (commented out by default)
localityName_default           = BJ                 // default city
0.organizationName_default     = LENOVO             // default organization / company
organizationalUnitName_default = Cloud Computing    // default unit name (commented out by default)

Generate the CA certificate (self-signed with the key just created, valid 3650 days):
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650    // the defaults are in the template, so Enter accepts them
Country Name (2 letter code) [CN]:                           // Enter
State or Province Name (full name) [BJ]:                     // Enter
Locality Name (eg, city) [BJ]:                               // Enter
Organization Name (eg, company) [LENOVO]:                    // Enter
Organizational Unit Name (eg, section) [Cloud Computing]:    // Enter
Common Name (eg, your name or your server's hostname) []:    // Enter (better: give the CA a descriptive name such as "LENOVO Root CA"; this is the name clients will see in their trust store)
Email Address []:[email protected]                            // type an address by hand


Back on the web server:
# cd /usr/local/apache2/
# mkdir ssl
# cd ssl/
# (umask 077; openssl genrsa 2048 > httpd.key)    // the original used 1024 bits; 1024-bit RSA is deprecated, use at least 2048
# openssl req -new -key httpd.key -out httpd.crq
Country Name (2 letter code) [XX]:CN                                   // type by hand; must match the CA server's value
State or Province Name (full name) []:BJ                               // type by hand; must match the CA
Locality Name (eg, city) [Default City]:BJ                             // type by hand; must match the CA
Organization Name (eg, company) [Default Company Ltd]:LENOVO           // type by hand; must match the CA
Organizational Unit Name (eg, section) []:Cloud Computing              // type by hand; must match the CA
Common Name (eg, your name or your server's hostname) []:www.biubiubiu.com    // the domain name of your site
Email Address []:[email protected]                                      // as needed
(Country, state and organization must match the CA's because the default policy_match section in openssl.cnf makes openssl ca reject a request whose values differ. Note also that modern browsers, Chrome in particular, ignore the Common Name and only look at the subjectAltName extension; a CN-only certificate like this one works for the Firefox exception dialog used below, but for general use add subjectAltName entries for every hostname, www and edu.)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        // optional; it is stored in the request only and does not appear in the issued certificate. Leave it empty: Enter
An optional company name []:    // optional, same; Enter

Note: copy the generated httpd.crq to the /tmp directory on the CA server:
# scp httpd.crq 192.168.1.103:/tmp

Enable virtual hosts:
# vim /usr/local/apache2/etc/httpd.conf
Include etc/extra/httpd-vhosts.conf    // uncomment this line; it is commented out by default
Configure the virtual hosts:
# cp /usr/local/apache2/etc/extra/httpd-vhosts.conf /usr/local/apache2/etc/extra/httpd-vhosts.conf.bak
# vim /usr/local/apache2/etc/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/usr/local/apache2/htdocs/www"
    ServerName www.biubiubiu.com
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/usr/local/apache2/htdocs/edu"
    ServerName edu.biubiubiu.com
</VirtualHost>
Two VirtualHost blocks, one per site; comment out or remove everything else in the file.

Create the home pages:
# cd /usr/local/apache2/htdocs/
# mkdir www edu
# vim www/index.html
Finally finished .....
# vim edu/index.html
It's not easy ....

On the Windows machine, add the web server to C:\Windows\System32\drivers\etc\hosts for testing:
192.168.1.104 www.biubiubiu.com
192.168.1.104 edu.biubiubiu.com

Start the Apache service:
# /usr/local/apache2/bin/apachectl start    // likewise restart | stop

Browse to www.biubiubiu.com and edu.biubiubiu.com from the Windows machine to test plain HTTP.


Go back to the CA server:
# pwd
/etc/pki/CA
# touch index.txt      // the CA's certificate database; starts empty
# echo 01 > serial     // the next serial number to issue, in hex

Sign the certificate:
# openssl ca -in /tmp/httpd.crq -out /tmp/httpd.crt -days 3650    // note: the input is the .crq request, the output the .crt certificate. Answer y twice (sign, then commit)
# ll /tmp                                                           // check that httpd.crt was written
On commit the CA records the new certificate in index.txt and newcerts/ and advances serial.

Back on the web server (run this from /usr/local/apache2/ssl):
# scp 192.168.1.103:/tmp/httpd.crt .    // fetch the signed certificate into the current directory; do not forget the trailing dot
The copies of httpd.crq and httpd.crt left in /tmp on the CA server are no longer needed and can be deleted; the CA keeps its own copy of every certificate it issued under newcerts/.
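The whole CA flow above (CA key and certificate, server key and request, the policy that forces the C/ST/O answers to match, signing with openssl ca, and the verification a client performs) as one non-interactive script. This is an added example, not part of the original tutorial: it works in a scratch directory instead of /etc/pki/CA, answers the prompts with -subj and -batch, writes its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, and issues a certificate whose subjectAltName covers both www.biubiubiu.com and edu.biubiubiu.com. The CA name "Demo CA", the file layout and the hostnames are assumptions; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original tutorial): non-interactive version of
# the CA flow, run in a scratch directory. Names and paths are illustrative.

# Build a CA database laid out the way "openssl ca" expects (index.txt,
# serial, newcerts/) plus a minimal config. Argument: directory to create.
setup_demo_ca() {
    cadir="$1"
    mkdir -p "$cadir/private" "$cadir/newcerts"
    chmod 700 "$cadir/private"
    : > "$cadir/index.txt"          # certificate database, empty to start
    echo 01 > "$cadir/serial"       # next serial number, in hex
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $cadir
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 3650
policy          = policy_match
x509_extensions = server_ext

# "openssl ca" rejects a CSR whose C/ST/O differ from the CA's subject:
# this is why the tutorial says those answers must match the CA server.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# Extensions for the self-signed CA certificate.
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Extensions stamped on every issued server certificate. Browsers match the
# hostname against subjectAltName, not the Common Name.
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.biubiubiu.com, DNS:edu.biubiubiu.com

[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA private key (umask 077 -> mode 0600) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$cadir/openssl.cnf" \
        -extensions ca_ext -key "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" \
        -subj "/C=CN/ST=BJ/L=BJ/O=LENOVO/OU=Cloud Computing/CN=Demo CA"
}

# Web server side: key and request, then the CA signs it. Returns 0 on
# success. Arguments: CA directory, directory for the server's files.
issue_server_cert() {
    ca="$1"; out="$2"
    mkdir -p "$out"
    (umask 077; openssl genrsa -out "$out/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$out/httpd.key" -out "$out/httpd.crq" \
        -config "$ca/openssl.cnf" \
        -subj "/C=CN/ST=BJ/L=BJ/O=LENOVO/OU=Cloud Computing/CN=www.biubiubiu.com"
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$out/httpd.crq" -out "$out/httpd.crt" -days 3650 >/dev/null 2>&1
}

# The two checks a browser performs: does the chain lead to the CA, and does
# the certificate cover the hostname being visited? Args: CA dir, cert, host.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Permission string of a file, e.g. "-rw-------" for a key created under umask 077.
key_mode() {
    ls -l "$1" | cut -c1-10
}

main() {
    work=$(mktemp -d)
    setup_demo_ca "$work/ca"
    issue_server_cert "$work/ca" "$work/web"
    verify_cert "$work/ca" "$work/web/httpd.crt" www.biubiubiu.com && echo "www.biubiubiu.com: OK"
    verify_cert "$work/ca" "$work/web/httpd.crt" edu.biubiubiu.com && echo "edu.biubiubiu.com: OK"
    echo "server key mode: $(key_mode "$work/web/httpd.key")"
    rm -rf "$work"
}

main "$@"
```

Run it with sh as any user; nothing touches /etc. The same verify step can be pointed at the live server once it is up, with the CA's cacert.pem copied to the client: openssl s_client -connect 192.168.1.104:443 -servername edu.biubiubiu.com -CAfile cacert.pem, and look for "Verify return code: 0 (ok)" in its output; a CN-only certificate or a missing SAN shows up here as a hostname-mismatch before any browser is involved.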

The signed certificate is in place; now make it take effect on the site:
# vim /usr/local/apache2/etc/httpd.conf
Include etc/extra/httpd-ssl.conf    // uncomment this line; it is commented out by default

Edit the SSL template:
# vim /usr/local/apache2/etc/extra/httpd-ssl.conf
Listen 443                                             // listen on port 443
........... some content omitted ......
<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs/www"          // where the pages live
ServerName www.biubiubiu.com:443                      // change to your domain name
   #ServerAdmin [email protected]                     // comment out
   #ErrorLog "/usr/local/apache2/logs/error_log"      // comment out (logging then falls back to the global ErrorLog/CustomLog in httpd.conf)
   #TransferLog "/usr/local/apache2/logs/access_log"  // comment out
........... some content omitted ......
SSLEngine on                                          // enable the encryption engine
........... some content omitted ......
SSLCertificateFile "/usr/local/apache2/ssl/httpd.crt"       // certificate location
........... some content omitted ......
SSLCertificateKeyFile "/usr/local/apache2/ssl/httpd.key"    // private key location
# /usr/local/apache2/bin/apachectl -t                 // check the configuration syntax; at this point it fails:
AH00526: Syntax error on line [number] of /usr/local/apache2/etc/extra/httpd-ssl.conf:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration

Workaround: the SSL directives are unknown because mod_ssl is not loaded.

# vim /usr/local/apache2/etc/httpd.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so    // uncomment to enable the module (the shared-memory session cache mod_ssl uses)
........... some content omitted ......
LoadModule ssl_module modules/mod_ssl.so                        // uncomment to enable the module

Check the syntax again:
# /usr/local/apache2/bin/apachectl -t
Syntax OK                                                       // check passes

Restart the Apache service:
# /usr/local/apache2/bin/apachectl restart
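A tighter version of the SSL configuration above, as an added example that is not part of the original tutorial: the weak protocol and cipher defaults that old httpd-ssl.conf templates shipped are shown next to their replacements, each name gets its own HTTPS virtual host (Apache 2.4 picks the right one by SNI), and port 80 only redirects. It assumes a single certificate whose subjectAltName covers both names stored at the tutorial's paths, that mod_headers is loaded (for the Header directive), and CentOS 6's OpenSSL 1.0.1, which has TLS 1.2 but no TLS 1.3.

```apache
# Added example, replaces the single <VirtualHost _default_:443> block from
# httpd-ssl.conf. Assumes one certificate with subjectAltName for both names
# at the tutorial's paths, and LoadModule headers_module in httpd.conf.

Listen 443

# Weak settings to avoid (what older templates shipped): SSLv3/TLS 1.0
# allowed, and the client chooses the cipher, including RC4 and 3DES.
#SSLProtocol all
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Corrected: TLS 1.2 only, server-preferred AEAD ciphers with forward secrecy.
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"

<VirtualHost *:443>
    ServerName   www.biubiubiu.com
    DocumentRoot "/usr/local/apache2/htdocs/www"
    SSLEngine on
    SSLCertificateFile    "/usr/local/apache2/ssl/httpd.crt"
    SSLCertificateKeyFile "/usr/local/apache2/ssl/httpd.key"
    # HSTS: only enable once clients trust the CA (see the note below).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

<VirtualHost *:443>
    ServerName   edu.biubiubiu.com
    DocumentRoot "/usr/local/apache2/htdocs/edu"
    SSLEngine on
    SSLCertificateFile    "/usr/local/apache2/ssl/httpd.crt"
    SSLCertificateKeyFile "/usr/local/apache2/ssl/httpd.key"
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# Plain HTTP only redirects (replaces the two *:80 blocks in httpd-vhosts.conf).
<VirtualHost *:80>
    ServerName www.biubiubiu.com
    Redirect permanent "/" "https://www.biubiubiu.com/"
</VirtualHost>

<VirtualHost *:80>
    ServerName edu.biubiubiu.com
    Redirect permanent "/" "https://edu.biubiubiu.com/"
</VirtualHost>
```

Leave the two Strict-Transport-Security lines out until the CA's cacert.pem has been imported into every client: once a browser has seen HSTS for a host it refuses the "Add Exception" click-through that the client test below relies on, which is exactly the behaviour you want in production and exactly what will lock you out of a test box with an untrusted certificate. Check the result with apachectl -t before restarting, as above.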


Client testing:
# vim /etc/hosts
192.168.1.104 www.biubiubiu.com
192.168.1.104 edu.biubiubiu.com
Open Firefox and visit https://www.biubiubiu.com and https://edu.biubiubiu.com. Firefox reports "Your connection is not secure", because the certificate was issued by a private CA the browser does not trust:
Advanced ---> Add Exception ---> View (this shows our certificate) ---> Confirm Security Exception ---> the page is displayed ---> Done

Two points to check while testing, rather than clicking past the warning. First, the proper fix is to import the CA's cacert.pem (never cakey.pem) into the browser's or the operating system's trust store, after which the site validates with no exception at all; a per-site exception also teaches users to ignore the very warning that would catch a real man-in-the-middle. Second, https://edu.biubiubiu.com is answered by the single _default_:443 virtual host and therefore presents the www.biubiubiu.com certificate, so the browser also reports a hostname mismatch for it. To serve both names properly over HTTPS, issue a certificate whose subjectAltName lists both (or one certificate per name) and configure one SSL VirtualHost per name; Apache 2.4 selects the right one by SNI.

Note: different browsers display the warning differently; pay attention to what the certificate actually says when you view it, not only to whether the page loads.
